A record of an anti-fraud penetration test

Today a friend suddenly told me that someone had been scammed out of 1,200 yuan while buying a mobile phone. I was shocked and, as you would expect, decided to have a go at it.

I got hold of the fraudulent website's address and opened it; it looked like this:

First, some quick information gathering (since the scammer in the chat log had returned the money to my friend, I am saving him some face for now and blurring the details):

Checking the open ports, I guessed the site was built with the Baota (BT) panel.

Port 80 was open, so I visited it:

I looked up the tutorials for the customer-service software on its official website and found that the admin backend path is /admin.

Accessing it directly, it was indeed there:

Without thinking twice, I tried admin / 123456 straight away; I did not expect it to let me in, hahaha:

The next step, of course, was getting a shell. After looking around, I found a language configuration file that could be edited directly:

I used a one-liner webshell here and got my IP blocked. Looking closer, the site actually ran Yunshield; this scammer is at least a little security-conscious, so I had to bring out my Godzilla trump card (it comes with bypass functionality built in, which is convenient):

Good grief, that is a lot of disabled functions, so let's bypass them:

In the file manager, I found that directory reads were restricted:

I used Godzilla's directory-access bypass directly:
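The two PHP-side restrictions the post describes working around (the long disable_functions list and the restricted directory reads, assumed here to be enforced by open_basedir) are at least something a site owner can audit. The following is an added example, not code from the post or from any tool it mentions: the php.ini fragments are constructed, and the set of functions expected in disable_functions is an assumption drawn from common PHP hardening guides.

```python
# Added example: audit a php.ini for disable_functions and open_basedir.
# Not code from the post; the ini samples below are constructed.

# Functions that common PHP hardening guides expect in disable_functions.
# Assumption for this example, not a list taken from the compromised host.
EXPECTED_DISABLED = {"exec", "shell_exec", "system", "passthru", "proc_open", "popen"}

# Constructed php.ini fragments: one weak, one hardened.
WEAK_INI = """
[PHP]
; only two functions disabled, no directory restriction
disable_functions = exec,system
expose_php = On
"""

HARDENED_INI = """
[PHP]
disable_functions = exec,shell_exec,system,passthru,proc_open,popen
open_basedir = "/www/wwwroot/site:/tmp"
"""


def parse_ini(text):
    """Return {key: value} for simple `key = value` lines; comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means both checks passed."""
    settings = parse_ini(text)
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if not settings.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may read any path the web user can")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or ["ok"])
```

The post shows both of these controls being bypassed once a webshell is already running, so they are defence in depth rather than a boundary; the controlling problems here were the default admin password and the configuration file that the panel let anyone logged in edit.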

Finally, while browsing the directory, I found that multiple versions of PHP were installed. I am not familiar with privilege escalation on PHP 5 (Godzilla does not apply there, haha), so after spotting PHP 7 I decided to look for other sites:

The other sites were reachable, and they all resolved to this same IP, and I finally found one running PHP 7.

I finally had a PHP 7 site, but the Linux kernel version was very new, so privilege escalation looked like it would be troublesome:

Then, as expected, Godzilla's bypass function let me execute commands:


After executing it, I obtained a low-privilege shell directly:

It is the www user, with very low privileges.

In the directory I also found a pig-butchering scam kit: Frame

It generates the scam's order-detail links with one click:

(Now everyone can see why you should not trust QQ and WeChat transactions; this kind of pig-butchering scam fools people easily.)

Finally, using the database connection details and other information I had collected, I wanted to take a look in the database, but Godzilla's database connection had a problem:

So I set up frp to reach the scammer's server:

Information gathered:

Because the www user cannot write a .so file into the MySQL plugin directory, MySQL cannot be used for privilege escalation.
sudo kept asking for the www user's password, so sudo could not be used either.
The binaries with the SUID bit set are listed below:
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/passwd
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/lib/polkit-1/polkit-agent-helper-1
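The SUID list above is the same data a defender reviews in a hardening audit: the binaries found on the host are compared against a baseline captured from a clean install of the same distribution, and anything extra is flagged. The following is an added example, not the post's code. The baseline is assumed to be the stock set (constructed here from the paths the post lists), and the `find` output reproduces that list plus one invented entry under the web root so that the report has something to show.

```python
# Added example: diff SUID binaries found on a host against a known-good baseline.
# Not code from the post. The baseline and the find output are constructed.

# Assumed stock baseline for this distribution (constructed from the post's list).
BASELINE = {
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/su", "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/sudo", "/usr/bin/crontab",
    "/usr/bin/passwd", "/usr/sbin/grub2-set-bootflag", "/usr/sbin/unix_chkpwd",
    "/usr/sbin/pam_timestamp_check", "/usr/lib/polkit-1/polkit-agent-helper-1",
}

# Constructed output of `find / -perm -4000 -type f 2>/dev/null` on the audited host.
# The final entry is invented for this example; a real audit reads this from the host.
FIND_OUTPUT = """\
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/passwd
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/lib/polkit-1/polkit-agent-helper-1
/www/wwwroot/.cache/helper
"""


def parse_find_output(text):
    """One absolute path per line; blank lines and anything that is not a path are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def audit_suid(found, baseline):
    """Return (unexpected, missing): paths outside the baseline, and baseline paths not found.

    Unexpected entries are the actionable ones; missing entries are informational
    (a stock binary removed or stripped of its SUID bit).
    """
    return sorted(found - baseline), sorted(baseline - found)


def suid_report(text, baseline=BASELINE):
    """Run the audit over raw find output and return a dict suitable for logging or alerting."""
    unexpected, missing = audit_suid(parse_find_output(text), baseline)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    report = suid_report(FIND_OUTPUT)
    for path in report["unexpected"]:
        print("SUID binary outside baseline:", path)
    for path in report["missing"]:
        print("baseline SUID binary not present:", path)
```

Run from cron with the baseline stored off-host, this turns the attacker's enumeration step into a routine check: a SUID file appearing under the web root, as in the constructed entry, is exactly the kind of change that should raise an alert, since the web user has no legitimate reason to own one.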

Finally, I used CVE-2018-18955:
https://www.freebuf.com/news/197122.html

In the end, I compiled the collected information and handed it to the police, so I did not go any further.

Source: blog.csdn.net/weixin_52501704/article/details/129958312