**
VulnHub-hackNos: Os-hackNos-3-Walkthrough
**
Drone address: https: //www.vulnhub.com/entry/hacknos-os-hacknos-3,410/
drone Difficulty: Easy + Intermediate (CTF)
drone Release Date: December 14, 2019
drone Description:
Difficulty : Intermediate
Flag: Flag 2 at The First And the User SECOND, root
Learning: the Application Web | Enumeration | Privilege Escalation
Web-Site: www.hacknos.com
Business Card-US: @rahul_gehlaut
This May Work with VirtualBox The Rather Within last of Better VMware
author: Dayu
time : 2020-02-09
Note: for all these computers, I've downloaded using a computer running VMware. I will use Kali Linux as a solution to the attacker's machine the CTF. Here the use of technology for learning for educational purposes only, if the technology is listed for any other goal, I will not be responsible.
First, information collection
We need to identify targets in the VM's IP address, use nmap to obtain the destination IP address:
We've found the CTF target computer IP address: 192.168.56.145
nmap found in 22 and 80 port is open ... you can see nmap were found in 80 port exists websec ...
access websec ...
did not find here other plug-ins can use ... there is only mailboxes and contacts ... [email protected]
I discovered heard, found in the admin login page ...
command: cewl http://192.168.56.145/websec -d 2 -w dayu.txt
use cewl word list generator create a short list of words ... and then blasting ...
here use burpsuite and hardy blasting there were minor problems ... here are waf have been restricted, only one minute and try again ...
after I found the manual test password is: Securityx
successful landing ...
Second, the right to mention
找到了可写入的反向shell地方…
将反向shell复制进去,然后save保存,在点下save即可获得低权…
获得第一个flag…
分析下… 使用脚本:LinEnum.sh或者linuxprivchecker.py
试了几种方法都没成功…跳过…
在local目录下发现数据库文件…fackespreadsheet这是说上面是电子表格编码…谷歌搜索…
进来后选择fackespreadsheet解码即可…
Security@x@
成功利用电子解码获得的密码登陆到blackdevil用户…
发现很多命令都可以提权…
直接最简单的提权,获得了root权限并查看了第二个flag…
肯定还有很多提权的方法…听说还可以使用cpulimit提权…还可以用docker run -v /:/hostOS -i -t rootplease提权…或者参考
除了这些…是不是在web渗透还有别的没发现的信息呢???
由于我们已经成功得到root权限查看flag,因此完成了简单靶机,希望你们喜欢这台机器,请继续关注大余后期会有更多具有挑战性的机器,一起练习学习。
如果你有其他的方法,欢迎留言。要是有写错了的地方,请你一定要告诉我。要是你觉得这篇博客写的还不错,欢迎分享给身边的人。
