Vulnhub_Me-And-MyGirlFriend_WriteUP@4ut15m
Description:
This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, "Ceban Corp", something has changed from Alice's attitude towards Bob like something is "hidden", And Bob asks for your help to get what Alice is hiding and get full access to the company!
下载链接
信息搜集
先对主机情况进行扫描
nmap -sP 192.168.123.0/24
知晓目标ip为192.168.123.118
对目标机进行扫描
nmap --script=vuln -v 192.168.123.118 -oN info.txt
发现80端口开放,存在web服务,访问,只可以本地访问(修改X-Forwarded-For域值)
查看robots.txt
heyhoo.txt
查看网站功能
注册账号
在profile页面发现user_id参数,尝试修改user_id参数看能否读取其他用户信息
可以读取
使用burp暴破所有用户id,发现alice用户id为5,密码为4lic3
获得shell
尝试该用户名密码进行ssh连接,登录成功
查看文件,获得第一个flag
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
查看my_notes.txt
查看有超级用户权限的命令
查看当前用户可以sudo权限执行的命令,发现php!!!!!!!!!!!莫说了,可以提权了
试试权限是否为root
上面其实也可以不写php文件,直接如下,获得root权限bash
sudo php -r "system('bash');"
Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}