1. 信息搜集
2. user.txt
3. root.txt

信息搜集

arp-scan -l

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    0a:00:27:00:00:11       (Unknown: locally administered)
192.168.31.2    08:00:27:f8:3e:94       PCS Systemtechnik GmbH
192.168.31.144  08:00:27:5c:e1:4f       PCS Systemtechnik GmbH

192.168.31.144就是靶机ip，扫描端口

1
2
3

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64

开启了22和80端口

user.txt

80端口是一个hoteldruid，存在ndayhttps://github.com/kaal18/CVE-2022-22909#

反弹一个shell出来，/var/www/html目录下有一个ttylog很可疑，用ttyplay可以重现当时录制的tty

得到person的密码为

1	Endur4nc3.

ssh登录，拿到user.txt

root.txt

sudo -l

person@hotel:~$ sudo -l
Matching Defaults entries for person on hotel:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User person may run the following commands on hotel:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf

sudo /usr/bin/wkhtmltopdf file:///root/root.txt 1.pdf可以拿到root.txt

本作品采用知识共享署名-相同方式共享 4.0 国际许可协议进行许可

lvzhouhang

HackmyVM-hotel

信息搜集

user.txt

root.txt