HackMyVm Emma Walkthrough

Machine can be download here.


Nmap scan ports.

图片.png


Scan folders and files at port 80.

图片.png


Check robots.txt.

图片.png


Check php version.

图片.png



Google find CVE exploit.

图片.png


Use pwn code from https://github.com/neex/phuip-fpizdam.

图片.png


Get reverse shell.

图片.png

Check ports.

图片.png


Login mysql as user root  and password from robots.txt.

图片.png


Get a password for emma.

图片.png


Now we can log in  as user emma via ssh.

图片.png


sudo -l.

图片.png


In home folder, has a SUID file who.

图片.png


To get root, we need to use both gzexe and who.

Check the man page of gzexe.That means, when a compressed file runs, it will call gzip, which relies on the PATH.

图片.png


First, compress /bin/id, then make a fake gzip in /tmp and add /tmp into PATH.

图片.png


Last step, run who. We get root.

图片.png


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年12月    »
1234
567891011
12131415161718
19202122232425
262728293031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2