HackMyVM target series (5) - warez
2022-07-06 13:58:00 【The moon should know my meaning】
I. Information gathering
First sweep the subnet to find the target:
nmap -sP 192.168.220.0/24
Port-scan it with nmap; three ports are open: 22, 80 and 6800.
nmap -sC -sV -T4 -p- -sT -A 192.168.220.128
Browse to the HTTP service; the page looks like the one below. I did not recognise it at first, but it carries the keywords Aria2 WebUI, and a Baidu search shows it is a front-end for a download manager.

Look at the page source, pick out the keywords below and search for them to see whether there is any known vulnerability to exploit.

Er... nothing useful; there really isn't one.

Next, run a directory scan with gobuster:
gobuster dir -u "http://192.168.220.128/" -w directory-list-2.3-medium.txt -t 30 -x php,html,txt,7z,zip,bak,gz
The result is as follows: two txt files were found, robots.txt and result.txt.

The contents of robots.txt:

The contents of result.txt. Hmm... doesn't this look familiar? Bear with me and look at the next step.

Running ps -aux on my Kali box and comparing it with the figure above: the file is a process list, and it shows aria2c running as the user carolina.

Note the arrows below: this is a download tool, and dir is presumably the default directory that downloads are saved to.

Click Add, then choose download by link. Could we generate a key pair on Kali, serve it over HTTP, and have the target download it into the /home/carolina directory?

II. Exploitation
Generate the key pair on Kali:
ssh-keygen
Start an HTTP server with Python:
python3 -m http.server 80
Add the download link and the save directory:

As the picture shows, the download succeeded.

ssh carolina@192.168.220.128 -i id_rsa
Logging in to the target with the private key succeeds, and we get the first flag.
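The control that would have blocked this step is confining the daemon's save directory to a fixed download root. The following is an added example (not code from the post or from aria2 itself); the root path ALLOWED_ROOT and the function names are assumptions, and the directory layout in the demo is constructed.

```python
import os
import tempfile

# Assumed deployment choice: the only tree the download daemon may write into.
ALLOWED_ROOT = "/srv/downloads"


def is_safe_download_dir(requested: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    """Return True only if `requested` resolves to a location inside allowed_root.

    os.path.realpath collapses '..' components and follows symlinks, so both
    '/srv/downloads/../../home/user/.ssh' and a symlink planted inside the root
    that points at a home directory are rejected. commonpath (not startswith)
    is used so that '/srv/downloads2' does not pass as a prefix match.
    """
    if not os.path.isabs(requested):
        return False  # relative paths depend on the daemon's cwd; refuse them
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(requested)
    return os.path.commonpath([root, target]) == root


def demo_symlink_escape() -> dict:
    """Constructed sample layout: a throwaway download root containing a symlink
    that points at a fake ~/.ssh outside the root. Returns the verdict for three
    save-directory requests so the outcome can be checked, not just printed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        fake_ssh = os.path.join(tmp, "home", "user", ".ssh")
        os.makedirs(root)
        os.makedirs(fake_ssh)
        os.symlink(fake_ssh, os.path.join(root, "innocent"))
        return {
            "plain_subdir": is_safe_download_dir(os.path.join(root, "films"), root),
            "traversal": is_safe_download_dir(
                os.path.join(root, "..", "home", "user", ".ssh"), root),
            "symlink": is_safe_download_dir(os.path.join(root, "innocent"), root),
        }


if __name__ == "__main__":
    for name, verdict in demo_symlink_escape().items():
        print(f"{name:13s} -> {'allowed' if verdict else 'rejected'}")
```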

III. Privilege escalation
The next step is escalating to root.
First check whether sudo can be abused... what, the sudo command isn't even there?

Never mind; let's see instead whether SUID or SGID binaries can be used to escalate.
find / -perm -u=s -type f 2>/dev/null
As pictured, /usr/bin/rtorrent turns up; let's see whether it can be used to escalate.

A Baidu search shows that rtorrent can run system commands through execute.throw, but it needs a configuration file, .rtorrent.rc, for that. So I first create that file and put in the directives shown below, which create the /root/.ssh directory and copy the public key into it.
Because the rtorrent binary has the SUID bit set, the commands it runs on behalf of another user execute with root privileges, which is how it can create /root/.ssh and copy the public key in.

From Kali, log in as root with the private key and get the second flag.
