banner
[面包]MrTwoC

[面包]MrTwoC

你好,欢迎来到这个基于区块链的个人博客 名字:面包 / MrTwoc 爱好:跑步(5/10KM)、咖啡、游戏(MMORPG、FPS、Minecraft、Warframe) 兴趣方向:Rust、区块链、网络安全、量子信息(量子计算)、游戏设计与开发
bilibili
steam
email
github

[Memory Simulation Penetration]-HackTheBox-Tier2 _ Oopsie - 2

image.png
Using nmap to scan
Found port 80 open for http
Opened the webpage

image.png
Found not much there
Opened F12 and saw a login-like address

image.png

After opening, it really is...
image.png
Try
admin'# Invalid

image.png
Logged in using guest account
Success;
image.png

Tried file upload, found that admin account is needed
image.png

In Account found information, discovered the address bar ID=2
image.png
After changing id to 1, found admin related information
image.png
After searching, saw in F12 that cookie can be modified to change the information to admin's information
image.png

image.png

Visited file upload again, passed
image.png

Generated shell, modified the IP and port to my listening port, and uploaded
image.png
image.png

image.png
Next, listen on the port set in the file earlier
image.png

Used gobuster for directory brute-forcing
image.png
image.png

Here I got a shell after the reverse shell, but this shell
image.png

python3 opens a pseudo terminal

image.png

Saw information under /etc/passwd
image.png

Obtained the ordinary user key
image.png

www-data@oopsie:/home/robert$ cat user.txt
cat user.txt
f2c74ee8db7983851ab2a96a44eb7981

In the db.php found user password
image.png
www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
cat db.php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

Switched to robert account
image.png

export PATH=/tmp:$PATH // Set /tmp directory as environment variable
cd /tmp/ // Switch to /tmp directory
echo '/bin/sh' > cat // Construct a malicious cat command here
chmod +x cat // Grant execute permission

Using the above command, successfully escalated to ROOT
image.png

Because we modified the environment variable, the cat called is malicious, so we can't view the file. Here we use the tac command to view. tac outputs the lines in reverse order and does not reverse each character of a sentence, so we can directly use tac to view.

==================================================

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.