Windy's little blog

一切生活中的杂七杂八, and I like CTF.

Vulnhub DOUBLE: 1 Walkthough

https://www.vulnhub.com/entry/double-1,632/


Scan ports opened.

图片.png


Port 8080 need auth, we don't know yet. So we start from port 80.

Check http://url/production.

图片.png


Try to send some cmd, like cmd="id", code="1", then we can see the command we input.

图片.png

Send cmd = <?php system($_GET["cmd"]); ?>, then we get error message.

图片.png

See if we can run the php code.

图片.png


Then we get reverse shell.

图片.png


We need to find the config file about port 8080.

In /etc/apache2/sites-available, we get fox.conf.

图片.png


Check the content of fox.conf, get auth file.

图片.png


Check the auth file.

图片.png


Crack it with john.

图片.png


Log in port 8080 with this creds, we get the same page like port 80 again.

图片.png


We use the method to get a reverse shell, but this time as user "fox".

图片.png


Check SUID file.

图片.png


Get root.

图片.png



发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0