http://blog.yutian233.xyz/index.php/archives/63/
Target machine description
Machine name: BBS (Bulletin Board System)
Level: Easy->Intermediate
flags: user, root
Description: really technical machine, if you are ready for certifications it will be a good tool to test yourself. You will find a very rare final exploit technique, which you have hardly seen before!
Author: foxlox
About VM: VirtualBox ready, the adapter is currently Bridged, DHCP active
You can contact me by email (fox at thebrain dot net) or Discord foxlox#1089
Machine hint: don't let your eyes confuse you, Try Harder!
This works better with VirtualBox rather than with VMware
Changelog
v1.0.1 - 2020-09-23
v1.0.0 - 2020-09-21
Download: https://www.vulnhub.com/entry/bbs-cute-101,567/
Checklist
- Information gathering
  - netdiscover
  - nmap
  - dirb
- Privilege escalation
  - CuteNews 2.1.2 - Remote Code Execution (CVE-2019-11447)
  - sudo -l (hping3)
Information gathering
Target IP
Port scan
nmap -sS -sV -p- 192.168.34.152
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
88/tcp open http nginx 1.14.2
110/tcp open pop3 Courier pop3d
995/tcp open ssl/pop3 Courier pop3d
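Directory scan
Browse to index.php
The version in use is CuteNews 2.1.2
Search for related vulnerabilities
Modify the exploit
The exploit builds its request URLs with CuteNews in the path
The site has no CuteNews path, so this needs to be replaced
Verify
Now get a shell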
Kali
Modify the shell.php file
Target machine
Download shell.php
Access shell.php
Got a shell
Got the user.txt flag
Getting root