VulnHub target machine-VulnOs-2

Others 2021-02-27 16:57:32 views: null

VulnHub target machine-VulnOs-2

Download: https: //www.vulnhub.com/entry/vulnos-2,147/
After downloading drone opened under VirtualBox, network card configured for bridging
mission: provide the right to obtain the flag and
attack aircraft: kali linux 192.168.8.108
drone: 192.168.8.107

Article Directory

1. Information collection

First, nmap detects the surviving target machine
Command: nmap -sP 192.168.8.0/24
Insert picture description here
Get the target machine IP: 192.168.8.107
Scan the open port of the target machine
Command nmap -sV
Insert picture description here-p- 192.168.8.107 Scan out ports 22, 80, 6667, corresponding services Respectively ssh, http and irc
visited the web to
Insert picture description hereview the source code and found no useful information. The web page prompts us to visit the purple connection, get the root of the system and read the final flag.
Insert picture description hereAfter browsing the entire site, I finally found the hidden prompt in the source code of the Documentation page.
Insert picture description hereOriginally, the font color was changed to black. If you select this font on the Documentation page, you can also see the prompt
Insert picture description here. Let us visit /jabcd0cs/
Insert picture description hereOpenDocMan 1.2.7. It is a document management system. Use searchsploit to search for vulnerabilities in
Insert picture description herethe system and download 32075.txt to
Insert picture description hereopen it for viewing
Insert picture description here

Second, right escalation

There is SQL injection
using payload: http://192.168.8.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION SELECT 1,version(),3,4,5,6,7,8,9
Insert picture description herecan be seen The version information is displayed in the red box to prove that the vulnerability is available. Just throw the sqlmap directly. Here I will not check the database step by step. Directly post the command of the last step
: sqlmap -u "http://192.168.8.107/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --risk 3 --level 3 -p add_value -D jabcd0cs -T odm_user -C username,password --dump The
Insert picture description heretwo passwords are encrypted by md5. After decryption, the password for webmin is webmin1980, and the password for guest is guest.

First log in with the webmin user to log in to ssh
Insert picture description here
successfully, check the kernel version,
Insert picture description hereuse searchsploit to search for the kernel's exp,
Insert picture description heredownload the exp, pass it to the target
Insert picture description hereInsert picture description heremachine, compile 37292.c on the target machine and execute
Insert picture description hereit successfully, get root permission, enter the root directory and get the flag successfully
Insert picture description here

Guess you like

Origin blog.csdn.net/Slow_/article/details/114022061
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com