Os-hackNos-1:

Target download https://www.vulnhub.com/entry/hacknos-os-hacknos,401

The environment is as follows ：

KALI: 192.168.59.141/24
Drone aircraft ：192.168.59.146/24

Target acquisition 2 individual flag

Set up the environment ：

PS:（Vulnhub The target cannot detect IP
After revising ip Restart ok 了 ）
The environment was built successfully ！

information gathering ：

Scan directory

 ./gobuster dir -u http://192.168.59.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 

The discovery service ：
use kali Medium whatweb Let's detect Drupal Version of , See if there are corresponding vulnerabilities , Found to be Drupal7
stay GitHub Find out whether there are loopholes in the framework and exp, Or make use of msf Search for , I use this msf To search for , Then through online search Drupal Framework of the CVE-2018-7600 You can use , Choose here 1

Set path and destination , And run （run）

After a successful attack , No interactive shell, Need to be upgraded to interactive shell
python3 -c “import pty;pty.spawn(’/bin/bash’)”, Here you get the website permission

Return to parent directory , Query to base64 The ciphertext of

Look not to understand , Direct Baidu
Decrypt ：james:[email protected]

Then try to use su Account password login , Found unable to log in

Then try ssh Sign in , Still can't log in

We can try suid Raise the right （　SUID (Set owner User ID up on execution) Is a special type of file permission given to files . stay Linux/Unix in , When a program is running , The program will inherit permissions from the logged in user .SUID Is defined as giving a user temporary （ Program / file ） The owner's permission to run a program / file . The user is executing the program / file / When ordered , The file owner's permissions and the owner's permissions will be obtained UID and GID.）, And then it turns out that there's one wget, This can be used to download files

Then another idea is to put /etc/passwd Download the file , Then add one with root Privileged user , Pass it back and cover it . Here we create a user

openssl passwd -1 -salt myqf 123456
$1$myqf$wD2.LTxOJb7fsYoC1agE6/

└─# python2 -m SimpleHTTPServer 80

copy /etc/passwd Replace root Password and user name

myqf:$1$myqf$wD2.LTxOJb7fsYoC1agE6:0:0:root:/root:/bin/bash

Successfully wrote ：
Successful claim ：

see root.txt

Check it out. ssh, Find out ssh The protection is very good , Just enhance the directory .

Reference resources ：https://blog.csdn.net/Long_gone/article/details/104073135