
Vulnhub tre1

2022-07-07 20:07:00 Plum_ Flowers_ seven

Contents

One、 Host discovery

Two、 Port scanning

Three、 Service version discovery

Four、 Information gathering

1. 80 and 8082

2. Directory brute-forcing

Five、 Breaking through the perimeter

1. Trying the Mantis RCE exploit

2. Deeper directory brute-forcing and more information gathering

3. Pre-Auth Remote Password Reset

Six、 Privilege escalation via shell script

1. shell syntax

2. check-system

3. Writing a reverse shell statement

4. Rebooting to trigger it


Note: deploy the target machine in VMware where possible, and set the network mode to NAT.

One、 Host discovery

Two、 Port scanning

Three、 Service version discovery

22 ssh

Ports 80 and 8082 both serve HTTP, but with different web server software.

Four、 Information gathering

1. 80 and 8082

Both serve HTTP and host the same site with the same page. The page source contains no useful information.

2. Directory brute-forcing

(1) adminer.php

(2) info.php

It reveals configuration file paths, the site's environment, and so on.

(3) system

Returns HTTP 401: the site requires a login. The weak credentials admin/admin get us in.

(4) Captured packet

This header in the captured packet is what authenticates the request:

Authorization:Basic YWRtaW46YWRtaW4=

Five、 Breaking through the perimeter

1. Trying the Mantis RCE exploit

Copy the exploit locally, set rhost, lhost and mantisloc in it, add the auth header, then run it.

nc -nvlp 4444

2. Deeper directory brute-forcing and more information gathering

That is, add the auth header and brute-force again:

dirsearch -u url --header="Authorization:Basic YWRtaW46YWRtaW4="

There are many new paths .

(1) config

This gives the database account, password and name. Combined with the adminer.php interface found earlier, try logging in.

(2) Collecting information after login

Here we find both the original account and the account we registered. Since we entered no password when registering, the blank column is inferred to be the password. Try logging in via ssh.

(3) ssh login

3. Pre-Auth Remote Password Reset

This is a pre-authentication remote password reset vulnerability.

A note on how it is used: the remote password change is verified by a hash, but we set it to empty and bypass the check entirely.

Logged in as the administrator, we can also see the account password, and then log in via ssh.

Six、 Privilege escalation via shell script

1. shell syntax

find / -user root -type f -perm -o=rw -ls 2>/dev/null | grep -v "/proc"

check-system is not a built-in system command, so take a look at it.

2. check-system

The program that starts at boot is systemd, the system and service manager. systemd is the first process to run at startup and always has process ID (PID) 1. Every other process on the machine is started either by systemd directly or by a process that systemd started. Combined with the sudo permission above, it is probably related to boot-time startup.
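The defensive counterpart of the find command and the systemd observation above: audit every .service unit for an Exec* command that points at a world-writable file, since such a file lets any local user change what root runs at boot. This is an added example, not code from the original write-up; the unit directory, script names and permissions in build_demo are constructed.

```python
import os
import re
import stat
import tempfile

EXEC_RE = re.compile(
    r"^Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*[-@+!:]*(\S+)", re.M)

def is_world_writable(path):
    """True if 'others' can write the file (the find -perm -o=rw class above)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit_units(unit_dir):
    """Return {unit file: [world-writable command paths]} for every .service
    unit whose Exec* command points at a file any local user could edit."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name)) as f:
            targets = EXEC_RE.findall(f.read())
        bad = [t for t in targets if os.path.isfile(t) and is_world_writable(t)]
        if bad:
            findings[name] = bad
    return findings

def build_demo(root):
    """Constructed sample tree: one sane script, one world-writable script."""
    bin_dir, unit_dir = os.path.join(root, "bin"), os.path.join(root, "system")
    os.makedirs(bin_dir)
    os.makedirs(unit_dir)
    safe = os.path.join(bin_dir, "check-system")
    weak = os.path.join(bin_dir, "update-cache")
    for path in (safe, weak):
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # anyone can rewrite what root runs at boot
    with open(os.path.join(unit_dir, "check-system.service"), "w") as f:
        f.write("[Service]\nExecStart=%s\n" % safe)
    with open(os.path.join(unit_dir, "update-cache.service"), "w") as f:
        f.write("[Service]\nExecStart=-%s --quiet\n" % weak)
    return unit_dir, weak

def run_demo():
    """Build the sample tree, audit it, return (findings, flagged script path)."""
    with tempfile.TemporaryDirectory() as tmp:
        unit_dir, weak = build_demo(tmp)
        return audit_units(unit_dir), weak
```

On a real host, point audit_units at /etc/systemd/system and /lib/systemd/system and fix any finding by correcting ownership and mode on the flagged file.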

3. Writing a reverse shell statement

4. Rebooting to trigger it


Copyright notice
This article was created by [Plum_ Flowers_ seven]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/188/202207071752385875.html