Scan
nmap
Recently I have been thinking that something may be wrong: nmap has always been slow at finding the open ports, and even after I had a shell from the web, it still told me nothing.
The scanner report will be shown here; if it is not, it means I did the testing blindly.
| PORT | STATE | SERVICE |
|---|---|---|
| 22/tcp | open | ssh |
| 80/tcp | open | http |
| 2112/tcp | open | ftp |
80 port
Without an nmap report, I guessed there might be a website, so I tried port 80 and found it.
A sexy potato. Now I know the meaning of the machine name.
Then I used dirsearch to find more useful pages.
Using the default wordlist, an "admin" page was found. When I opened it, it showed a simple login panel.
But I did not know the username of the login panel. Without the exact username, I might have needed thousands of hours to get the password because of the limited VPN speed :(
So I turned to searching for other documents that would tell me the username of the panel.
I easily found them in the /admin/logs directory. They showed some logs about the user admin changing the password and rebooting the machine.
Operation: reboot the server
Date: January 09, 2020 / 9:55 a.m.
User: admin
Status: OK
So now we have the username.
22 port
When I tried to log in to the FTP service as anonymous without a password, I succeeded.
And I found an interesting .bak of index.php, so I downloaded it. When I cat index.php.bak, it gave me the password of admin, and the PHP file uses the strcmp function, so I had some ideas about it.
Shell As WWW
First, I used the password given by the .bak file, and it absolutely failed. Then I thought maybe there was a weak password, so I used hydra with rockyou.txt to try to crack the password; however, it still had not given me the password even by the time I got a root shell.
So I tried the vulnerability of the PHP strcmp function. I captured the POST request of the login panel with Burp Suite and changed the data type of the password from string to array,
like this.
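The strcmp() weakness the writeup exploits, shown beside a hardened login check, as an added PHP example (not the machine's own index.php; ADMIN_PASS is an assumed placeholder, not the real credential):

```php
<?php
// Added example, not the machine's own index.php. The credential below is
// an assumed placeholder; the real password from the writeup is not used.
const ADMIN_USER = 'admin';
const ADMIN_PASS = 'placeholder-not-the-real-password'; // assumed
$adminHash = password_hash(ADMIN_PASS, PASSWORD_DEFAULT);

// The weak pattern: strcmp() against a plaintext password with loose "== 0".
// On PHP 7, strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true, so a body of username=admin&password[]=x passes.
// On PHP 8, strcmp() throws a TypeError instead (an unhandled crash,
// still not a correct rejection).
function weak_login(array $post): bool
{
    if (($post['username'] ?? '') !== ADMIN_USER) {
        return false;
    }
    return strcmp($post['password'] ?? '', ADMIN_PASS) == 0;
}

// The hardened check: reject non-string input before any comparison,
// compare the username in constant time, and verify a password hash
// instead of a stored plaintext.
function safe_login(array $post, string $hash): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // array, int or missing field: no type juggling possible
    }
    if (!hash_equals(ADMIN_USER, $user)) {
        return false;
    }
    return password_verify($pass, $hash);
}

// Constructed request bodies: a wrong guess, and the tampered array form.
$guess    = ['username' => 'admin', 'password' => 'wrong-guess'];
$tampered = ['username' => 'admin', 'password' => ['x']];

try {
    echo 'weak_login(tampered): ', var_export(weak_login($tampered), true), PHP_EOL;
} catch (TypeError $e) {
    echo 'weak_login(tampered): TypeError on PHP 8', PHP_EOL;
}
echo 'safe_login(tampered): ', var_export(safe_login($tampered, $adminHash), true), PHP_EOL;
echo 'safe_login(guess):    ', var_export(safe_login($guess, $adminHash), true), PHP_EOL;
```

In a log review, a login request whose password parameter arrives as an array (`password[]=`) is itself a useful indicator of this tampering.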
With some difficulty, I finally logged in to the management panel. The panel had only several functions. As usual, I thought the vulnerability would be in the ping function.
But when I captured the request for "get the logs", I knew there must be an LFI.
So I retrieved /etc/passwd instead of log01.
In addition, after a few tries I found that we have to add more than four ../ to the file path.
Next, I saved the hash of webadmin's password into a local file "1" and used john to crack webadmin's password.
After several seconds I got webadmin's password.
Now I can log in to the machine via SSH as webadmin:dragon.
Shell as Root
It is easy to escalate privileges if you understand exactly what the sudo -l output means.
But my understanding of the text was a bit off: initially I read nice and notes/* as two separate commands... LoL
We can just use the same trick as with the LFI: adding ../ lets us run any file on the system.
So I just wrote something to a shell file and used nice to execute it, and I got a root shell.

```bash
echo "/bin/bash" > /home/webadmin/shell.sh
chmod +x /home/webadmin/shell.sh
sudo /bin/nice /notes/../../home/webadmin/shell.sh
```
After root
My hydra ran for 3 hours and got nothing. I was interested in how complex the password of the login panel is, so I cat /var/www/html/admin/index.php
... Maybe I should give up cracking "weak" passwords sometimes.
And I found another thing: when I cat the shadow file, I found that root cannot log in, so we can only use a reverse shell to get a root shell.