Vulnhub:MHZ_CXF: C1F

目录

信息收集

arp-scan

nmap

nikto

WEB

web信息收集

dirmap

gobuster

ssh登录

提权

获得初始立足点

系统信息收集

横向渗透

提权


信息收集

arp-scan
┌──(root㉿ru)-[~/桌面]
└─# arp-scan -l             
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.9.88
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.87    08:00:27:47:aa:76       PCS Systemtechnik GmbH

nmap
端口扫描┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.9.87 --min-rate 10000 -oA ports           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:08 CST
Nmap scan report for 192.168.9.87
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
版本信息收集┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 22,80 192.168.9.87 --min-rate 10000                             
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:10 CST
Nmap scan report for 192.168.9.87
Host is up (0.00031s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
|   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
|_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds

nikto
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h 192.168.9.87                                 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.87
+ Target Hostname:    192.168.9.87
+ Target Port:        80
+ Start Time:         2024-04-07 16:15:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /notes.txt: This might be interesting.
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-04-07 16:15:43 (GMT8) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

WEB

web信息收集

没什么可用信息!

dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.9.87/ -lcf                       #####  # #####  #    #   ##   ######    # # #    # ##  ##  #  #  #    ##    # # #    # # ## # #    # #    ##    # # #####  #    # ###### ######    # # #   #  #    # #    # ######  # #    # #    # #    # #   v1.0[*] Initialize targets...
[+] Load targets from: http://192.168.9.87/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.9.87/                                                                       
[*] Launching auto check 404
[+] Checking with: http://192.168.9.87/mbaknojufociglkfhofsyblelnqhadaommvbtioivj
[*] Use recursive scan: No                                                                                     
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.06kb] http://192.168.9.87/index.html                                                        
[200][image/png][3.26kb] http://192.168.9.87//icons/ubuntu-logo.png  

gobuster
┌──(root㉿ru)-[~/kali/vulnhub]
└─# gobuster dir -u http://192.168.9.87/ -x .php,.txt,.html -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.87/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10918]
/notes.txt            (Status: 200) [Size: 86]

只有remb.txt可以访问,remb2.txt应该被删除了!
除了 first_stage:flagitifyoucan1234 没有可以利用得了!我们尝试ssh登录
用户名:first_stage
密码:flagitifyoucan1234

ssh登录
┌──(root㉿ru)-[~/kali/vulnhub]
└─# ssh first_stage@192.168.9.87  
The authenticity of host '192.168.9.87 (192.168.9.87)' can't be established.
ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.87' (ED25519) to the list of known hosts.
first_stage@192.168.9.87's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Sun Apr  7 10:08:16 UTC 2024System load:  0.0               Processes:             90Usage of /:   44.9% of 9.78GB   Users logged in:       0Memory usage: 23%               IP address for enp0s3: 192.168.9.87Swap usage:   0%=> There are 2 zombie processes.
idi^H^H* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8sjust raised the bar for easy, resilient and secure K8s cluster deployment.https://ubuntu.com/engage/secure-kubernetes-at-the-edge285 packages can be updated.
218 updates are security updates.Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253
$ id
-sh: 1: iid: not found
登录成功!

提权

获得初始立足点
$ bash
first_stage@mhz_c1f:~$ id
uid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)
first_stage@mhz_c1f:~$ ls
user.txt
first_stage@mhz_c1f:~$ cat user.txt 
HEEEEEY , you did it 
that's amazing , good job manso just keep it up and get the root bcz i hate low privileges ;)#mhz_cyber

系统信息收集
first_stage@mhz_c1f:~$ uname -a
Linux mhz_c1f 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
first_stage@mhz_c1f:~$ lsb_release -a
No LSB modules are available.
Distributor ID:  Ubuntu
Description:  Ubuntu 18.04.4 LTS
Release:  18.04
Codename:  bionic
first_stage@mhz_c1f:~$ 
first_stage@mhz_c1f:~$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   1615 Apr 24  2020 /etc/passwd
-rw-r----- 1 root shadow 1068 Apr 24  2020 /etc/shadow
first_stage@mhz_c1f:~$ cat /etc/passwd | grep "home" | grep -v nologin
mhz_c1f:x:1000:1000:mhz_c1f:/home/mhz_c1f:/bin/bash
first_stage:x:1001:1001::/home/first_stage:/bin/sh
first_stage@mhz_c1f:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/passwd
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/snap/core/16928/bin/mount
/snap/core/16928/bin/ping
/snap/core/16928/bin/ping6
/snap/core/16928/bin/su
/snap/core/16928/bin/umount
/snap/core/16928/usr/bin/chfn
/snap/core/16928/usr/bin/chsh
/snap/core/16928/usr/bin/gpasswd
/snap/core/16928/usr/bin/newgrp
/snap/core/16928/usr/bin/passwd
/snap/core/16928/usr/bin/sudo
/snap/core/16928/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16928/usr/lib/openssh/ssh-keysign
/snap/core/16928/usr/lib/snapd/snap-confine
/snap/core/16928/usr/sbin/pppd
first_stage@mhz_c1f:/home$ find -writable -type f ! -path '/proc/*' 2>/dev/null
./first_stage/.profile
./first_stage/.bash_logout
./first_stage/.viminfo
./first_stage/.bashrc
./first_stage/.cache/motd.legal-displayed
./first_stage/.ssh/known_hosts
./first_stage/user.txt
first_stage@mhz_c1f:/home$ 

横向渗透
在上面得信息收集中,first_stage用户没有sudo权限,另一个用户可能存在sudo权限!
我们大概率需要进行横向渗透才行,但是经过信息收集,除了发现几张图片外,没有任何收获!

我们下载到本地进行分析吧!!


binwalk

┌──(root?ru)-[~/kali/vulnhub]
└─# binwalk *.jpeg             Scan Time:     2024-04-07 18:29:35
Target File:   /root/kali/vulnhub/19th century American.jpeg
MD5 Checksum:  5cafa72a6fe50328afaba3de8a8d2926
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8Scan Time:     2024-04-07 18:29:35
Target File:   /root/kali/vulnhub/Frank McCarthy.jpeg
MD5 Checksum:  764d621ded4a62d04137349d0947610d
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
4704          0x1260          Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"Scan Time:     2024-04-07 18:29:36
Target File:   /root/kali/vulnhub/Russian beauty.jpeg
MD5 Checksum:  fded779eef067f984aea9ecb68a3deac
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.02Scan Time:     2024-04-07 18:29:36
Target File:   /root/kali/vulnhub/spinning the wool.jpeg
MD5 Checksum:  44d2017fcafaa9ed3c30a0224473eda7
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

使用binwalk、exiftool都没有看到可疑点!

steghide

┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide info 19th\ century\ American.jpeg 
"19th century American.jpeg":format: jpegcapacity: 27.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!

使用info参数查看是否存在内嵌数据!发现 'spinning the wool.jpeg' 存在内嵌数据!我们使用 extract 参数提取出来!
┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide extract -sf spinning\ the\ wool.jpeg
Enter passphrase: 
wrote extracted data to "remb2.txt".┌──(root㉿ru)-[~/kali/vulnhub]
└─# cat remb2.txt  
ooh , i know should delete this , but i cant' remember it 
screw me mhz_c1f:1@ec1f

提权
first_stage@mhz_c1f:/home$ su mhz_c1f
Password: 
mhz_c1f@mhz_c1f:/home$ id
uid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
mhz_c1f@mhz_c1f:/home$ 
mhz_c1f@mhz_c1f:/home$ sudo -l
Matching Defaults entries for mhz_c1f on mhz_c1f:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser mhz_c1f may run the following commands on mhz_c1f:(ALL : ALL) ALL
mhz_c1f@mhz_c1f:/home$ 
mhz_c1f@mhz_c1f:/home$ sudo /bin/bash
root@mhz_c1f:/home# id
uid=0(root) gid=0(root) groups=0(root)
root@mhz_c1f:/home# 

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/301217.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

【Java集合】面试题汇总

Java 集合Java 集合概览1. List, Set, Queue, Map 四者的区别?2. ArrayList 和 Array(数组)的区别?3. ArrayList 和 Vector 的区别?4. Vector 和 Stack 的区别?(了解即可)5. ArrayList 可以添加 null 值吗…

paddle实现手写数字模型(一)

参考文档:paddle官网文档调试代码如下: LeNet.py import paddle import paddle.nn.functional as Fclass LeNet(paddle.nn.Layer):def __init__(self):super().__init__()self.conv1 paddle.nn.Conv2D(in_channels1,out_channels6,kernel_size5,stride…

YOLOV9 + 双目测距

YOLOV9 双目测距 1. 环境配置2. 测距流程和原理2.1 测距流程2.2 测距原理 3. 代码部分解析3.1 相机参数stereoconfig.py3.2 测距部分3.3 主代码yolov9-stereo.py 4. 实验结果4.1 测距4.2 视频展示 相关文章 1. YOLOV5 双目测距(python) 2. YOLOv7双目…

强化学习MPC——(一)

1.什么是强化学习 强化学习是机器学习的一种,是一种介于监督学习和非监督学习的机器学习方法。 学习二字就很形象的说明了这是一种利用数据(任何形式的)来实现一些已有问题的方法,学习方法,大致可以分为机器学习&…

说说TCP为什么需要三次握手和四次挥手?

一、三次握手 三次握手(Three-way Handshake)其实就是指建立一个TCP连接时,需要客户端和服务器总共发送3个包 主要作用就是为了确认双方的接收能力和发送能力是否正常、指定自己的初始化序列号为后面的可靠性传送做准备 过程如下&#xff…

Redis 常见面试题

目录 1. Redis是什么?2. Redis优缺点?3. Redis为什么这么快?4. 既然Redis那么快,为什么不用它做主数据库,只用它做缓存?5. Redis的线程模型?6. Redis 采用单线程为什么还这么快?7. R…

如何使用生成式人工智能撰写关于新产品发布的文章?

利用生成式人工智能撰写新产品发布文章确实是一种既有创意又高效的内容生成方式。以下是如何做到这一点的指南,附带一些背景信息: • 背景:在撰写文章之前,收集有关您的新产品的信息。这包括产品的名称、类别、特点、优势、目标受…

解决Xshell连接不上虚拟机

相信有很多同学和我一样遇到这个问题,在网上看了很多教程基本上都先让在虚拟机输入ifconfig命令查看ip地址,弄来弄去最后还是解决不了😭😭,其实问题根本就不在命令上,很大概率是我们的虚拟机没有开启网卡&a…

基于单片机便携式测振仪的研制系统设计

**单片机设计介绍,基于单片机便携式测振仪的研制系统设计 文章目录 一 概要二、功能设计三、 软件设计原理图 五、 程序六、 文章目录 一 概要 基于单片机便携式测振仪的研制系统设计概要主要涉及利用单片机作为核心控制器件,结合测振原理和技术&#x…

python-可视化篇-turtle-画爱心

文章目录 原效果替换关键字5为8,看看效果改下颜色 原效果 import turtle as tt.color(red,pink) t.begin_fill() t.width(5) t.left(135) t.fd(100) t.right(180) t.circle(50,-180) t.left(90) t.circle(50,-180) t.right(180) t.fd(100) t.pu() t.goto(50,-30) t…

蓝鲸6.1 CMDB 事件推送的开源替代方案

本文来自腾讯蓝鲸智云社区用户:木讷大叔爱运维 背景 在蓝鲸社区“社区问答”帖子中发现这么一个需求: 究其原因,我在《不是CMDB筑高墙,运维需要一定的开发能力!》一文中已经介绍,在此我再简单重复下&#…

JavaScript实现全选、反选功能(Vue全选、反选,js原生全选、反选)

简介: 在JavaScript中,实现全选和反选通常是通过操作DOM元素和事件监听来实现; 全选功能:当用户点击一个“全选”复选框时,页面中所有具有相同类名的复选框都将被选中; 反选功能:用户点击一个…

ARP寻址过程

当知道目标的IP但是不知道目标的Mac地址的时候就需要借助ARP寻址获取目标的Mac地址,传输层借助四元组(源IP源端口:目标IP目标端口)匹配,网络层借助IP匹配,数据链路层则根据Mac地址匹配,数据传输…

局域网共享文件夹怎么加密?局域网共享文件夹加密方法介绍

在企业局域网中,共享文件夹扮演着重要的角色。为了保护数据安全,我们需要加密保护局域网共享文件夹。那么,局域网共享文件夹怎么加密?下面我们来了解一下吧。 局域网共享文件夹加密方法 局域网共享文件夹加密推荐使用共享文件夹加…

在git上先新建仓库-把本地文件提交远程

一.在git新建远程项目库 1.选择新建仓库 以下以gitee为例 2.输入仓库名称,点击创建 这个可以选择仓库私有化还公开权限 3.获取仓库clone链接 这里选择https模式就行,就不需要配置对电脑进行sshkey配置了。只是需要每次提交输入账号密码 二、远…

万字源码解析!彻底搞懂 HashMap【一】:概念辨析与构造方法源码解析

HashMap 的底层原理和扩容机制一直都是面试的时候经常被问到的问题,同时也是集合源码中最难阅读的一部分😢,之前更新的 ArrayList 源码阅读收获了很多朋友的喜欢,也给了我很多自信;本次我准备完成一个关于 HashMap 源码…

python练习三

模式A num int(input("请输入模式A的层数:")) for i in range(1, num 1):# 画数字for j in range(1, i 1):print(str(j) "\t", end"")print() 模式B num int(input("请输入模式B的层数:")) for i in ran…

九州金榜|孩子叛逆的原因是什么?

孩子随着年龄增长都会出现叛逆心理,很多家长不知道孩子为什么会出现叛逆心理,也不知道如何去引导孩子,下面九州金榜家庭教育就带大家了解一下孩子出现叛逆的原因。 一、心理需求增加 孩子对新事物的探索以及追求会随着人际交往扩大而增加&am…

2024年MathorCup妈妈杯数学建模思路D题思路解析+参考成品

1 赛题思路 (赛题出来以后第一时间在群内分享,点击下方群名片即可加群) 2 比赛日期和时间 报名截止时间:2024年4月11日(周四)12:00 比赛开始时间:2024年4月12日(周五)8:00 比赛结束时间&…

买卖股票的最佳时机IV

题目链接 买卖股票的最佳时机 IV 题目描述 注意点 1 < k < 1001 < prices.length < 10000 < prices[i] < 1000不能同时参与多笔交易&#xff08;必须在再次购买前出售掉之前的股票&#xff09;最多可以完成 k 笔交易 解答思路 本题与买卖股票的最佳时机…