HackMyVm Satori Walkthrough

The machine can be downloaded here.


Scan the ports with Nmap. Three ports are open: 21, 22 and 80.



Log in to FTP as anonymous; there is an mkv file, which is of no use.



Scan port 80; this finds index.html and stream.php.



Open index.html; it looks like a YouTube downloader.


Check the source code of index.html; we notice that it calls stream.php.



Request stream.php with curl, passing an address on our own machine; it works.



Then we can try SSRF. With file:///etc/passwd, we find a user "yana".
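The defensive counterpart to this step, as an added example that is not part of the original walkthrough and not the machine's own code: a URL check that a fetch endpoint like stream.php could apply before requesting anything, sketched in Python. The allowlisted host names, the function names and the sample IP addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, ftp://, gopher:// are refused
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}  # assumed allowlist


def system_resolver(host):
    """Resolve host to a sorted list of IP strings with the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_fetch_url(url, resolver=system_resolver):
    """Return (ok, detail). On success, detail is the list of vetted IPs;
    the caller should connect to one of them directly so that a second DNS
    lookup cannot hand back a different (internal) address."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        # Blocks the "http://trusted-host@other-host/" confusion trick.
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %r" % host
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        # Loopback, RFC 1918, link-local and similar ranges are not global.
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-public address: %s" % addr
    return True, addrs
```

The check only helps if the HTTP client is also told not to follow redirects, or if every redirect target is passed through the same function.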


Try to SSH in as yana; the server only accepts key login, not password login.



Then use hydra to get yana's FTP password. (Be careful not to set the thread count too high: on my machine, if I set -t 64, hydra fails to get the right password.)



Log in to FTP as yana; the working directory is the home folder, so download .ssh/id_rsa.



Log in over SSH as yana and check the groups.



Membership of the disk group gives us the privilege to read anything on the disk. We need debugfs, which is in /usr/sbin, so add that directory to PATH.



Check the current disk, open it with debugfs, then change to /root and read the flag.


