Vulnhub: BREAKOUT Drone

1. Information collection

Scan for open ports

Access port 80

10000 port:

Webmin: a web-based tool for administering a Unix-like system. It can configure operating-system internals such as users, disk quotas, services and configuration files, and can also manage and control open-source applications, which makes system administration convenient.

Port 20000 is also a login page

Scan for directory information

Visit the home page directory and view the source code of the home page

Discover encoded content. The Brainfuck language uses eight symbols, > < + - . , [ and ], in place of the grammar and commands of the C language

It can be decoded here: https://www.splitbrain.org/services/ook

Note it down; it is possibly a password.
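Because the decoder above is a web service, here is an added example (not code from the original write-up) of decoding the same material offline: a small Brainfuck interpreter with a bracket matcher, a step limit so a malformed program cannot hang the analyst's machine, plus a converter for the Ook! spelling of the same eight commands. The sample programs are constructed for this example, not the blob from the challenge page.

```python
# Added example, not from the original write-up: a minimal Brainfuck
# interpreter so an encoded blob from a page source can be decoded
# offline. Ook! is the same language with each command written as a
# pair of "Ook." / "Ook?" / "Ook!" tokens, so it is mapped first.
from typing import Dict

# Standard Ook! pair -> Brainfuck command mapping.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}


def ook_to_bf(src: str) -> str:
    """Translate an Ook! program into Brainfuck."""
    toks = src.split()
    if len(toks) % 2:
        raise ValueError("Ook! program must have an even number of tokens")
    return "".join(OOK_TO_BF[(toks[i], toks[i + 1])] for i in range(0, len(toks), 2))


def _match_brackets(code: str) -> Dict[int, int]:
    """Return a map from every '[' to its ']' and back; reject unbalanced code."""
    stack, pairs = [], {}
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_bf(code: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Execute Brainfuck and return its output as text (8-bit wrapping cells)."""
    code = "".join(c for c in code if c in "<>+-.,[]")  # drop non-command chars
    jumps = _match_brackets(code)
    tape = bytearray(30000)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (possible infinite loop)")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0  # EOF reads as 0
            inp += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer moved outside the tape")
        pc += 1
    return out.decode("latin-1")


# Constructed sample: cell1 = 8*9 = 72 ('H'), cell2 = 8*13 + 1 = 105 ('i').
SAMPLE_BF = "++++++++[>+++++++++>+++++++++++++<<-]>.>+."

if __name__ == "__main__":
    print(run_bf(SAMPLE_BF))  # Hi
```

Paste the blob from the page source in place of SAMPLE_BF; anything that is not one of the eight command characters is ignored, so surrounding HTML whitespace does no harm.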

2. Vulnerability attack

The ports found earlier, 10000 and 20000, are reachable

  1. Try weak-password brute-forcing first; it fails;
  2. Analysis shows it is the Webmin management system, and vulnerability information for this CMS can be found (mixed and not targeted); keep it for now

Then analyze the scan results and find that another port runs an SMB service

SMB is a protocol for network connections and communication between a client and a server. Through SMB, a client application can read and write files on the server across various network environments and request services from the server program.

Enum4linux is a tool for enumerating SMB services on Windows and Linux systems, and can discover the following:

  1. Domain and group membership
  2. User list
  3. Shares (drives and folders) on the device
  4. Password policy on the target
  5. Operating system of the remote target

Try to log in to Webmin with the enumerated user and the decoded password

Port 20000 accepts the login

Look at the features available to the user and find the command shell icon

Click into the shell, view files, check permissions, and get a reverse shell

3. Privilege escalation

Whenever you see a copy of a system binary, check its file capabilities and look for SUID programs.

Query the capabilities of the tar file in the current directory: getcap tar

tar has cap_dac_read_search=ep; this capability bypasses file read and directory search permission checks, so the binary can read any file

A password backup file is found, but the current user has no permission on it

Use tar to archive it and then extract the archive; the extracted copy has no permission problem, because tar reads the source with cap_dac_read_search
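From the defender's side, the lesson of this step is that a stray binary with a file capability is as dangerous as a SUID root binary and should be found by routine auditing. The following added example (not code from the original write-up) decodes the raw security.capability extended attribute that the kernel stores on such a file, which is exactly the data getcap prints, and flags capability sets that bypass discretionary access control. The constants come from linux/capability.h; the two sample attribute values are constructed for this example, with the first one corresponding to the "cap_dac_read_search=ep" seen on tar.

```python
# Added example, not from the original write-up: decode the
# security.capability xattr (struct vfs_cap_data, little-endian) and
# report capabilities that let a binary bypass DAC or reach root.
import os
import struct
from typing import Dict, List

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000       # revision 3 appends a rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x000001    # the "e" in "=ep"

# Capability numbers from linux/capability.h (subset relevant to an audit).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
    13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    31: "cap_setfcap",
}
# Capabilities that bypass permission checks or lead straight to root.
HIGH_RISK = {"cap_dac_override", "cap_dac_read_search", "cap_fowner",
             "cap_setuid", "cap_setgid", "cap_setfcap", "cap_sys_admin",
             "cap_sys_ptrace"}


def _cap_names(bits: int) -> List[str]:
    return [CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if (bits >> i) & 1]


def decode_vfs_cap(raw: bytes) -> Dict[str, object]:
    """Parse the raw xattr into named permitted/inheritable sets and flags."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    rootid = None
    if rev == VFS_CAP_REVISION_2 and len(raw) >= 20:
        p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
    elif rev == VFS_CAP_REVISION_3 and len(raw) >= 24:
        p0, i0, p1, i1, rootid = struct.unpack_from("<IIIII", raw, 4)
    else:
        raise ValueError(f"unsupported security.capability layout (magic 0x{magic:08x})")
    return {
        "permitted": _cap_names(p0 | (p1 << 32)),
        "inheritable": _cap_names(i0 | (i1 << 32)),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def getcap_style(info: Dict[str, object]) -> str:
    """Approximate getcap(8) text form; exact when the permitted and
    inheritable sets are identical or one of them is empty."""
    caps = sorted(set(info["permitted"]) | set(info["inheritable"]))
    flags = (("e" if info["effective"] else "")
             + ("i" if info["inheritable"] else "")
             + ("p" if info["permitted"] else ""))
    return ",".join(caps) + "=" + flags


def high_risk_caps(info: Dict[str, object]) -> List[str]:
    """High-risk capabilities present in the permitted set."""
    return sorted(HIGH_RISK & set(info["permitted"]))


def scan_file_caps(root: str) -> List[Dict[str, object]]:
    """Walk `root` and report every file carrying file capabilities
    (the same ground covered by `getcap -r root`). Linux only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):
                continue  # no xattr, unreadable, or not a Linux host
            info = decode_vfs_cap(raw)
            info["path"] = path
            info["high_risk"] = high_risk_caps(info)
            findings.append(info)
    return findings


# Constructed samples. First: revision 2, effective flag set, only bit 2
# (CAP_DAC_READ_SEARCH) permitted -> what getcap shows as "=ep".
SAMPLE_TAR_CAP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                             1 << 2, 0, 0, 0)
# Second: revision 3, cap_setuid permitted and inheritable, not effective,
# rootid 1000 (a capability scoped to a user namespace).
SAMPLE_SETUID_CAP_V3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3,
                                   1 << 7, 1 << 7, 0, 0, 1000)

if __name__ == "__main__":
    info = decode_vfs_cap(SAMPLE_TAR_CAP)
    print(getcap_style(info), high_risk_caps(info))
    for f in scan_file_caps("/usr/bin"):
        print(f["path"], getcap_style(f), f["high_risk"])
```

Run scan_file_caps over the filesystem roots you care about and diff the output against a known-good baseline; a copy of tar, or any binary outside the package manager's inventory, carrying one of the high-risk capabilities is the finding this write-up's escalation depends on.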

Get the backed-up password and switch to the root user

Privilege escalation succeeds and the flag is obtained

Origin blog.csdn.net/qq_63283137/article/details/127249981