Aquaboutic | Focus Security Research | Vulnerability Exploit | POC



Posted by bax at 2020-03-15


Recently I have been working through all kinds of target machines (boot2root VMs), and whenever I meet an interesting one I write up the approach and the steps, both to share and to keep a record. A target machine often reproduces a scenario its designer ran into during a real penetration test, so it may well come in handy in your own engagements later. In this exercise root on the target host was obtained. (If conditions allow, try building and attacking it yourself first, and only then read this article!)

Preparation environment

Target IP:
Attack host IP:
Target download address: ﹣ nzfnajgpevw

Practical operation

Nmap leads the way: the scan shows three open ports on the target, 21, 22 and 80. The first step is to start with port 21 and connect to the FTP service directly. It turns out to allow anonymous login, so we can read it without any credentials and pull down a file named "user.txt.bk".

The name alone tells you it contains a list of user names.

Next, back to port 80. Visiting the HTTP page directly yields nothing. Running a directory brute-forcing tool, and then reading robots.txt, gives the directory "/backup_wordpress"; the name tells you the site runs the WordPress framework.

I'm sure everyone will reach for wpscan without hesitation. I did the same, but found no exploitable vulnerability. (At the time the wpscan shipped with Kali was still 2.9.3; it asks you to update when it starts, but the update never succeeds. Download the new version from GitHub instead: uninstall 2.9 first, then the new wpscan works fine.) No screenshots for this part!

Then I remembered the user list found on FTP earlier and turned to the most tedious option: brute force. Combining it with the information on the web pages, I picked the user "John", loaded a wordlist and let the Hydra workhorse run. The command was shown in a screenshot that is not reproduced here (I'm lazy and won't retype it). You can of course also run the attack with Burp; a higher thread count is faster. (If you have more time you can run all the user names against the wordlist, but keep the thread count modest, because the target VM cannot take much load.)

The cracked credentials: John / Enigma. The next step is obviously to get a shell, which is straightforward, so I won't show it here; you can also do it directly with MSF. To keep things visual I used a web shell this time. Now some of you will say that privilege escalation from here is trivial. I thought so too, and then uploaded exploits one after another, and not a single one succeeded!!! I started to doubt myself and could only search for information bit by bit. In the end I found that we have write permission on the "cleanup" file in the "/usr/local/bin/" directory.

Looking at its contents, the first line is the '/bin/sh' shebang, and the description says it is a script used to clean up logs, so it must run with enough privileges to delete those damn logs!! So the final idea: generate a reverse shell, replace the file's contents with it, and let the system execute it. Step one, generate the reverse shell (some may ask why Python: because we saw python2.7 under '/usr/local/lib'). Step two, start an nc listener on the attacking machine to catch the shell. Step three, upload the shell into the file and confirm by viewing it. (The screenshots for these steps are not reproduced here.)

Everything is ready; now the file has to be triggered. How? It is actually very simple: we only need to look at the file. The command: cat /usr/local/bin/cleanup. After a while our shell comes in. Strictly speaking, cat only displays the file and executes nothing; what actually runs it is the scheduled job on the system that executes this log-cleanup script as root, which is why the shell arrives "after a while" rather than immediately. We have it. The last step is root, and we grab the flag:


To sum up: the first part of this target machine is fairly flat; apart from the time-consuming and tedious password brute-forcing, the rest is straightforward. The final privilege-escalation part is the real point of this article, and it is something you may meet in a real penetration test. I hope that when you do, you remember this article and take root successfully. When escalating privileges, don't be afraid to read more and look around more!

Finally, to borrow the line from the target machine's introduction: Happy hacking!


You will also have seen that flag.txt says there may be other ways to escalate privileges on this target. Did you find one? MySQL, for example.

Thank you for reading. If anything here is wrong, corrections are welcome!