[+] DigitalWorld.local : FALL (SSH id_rsa)
takudaddy
2023. 1. 21. 14:27
1. Information Gathering
![](https://blog.kakaocdn.net/dn/rJme8/btrWUH900uG/Hfwyxw5x81bLWWAkie8N0k/img.png)
![](https://blog.kakaocdn.net/dn/kIvFv/btrWRPVn6NX/fTjTymVKOIRNYel8hFrVKk/img.png)
![](https://blog.kakaocdn.net/dn/GYVs0/btrWQrBxE6J/8S7NXRGK6rJPmI3kXo8Nqk/img.png)
Sending abnormal packets
gets your IP blocked!
- Web Enum
![](https://blog.kakaocdn.net/dn/c70j2T/btrWQHRBK8W/PA0Y7rv8aS41rMfPYmeGW1/img.png)
: CMS Made Simple v.2.2.15
: posted by qiu
![](https://blog.kakaocdn.net/dn/7l1Cb/btrWRzrJIk1/zxj9qrwVvZbKkvk01p5if1/img.png)
: patrick
- test.php
![](https://blog.kakaocdn.net/dn/b0zgPj/btrWQsUDOqZ/7VdipQkkqXlpa8c0qXHTG1/img.png)
It says a parameter is missing.
- admin
![](https://blog.kakaocdn.net/dn/b5VLO7/btrWSvoHM8x/jGQsIPcPr3WFjEB7EEOtD1/img.png)
2. Exploitation
- test.php
The parameter can be inferred from the server response, and
![](https://blog.kakaocdn.net/dn/b8StJd/btrWS3MpxaT/MwBEgrGXTFE7mXnKdwQjDK/img.png)
![](https://blog.kakaocdn.net/dn/bnuqlk/btrWQX0ZtT2/6AYPnhtTtATMpOgGnd3nkk/img.png)
![](https://blog.kakaocdn.net/dn/bGc6yK/btrWRDtZqJ8/DiCTehfVsDhb8McqmTGTSk/img.png)
- Confirming the LFI vulnerability
![](https://blog.kakaocdn.net/dn/nihqV/btrWUch19aX/HekQcTHHX1PxCY6XhEokO1/img.png)
![](https://blog.kakaocdn.net/dn/disnhU/btrWQtTsA7N/oaC3MOOUfbf50On0adSLvK/img.png)
- SSH
After copying the id_rsa key
![](https://blog.kakaocdn.net/dn/bmhz3T/btrWQ4FDxCN/5XV3sz3yhjOgSqM5QZ85Z1/img.png)
![](https://blog.kakaocdn.net/dn/cBx35J/btrWQJPoYHX/0dk7JwNo3GlJggVY9EOKyk/img.png)
Access gained!
3. Privilege Escalation
![](https://blog.kakaocdn.net/dn/dJDbJI/btrWUIukzRc/jOLXN1kWiJXwYGVCgmkdP0/img.png)
There is one thing that looks like a password:
remarkablyawesomE
Checking the sudo list:
![](https://blog.kakaocdn.net/dn/smAcu/btrWUc3oKCi/f3U0cuYo9i3YDBmrnNonT1/img.png)
Root!