Catalog

One 、nmap Routine scanning

Two 、FTP Anonymous access

3、 ... and 、zip Password cracking

1. Transform first hash

2.john Crack the decompression password

3. Private key id_rsa Sign in

Four 、sudo Raise the right

5、 ... and 、rbash The escape

One 、nmap Routine scanning

Scan out ftp service , And can be accessed anonymously

also 22 and 80

This range is from 80 Port did not find a breakthrough , The main page is apache The default page for , There is no hidden directory .

  Two 、FTP Anonymous access

1.mget

mget *

mget Download all the files .

get Download the two hidden files

2. View hidden files

It probably means that the password is hidden zip In file . And the password of the compressed file is older

（1）[email protected]

 （2）[email protected]

3、 ... and 、zip Password cracking

1. Transform first hash

2.john Crack the decompression password

（1）cathtine success

（2）tom success

3. Private key id_rsa Sign in

tom Can successfully login

Four 、sudo Raise the right

Can execute all sudo command , And in mysql_history The password was leaked in .

Direct use of sudo -s Mention right to success

But this is rbash One is limited shell

5、 ... and 、rbash The escape

Conditions 1： There is mysql 3306

Conditions 2：sudo Can execute all commands

1. With root function mysql

adopt mysql Directly execute operating system commands . Achieve a rebound root The powers of the shell.