Date: Mar 8, 2025 → Mar 9, 2025
Tags: Nmap, Web Application Security, Shell Exploitation
Nmap

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 09:32 EST
Nmap scan report for 192.168.104.161
Host is up (0.060s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd
80/tcp open http Apache httpd 2.4.38 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open tcpwrapped
808/tcp open tcpwrapped
8888/tcp open http WSGIServer 0.1 (Python 2.7.16)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
8888 80





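Exploit it by following the instructions in the sploit found here.

dirb found this path; try the method above to see whether it returns the relevant information.

Got it: retrieved via /var/www/html/webdav/passwd.dav.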


administrant : sleepless
We can use the description in it to upload our reverse shell.

Uploaded.

Access the file and we get the reverse shell.

We are in.

Check cron: netstat is called without an absolute path, so we can create a fake file and have cron run it instead.
Create a disguised shell program.
Then upload it and place it in the target directory.

Got it.
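
The cron weakness noted above (netstat called without an absolute path) can be checked for from the defender's side. This is an added example, not part of the original notes: it audits a system-format crontab (with a user column) for commands called by bare name whose PATH search reaches a directory writable by non-root users before the real binary. The sample crontab, `/opt/scripts`, the function names and the default PATH are assumptions made for illustration.

```python
import os
import re

DEFAULT_PATH = "/usr/bin:/bin"  # assumption: Debian cron's PATH when none is set
BUILTINS = {"cd", "echo", "test", "[", "exit", "export", "true", "false", ":"}
SEPARATORS = re.compile(r"&&|\|\||;|\||(?<![>&])&")  # leaves "2>&1" intact
SAMPLE = """\
PATH=/opt/scripts:/usr/sbin:/usr/bin:/bin
* * * * * root cd /tmp && netstat -tulpn > ports.log 2>&1
*/5 * * * * root /usr/bin/uptime
"""  # constructed crontab, not taken from the target

def dir_is_unsafe(d):
    """True if d is not root-owned or is group/world-writable."""
    try:
        st = os.stat(d)
    except OSError:
        return False  # missing directory
    return st.st_uid != 0 or bool(st.st_mode & 0o022)

def bare_commands(command):
    """Command names in a cron command string that are not given as a path."""
    names = []
    for segment in SEPARATORS.split(command):
        words = [w for w in segment.split() if not re.match(r"\w+=", w)]
        if words and "/" not in words[0] and words[0] not in BUILTINS:
            names.append(words[0])
    return names

def audit_crontab(text, unsafe=dir_is_unsafe, exists=os.path.isfile):
    """Return [(line_no, command, directory)] where a planted file would run first."""
    path, findings = DEFAULT_PATH, []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        if re.match(r"\w+\s*=", line):  # environment setting, not a job
            if re.match(r"PATH\s*=", line):
                path = line.split("=", 1)[1].strip(" \"'")
            continue
        want = 3 if line.startswith("@") else 7  # schedule + user + command
        parts = line.split(None, want - 1)
        for name in bare_commands(parts[-1]) if len(parts) == want else []:
            for d in path.split(":"):
                if unsafe(d or "."):
                    findings.append((n, name, d or "."))
                    break
                if exists(os.path.join(d, name)):
                    break  # found in a root-only directory first
    return findings
```

On a real host, call `audit_crontab(open("/etc/crontab").read())`; each finding is fixed by using the absolute path in the job or by removing the writable directory from cron's PATH.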