Scanning
Start with a basic nmap port scan of the target machine.
| Port | Service / version |
|---|---|
| 21 | vsftpd 3.0.3 |
| 22 | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | Apache httpd 2.4.38 ((Debian)) |
| 8088 | LiteSpeed httpd |
| 8715 | nginx 1.14.2 |
In addition, remember to use the -p- option to scan all ports on the machine, otherwise you may miss something important.
Ports 80, 8088 and 8715
I run dirsearch to try to find something, but the web server only has an index.html page with a picture of a katana.
However, there is an interesting upload form available on port 8088.
Our uploaded file is renamed to katana_shell and moved to another web service.
Port 22
I try to log in as anonymous, FTP and USER but fail. So I think there may be nothing we can do to exploit the machine here.
Shell As WWW
As found on port 8088, I upload the PHP webshell provided by Kali. Finally I find that file on port 8715 and execute it successfully.
Shell As root
Trying
Merely out of curiosity, I want to know which services are running on ports 80 and 8715, as I don't believe they are running nothing.
Surprisingly, I find a path ebook which is known to be exploitable and is running as root! So I use the method I used in FunboxEasy, but fail. This site seems to disallow me from uploading a cover.
I use ps -ef and find apache2 is running as www-data and the web upload path is created by root, so we don't have the privilege to save files to the /ebook path. Even if I upload files successfully, when I execute that file I only get a shell as www-data.
Then I move to /opt/manager/html and find there is actually nothing there except the files I uploaded.
Privilege Escalation
I use getcap to look for binaries with file capabilities that can act like SUID:
```
/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
```
Then I use the PoC for python from GTFOBins (cap_setuid lets the interpreter call setuid(0) itself):
```
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
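From the defender's side, the same getcap output is what a hardening audit should parse. The following added script (my example, not part of the original writeup) reads `getcap -r /` output, including the constructed sample below, and flags capabilities that grant an equivalent of root; it also accepts the newer libcap output format (`path cap=flags`), which goes beyond what the page shows.

```python
import re

# Capabilities that let a binary or interpreter escalate directly to root,
# e.g. cap_setuid on python allows os.setuid(0) as shown on this page.
DANGEROUS_CAPS = {
    "cap_setuid": "process can change its UID to 0",
    "cap_setgid": "process can change its GID",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read any file, e.g. /etc/shadow",
    "cap_sys_admin": "broad kernel administration rights",
    "cap_sys_ptrace": "can attach to and inject into other processes",
    "cap_chown": "can change ownership of any file",
    "cap_fowner": "bypasses owner checks on files",
}

# Constructed sample of `getcap -r / 2>/dev/null` output (old libcap format).
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/perl = cap_setuid,cap_setgid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
"""

# Old format: "/path = cap_a,cap_b+ep"; new libcap format: "/path cap_a,cap_b=ep".
LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s+=\s+|\s+)(?P<caps>\S+)$")


def parse_getcap(output):
    """Map each binary path to the list of capability names it carries."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Drop the flag suffix (+ep / =ep / +eip) and split the comma list.
        names = re.split(r"[+=]", m.group("caps"), maxsplit=1)[0]
        result[m.group("path")] = [c for c in names.split(",") if c]
    return result


def find_risky(output):
    """Return (path, capability, reason) for each dangerous capability found."""
    findings = []
    for path, caps in parse_getcap(output).items():
        for cap in caps:
            if cap in DANGEROUS_CAPS:
                findings.append((path, cap, DANGEROUS_CAPS[cap]))
    return findings


if __name__ == "__main__":
    for path, cap, why in find_risky(SAMPLE_GETCAP_OUTPUT):
        print(f"{path}: {cap} ({why})")
```

On a real host, pipe `getcap -r / 2>/dev/null` into the script instead of the sample and treat any finding on a shell, interpreter or editor as a root-equivalent misconfiguration.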