hack-my-vm-warez

Port scanning

kali@kali [~/web_shell_toos] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.108.47                            [19:56:29]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-08 19:56 CST
Nmap scan report for 192.168.108.47
Host is up (0.0024s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6800/tcp open unknown
MAC Address: 08:00:27:AC:52:02 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds

Port exploitation

First, I took a quick look at port 80.


I got two pieces of information; the more important one is the username. Then I searched for what aria is.


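From a quick look, it is a tool for downloading things, and it is part of the same setup as port 6800, but I did not know how to make it download anything, so I kept reading about aria for ideas.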


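This is not hard to think of, but this one is not graphical and I found nothing useful in it, so I went straight back to look for the download function.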


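It was easy to find, but I did not know how to pass the out parameter to this thing, so I simply changed the name directly and got it done in one step.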

kali@kali [~] ➜  ssh carolina@192.168.108.47                                                                [20:08:01]
Linux warez 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 8 07:37:11 2025 from 192.168.108.141
carolina@warez:~$ ls
user.txt

Privilege escalation

I checked sudo -l and there was nothing, so I ran linpeas.sh directly.

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 38K Jul 9 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 23K Jul 28 2021 /usr/bin/write.ul (Unknown SGID binary)
-rwxr-sr-x 1 root ssh 347K Mar 13 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Feb 7 2020 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 79K Feb 7 2020 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Jul 28 2021 /usr/bin/wall
-rwsr-sr-x 1 root root 2.0M Dec 29 2019 /usr/bin/rtorrent
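
A defender-side check of the listing above, as an added example that is not part of the original writeup: it compares each set-id file against a baseline and reports what is new or has changed mode. The function name `audit_setid`, the `BASELINE` entries and the HIGH/REVIEW labels are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: triage an `ls -l` style SUID/SGID listing against a baseline.
# BASELINE is constructed for this example (path=expected mode); build the real
# one from a known-good image of the same release.
BASELINE='/usr/sbin/unix_chkpwd=-rwxr-sr-x
/usr/bin/write.ul=-rwxr-sr-x
/usr/bin/ssh-agent=-rwxr-sr-x
/usr/bin/expiry=-rwxr-sr-x
/usr/bin/chage=-rwxr-sr-x
/usr/bin/wall=-rwxr-sr-x'

# Sample input: the listing from the linpeas output above.
SAMPLE='╔══════════╣ SGID
-rwxr-sr-x 1 root shadow 38K Jul 9 2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 23K Jul 28 2021 /usr/bin/write.ul (Unknown SGID binary)
-rwxr-sr-x 1 root ssh 347K Mar 13 2021 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Feb 7 2020 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 79K Feb 7 2020 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Jul 28 2021 /usr/bin/wall
-rwsr-sr-x 1 root root 2.0M Dec 29 2019 /usr/bin/rtorrent'

# Reads listing lines on stdin; prints one finding per unexpected set-id file.
audit_setid() {
  BASELINE="$BASELINE" awk '
    BEGIN {
      n = split(ENVIRON["BASELINE"], e, " ")
      for (i = 1; i <= n; i++) {
        p = index(e[i], "=")
        want[substr(e[i], 1, p - 1)] = substr(e[i], p + 1)
      }
    }
    # Skip banners and anything that is not a regular-file mode string.
    NF < 9 || $1 !~ /^-[-rwxsStT]+[.+]?$/ { next }
    {
      mode = substr($1, 1, 10)                   # drop ACL/SELinux suffix
      suid = (substr(mode, 4, 1) ~ /[sS]/)
      sgid = (substr(mode, 7, 1) ~ /[sS]/)
      if (!suid && !sgid) next
      if (($9 in want) && want[$9] == mode) next # matches baseline
      why = ($9 in want) ? "mode-changed" : "not-in-baseline"
      sev = (suid && $3 == "root") ? "HIGH" : "REVIEW"
      printf "%s %s mode=%s owner=%s group=%s %s\n", sev, $9, mode, $3, $4, why
    }'
}

printf '%s\n' "$SAMPLE" | audit_setid
```

On a live host the same function can read the output of `find / -xdev -type f -perm /6000 -exec ls -l {} +`. Paths containing spaces are not handled, since the path is taken from field 9.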


Nothing difficult here.

# whoami
root