Katana:1 PGP Walkthrough
After much deliberation, I still decided to post the English report for everyone's reference. After all, the OSCP certification requires an English report, and you really cannot pass without practising English, so from now on most reports will be published in English. There will be no difficult words, only simple ones; anyone with primary-school English can read them. If any fellow coders know English, you are very welcome to point out my grammar mistakes.
Scanning
Using nmap to begin with basic port scanning on the target machine.
| Port | Service |
|---|---|
| 21 | vsftpd 3.0.3 |
| 22 | OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) |
| 80 | Apache httpd 2.4.38 ((Debian)) |
| 8088 | LiteSpeed httpd |
| 8715 | nginx 1.14.2 |
In addition, remember to use the -p- option to scan all the ports of the machine, otherwise you may miss something important.
Ports 80, 8088, 8715
When I use dirsearch to try to get something, there is only an index.html page with a picture of a katana on the web server.
However, there is an interesting upload form available on port 8088.
And our uploaded file has been renamed to katana_shell and moved to another web service.
Port 22
I try to log in as anonymous, FTP and USER but fail. So I think there may be nothing we can do to exploit the machine.
Shell As WWW
As we found at port 8088, I upload a PHP webshell which is provided by Kali. Finally I find that file at port 8715 and execute it successfully.
Shell As root
Trying
Merely out of curiosity, I want to know the services running on ports 80 and 8715, as I don't believe ports 80 and 8715 are running nothing.
Surprisingly, I find a path ebook which is proven exploitable, and it is running as root! So I use the way I used in FunboxEasy but fail. This site seems to disallow me from uploading a cover.
I use ps -ef and find apache2 is running as www-data and the web upload path is created by root, so we don't have the privilege to save files to the /ebook path. Instead, if I upload files successfully, when I execute that file I can only get a shell as www.
And then I move to /opt/manager/html and find there is actually nothing except the files I uploaded.
Privilege Escalation
I use getcap to find binaries with capabilities set, such as setuid:
```
/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
```
And I take advantage of the PoC provided by python | GTFOBins:
```
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
Summary
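From the defender's side, the getcap check above is worth automating: the following audit script is an added example, not part of the original walkthrough, and it parses the text `getcap -r /` prints and flags binaries whose capabilities are as good as root (cap_setuid on python2.7 being the case on this box). The third sample line, in the newer getcap layout, and the list of root-equivalent capabilities are my assumptions, not something the original page shows.

```python
"""Audit `getcap -r /` output for capabilities that amount to root.

Added example, not part of the original walkthrough: parses the text getcap prints
(old "path = caps" and new "path caps" layouts) and reports binaries holding
capabilities that, on an interpreter such as /usr/bin/python2.7, equal a root shell.
"""
import re

# Capabilities a defender should never see on a general-purpose binary;
# cap_setuid is the one used in the walkthrough (list is an assumption).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}

_ENTRY = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>cap_.+)$")
_CLAUSE = re.compile(r"^((?:cap_\w+,?)+)([=+-])([eip]*)$")

def parse_getcap(text):
    """Map each path to the set of capabilities it is actually granted.
    "cap_a,cap_b+ep" grants both; a "-" clause removes; only e/p flags matter."""
    result = {}
    for line in text.splitlines():
        entry = _ENTRY.match(line.strip())
        if not entry:
            continue  # blank lines, getcap warnings, etc.
        granted = set()
        for clause in entry.group("caps").split():
            m = _CLAUSE.match(clause)
            if m and m.group(2) in "=+" and set(m.group(3)) & {"e", "p"}:
                granted.update(n for n in m.group(1).split(",") if n)
        result[entry.group("path")] = granted
    return result

def root_equivalent(text):
    """Return [(path, [dangerous caps])] sorted by path, ready to alert on."""
    hits = []
    for path, caps in sorted(parse_getcap(text).items()):
        bad = sorted(caps & ROOT_EQUIVALENT)
        if bad:
            hits.append((path, bad))
    return hits

# Constructed sample: the two lines from the walkthrough plus one line in
# the newer getcap layout (an assumption, not shown on the original page).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
"""
```

On a live host, pipe the real `getcap -r / 2>/dev/null` output into `root_equivalent()` and alert on anything it returns; ping's cap_net_raw is expected, an interpreter with cap_setuid is not.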