HackMyVM target series (5) - warez
2022-07-06 13:58:00 【The moon should know my meaning】
1. Information gathering
First, scan the network segment to find the target.
nmap -sP 192.168.220.0/24
A port scan with nmap shows three open ports: 22, 80 and 6800.
nmap -sC -sV -T4 -p- -sT -A 192.168.220.128
Visit the HTTP service; the page is as follows. I don't know what it is, but I found the keyword Aria2 WebUI, and a search on Baidu shows that it is a tool for downloading resources.
Take a look at the page source, find the following keywords, and search for them to see whether there are any vulnerabilities that can be exploited.
Er..., no luck, there really aren't any.
Next, run gobuster for a directory scan.
gobuster dir -u "http://192.168.220.128/" -w directory-list-2.3-medium.txt -t 30 -x php,html,txt,7z,zip,bak,gz
The results are as follows: two txt files were found, robots.txt and result.txt.
The contents of robots.txt are as follows.
The contents of result.txt are as follows. Hmm... doesn't this look familiar? Don't worry, read on.
I ran ps -aux on Kali. Compared with the figure above, the contents of result.txt should be a process list, and it shows that aria2c is running as the user carolina.
Note the arrows below: this is a download tool, so my guess is that dir is the default download directory.
Click Add, then choose to download from a link. Could we generate a key on Kali, start an HTTP service, and have the target machine download it into the /home/carolina directory?
2. Exploitation
Generate the key on Kali
ssh-keygen
Start an HTTP service with Python
python3 -m http.server 80
Add the download link and the save directory
As shown in the figure below, the download succeeds.
ssh [email protected] -i id_rsa
Logging in to the target machine with the private key succeeds, which gives the first flag.
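Seen from the defender's side, the foothold above depends on an aria2c RPC interface that accepts download requests from the network while running as a login user. The following is an added example, not code from the original post: it audits `ps aux` output for that configuration. It assumes the RPC interface had no secret set and that home directories live under /home; the process lines are constructed, and `--enable-rpc`, `--rpc-listen-all`, `--rpc-secret` and `--dir` are aria2c's own options.

```python
# Constructed `ps aux` sample (not the target's result.txt); values are illustrative.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 100000  9000 ?        Ss   10:00   0:01 /sbin/init
carolina   412  0.0  0.3  60000 12000 ?        Ss   10:00   0:00 aria2c --enable-rpc --rpc-listen-all --dir=/home/carolina
backup     530  0.0  0.3  60000 12000 ?        Ss   10:00   0:00 /usr/bin/aria2c --enable-rpc --rpc-secret=CHANGEME --dir=/srv/downloads
"""

def parse_flags(argv):
    """Map aria2c long options to values; accepts '--k=v', '--k v' and bare '--k'."""
    flags, i = {}, 0
    while i < len(argv):
        if argv[i].startswith("--"):
            key, sep, val = argv[i][2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                val = argv[i]
            flags[key] = val if (sep or val) else "true"   # bare switch means true
        i += 1
    return flags

def audit_aria2(ps_text):
    """Return [(user, [issues])] for every aria2c process with RPC enabled."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        cols = line.split(None, 10)                # 11th column = full command line
        if len(cols) < 11:
            continue
        user, argv = cols[0], cols[10].split()
        if argv[0].rsplit("/", 1)[-1] != "aria2c":
            continue
        flags = parse_flags(argv[1:])
        if flags.get("enable-rpc", "false") != "true":
            continue
        issues = []
        if not flags.get("rpc-secret"):
            issues.append("RPC enabled without --rpc-secret")
        if flags.get("rpc-listen-all", "false") == "true":
            issues.append("RPC listens on all interfaces")
        # RPC clients can set 'dir' per download, so this only flags the default.
        home = "/root" if user == "root" else "/home/" + user   # assumed home layout
        d = flags.get("dir", "")
        if d == home or d.startswith(home + "/"):
            issues.append("default download dir is inside the service user's home")
        if issues:
            findings.append((user, issues))
    return findings

if __name__ == "__main__":
    for user, issues in audit_aria2(SAMPLE_PS):
        print(user, "->", "; ".join(issues))
```

Because an RPC client can choose the save directory per download, the missing secret is the finding that matters most; running aria2c under a dedicated account without a login shell limits what a written file can do.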
3. Privilege escalation
The next step is to escalate privileges to root.
Let's see whether sudo can be abused. ??? The command doesn't exist?
Never mind; first let's see whether SUID or SGID binaries can be used to escalate privileges.
find / -perm -u=s -type f 2>/dev/null
As shown in the figure, /usr/bin/rtorrent turns up; let's see whether it can be used to escalate privileges.
A search on Baidu shows that rtorrent can run system commands through execute.throw, but it needs a configuration file, .rtorrent.rc, to do so. So I create this file first and then enter the following, which creates the /root/.ssh directory and copies the public key into it.
Because the rtorrent binary has the SUID bit set, other users who run it get root privileges, so it can create the /root/.ssh directory and copy the public key.
Log in as root from Kali with the private key, and the second flag is obtained.