I haven't written anything about my OSCP practice for a few days, so today I decided to write two posts about what I have been doing.
Enum
Nmap showed the machine was serving SSH, a web server, SMB, and something else on port 8000.
Port 80
When I viewed the index page of the website, I found it was just a static HTML site, and there was not much for me to test. So I used dirsearch, but it also found nothing except many useless JS files.
Ports 445 & 139
I found a new SMB scanner, enum4linux, and it is easy to use.
enum4linux 192.168.248.76
It told me this SMB server could be logged into anonymously without a password. It also gave me an SMB share path.
So I used smbclient to log in and tried to find something in it.
There was a mail backup in the share path, and it showed me some important information: Daisa, daisa@photographer.com, and "my babygirl :)".
Port 8000
This was a Koken CMS, and I found a file upload exploit for it in searchsploit.
To use it, I had to find a login panel and log in.
So I used dirsearch again and found the /admin path.
Now let's start our hacking.
Shell as www
First, I used daisa@photographer.com:babygirl to log into the system and found the "import content" button mentioned in the exploit.
I uploaded a PHP shell as a .jpg and changed the extension back to .php in Burp Suite.
And I got a shell as www.
Shell as root
When I searched for SUID binaries, I found php had been given the SUID bit, so it was very easy to get a root shell.
php -r "pcntl_exec('/bin/sh', ['-p']);"
And again I got a shell as root.
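A defender-side check for the misconfiguration that gave root here, added as an example that is not part of the original post: a POSIX shell script that lists SUID files and flags any whose name is an interpreter or shell, run over a constructed sample listing (the `--live` switch, the risky-name pattern and the sample paths are my assumptions).

```shell
#!/bin/sh
# Added example: audit SUID files and flag interpreters/shells.
# An interpreter with the SUID bit set lets any local user run code as the
# file owner, which is exactly how php gave root on the box above.

# Hypothetical pattern of basenames that should never carry SUID; extend it
# to match your environment.
RISKY_PATTERN='^(php[0-9.]*|perl[0-9.]*|python[0-9.]*|ruby|sh|bash|dash|zsh|node|lua[0-9.]*)$'

# flag_suid_interpreters: reads one path per line on stdin and prints the
# ones whose basename matches RISKY_PATTERN.
flag_suid_interpreters() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=$(basename "$path")
        if printf '%s\n' "$base" | grep -Eq "$RISKY_PATTERN"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_system: enumerate real SUID files on this host and flag them.
audit_system() {
    find / -xdev -type f -perm -4000 2>/dev/null | flag_suid_interpreters
}

# Constructed sample listing, shaped like `find / -perm -4000` output,
# including a setuid php like the one found on the box.
SAMPLE_LISTING='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/php7.2
/usr/bin/chsh
/usr/local/bin/python3.8'

# count_flagged: number of risky SUID entries in the sample listing.
count_flagged() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_suid_interpreters | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    audit_system            # real audit of the current host
else
    printf '%s\n' "$SAMPLE_LISTING" | flag_suid_interpreters   # prints php7.2 and python3.8
fi
```

Anything the script prints deserves a look: either drop the SUID bit (`chmod u-s`) or document why that binary must keep it.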
After root
When I viewed port 8000, it took more than 30 seconds to open one page because the site used Google APIs to speed up loading. However, I cannot reach Google from China. If you have the same problem, I suggest using justjavac/ReplaceGoogleCDN: a Chrome extension that replaces the Google CDN with domestic mirrors (github.com).