### Information gathering

Open ports: 20 21 22 80 139 666 3306

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609128017489-4fdb6420-1afa-4af3-aead-1d73d6f04152.png#align=left&display=inline&height=663&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1326&originWidth=1738&size=837230&status=done&style=none&width=869)

21 (FTP): `put` fails.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609128164862-d907a1ab-07bb-4f1b-a905-d0002e8cfa2e.png#align=left&display=inline&height=774&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1548&originWidth=2094&size=937341&status=done&style=none&width=1047)

80 (HTTP):

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609128351815-3a15b845-745e-456d-9dd2-e0043a173885.png#align=left&display=inline&height=110&margin=%5Bobject%20Object%5D&name=image.png&originHeight=220&originWidth=1030&size=65000&status=done&style=none&width=515)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609128417157-1d992610-512b-4895-85bd-33e01cb5c8b8.png#align=left&display=inline&height=323&margin=%5Bobject%20Object%5D&name=image.png&originHeight=646&originWidth=1140&size=297751&status=done&style=none&width=570)

Nothing usable was found on the web service.

139 (Samba): `enum4linux 192.168.56.7` yields a list of user names, saved as user.txt.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129141145-211a84d9-f41a-4191-b03f-96f0279d011d.png#align=left&display=inline&height=626&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1252&originWidth=1778&size=779587&status=done&style=none&width=889)

### Establish a foothold

hydra against port 22, using the user list as both the user list and the password list, finds the pair SHayslett / SHayslett:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129292189-31614134-10be-4a73-935d-89ca0f950ee4.png#align=left&display=inline&height=574&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1148&originWidth=422&size=177875&status=done&style=none&width=211)

```
hydra -L user.txt -P user.txt 192.168.56.17 ssh
```
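Seen from the target, the hydra run above is a burst of failed SSH logins from one source that cycles through the enumerated user names. As an added detection example (not part of this write-up), the Python script below parses sshd lines from auth.log and flags sources that reach a failure threshold inside a short window, noting whether a successful login followed. The log lines, host name, source addresses and threshold are constructed; only the user names come from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log sshd lines (host and IPs are assumed).
SAMPLE_LOG = """\
Dec 28 12:00:01 stapler sshd[2101]: Failed password for invalid user www-data from 192.168.56.1 port 50001 ssh2
Dec 28 12:00:01 stapler sshd[2102]: Failed password for peter from 192.168.56.1 port 50002 ssh2
Dec 28 12:00:02 stapler sshd[2103]: Failed password for JKanode from 192.168.56.1 port 50003 ssh2
Dec 28 12:00:02 stapler sshd[2104]: Failed password for SHayslett from 192.168.56.1 port 50004 ssh2
Dec 28 12:00:03 stapler sshd[2105]: Accepted password for SHayslett from 192.168.56.1 port 50005 ssh2
Dec 28 12:09:00 stapler sshd[2200]: Failed password for peter from 192.168.56.20 port 50100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2020):
    """Turn sshd password-auth lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth line; syslog has no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events

def detect_spray(events, threshold=4, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span.
    Value per source: (failed_count, distinct_users_tried, success_after_failures)."""
    findings = {}
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "Failed"]
        lo, best = 0, 0
        for hi, (ts, *_rest) in enumerate(fails):   # sliding window over failures
            while (ts - fails[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            users = {e[2] for e in fails}
            got_in = any(e[3] == "Accepted" and e[0] >= fails[0][0] for e in evs)
            findings[src] = (len(fails), len(users), got_in)
    return findings
```

Running `detect_spray(parse(SAMPLE_LOG))` reports only 192.168.56.1, with four failures across four different users followed by a successful login; the single failure from 192.168.56.20 stays below the threshold.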
![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129493506-3f1f4eae-e278-484c-9e92-8694ea0190f1.png#align=left&display=inline&height=199&margin=%5Bobject%20Object%5D&name=image.png&originHeight=398&originWidth=1982&size=226832&status=done&style=none&width=991)

```
ps -aux
```

`ps -aux` shows a web service running from /home/JKanode.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129580227-12fc48aa-2e02-499a-bb39-cd32b3e8db3a.png#align=left&display=inline&height=688&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1376&originWidth=2308&size=1111699&status=done&style=none&width=1154)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129642846-6337a867-af51-43d1-b9ce-72d7fd2b7366.png#align=left&display=inline&height=402&margin=%5Bobject%20Object%5D&name=image.png&originHeight=804&originWidth=1248&size=266822&status=done&style=none&width=624)

peter's SSH password -> JZQuyIN5

JKanode's SSH password -> thisismypassword

### Privilege Escalation

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609129719780-f805fcbb-51a3-42ec-9b3d-7156b966811f.png#align=left&display=inline&height=697&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1394&originWidth=2180&size=776202&status=done&style=none&width=1090)

After logging in as peter, we find that sudo can be run, so it can be used to escalate privileges.

SUID enumeration turns up nothing exploitable, so we try a kernel exploit instead:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609135169372-9b173f4e-723e-48bf-a541-80dc113ad883.png#align=left&display=inline&height=431&margin=%5Bobject%20Object%5D&name=image.png&originHeight=862&originWidth=916&size=216929&status=done&style=none&width=458)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609135271017-b37b6ec3-6434-4189-89b0-6df5098a9e60.png#align=left&display=inline&height=170&margin=%5Bobject%20Object%5D&name=image.png&originHeight=340&originWidth=1684&size=125290&status=done&style=none&width=842)

```
uname -a   # or: uname -r
```

```
cat /etc/lsb-release
```

Kernel 4.4.0 -> Ubuntu 16.04
![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609135362175-e981b1c7-b171-4313-9aa7-0358d8005f8a.png#align=left&display=inline&height=628&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1256&originWidth=2870&size=1427637&status=done&style=none&width=1435)

In practice any of these can be tried; here we use double-fdput to escalate:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609135548026-e3116eee-233c-40f6-8ef0-7e69f272b07e.png#align=left&display=inline&height=598&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1196&originWidth=2604&size=821083&status=done&style=none&width=1302)

After downloading, unpack and compile it, wait about 1 minute, and the escalation succeeds (compiling and running it directly failed; compiling with compile.sh succeeded).

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609136012949-fe2f492b-9429-4a17-9af1-f4c6646ba9e6.png#align=left&display=inline&height=450&margin=%5Bobject%20Object%5D&name=image.png&originHeight=900&originWidth=1866&size=521215&status=done&style=none&width=933)

okay~ we are root.

Worth noting: the exploit has to be compiled on the target machine itself to run; a binary compiled on the attacking machine does not run there.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609135982649-db6d928d-d60f-44a7-9326-0cbd92f0ce78.png#align=left&display=inline&height=682&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1364&originWidth=2654&size=897914&status=done&style=none&width=1327)