Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Eyes Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Eyes


Scan ports.



Log in to FTP as anonymous and download index.php.



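Check the source code of index.php: it has a local file inclusion (LFI) vulnerability, because the fil3 parameter is passed directly to include().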

<?php
$file = $_GET['fil3'];
if(isset($file))
{
include($file);
}
else
{
print("Here my eyes...");
}
?>
<!--Monica's eyes-->

Check which log files can be included. Because the FTP service is running, the FTP log may be includable.

$ wfuzz -w /usr/share/wordlists/logfiles.txt '192.168.56.97/index.php?fil3=FUZZ' 
...                           
000000033:   200        1 L      2 W        21 Ch       "/var/log/auth"                                      
000000031:   200        5 L      53 W       398 Ch      "/var/log/vsftpd.log"                                
000000030:   200        1 L      2 W        21 Ch       "/var/log/error.log"


OK, vsftpd.log can be included, so we can log in to FTP using shell code as the username.



Check if the shell code runs OK.



Then we can get a reverse shell as www-data.



Because there is only one user, "monica", we search for files belonging to this user.



In /opt, we noticed a file named "ls".



Check the source code: it has a stack overflow vulnerability.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
int main(void)
{
 char command[100];
 char ls[50]="/usr/bin/ls";
 char name[50];
 printf("Enter your name:");
 gets(name);
 strcpy(command,ls);
 setuid(1000);
 setgid(1000);
 printf("Hi %s, Im executing ls\n Output:\n",name);
 system(command);
}



We need to input a long name, which overflows the name buffer and overwrites "/usr/bin/ls" with "bash". Then we become user monica.
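A hardened form of the /opt/ls helper, added here as an example (it is not the VM author's code): input is read with a length bound instead of gets(), and the program path is a fixed argument to execve() rather than a stack buffer handed to system(). The helper name read_name and the PATH value are assumptions of this example; the uid/gid 1000 and /usr/bin/ls come from the program above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Bounded replacement for gets(name): stores at most size-1 bytes,
 * strips the newline and discards the rest of an over-long line.
 * Returns 0 on success, 1 if the input was truncated, -1 on EOF/error. */
int read_name(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
        return 0;
    }
    int c, truncated = 0;          /* no newline yet: drain the line */
    while ((c = fgetc(in)) != '\n' && c != EOF)
        truncated = 1;
    return truncated;
}

int main(void)
{
    char name[50];
    /* Fixed program path and argv: no buffer that input can reach decides
     * what runs, and no shell parses a command string. */
    static char *const ls_argv[] = { "ls", NULL };
    static char *const ls_envp[] = { "PATH=/usr/bin:/bin", NULL };

    printf("Enter your name:");
    fflush(stdout);
    if (read_name(stdin, name, sizeof name) < 0)
        return 1;
    /* Drop the group first, then the user, and check both results
     * (uid/gid 1000 are the values used in the page's program). */
    if (setgid(1000) != 0 || setuid(1000) != 0) {
        perror("drop privileges");
        return 1;
    }
    printf("Hi %s, Im executing ls\n Output:\n", name);
    fflush(stdout);
    execve("/usr/bin/ls", ls_argv, ls_envp);
    perror("execve");              /* reached only if execve failed */
    return 1;
}
```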



Check sudo.



Use bzip2 to compress /root/.ssh/id_rsa and decompress it, then log in over SSH as root. (Or we can read root.txt directly.)



At last, we are root.
