vulnhub-photographer


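Lab environment

Kali attack machine IP: 192.168.56.116

photographer target machine IP: 192.168.56.145

Key techniques and tools

nmap scanning

Anonymous access to the SMB service

Koken arbitrary file upload

Privilege escalation via php

Target difficulty

Easy

Starting the penetration test

The first step is a network port scan of the target machine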

nmap -A -p- 192.168.56.145


The scan shows that the target has ports 80/8000 (http), 135/445 (smb) and others open

Browsing the web service to gather usable information turns up nothing

http://192.168.56.145


Next, access the SMB service; there is a sambashare folder (anonymous access)

smbclient -L 192.168.56.145
smbclient //192.168.56.145/sambashare/

Download the files (get)


In the downloaded txt file we find the contents of an e-mail, which includes a hint:

Yours site is ready now

Don’t forget your secret,my babygirl ;)

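So the guess is that some piece of information is mybabygirl/babygirl

There is also a WordPress site backup file, but all it could offer anyway is account credentials (wp-config-sample.php)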


Moving on to port 8000; a Baidu search shows it is Koken CMS

http://192.168.56.145:8000


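Trying the admin backend, it requires logging in with an e-mail address; conveniently, the mailsent.txt from earlier contains e-mail accounts

agi@photographer.com

[email protected]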


This gives the credentials [email protected]/babygirl, and the login succeeds


On exploit-db we find a file upload vulnerability: https://www.exploit-db.com/exploits/48706


Click Library > Content > Edit > Replace original; a file upload dialog pops up, and we upload a *.php.jpg file


Intercept the request and change the file extension to php; the upload then succeeds.


Click the file to access it (/storage/originals/60/06/*.php) and start a listener


Search for SUID binaries that can be used for privilege escalation; php stands out as suspicious


Enough talk, let's get to work (https://gtfobins.github.io/gtfobins/php/)

php -r "pcntl_exec('/bin/sh',['-p']);"
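
The escalation above works only because a php binary carries the setuid bit. As an added example (not part of the original walkthrough), the following audit flags setuid script interpreters under a directory; the interpreter list, the version-suffix matching and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: flag setuid copies of script interpreters under a directory.
# INTERPRETERS is an assumed, non-exhaustive list; extend it for your fleet.
INTERPRETERS='php python perl ruby node lua sh bash dash zsh ksh awk gawk'

# Strip a trailing version so php7.2 or python3 match their family name.
interp_family() {
    printf '%s\n' "$1" | sed 's/[0-9][0-9.]*$//'
}

# Print an ls -ld line for every setuid regular file under $1 whose name
# matches an interpreter. Returns 1 if any were found, 0 if the tree is clean.
audit_suid_interpreters() {
    # -xdev stays on one filesystem; -perm -4000 selects the setuid bit.
    hits=$(find "$1" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r path; do
            family=$(interp_family "$(basename "$path")")
            for name in $INTERPRETERS; do
                if [ "$family" = "$name" ]; then
                    ls -ld "$path"
                fi
            done
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Audit the path given on the command line, e.g.: sh audit.sh /usr
if [ "$#" -gt 0 ]; then
    audit_suid_interpreters "$1"
fi
```

Clearing the bit with chmod u-s on a flagged interpreter removes this escalation path.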
