OSCP/Vulnahub
[+] Keyring
takudaddy
2023. 1. 22. 14:22
1. Reconnaissance
![](https://blog.kakaocdn.net/dn/bch3UX/btrWQY0oxnD/HCs4EzpahmT6skavkCSs50/img.png)
![](https://blog.kakaocdn.net/dn/bvu8aO/btrWQY682Ve/whjR2teFksuBhaiuq7Gw5K/img.png)
![](https://blog.kakaocdn.net/dn/BkTqA/btrWXhXR1he/AVedR7UDUkRDA9dRqUSOe1/img.png)
![](https://blog.kakaocdn.net/dn/bnQAFi/btrWTKfotJa/bJKvvFnjKZtvmFRzLmfBj1/img.png)
![](https://blog.kakaocdn.net/dn/cIYYc5/btrWS1O9xdg/6jvtY9rkh0eKvH7XabaR2K/img.png)
: HTTP Parameter Pollution(HPP)
![](https://blog.kakaocdn.net/dn/bEjHfj/btrWRcqzbPr/SFLTKzgOwhrXM6j89Kr4Q1/img.png)
: history.php is a blank page
![](https://blog.kakaocdn.net/dn/byZzx7/btrWRjXsSib/Oaj5qIg6RnkYwXAR1lF8Kk/img.png)
- Fuzz the parameters just in case
![](https://blog.kakaocdn.net/dn/mm2GV/btrWSwPhfsx/CX8EKceK00zkkpCX6XWv8K/img.png)
: user
- Test
![](https://blog.kakaocdn.net/dn/zLZ1Y/btrWQ3UQ519/YTiYdro1W9yYTEe0IEEt6K/img.png)
Confirmed!
2. Exploitation
- Look up admin
![](https://blog.kakaocdn.net/dn/NDoYI/btrWRjiNhTC/jK5Z52EhWroPSz0FZdKX21/img.png)
- Check GitHub
![](https://blog.kakaocdn.net/dn/bQkW9V/btrWX4xjEFt/It0Z3Jgri4wmblZ3YL8pF0/img.png)
- Check the source
![](https://blog.kakaocdn.net/dn/c5P5T4/btrWQKVuU6V/neg0QiPlTTmpJmhjPcMHi1/img.png)
: Found the SQL account credentials
root/ sqluserrootpassw0r4
![](https://blog.kakaocdn.net/dn/MK9Xa/btrWRPIox6g/EqPBa9SJqoc1aJgIKuih7K/img.png)
: Found the parameter passed to the system function
- Attempt RCE
![](https://blog.kakaocdn.net/dn/yzjPE/btrWQYTCE5c/2SoXQNQHeFYqUpv1dWBfPk/img.png)
: Cannot be executed when tried with a regular account
> Need to know the admin account's password.
- SQL injection
# sqlmap --url 'http://192.168.10.114/history.php?user=admin' --cookie="PHPSESSID=8nsdb4ue0bi7g7hjaju33tjfvd" --dump --batch
![](https://blog.kakaocdn.net/dn/bohHwh/btrWRXzyREH/URXn9gcrXbR5luAkRtWJI1/img.png)
admin / myadmin#p4szw0r4d
john / Sup3r$S3cr3t$PasSW0RD
- Attempt RCE again
![](https://blog.kakaocdn.net/dn/btgFE6/btrWRC3wMPD/HLJik5Bbt4ODYqCL0mXfi1/img.png)
Success!
- Shell
![](https://blog.kakaocdn.net/dn/Ii74d/btrWUIhm79j/rIHvVtDgKYQ9ae5kN0k5vk/img.png)
![](https://blog.kakaocdn.net/dn/FuiNP/btrWRdXis3W/lj5We0j88ac4HRbmOBkwe0/img.png)
: Initial access succeeded!
3. Privilege Escalation
- John?
![](https://blog.kakaocdn.net/dn/bvbPZw/btrWRDnMp28/FDS7zWQ2jWmckndagPGgU0/img.png)
john!