Vulnhub walkthrough: JIS-CTF VulnUpload target
Grab the target image from the address above, import it into the VM and boot it. Let's get going!
1. Find the target IP and the services it exposes
Once the target is imported and powered on we leave it alone; host discovery, port scanning and service detection are all done from Kali.
Host discovery first:
nmap -sn 192.168.33.0/24
There are a lot of virtual machines on my LAN. If that is your situation too, pick the target out by its MAC address: the VM's MAC is shown in its network settings, and nmap prints the MAC of every host it finds on the local segment (run it as root to see them). That gives 192.168.33.117 as the target. Next, port scanning and service detection!
2. Port scanning and service discovery
nmap -sV -p- -O 192.168.33.117
-p- scans all 65535 TCP ports, -sV probes each open port for the service and its version, and -O fingerprints the operating system (needs root). Ports 22 and 80 are open, so SSH and a web server are running, and the OS guess is Ubuntu. These three facts drive everything that follows.
3. System vulnerability analysis
For SSH I habitually attack from two directions: weak passwords and vulnerabilities in the service itself. For weak passwords I throw common usernames and common passwords at it, even though the odds are slim:
Kali ships hydra for SSH password brute-forcing, and it comes with its own wordlists!
You can also use this dictionary: https://lecloud.lenovo.com/share/4iPvrb3BgyoW4aMwu (password: k9zu). Don't ask why I'm not sharing it on Baidu Netdisk: I don't have a membership!
Command: hydra -L '/root/fuzzDicts-master/userNameDict/user.txt' -P '/root/fuzzDicts-master/passwordDict/top6000.txt' -e sr -f -V -t 30 -I 192.168.33.117 ssh
-L and -P are the username and password lists; -e sr additionally tries each username as its own password (s) and reversed (r); -f stops at the first valid pair; -V prints every attempt; -t 30 runs 30 parallel connections; -I ignores any restore file left by an earlier run. Note that sshd limits concurrent unauthenticated connections (MaxStartups), so at -t 30 many attempts simply get dropped; hydra itself recommends -t 4 for SSH.
This takes a while, so let it run and check back later. Odds are it finds nothing, and it costs time!
For vulnerabilities in the SSH service I recommend searchsploit. Search for the exact version service detection reported, OpenSSH 7.2p2:
searchsploit OpenSSH 7.2p2
It lists a username enumeration vulnerability. A confirmed valid username would help the SSH password attack a lot. The Python script is missing some modules on my machine and won't run, but it most likely behaves like the description above. Let's also see what exists for Apache httpd 2.4.18:
Service detection gave the exact version Apache httpd 2.4.18, and searchsploit has only one entry for it, a memory disclosure bug of little use here.
That is as far as system-level analysis goes for now. We know the distribution is Ubuntu but not the release or architecture, so hunting for OS exploits at this point is guesswork. Park it; if we get a webshell later we will revisit it during privilege escalation. On to the web application.
4. Web application analysis
- Browsing to the web port redirects automatically to login.php (the screenshot shows http://192.168.56.6/login.php; substitute the target address found above, 192.168.33.117):
The HTML source holds nothing useful and the login form gives no way to enumerate usernames, so a weak password is the remaining angle. The SSH attack is still running, so put the web login brute-force aside for now and look for other pages first.
Before 2015, "scan the web port, find the admin back end, log in with a weak password, upload a one-line webshell" was a common attack chain with a high success rate, and finding the back-end address was the key to it. In other words, I need to discover more web content: files, pages and subdirectories. The best finds are packaged source code left lying around, admin and operations pages, and subdirectories holding business logic; each one widens the attack surface. I usually combine enumeration with crawling to find web content.
Before enumerating, confirm the back-end language with the Firefox plug-in Wappalyzer: it is PHP:
Since the back end is PHP, run the dirsearch directory scanner with the php extension:
python3 dirsearch.py -u 'http://192.168.33.117' -e php -i 200
-e php appends .php to wordlist entries and -i 200 shows only responses with status 200. Be aware that this filter also hides 301/302 redirects to directories and 403 responses, both of which point at content worth a look, so rerun without -i if the results look thin.
Several paths come back. CTF intuition says robots.txt usually holds something good, so let's look at it!
Opening robots.txt in the browser lists the following pages:
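Added example (my own, not part of the original writeup): a small shell helper that pulls the Disallow/Allow paths out of a robots.txt and joins them onto the target's base URL, so the "look at robots.txt" step becomes a repeatable list of candidates rather than a manual read. The function names (robots_paths, robots_urls, probe_urls) are mine, and SAMPLE_ROBOTS is constructed for the demo; it is not the target's real file.

```shell
#!/bin/sh
# Added example, not from the original writeup: make the "check robots.txt"
# step repeatable. Robots entries are often the only place a forgotten
# /admin_area/ or /flag is advertised, so every listed path is a candidate
# to browse. Function names and the sample text are mine; SAMPLE_ROBOTS is
# constructed, not the target's real file.

# Print each Disallow/Allow path, one per line: strips CR, trailing
# comments and whitespace, drops the catch-all "/" and duplicates.
robots_paths() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | sed -n -E 's/^[[:space:]]*([Dd]isallow|[Aa]llow)[[:space:]]*:[[:space:]]*([^#[:space:]]+).*/\2/p' \
      | grep -v -x '/' \
      | awk '!seen[$0]++'
}

# Join each path onto a base URL: http://host + /flag -> http://host/flag
robots_urls() {
    base="${1%/}"
    robots_paths "$2" | while IFS= read -r p; do
        printf '%s%s\n' "$base" "$p"
    done
}

# Live use (needs network, not exercised offline): fetch the target's
# robots.txt and print "<http status> <url>" for every listed path, so
# 200/301/403 hits stand out from 404s.
probe_urls() {
    base="${1%/}"
    robots_urls "$base" "$(curl -s "$base/robots.txt")" | while IFS= read -r u; do
        printf '%s %s\n' "$(curl -s -o /dev/null -w '%{http_code}' "$u")" "$u"
    done
}

# Constructed sample mimicking the kind of file the writeup found: a
# catch-all entry, a trailing comment, mixed case and a duplicate.
SAMPLE_ROBOTS='User-agent: *
Disallow: /
Disallow: /backup   # old dump
disallow: /admin_area/
Disallow: /uploaded_files/
Disallow: /flag
Allow: /index.php
Disallow: /admin_area/'

if [ "${1:-}" = "--demo" ]; then
    robots_urls http://192.168.33.117 "$SAMPLE_ROBOTS"
fi
```

Run it with --demo to see the five URLs built from the sample; against a live box, probe_urls http://192.168.33.117 does the fetch and status check in one go.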
1. First flag
Open the /flag file to get the first flag.
2. Second flag
Then check the remaining entries in turn. The others don't open; only /admin_area/ and /uploaded_files/ do. The name uploaded_files suggests there is an upload point somewhere. Viewing the page source of /admin_area/ reveals the second flag together with a username and password.
3. Third flag
Logging in with that username and password confirms there is an upload form. Exactly as expected!
From here I'm sure you can guess the next step too: upload a one-line PHP webshell and connect to it directly with AntSword!!!
Everyone has a one-liner lying around, so upload it; there are no restrictions on the upload at all! Browsing the box through AntSword we find flag.txt and hint.txt in the web root. hint.txt holds the third flag plus a note: find the password of user technawi to read flag.txt. Sure enough, flag.txt cannot be opened directly.
4. Fourth flag
As we just saw, we need technawi's password, so search the filesystem for files related to that user with a Linux find command. It runs fine from AntSword's virtual terminal:
find / -user technawi -type f 2>/dev/null
(My weak Linux command knowledge bit me here: at first I didn't know what 2>/dev/null meant. A quick search explained that it redirects standard error to the null device, so the "Permission denied" messages from directories we cannot read are discarded instead of cluttering the terminal.)
Opening the hits one by one, /etc/mysql/conf.d/credentials.txt contains technawi's password, and the fourth flag.
Don't forget the .sudo_as_admin_successful file in that list, it will matter later!
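Added example (my own, not from the original writeup): the find step above wrapped into two shell functions, one that lists a user's files with the error noise suppressed and /proc and /sys pruned, and one that greps every hit for credential-looking lines, which is how you get from "a list of technawi's files" to "the credentials file" without opening them one by one. Function names are mine; demo_tree builds a constructed throwaway tree under a temp directory and never touches the real /etc/mysql/conf.d/credentials.txt.

```shell
#!/bin/sh
# Added example, not from the original writeup: the "find / -user technawi"
# step wrapped so that it (1) keeps "Permission denied" noise off the
# terminal, (2) prunes /proc and /sys, which only slow the walk down, and
# (3) greps every hit for credential-looking lines. Function names are
# mine; demo_tree builds a constructed throwaway tree, it does not touch
# the real /etc/mysql/conf.d/credentials.txt.

# Print every regular file owned by $1 under $2 (default /).
# stderr goes to /dev/null, the same trick as in the writeup: errors for
# directories we cannot enter are discarded instead of flooding the
# terminal. find exits 1 after such errors, so "|| true" keeps the
# function's status clean for callers running under set -e.
user_files() {
    find "${2:-/}" \( -path /proc -o -path /sys \) -prune -o \
         -user "$1" -type f -print 2>/dev/null || true
}

# For each file owned by $1 under $2, print "file:line" for lines that
# look like a credential assignment (password=, passwd:, secret= ...).
loot_user() {
    user_files "$1" "$2" | while IFS= read -r f; do
        grep -H -i -E '(pass(word|wd)?|secret)[[:space:]]*[:=]' -- "$f" 2>/dev/null || true
    done
}

# Constructed demo tree: one credentials file, one boring file and one
# directory with no permissions (to exercise the stderr suppression).
demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc/mysql/conf.d" "$d/var/www/html" "$d/locked"
    printf 'user: demo\npassword: hunter2\n' > "$d/etc/mysql/conf.d/credentials.txt"
    printf 'nothing to see\n' > "$d/var/www/html/index.php"
    printf 'unreadable\n' > "$d/locked/notes.txt"
    chmod 000 "$d/locked"
    printf '%s\n' "$d"
}

# Restore permissions on the locked directory so the tree can be removed.
demo_cleanup() {
    chmod 700 "$1/locked" && rm -rf "$1"
}

if [ "${1:-}" = "--demo" ]; then
    d="$(demo_tree)"
    echo "files owned by $(id -un) under $d:"; user_files "$(id -un)" "$d"
    echo "credential hits:"; loot_user "$(id -un)" "$d"
    demo_cleanup "$d"
fi
```

On the real box the call is loot_user technawi / (run it from the webshell's terminal as the writeup does); the demo uses the current user and a temp tree so it runs anywhere without root.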
5. Fifth flag
What do we do with a username and password? Remember that the initial scan found port 22 open with SSH running. Connect over SSH as technawi and check that flag.txt; the last flag should be in it.
Once the connection succeeds, go straight to /var/www/html and read flag.txt: fifth flag obtained!!!
6. Privilege escalation
Don't forget the .sudo_as_admin_successful file mentioned above. Ubuntu creates it in a user's home directory the first time that user runs sudo successfully, so it is a strong hint that technawi is a sudoer and can switch to root with their own password. Listing the user's sudo rights first confirms it before you try.
All five flags collected and root obtained!!!★,°:.☆(￣▽￣)/$:.°★ 。