当前位置：网站首页>动力:2 vulnhub预排

动力:2 vulnhub预排

2022-08-02 03:59:00 【xdeclearn】

信息

Momentum2.ova (Size: 698 MB)
Download (Mirror): https://download.vulnhub.com/momentum/Momentum2.ova
Download (Torrent): https://download.vulnhub.com/momentum/Momentum2.ova.torrent ( Magnet)

Port scanning and directory scanning

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

访问80端口,没发现什么有价值的东西.
80port
于是进行目录扫描,这里使用gobuster进行目录遍历.

*  gobuster-linux-amd64 ./gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.143.183 -x php,php.bak,html,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.143.183
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,php.bak,html,txt
[+] Timeout:                 10s
===============================================================
2021/07/19 08:45:42 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1428]
/img                  (Status: 301) [Size: 316] [--> http://192.168.143.183/img/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.143.183/css/]
/ajax.php             (Status: 200) [Size: 0]                                    
/ajax.php.bak         (Status: 200) [Size: 357]                                  
/manual               (Status: 301) [Size: 319] [--> http://192.168.143.183/manual/]
/js                   (Status: 301) [Size: 315] [--> http://192.168.143.183/js/]    
/dashboard.html       (Status: 200) [Size: 513]                                     
/owls                 (Status: 301) [Size: 317] [--> http://192.168.143.183/owls/]  
/server-status        (Status: 403) [Size: 280]

访问dashboard.html,Found to file upload,Upload processing forajax.php,But it did some limit,具体查看ajax.php.bak.

    //The boss told me to add one more Upper Case letter at the end of the cookie
   if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&[email protected]&Ms'){

       //[+] Add if $_POST['secure'] == 'val1d'
        $valid_ext = array("pdf","php","txt");
   }
   else{

        $valid_ext = array("txt");
   }

   // Remember success upload returns 1

You can see upload need to add parameterssecure和cookie,但是cookieNeed to add a capital letter after traversal test,为了方便,直接使用burp的intruder模块.
intruder1
intruder2
成功实现文件上传.
upload

获取shell,root提权

curlAccess pages for reboundshell.
shell
进入/home/athena,发现了第一个flagAnd a password prompt file.

According to clew the userathena的密码myvulnerableapp*.切换到该用户,查看sudo -l.
sudo -l
看看cookie-gen.py

import random
import os
import subprocess

print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')
chars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'

seed = input("Enter the seed : ")
random.seed = seed

cookie = ''
for c in range(20):
    cookie += random.choice(chars)

print(cookie)

cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)

很简单,Directly to a command splicing reboundshell搞定,成功获取root权限.
reverse
root