Vulnhub Web Machine N7 target machine walkthrough
阿新 • Published: 2022-12-07
Web Machine N7
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:66:82:69      1      60  PCS Systemtechnik GmbH
 192.168.56.242  08:00:27:ed:bd:c7      1      60  PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.242
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.242 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-07 04:32 EST
Nmap scan report for localhost (192.168.56.242)
Host is up (0.00017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.46 (Debian)
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds
The NMAP scan result shows that the target host has 1 open port: 80 (HTTP)
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/07 04:35:37 Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.242/javascript/]
/server-status (Status: 403) [Size: 279]
Progress: 216954 / 220561 (98.36%)
===============================================================
2022/12/07 04:36:07 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ nikto -h http://192.168.56.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.242
+ Target Hostname: 192.168.56.242
+ Target Port: 80
+ Start Time: 2022-12-07 04:36:10 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 654, size: 5cf8ad59e198a, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-12-07 04:36:59 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.46) are not in the Nikto 2.1.6 database or are newer than the known string. Would you like to submit this information (*no server specific data*) to CIRT.net for a Nikto update (or you may email to [email protected]) (y/n)?
Neither Gobuster nor nikto found any directories; let's see what files there are:
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,sh,js,php,html
[+] Timeout: 10s
===============================================================
2022/12/07 04:38:00 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1620]
/profile.php (Status: 200) [Size: 1473]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.242/javascript/]
/javascript.js (Status: 200) [Size: 0]
/exploit.html (Status: 200) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1321064 / 1323366 (99.83%)===============================================================
2022/12/07 04:41:10 Finished
===============================================================
Gobuster found the file /exploit.html; visiting it shows a file upload form. The next problem is how to get shell.php uploaded to the target host:
Clicking submit, however, returns:
The browser is pointed at localhost; could that be the reason the submission fails? View the page source:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body background="black">
<form action="http://localhost/profile.php" method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" >
</form >
</body>
</html>
The form is submitted to localhost; is it feasible to change localhost to 192.168.56.242 by hand in the browser developer tools?
But it returns:
View the page source:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.46 (Debian) Server at 127.0.1.1 Port 80</address>
</body></html>
Although it errored, half of the flag was obtained.
Referring to other people's write-ups, I don't know what method they used to learn that the directory enter_network exists; I tried several wordlists and none of them found this directory.
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242/enter_network -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.242/enter_network
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2022/12/07 04:56:04 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 324]
/admin.php (Status: 200) [Size: 126]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 486079 / 1102805 (44.08%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/07 04:57:17 Finished
===============================================================
gobuster found the files admin.php and index.php.
Entering an arbitrary username and password into index.php, a cookie value can be seen:
role: MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D
This should be URL-encoded; URL-decode it with CyberChef, then base64-decode it, which gives:
21232f297a57a5a743894a0e4a801fc3
This should be an MD5 hash; cracking it gives admin
Then visiting admin.php still returns: this interface is admin only
In the developer tools, change role: in the cookie to admin and refresh the page, which gives the other half of the flag:
KSA_01}
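The cookie chain above (double URL-encoding, base64, an unkeyed MD5 of the role name) as a worked decode, followed by the design the admin check should have used instead: a role value bound to a server-side secret with HMAC, so that a client cannot mint or swap one. This is an added example, not code from the write-up or from the N7 box; the candidate role list, the secret key and the `role.tag` cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Cookie value as captured in the write-up (double URL-encoded base64 of an MD5 hex digest).
CAPTURED_ROLE_COOKIE = "MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D"

# Assumption: a small list of role names to compare the recovered digest against.
ROLE_CANDIDATES = ["admin", "user", "guest", "member"]


def decode_role_cookie(value: str) -> str:
    """Peel every URL-encoding layer (%253D -> %3D -> =), then base64-decode the result."""
    decoded = value
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:  # no more %xx sequences left to decode
            break
        decoded = nxt
    return base64.b64decode(decoded).decode("ascii")


def identify_role(digest_hex: str, candidates=ROLE_CANDIDATES):
    """Return the candidate whose MD5 hex digest equals digest_hex, or None if none matches.

    This is exactly why an unkeyed hash is not an authorization token: anyone who can
    guess the role name can recompute the value the server trusts.
    """
    for name in candidates:
        if hashlib.md5(name.encode()).hexdigest() == digest_hex:
            return name
    return None


# --- Hardened alternative (assumed design, not the box's code) --------------------------
# The role is bound to a server-side secret with HMAC-SHA256. The client still sees the
# role name in the cookie, but cannot produce a valid tag for a different role.

def sign_role(role: str, key: bytes) -> str:
    """Produce a cookie of the form '<role>.<hex tag>' under the server secret."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def verify_role(cookie: str, key: bytes):
    """Return the role carried by the cookie if its tag verifies, otherwise None."""
    role, sep, tag = cookie.rpartition(".")
    if not sep:  # malformed cookie, no separator
        return None
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, tag):  # constant-time comparison
        return role
    return None


if __name__ == "__main__":
    digest = decode_role_cookie(CAPTURED_ROLE_COOKIE)
    print("recovered digest:", digest, "->", identify_role(digest))
    key = b"constructed-server-secret"  # constructed for the demo; keep real keys out of source
    good = sign_role("user", key)
    forged = "admin." + good.split(".")[1]  # reuse a valid tag with a swapped role
    print("signed cookie verifies as:", verify_role(good, key))
    print("swapped role verifies as:", verify_role(forged, key))
```

The swapped-role case is the one that matters for this box: with the unkeyed scheme, changing the cookie to the admin value is enough, whereas with the HMAC scheme the same edit fails verification because the tag was computed over the original role.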