Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Emma Walkthrough

The machine can be downloaded here.


Scan ports with Nmap.



Scan for folders and files on port 80.



Check robots.txt.



Check the PHP version.




Search Google for a CVE exploit.



Use the exploit code from https://github.com/neex/phuip-fpizdam.



Get a reverse shell.


Check ports.



Log in to MySQL as user root with the password from robots.txt.



Get a password for emma.



Now we can log in as user emma via SSH.



sudo -l.



The home folder contains a SUID file named who.



To get root, we need to use both gzexe and who.

Check the man page of gzexe. It means that when a compressed file runs, it calls gzip, which is looked up through the PATH.



First, compress /bin/id, then make a fake gzip in /tmp and add /tmp into PATH.



Last step, run who. We get root.
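
The PATH reliance described above can be audited from the defender's side. The following is an added example, not part of the original post: it flags executables that look like gzexe wrappers and PATH entries that are empty, relative, or world-writable. The header heuristic ("#!/bin/sh", a "skip=N" line, a gzip call) and the directory list are assumptions.

```python
import os
import re
import stat

# Assumption: a gzexe wrapper starts with "#!/bin/sh", then a "skip=N" line,
# and its shell stub invokes gzip by bare name (resolved through PATH).
SKIP_LINE = re.compile(rb"skip=\d{1,3}")

def is_gzexe_wrapped(path):
    """True if the file looks like a gzexe self-extracting wrapper."""
    try:
        with open(path, "rb") as f:
            head = f.read(4096)
    except OSError:
        return False
    lines = head.split(b"\n", 2)
    return (len(lines) == 3
            and lines[0].startswith(b"#!/bin/sh")
            and SKIP_LINE.fullmatch(lines[1].strip()) is not None
            and b"gzip" in lines[2])

def find_wrapped(directories):
    """List executables in the given directories that are gzexe wrappers."""
    hits = []
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p) and os.access(p, os.X_OK) and is_gzexe_wrapped(p):
                hits.append(p)
    return hits

def risky_path_entries(path_value):
    """PATH entries that are empty, relative, or world-writable directories."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            risky.append(entry)  # empty or relative entries resolve against cwd
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            risky.append(entry)  # any local user can plant a binary here
    return risky

if __name__ == "__main__":
    # Directory list is an assumption; extend it for the host being audited.
    print("gzexe-wrapped:", find_wrapped(["/bin", "/usr/bin", "/usr/local/bin"]))
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
```

A wrapped binary that a SUID program or a sudo rule executes deserves attention, because the wrapper's gzip lookup follows the caller's PATH.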


