Katana:1 PGP Workthrought
考慮了很久,還是決定把英文的報告放上來供大家加參考,畢竟參加OSCP證明是需要英文報告的,不練習(xí)英文確實過不了,以后大部份報告會以英文報告形式發(fā)出,不會有難詞,都是簡單詞,有小學(xué)水平就能看懂 ,如果有懂英文的碼友,非常歡迎指出我的語法錯誤
Scanning
Using?nmap?to begin with basic port scanning on the target machine .
| 21 | vsftpd 3.0.3 |
| 22 | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | Apache httpd 2.4.38 ((Debian)) |
| 8088 | LiteSpeed httpd |
| 8715 | nginx 1.14.2 |
In addition , remeber to use?-p-?option to scan all the ports of the machine , if you may lost something important .
80,8088,8715 port
When I use dirseach to try toget something , but there is only a index.html page with a picture of katana in the webserver .
However , there is an interesting upload form available on port 8088 .
And our upload file has been renamed to katana_shell and moved to other webservice .
22 port
I try to log as anonymous , FTP and USER but lose . So I think there may be nothing we can do to exploit the mathine .
Shell As WWW
As we find at port 8088 , I upload a php webshell which is provide by kali . Finally find that film at port 8715 and excute it successfully .
Shell As root
Tring
Merely out of curiosity ,I want to know the service runing on the port 80 and 8715 , as I don't believe ports 80 and 8715 are running nothing .
Surperisedly, I find a path ebook which is proved exploitable and it is running as root ! So I use the way I used in FunboxEasy but lost . This site seems disallow me to upload cover .
I use ps -ef and find apache2 is running by www-data and the web upload path is created by root , so we don't have the priviledge to save files to /ebook path . Instead of that , If I upload files successfully , when I excute that file , I can just shel as www .
And then I moved to /opt/manager/html and find there is nothing actually except the files I uploaded .
Privilege Escalation
I use getcap to find some process with suid capabilities
/usr/sbin/getcap -r / 2>/dev/null /usr/bin/ping = cap_net_raw+ep /usr/bin/python2.7 = cap_setuid+epAnd I take advantage of the poc servered by?python | GTFOBins
python -c 'import os; os.setuid(0); os.system("/bin/bash")'總結(jié)
以上是生活随笔為你收集整理的Katana:1 PGP Workthrought的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 种子软件下载种子慢怎么解决
- 下一篇: iOS苹果超级签苹果分发平台企鹅:422