靶机介绍: Description: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!
Difficulty Level: Beginner
Notes: there are 2 flag files
Learning: Web Application | Simple Privilege Escalation
┌──(root㉿kali)-[~/tmp] └─# nmap 192.168.10.139 -A Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-1819:43 CST Nmap scan report for 192.168.10.139 (192.168.10.139) Host is up (0.00087s latency). Not shown:998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 102457:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA) | 20483b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA) | 2568f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA) |_ 256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.7 (Ubuntu) MAC Address:00:0C:29:63:6B:88 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2-4.14 Network Distance:1 hop Service Info:OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE HOP RTT ADDRESS 10.87 ms 192.168.10.139 (192.168.10.139)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done:1 IP address (1 host up) scanned in17.74 seconds
经典的22和80端口
web
先去80端口
1 2 3
┌──(root㉿kali)-[~/tmp] └─# curl 192.168.10.139 Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->
┌──(root㉿kali)-[~/tmp] └─# dirsearch -u 192.168.10.139 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict
┌──(root㉿kali)-[~/tmp] └─# ssh alice@192.168.10.139 alice@192.168.10.139's password: Last login: Fri Dec 13 14:48:25 2019 alice@gfriEND:~$ id uid=1000(alice) gid=1001(alice) groups=1001(alice) alice@gfriEND:~$ ls alice@gfriEND:~$ pwd /home/alice alice@gfriEND:~$ ls -al total 32 drwxr-xr-x 4 alice alice 4096 Dec 13 2019 . drwxr-xr-x 6 root root 4096 Dec 13 2019 .. -rw------- 1 alice alice 10 Dec 13 2019 .bash_history -rw-r--r-- 1 alice alice 220 Dec 13 2019 .bash_logout -rw-r--r-- 1 alice alice 3637 Dec 13 2019 .bashrc drwx------ 2 alice alice 4096 Dec 13 2019 .cache drwxrwxr-x 2 alice alice 4096 Dec 13 2019 .my_secret -rw-r--r-- 1 alice alice 675 Dec 13 2019 .profile alice@gfriEND:~$ cd .my_secret/ alice@gfriEND:~/.my_secret$ ls flag1.txt my_notes.txt alice@gfriEND:~/.my_secret$ cat flag1.txt Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
提权
有一个note 发现没什么东西 sudo-l 发现可以用php
1 2 3 4 5 6 7 8
alice@gfriEND:~/.my_secret$ cat my_notes.txt Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes alice@gfriEND:~/.my_secret$ sudo -l Matching Defaults entries for alice on gfriEND: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND: (root) NOPASSWD: /usr/bin/php
