Difficulty: Medium
Release date: 29 October 2019
Machine description: Mission: Millionaire psychopath Max Zorin is a mastermind behind a scheme to destroy Silicon Valley in order to gain control over the international microchip market. Get root and stop this madman from achieving his goal!
Difficulty: Intermediate
Flag is /root/flag/flag.sh
Use in VMware. DHCP enabled.
Learning Objectives: Web Application Security, Scripting, Linux enumeration and more.
If there are any mistakes in this post, corrections are very welcome and much appreciated. Personal email: want2live233@gmail.com
Friendly tip: this VM tends to "drop off the network" frequently; the only fix I found each time was to restart it.
Tools, knowledge points and vulnerabilities
- nmap
- dirsearch
- searchsploit
- metasploit
0x00. Information gathering
Target IP: 192.168.0.110
nmap -sn 192.168.0.0/24
Ports and services
nmap -sS -sV -T5 -A -p- 192.168.0.110
Page and directory enumeration
dirb http://192.168.0.110 -X .php,.txt,.zip,.html
gobuster dir -u http://192.168.0.110 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.zip
http://192.168.0.110/
http://192.168.0.110/robots.txt
Seeing "joomla" naturally brings to mind the world-famous content management system, but this is not it. Scanning http://192.168.0.110/joomla with joomscan and gobuster turned up nothing.
Summarizing the information collected so far
Directories & pages:
- /joomla → mp3
- /dev
- /zorin
- /defense
- /pics
- /index.html
Ports & services:
- 22 OpenSSH 7.6p1
- 25 Postfix smtpd
- 80 Apache httpd 2.4.29
- 8191 PHP cli server 5.5 or later (http-title: electronic controller app)
Next, using the information above as a base, we gather further information.
Port 8191
http://192.168.0.110/dev/
The few PDF documents are just product manuals and the like, all of which can be found online (it later turns out these are key).
http://192.168.0.110/dev/SystemPrep.txt
SysAdmins, Devs, Security, etc. Keep in mind once this site goes live, we’ll be working a TON of over time. Make sure everything is tested and ready to rock before pushed to prod.
http://192.168.0.110/dev/about.html
insert photo here
Hi I’m Max,
Boss, please add short bio here about your self. The copy writers said to “make yourself sound personable” (whatever that means).
Download the archive e_bkup.tar.gz; extracting it yields four files
tar -zxvf Desktop/e_bkup.tar.gz -C Desktop/view2akill
In the file New_Employee_Onboarding_Chuck.rtf I found an HR mgmt login username, chuck@localhost.com, as well as information about the password: password is the lowercase word/txt from the cool R&D video I showed you with the remote detonator + the transmit frequency of an HID proxcard reader - so password format example: facility007.
Brute-forcing SMTP with hydra using the username chuck: no result.
hydra -l chuck -P /usr/share/wordlists/fasttrack.txt smtp://192.168.0.110
Judging by its name, onboarding_email_template.rtf should be an email template; Stop_Storing_Passwords.rtf is just a security-reminder email.
Contents of note_to_mail_admins.txt: Yo, wassup computer geeks! I was told by design to upload a few example emails for you nerds to work with in prep for what they called "email web gooey platform".
http://192.168.0.110/defense/
Security devs made a custom app that checks for any unusual files in the apache web directory. Not really sure how it works and if it’s actually secure. Just let them know before any changes are made in web dirs.
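The note above describes a custom app that flags unusual files in the Apache web directory. As an added example (not the machine's own checker, whose internals the page does not show), here is the basic shape of such a check: hash every file under a web root into a baseline manifest, rehash later, and report anything added, removed or modified. The web root contents and the changes are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(web_root: str) -> dict:
    """Map each regular file under web_root (relative path) to its hash.
    Symlinks are skipped so a link pointing outside the web root is not followed."""
    root = Path(web_root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[str(p.relative_to(root))] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then drop in a new
    PHP file and edit an existing page, the kind of change the checker should flag."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Zorin Industries</h1>")
        (root / "dev").mkdir()
        (root / "dev" / "about.html").write_text("insert photo here")
        baseline = build_manifest(d)
        (root / "dev" / "upload.php").write_text("<?php echo 'unexpected'; ?>")
        (root / "index.html").write_text("<h1>changed</h1>")
        return diff_manifests(baseline, build_manifest(d))
```

In practice the baseline manifest would be written somewhere the web server's user cannot modify and the comparison run from cron or a file-watcher.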
http://192.168.0.110/pics/
http://192.168.0.110/zorin/about.html
http://192.168.0.110/zorin/hr.html, where a /sentrifugo path is found
From the information on the page we learn that the initial password for sentrifugo is toor. I then visited http://192.168.0.110/sentrifugo/, which is a login page, and tried root, admin, max and zorin as usernames with toor as the password, but none of them logged in.
Sentrifugo is currently one of the most popular full-featured open-source human resource management systems worldwide, used by hundreds of thousands of businesses. It is a powerful open-source Human Resource Management (HRM) system written in PHP that stores its data in a relational database (such as MySQL/MariaDB). Sentrifugo is easy to configure and offers many rich features, such as tracking employee leave dates; tracking employee roles, performance and privileges; tracking employee appraisals; time and leave management; recruitment/talent acquisition; interview scheduling; employee self-service; analytics for defining long- and short-term goals; background checks, etc.
http://192.168.0.110/sentrifugo/: via the Help button in the top-right corner we downloaded a user manual.