当前位置:网站首页>hackmyvm: again walkthrough

hackmyvm: again walkthrough

2022-08-02 03:59:00 xdeclearn

1. 命令执行获取shell

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

访问web,Get username and hint.
hint
下载 upload.bck.

<?php
if (!isset($_FILES["myFile"])) {
    
    die("There is no file to upload.");
}

$filepath = $_FILES['myFile']['tmp_name'];
$fileSize = filesize($filepath);
$fileinfo = finfo_open(FILEINFO_MIME_TYPE);
$filetype = finfo_file($fileinfo, $filepath);

if ($fileSize === 0) {
    
    die("The file is empty.");
}

$allowedTypes = [
   'image/jpeg' => 'jpg',
   'text/plain' => 'txt'
];

if (!in_array($filetype, array_keys($allowedTypes))) {
    
echo $filetype;
    die("File not allowed.");
}

$filename = basename($filepath);
$extension = $allowedTypes[$filetype];
$newFilepath = $_FILES['myFile']['name'];
if (!copy($filepath, $newFilepath)) {
    
    die("Can't move file.");
}

$blacklistchars = '"%\'*|$;^`{}~\\#=&';
if (preg_match('/[' . $blacklistchars . ']/', $newFilepath)) {
    
echo ("No valid character detected");
exit();
}

if ($filetype === "image/jpeg"){
    
echo $newFilepath;
$myfile = fopen("outputimage.php", "w") or die("Unable to open file!");
$command = "base64 ".$newFilepath;
$output = shell_exec($command);
unlink($newFilepath);
echo "File uploaded";
$lol = '<img src="data:image/png;base64,'.$output.'" alt="Happy" />';
fwrite($myfile, $lol);
}

else{
    
$myfile2 = fopen("outputtext.txt", "w") or die("Unable to open file!");
$command = "cat ".$newFilepath;
$output = shell_exec($command);
unlink($newFilepath);
echo "File uploaded";
fwrite($myfile2, $output);
}
?>

The exploitation process is a two-step process:

  1. 利用txt上传一段base64编码的php反弹shell.
base64 phpreverseshell.php > tmp.txt

Upload via the upload pagetxt.
tmptxt

  1. 利用上传jpg图片利用base64 -ddecode uploadtxt写入shell,并访问.
    uploadjpg
    成功获取shell.
    shell

2. 提权

运行getcap查看特殊文件,发现php7.4具有cap_fowner权限.
getcap
修改/etc/passwd权限,将root:x:****改为root::****,成功切换至root.
passwd
root

[email protected]:/tmp$ su - root
su - root
[email protected]:~# ls -all
ls -all
total 28
drwx------  3 root root 4096 Oct 12 17:36 .
drwxr-xr-x 18 root root 4096 Oct 11 07:33 ..
-rw-------  1 root root  155 Oct 12 17:36 .bash_history
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Oct 11 07:38 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-------  1 root root   25 Oct 11 07:41 r00t.txt
[email protected]:~#
原网站

版权声明
本文为[xdeclearn]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/214/202208020322422149.html

边栏推荐

猜你喜欢

随机推荐