Title: A penetration test for a spinach website

A 0-day for a "spinach" (gambling) site, passed on by a "big brother": an arbitrary file upload. Uploading a file yields a webshell, and a port scan shows that the Baota (pagoda) panel is running on the server.

Then the following problem arose.

Use Godzilla's bypass plugin to execute commands.

The user is www, the default user of Baota. The next steps are routine: escalate privileges and log in to Baota.

Privilege escalation comes first: upload the "escalation cow" tool and see which privilege-escalation exploits can be used.

After running it, CVE-2021-4034 is chosen for the privilege escalation. First, the EXP file is uploaded to the spinach server.

Get a reverse shell, then enter the exp folder, compile the exploit and run it to obtain root privileges.

After obtaining root privileges, the remaining work is simply to create an account and grant it privileges. The reverse shell cannot run vim, so the passwd file is saved locally and the third column of the new entry is set to 0, so that logging in with that account afterwards gives root.

The account created is ftpp. The edited file is saved as passwd and uploaded to the web directory. Using the root privileges from the escalation, the existing passwd is deleted first and the uploaded file is then copied into place.

Because this server has a Baota control panel, first enter /www/server/panel/data. This folder contains a default.db file, which is the Baota configuration data file. Save it locally, modify the Baota password in it and log in. Remember to restore the db data file when finished, so that his password is the original password again.

Then change the password and log in.

After logging in, the complete information of the site is visible, as well as the database password, the web directory and his mobile phone number. The phone number shows only the first three and last four digits; the middle four are masked with *. The earlier method of looking up the mobile phone number no longer works. In fact, this is far enough: just hand it over to the police to arrest the person.

Reprinted from the original link: https://mp.weixin.qq.com/s/iUipOa4BI8mCBJ7o2QgJrA
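
From the defender's side, the passwd change described above (an added account whose third field is 0, in a file that was deleted and replaced) shows up when /etc/passwd is compared with a known-good copy. The following is an added example, not part of the original post; the baseline and current contents are constructed samples and the function names are illustrative.

```python
# Added example: audit passwd content against a known-good baseline (constructed samples below).

BASELINE = """\
root:x:0:0:root:/root:/bin/bash
www:x:1000:1000::/home/www:/sbin/nologin
mysql:x:1001:1001::/home/mysql:/sbin/nologin
"""

CURRENT = """\
root:x:0:0:root:/root:/bin/bash
www:x:1000:1000::/home/www:/sbin/nologin
mysql:x:1001:1001::/home/mysql:/sbin/nologin
ftpp:x:0:1002::/home/ftpp:/bin/bash
"""

def parse_passwd(text):
    """Return {name: (uid, gid, shell)}; malformed lines map to (None, None, None)."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            accounts[fields[0]] = (None, None, None)
            continue
        accounts[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return accounts

def audit(current_text, baseline_text):
    """Return sorted (account, finding) pairs worth an analyst's attention."""
    cur, base = parse_passwd(current_text), parse_passwd(baseline_text)
    findings = []
    for name, (uid, gid, shell) in cur.items():
        if uid is None:
            findings.append((name, "malformed entry"))
            continue
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 on a non-root account"))
        if name not in base:
            findings.append((name, "account not in baseline"))
        elif base[name] != (uid, gid, shell):
            findings.append((name, "uid/gid/shell differs from baseline"))
    for name in base.keys() - cur.keys():
        findings.append((name, "account removed since baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(CURRENT, BASELINE):
        print(f"{name}: {finding}")
```

Keeping the baseline off the host matters here, since an attacker with root can overwrite any copy stored on the same server.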
