Linux operating system penetration and privilege escalation
Task environment description:
- Server scenario: Server2202 (closed link)
- Username: hacker Password: 123456
1. Use the penetration-testing machine to collect information about the server, and submit the server's SSH service port number as the flag;
I use QEMU virtualization to start the target machine here, as shown in the figure below.
Run arp-scan -l for host discovery.
Perform port and service detection.
FLAG:2220
2. Use the penetration-testing machine to collect information about the server, and submit the server's host name as the flag;
FLAG:hacker
3. Use the penetration-testing machine to collect information about the server, and submit the server's system kernel version as the flag;
FLAG:2.6.24-26-server
4. Use the penetration-testing machine to escalate to administrator privileges on the server, and submit the text content in the server's root directory as the flag;
# nmap --interactive is Nmap's interactive mode command-line tool, which lets users work with Nmap interactively in the command-line interface. This mode provides various options and commands for understanding the Nmap tool more deeply, and the behavior of a scan can be controlled by typing commands and options.
nmap --interactive
# The !sh command re-runs the last sh command. After you press Enter on !sh at the command line, it searches the history of commands you have entered before, finds the most recent command that has sh as a command-line argument, and repeats that command automatically.
!sh
FLAG: XxudlOkC
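Added example (not part of the original write-up): the escalation in task 4 leaves a recognizable process-execution trace that a defender can alert on. This Python code scans auditd execve records for nmap started with --interactive and raises the severity when a non-root uid runs it with euid 0. Assumptions: auditd is logging execve calls, nmap is installed setuid root (the page does not show its permissions), and the log lines and function names are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed auditd records (not taken from the page): uid 1000 starts a
# setuid-root nmap in interactive mode, then later runs an ordinary scan.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:311): syscall=59 success=yes pid=4021 uid=1000 euid=0 comm="nmap" exe="/usr/bin/nmap"
type=EXECVE msg=audit(1700000000.101:311): argc=2 a0="nmap" a1="--interactive"
type=SYSCALL msg=audit(1700000100.500:340): syscall=59 success=yes pid=4100 uid=1000 euid=1000 comm="nmap" exe="/usr/local/bin/nmap"
type=EXECVE msg=audit(1700000100.500:340): argc=3 a0="nmap" a1="-sV" a2="192.0.2.10"
"""

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def find_interactive_nmap(log_text):
    """Return one alert per execve event where nmap was given --interactive."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        rec = events[m.group(1)]  # SYSCALL and EXECVE records share an event id
        if fields.get("type") == "SYSCALL":
            rec.update(uid=int(fields.get("uid", -1)), euid=int(fields.get("euid", -1)),
                       exe=decode(fields.get("exe", "")))
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            rec["argv"] = [decode(fields.get(f"a{i}", "")) for i in range(argc)]
    alerts = []
    for event_id, rec in sorted(events.items(), key=lambda kv: int(kv[0])):
        argv = rec.get("argv", [])
        if os.path.basename(rec.get("exe", "")) == "nmap" and "--interactive" in argv:
            # A non-root uid with euid 0 means the binary ran setuid root.
            setuid_root = rec.get("uid") != 0 and rec.get("euid") == 0
            alerts.append({"event": int(event_id), "uid": rec.get("uid"),
                           "severity": "high" if setuid_root else "medium"})
    return alerts
```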
5. Use the penetration-testing machine to escalate to administrator privileges on the server, and submit the server's root password as the flag;
Here we can export the usernames from /etc/passwd into pass.txt, then use the scp command to transfer this file off the target machine, and then use the john tool on Kali Linux to crack the root password.
scp -P2220 [email protected]:/home/hacker/pass.txt /root/pass.txt
FLAG:87654321
6. Use the penetration-testing machine to escalate to administrator privileges on the server, and submit the image content in the server's root directory as the flag.
Again, use scp to transfer it out. (Note that remote SSH is disabled on the target machine, so we SSH in as the hacker user and then switch to the root user to modify the configuration file.)
Change no to yes.
Transfer successful.
Turn the image around.
FLAG:PS8ltpLc