Vulnhub靶机LordOfTheRoot_1.0.1通关笔记

vulnhub OSCP

Word count: 314Reading time: 1 min

 2020/03/21   Share







Vulnhub靶机LordOfTheRoot_1.0.1通关笔记

¶前言

下载地址:https://www.vulnhub.com/entry/lord-of-the-root-101,129/

upload successful

¶开始

nmap 扫描

upload successful

只开了一个ssh端口

upload successful

Knock 敲门这个以前有了解过
就是依次访问端口序列然后防火墙才会放行一个端口
https://www.cnblogs.com/bask/p/9159197.html

用nmap 扫描1,2,3端口

for x in 1 2 3; do nmap -Pn --max-retries 0 -p $x 192.168.3.101; done

upload successful

多了一个1337端口

upload successful
跟进

upload successful
有一串base64

upload successful

得到一个路径

upload successful

是个登陆框应该不是爆破试试sql注入

upload successful

sqlmap直接登陆上了？应该是万能密码

upload successful

upload successful

sqlmap一把梭

upload successful

用这些账号密码来爆破一下ssh

upload successful

爆破出了一个

smeagol:MyPreciousR00t

upload successful
时间是2015年但是尝试脏牛提权失败

发现mysql是root 尝试udf提权
root:darkshadow

upload successful

查看版本发现可以尝试udf

upload successful

以前的靶机做过

upload successful

upload successful

upload successful
发现不能反弹shell 打算写/etc/passwd
好像出了点问题
select do_system('echo "test::0:0::/root:/bin/bash">>/etc/passwd');

那就添加一个SUID吧
select do_system('chmod u+s /usr/bin/python');

提权成功

upload successful

¶总结

这个靶机还算中规中矩标准的渗透测试流程和思维，又复习了一遍udf提权

Author：r0ckyzzz

原文链接：http://r0cky.xyz/2020/03/21/ulnhub%E9%9D%B6%E6%9C%BALordOfTheRoot-1-0-1%E9%80%9A%E5%85%B3%E7%AC%94%E8%AE%B0/

发表日期：March 21st 2020, 4:27:00 pm

更新日期：March 21st 2020, 4:30:18 pm

版权声明：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

Next Post

Vulnhub靶机DeRPnStiNK通关笔记
Previous Post

Vulnhub靶机W1r3s通关笔记

CATALOG

1. Vulnhub靶机LordOfTheRoot_1.0.1通关笔记

