web页面是一个密码生成器,信息搜集没搜到什么东西就一个/password.log
nmap扫描
┌──(root㉿kali)-[/opt/tools]
└─# nmap 192.168.31.226
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 23:46 EDT
Nmap scan report for 192.168.31.226
Host is up (0.0018s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:74:8A:E9 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds存在ftp访问看一下
┌──(root㉿kali)-[/opt/tools]
└─# ftp 192.168.31.226
Connected to 192.168.31.226.
220 220 Welcome to FTP Service Please use guest:guest to login可以看到泄露了用户信息。
ftp登录进去没东西
然后脑子一登录了ssh发现可以登录上去
然后想着web页面的密码生成器总不能没用吧,然后就查看了还有没有其它用户
然后密码生成器生成一个,就直接ssh上去了
sudo -l
film@Paste:~$ sudo -l
Matching Defaults entries for film on Paste:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User film may run the following commands on Paste:
(ALL) NOPASSWD: /usr/bin/paste发现了paste题目名字也是,包是利用这个的
看看参数
film@Paste:~$ /usr/bin/paste --help
Usage: /usr/bin/paste [OPTION]... [FILE]...
Write lines consisting of the sequentially corresponding lines from
each FILE, separated by TABs, to standard output.
With no FILE, or when FILE is -, read standard input.
Mandatory arguments to long options are mandatory for short options too.
-d, --delimiters=LIST reuse characters from LIST instead of TABs
-s, --serial paste one file at a time instead of in parallel
-z, --zero-terminated line delimiter is NUL, not newline
--help display this help and exit
--version output version information and exit
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/paste>
or available locally via: info '(coreutils) paste invocation'-s是依次粘贴文件而非并行粘贴,看看能不能读flag
