当前位置：网站首页>hackmyvm-hopper预排

hackmyvm-hopper预排

2022-08-02 03:59:00 【xdeclearn】

hackmyvm: hopper

Information collected to get the first shell

PORT STATE SERVICE22/tcp open ssh80/tcp open http

Full port scan, first visit the web service.
index
Use gobuster to scan the directory to find the directory advanced-search, ssrf exists here.
dirb
ssrf
The virtual machine has three users who can log in with bash, root, edward, henry.

After a simple test, remote file inclusion cannot be performed. It is estimated that curl_exec is called. For the ssrf utilization of php, please refer to SSRF in PHP^[1] to use it.But here is a bit special, there is no redis, no mysql, so the host port is probed.

#!/usr/bin/python3import requestsfor port in range(1,65535):res = requests.get('http://192.168.143.191/advanced-search/path.php?path=http://127.0.0.1:%d' % port)if len(res.text) == 0:continueelse:print('-----------------------')print('port %d\n' % port)print(res.text)print('-----------------------')

The new port obtained by scanning is 2222.
2222
Followed by directory discovery, blasting the directory, and finding the existence of the directorybackup.
backup
It was found to be a passpharse sshkey, so use john to decrypt, seeJTR (John The Ripper)'s ssh key crack record^[2], the passpharse is barcelona.
pass
Use id_rsa to log in ssh to successfully log in useredwardGet user flag.
insert image description here

Switch user

Write a PHP Trojan that bounces the shell into the /var/www/html directory, and successfully obtained the user www-data.

Check that the user has sudo privileges.
sudo
Reference GTFOBins^[3], switch to user henry (note that the environment variable export TERM=xterm needs to be set before running the program).
henry

Elevate to root

View sudo permissions for user henry.
henrysudo
This is relatively simple, change /etc/passwd.

Copy passwd to the tmp directory and replace x in the root user with a known encrypted password.
editpasswd
Then use the command [email protected]:/tmp$ sudo /usr/bin/ascii-xfr -rv /etc/passwd Write the modified passwd to /etc/passwd.Use su to successfully switch to root to get the flag.

`Reference`

[1] https://blog.csdn.net/bylfsj/article/details/105083164 [2] https://blog.csdn.net/qq_40490088/article/details/97812715 [3] https://gtfobins.github.io/

原网站版权声明
 本文为[xdeclearn]所创，转载请带上原文链接，感谢
 https://yzsam.com/2022/214/202208020322422605.html


    
        


        
边栏推荐
16.JS事件, 字符串和运算符
2. PHP variables, output, EOF, conditional statements
MySql高级 -- 约束
Xiaoyao multi-open emulator ADB driver connection
如何根据地图上的两个坐标点来确定方向
PHP的几个有趣的打开方式:从基本到变态
SQL：DDL、DML、DQL、DCL相应介绍以及演示
TypeScript 错误 error TS2469、error TS2731 解决办法
vim edit mode
IO stream, encoding table, character stream, character buffer stream



        
猜你喜欢
(3) Thinkphp6 database
ES6数组的扩展方法map、filter、reduce、fill和数组遍历for…in for…of arr.forEach
Introduction to PHP (self-study notes)
(7) 浅学 “爬虫” 过程 (概念+练习)
CTF入门之md5
(2) Thinkphp6 template engine ** tag
(1)Thinkphp6入门、安装视图、模板渲染、变量赋值
Phonebook
SQL分类、DQL（数据查询语言）、以及相应SQL查询语句演示
(4) 函数、Bug、类与对象、封装、继承、多态、拷贝
        


        
随机推荐
uniapp | 开发中遇到的兼容性问题（待续）
AES加密的各种蛋疼方式方式
16.JS事件, 字符串和运算符
Orasi: 1 vulnhub walkthrough
PHP有哪些杀手级超厉害框架或库或应用？
逍遥多开模拟器ADB驱动连接
[symfony/mailer] An elegant and easy-to-use mail library
解决 Zlibrary 卡死/找不到域名/达到限额问题,Zlibrary最新地址
IO流、 编码表、 字符流、 字符缓冲流
4.表单与输入
解决5+APP真机测试无法访问后台（同局域网）
4. The form with the input
PHP8.2 version release administrator and release plan
Scrapy爬虫遇见重定向301/302问题解决方法
13. JS output content and syntax
Alfa: 1 vulnhub walkthrough
GreenOptic: 1 vulnhub walkthrough
微信小程序开发视频加载：[渲染层网络层错误] Failed to load media
17. JS conditional statements and loops, and data type conversion
PHP 给图片添加全图水印