描述

Difficulty : Easy

Goal : 3 flags

This works better with VirtualBox rather than VMware

存活

  • 扫不到IP参考:
1
https://putdown.top/archives/7051f480.html

  • 把网卡改为ens33

    image-20221213101816958

image-20221213101904171

1
2
kali 192.168.169.220
 靶机 192.168.169.232

靶机扫描

image-20221213102038941

1
21 22 80

21

  • 匿名登陆

image-20221213102159008

  • 发现图片先下载

image-20221213102250487

80

image-20221213102331891

  • 扫一下目录

image-20221213102558989

image-20221213102643645

  • 查看源代码

image-20221213102705925

  • 提示有个目录,访问

image-20221213102804855

  • 源代码

image-20221213102827625

1
这个key应该是图片解密要用到

图片解密

image-20221213103028185

  • 输入上面的key得到一个文件
1
steghide extract -sf  trytofind.jpg

image-20221213103338664

image-20221213103355306

image-20221213103455952

1
大概意思是 renu用户的密码太弱了 ,尝试爆破

image-20221213103801395

ssh

image-20221213103903630

提权

image-20221213104150569

1
2
3

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian

  • 这个用户发现 authorized_keys 是现在这个 renu 用户的,那找一下 id_rsa 然后 ssh 连接 lily 用户即可:

image-20221213104509333

image-20221213104642889

  • 利用perl提权

image-20221213104802077

image-20221213105055270

  • 一共三个flag每个用户都有一个,最后一个在root