-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
108 lines (105 loc) · 18.6 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>hacksudo: L.P.E. 靶场漏洞复现与Linux提权研究 | 欲辨已忘言</title><meta name="description" content="hacksudo: L.P.E. 靶场介绍hacksudo: L.P.E. 是 hacksudo 团队制作的一款针对与 Linux 提权的靶场。 靶场搭建建议使用 VirtualBox 打开下载的 OVA 文件下载地址 靶场漏洞复现打开靶场以后,可以看到登录界面与 ip 地址:使用 Goby 全端口扫描 192.168.88.93 ,发现存在 22、80、4200:22 端口为 ssh 端口、80"><meta name="keywords" content="提权"><meta name="author" content="路边的野花"><meta name="copyright" content="路边的野花"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="/img/avatar.png"><link rel="canonical" href="http://ghealer.top/22de9ae77ecc/"><meta http-equiv="Cache-Control" content="no-transform"><meta http-equiv="Cache-Control" content="no-siteapp"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//fonts.googleapis.com" crossorigin="crossorigin"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><meta property="og:type" content="article"><meta property="og:title" content="hacksudo: L.P.E. 靶场漏洞复现与Linux提权研究"><meta property="og:url" content="http://ghealer.top/22de9ae77ecc/"><meta property="og:site_name" content="欲辨已忘言"><meta property="og:description" content="hacksudo: L.P.E. 靶场介绍hacksudo: L.P.E. 是 hacksudo 团队制作的一款针对与 Linux 提权的靶场。 靶场搭建建议使用 VirtualBox 打开下载的 OVA 文件下载地址 靶场漏洞复现打开靶场以后,可以看到登录界面与 ip 地址:使用 Goby 全端口扫描 192.168.88.93 ,发现存在 22、80、4200:22 端口为 ssh 端口、80"><meta property="og:image" content="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/cover.png"><meta property="article:published_time" content="2021-06-08T08:18:17.000Z"><meta property="article:modified_time" content="2021-06-09T06:04:24.305Z"><meta name="twitter:card" content="summary"><script>var activateDarkMode = function () {
document.documentElement.setAttribute('data-theme', 'dark')
if (document.querySelector('meta[name="theme-color"]') !== null) {
document.querySelector('meta[name="theme-color"]').setAttribute('content', '#000')
}
}
var activateLightMode = function () {
document.documentElement.setAttribute('data-theme', 'light')
if (document.querySelector('meta[name="theme-color"]') !== null) {
document.querySelector('meta[name="theme-color"]').setAttribute('content', '#fff')
}
}
var getCookies = function (name) {
const value = `; ${document.cookie}`
const parts = value.split(`; ${name}=`)
if (parts.length === 2) return parts.pop().split(';').shift()
}
var autoChangeMode = 'false'
var t = getCookies('theme')
if (autoChangeMode === '1') {
var isDarkMode = window.matchMedia('(prefers-color-scheme: dark)').matches
var isLightMode = window.matchMedia('(prefers-color-scheme: light)').matches
var isNotSpecified = window.matchMedia('(prefers-color-scheme: no-preference)').matches
var hasNoSupport = !isDarkMode && !isLightMode && !isNotSpecified
if (t === undefined) {
if (isLightMode) activateLightMode()
else if (isDarkMode) activateDarkMode()
else if (isNotSpecified || hasNoSupport) {
console.log('You specified no preference for a color scheme or your browser does not support it. I Schedule dark mode during night time.')
var now = new Date()
var hour = now.getHours()
var isNight = hour <= 6 || hour >= 18
isNight ? activateDarkMode() : activateLightMode()
}
window.matchMedia('(prefers-color-scheme: dark)').addListener(function (e) {
if (Cookies.get('theme') === undefined) {
e.matches ? activateDarkMode() : activateLightMode()
}
})
} else if (t === 'light') activateLightMode()
else activateDarkMode()
} else if (autoChangeMode === '2') {
now = new Date()
hour = now.getHours()
isNight = hour <= 6 || hour >= 18
if (t === undefined) isNight ? activateDarkMode() : activateLightMode()
else if (t === 'light') activateLightMode()
else activateDarkMode()
} else {
if (t === 'dark') activateDarkMode()
else if (t === 'light') activateLightMode()
}</script><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Titillium+Web&display=swap"><script>var GLOBAL_CONFIG = {
root: '/',
algolia: undefined,
localSearch: undefined,
translate: {"defaultEncoding":2,"translateDelay":0,"msgToTraditionalChinese":"繁","msgToSimplifiedChinese":"簡"},
noticeOutdate: undefined,
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
bookmark: {
message_prev: '按',
message_next: '键将本页加入书签'
},
runtime_unit: '天',
runtime: true,
copyright: {"limitCount":20,"languages":{"author":"作者: 路边的野花","link":"链接: ","source":"来源: 欲辨已忘言","info":"著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。"}},
ClickShowText: undefined,
medium_zoom: false,
fancybox: true,
Snackbar: undefined,
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
},
baiduPush: false,
highlightCopy: true,
highlightLang: true,
isPhotoFigcaption: false,
islazyload: true,
isanchor: false
}</script><script id="config_change">var GLOBAL_CONFIG_SITE = {
isPost: true,
isHome: false,
isHighlightShrink: false,
isSidebar: true,
postUpdate: '2021-06-09 14:04:24'
}</script><noscript><style>
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
</style></noscript><meta name="generator" content="Hexo 5.0.0"></head><body><div id="loading-box"><div class="loading-left-bg"></div><div class="loading-right-bg"></div><div class="spinner-box"><div class="configure-border-1"><div class="configure-core"></div></div><div class="configure-border-2"><div class="configure-core"></div></div><div class="loading-word">加载中...</div></div></div><div id="mobile-sidebar"><div id="menu_mask"></div><div id="mobile-sidebar-menus"><div class="mobile_author_icon"><img class="avatar-img" data-lazy-src="/img/avatar.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="mobile_post_data"><div class="mobile_data_item is-center"><div class="mobile_data_link"><a href="/archives/"><div class="headline">文章</div><div class="length_num">5</div></a></div></div><div class="mobile_data_item is-center"> <div class="mobile_data_link"><a href="/tags/"><div class="headline">标签</div><div class="length_num">10</div></a></div></div><div class="mobile_data_item is-center"> <div class="mobile_data_link"><a href="/categories/"><div class="headline">分类</div><div class="length_num">4</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 归档</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 友链</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div id="body-wrap"><div id="web_bg" data-type="photo"></div><div id="sidebar"><i class="fas fa-arrow-right on" id="toggle-sidebar"></i><div class="sidebar-toc"><div class="sidebar-toc__title">目录</div><div class="sidebar-toc__progress"><span class="progress-notice">你已经读了</span><span class="progress-num">0</span><span class="progress-percentage">%</span><div class="sidebar-toc__progress-bar"> </div></div><div class="sidebar-toc__content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#hacksudo-L-P-E-%E9%9D%B6%E5%9C%BA%E4%BB%8B%E7%BB%8D"><span class="toc-number">1.</span> <span class="toc-text">hacksudo: L.P.E. 靶场介绍</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E9%9D%B6%E5%9C%BA%E6%90%AD%E5%BB%BA"><span class="toc-number">2.</span> <span class="toc-text">靶场搭建</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E9%9D%B6%E5%9C%BA%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0"><span class="toc-number">3.</span> <span class="toc-text">靶场漏洞复现</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Challenge-1"><span class="toc-number">4.</span> <span class="toc-text">Challenge 1</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#apt-get-%E6%BB%A5%E7%94%A8"><span class="toc-number">4.1.</span> <span class="toc-text">apt-get 滥用</span></a></li></ol></li></ol></div></div></div><header class="post-bg" id="page-header" style="background-image: url(https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/cover.png)"><nav id="nav"><span class="pull-left" id="blog_name"><a class="blog_title" id="site-name" href="/">欲辨已忘言</a></span><span class="pull-right menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 归档</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 友链</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><span class="toggle-menu close"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></span></span></nav><div id="post-info"><div id="post-title"><div class="posttitle">hacksudo: L.P.E. 靶场漏洞复现与Linux提权研究</div></div><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-06-08T08:18:17.000Z" title="发表于 2021-06-08 16:18:17">2021-06-08</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2021-06-09T06:04:24.305Z" title="更新于 2021-06-09 14:04:24">2021-06-09</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E9%9D%B6%E5%9C%BA/">靶场</a></span></div><div class="meta-secondline"> <span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">207</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>1分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout_post" id="content-inner"><article id="post"><div class="post-content" id="article-container"><h1 id="hacksudo-L-P-E-靶场介绍"><a href="#hacksudo-L-P-E-靶场介绍" class="headerlink" title="hacksudo: L.P.E. 靶场介绍"></a>hacksudo: L.P.E. 靶场介绍</h1><p>hacksudo: L.P.E. 是 <a target="_blank" rel="noopener" href="https://hacksudo.com/">hacksudo</a> 团队制作的一款针对与 Linux 提权的靶场。</p>
<h1 id="靶场搭建"><a href="#靶场搭建" class="headerlink" title="靶场搭建"></a>靶场搭建</h1><p>建议使用 VirtualBox 打开下载的 OVA 文件<br><a target="_blank" rel="noopener" href="https://download.vulnhub.com/hacksudo/hacksudoLPE.zip">下载地址</a></p>
<h1 id="靶场漏洞复现"><a href="#靶场漏洞复现" class="headerlink" title="靶场漏洞复现"></a>靶场漏洞复现</h1><p>打开靶场以后,可以看到登录界面与 ip 地址:<br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/1.png"><br>使用 Goby 全端口扫描 192.168.88.93 ,发现存在 22、80、4200:<br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/Goby%E6%89%AB%E6%8F%8F%E7%BB%93%E6%9E%9C.png"><br>22 端口为 ssh 端口、80 端口为 web 端口、4200 端口为 web shell 连接工具。<br>打开 80 端口,可以看到登录界面,随便输入账号密码,点击登录,然后抓包,在返回的包里看到真实的账号密码,登录获取到的账号密码,登录成功:<br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/cover.png"><br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/burp%E8%BF%94%E5%9B%9E%E5%8C%85.png"><br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/%E6%88%90%E5%8A%9F%E8%BF%9B%E5%85%A5.png"></p>
<h1 id="Challenge-1"><a href="#Challenge-1" class="headerlink" title="Challenge 1"></a>Challenge 1</h1><h2 id="apt-get-滥用"><a href="#apt-get-滥用" class="headerlink" title="apt-get 滥用"></a>apt-get 滥用</h2><p>我们打开 apt-get 滥用页面,发现登录的账号密码 user1 | hacksudo ,使用 SSH 连接:<br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/apt-get%E6%BB%A5%E7%94%A8.png"><br><img src= "/img/loading.gif" data-lazy-src="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/user1%E7%99%BB%E5%BD%95.png"></p>
</div><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">路边的野花</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="http://ghealer.top/22de9ae77ecc/">http://ghealer.top/22de9ae77ecc/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="http://ghealer.top" target="_blank">欲辨已忘言</a>!</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/%E6%8F%90%E6%9D%83/">提权</a></div><div class="post_share"><div class="social-share" data-image="https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/cover.png" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="next-post pull-full"><a href="/f87a885d285a/"><img class="next-cover" data-lazy-src="https://oss.ghealer.top/2.jpg" onerror="onerror=null;src='/img/404.jpg'"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">IC卡破解与原理探究</div></div></a></div></nav></article></main><footer id="footer" style="background-image: url(https://oss.ghealer.top/HACKSUDO%3A%20L.P.E./apt-get/cover.png)" data-type="photo"><div id="footer-wrap"><div class="copyright">©2020 - 2021 By 路边的野花</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><section id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="font_plus" type="button" title="放大字体"><i class="fas fa-plus"></i></button><button id="font_minus" type="button" title="缩小字体"><i class="fas fa-minus"></i></button><button id="translateLink" type="button" title="简繁转换">繁</button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></section><div><script src="https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js"></script><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="/js/tw_cn.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js"></script><script src="https://cdn.jsdelivr.net/npm/instant.page/instantpage.min.js" type="module" defer></script><script src="https://cdn.jsdelivr.net/npm/vanilla-lazyload/dist/lazyload.iife.min.js" async></script><script>var endLoading = function () {
document.body.style.overflow = 'auto';
document.getElementById('loading-box').classList.add("loaded")
}
window.addEventListener('load',endLoading)</script><div class="js-pjax"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div><script src="/js/third-party/click_heart.js" async="async"></script></div></body></html>