1.cap

1.How many TCP ports are open?

Scan with nmap, using the following command:

nmap -sV -sC -O -T4

Ports 21, 22 and 80 are open.

Answer: 3

2.After running a “Security Snapshot”, the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

Open the site in a browser; after clicking, it redirects automatically to /data/1.

Answer: data

3.Are you able to get to other users’ scans?

Request /data/0; the request succeeds.

Answer: yes

4.What is the ID of the PCAP file that contains sensitive data?

Request /data/0 and click download to get 0.pcap. CTFNeta extracts the username and password from it.

# user:nathan
# passwd:Buck3tH4TF0RM3!

Answer: 0

5.Which application layer protocol in the pcap file can the sensitive data be found in?

0.pcap contains an FTP username and password.

Answer: ftp

6.We’ve managed to collect nathan’s FTP password. On what other service does this password work?

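The earlier port scan showed that port 22 is also open. Guessing that the username and password are reused, the SSH login succeeds.

Answer: ssh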

7.Submit the flag located in the nathan user’s home directory.

Connect over SSH, run ls, then cat user.txt to get the flag.

8.What is the full path to the binary on this machine has special capabilities that can be abused to obtain root privileges?

Upload linpeas.sh to the remote host:

scp ~/linpeas.sh nathan@10.129.37.234:~/

Run it.

It shows that /usr/bin/python3.8 carries cap_setuid.

python3.8 -c 'import os; os.setuid(0); os.system("id && whoami && bash -p")'

Privilege escalation succeeds.

Answer: /usr/bin/python3.8
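The finding in step 8 can be turned into a host audit. The following is an added example, not part of the original writeup: it parses `getcap -r` output in both the older and newer libcap print styles and flags binaries whose permitted set holds identity-changing or permission-bypassing capabilities, rating interpreters highest. The sample output, the capability list and the interpreter list are constructed assumptions.

```python
import re

# Capabilities that let a process change identity or bypass file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module"}
# Programs that execute arbitrary user-supplied code (assumed list; extend for your fleet).
INTERPRETER = re.compile(r"/(?:(?:python|perl|ruby|php)[\d.]*|node|gdb|vim)$")
CLAUSE = re.compile(r"^([a-z0-9_,]*)[=+]([eip]*)$")

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing the older
# "path = caps+flags" style with the newer "path caps=flags" style.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep
/usr/bin/perl cap_setuid=ep
"""

def parse_line(line):
    """Return (path, capabilities in the permitted set). Assumes paths without spaces."""
    tokens = line.split()
    path, clauses = tokens[0], [t for t in tokens[1:] if t != "="]
    permitted = set()
    for clause in clauses:
        m = CLAUSE.match(clause)
        if m and "p" in m.group(2):
            # An empty name list ("=ep") or "all" grants every capability.
            permitted.update(n or "all" for n in m.group(1).split(","))
    return path, permitted

def audit(getcap_output):
    """Return [(path, risky_caps, severity)] for binaries holding dangerous capabilities."""
    findings = []
    for line in filter(str.strip, getcap_output.splitlines()):
        path, permitted = parse_line(line)
        risky = sorted(permitted & DANGEROUS) or (["all"] if "all" in permitted else [])
        if risky:
            severity = "high" if INTERPRETER.search(path) else "review"
            findings.append((path, risky, severity))
    return findings

if __name__ == "__main__":
    for path, caps, severity in audit(SAMPLE):
        # setcap -r removes all file capabilities from the binary.
        print(f"[{severity}] {path}: {','.join(caps)} -> fix: setcap -r {path}")
```

Capabilities held only in the inheritable set (`+i`) are not reported, since the file does not grant them on exec by itself.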

9.Submit the flag located in root’s home directory.

Read /root/root.txt:

4f6d64b33dfc0ce5062bdc797e4e7680