Praying: 1 vulnhub walkthrough

原创

于 2020-11-26 21:54:27 发布 · 467 阅读

CC 4.0 BY-SA版权

This blog post details a walkthrough of the 'Praying: 1' virtual machine on Vulnhub. The author first discovers a vulnerable MantisBT installation with an arbitrary password reset exploit, leading to a shell. Further exploration reveals user information, which is used to escalate privileges. By exploiting sudo access and modifying a file, the author ultimately gains root access." 121933511,8383725,现代密码学：哈希函数的生日攻击解析,"['密码学', '数学', '安全定义']

Praying: 1

虚拟机信息：http://www.vulnhub.com/entry/praying-1,575/

1. 获取shell

80/tcp   open   http           Apache httpd 2.4.41 ((Ubuntu))

服务器只开放了80端口，访问后为apache默认页面，于是用dirb跑了一下目录，发现了admin目录。

==> DIRECTORY: http://192.168.56.105/admin/

发现后发现为mantis的登陆页面

测试了一下发现依然存在任意账户口令重置漏洞。修改aministrator账户登陆，发现版本为2.3.0。

reset
利用searchsploit直接找到了命令执行代码。

Mantis Bug Tracker 2.3.0 - Remote Code E | php/webapps/48818.py

于是得到了第一个shell。

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] Command shell session 1 opened

最低0.47元/天解锁文章