
Vulnhub: Web Machine N7 Target Machine Test Walkthrough

Date: 2022-12-07 18:23:03  Views: 45

Web Machine N7

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:66:82:69      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.242  08:00:27:ed:bd:c7      1      60  PCS Systemtechnik GmbH         

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.242.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.242 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-07 04:32 EST
Nmap scan report for localhost (192.168.56.242)
Host is up (0.00017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.46 (Debian)
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds

The NMAP scan shows that the target host has one open port: 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.242
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/07 04:35:37 Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.242/javascript/]
/server-status        (Status: 403) [Size: 279]
Progress: 216954 / 220561 (98.36%)===============================================================
2022/12/07 04:36:07 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ nikto -h http://192.168.56.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.242
+ Target Hostname:    192.168.56.242
+ Target Port:        80
+ Start Time:         2022-12-07 04:36:10 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 654, size: 5cf8ad59e198a, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2022-12-07 04:36:59 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.46) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

Neither Gobuster nor nikto found any directories, so let's look for files instead:

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.242
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,sh,js,php,html
[+] Timeout:                 10s
===============================================================
2022/12/07 04:38:00 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1620]
/profile.php          (Status: 200) [Size: 1473]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.242/javascript/]
/javascript.js        (Status: 200) [Size: 0]
/exploit.html         (Status: 200) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1321064 / 1323366 (99.83%)===============================================================
2022/12/07 04:41:10 Finished
===============================================================

Gobuster found the file /exploit.html. Visiting it shows a file upload form. The next question is how to upload shell.php to the target host:

Clicking submit, however, returns:

The browser was pointed at localhost. Is that why the submission fails? View the page source:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body background="black">

  <form action="http://localhost/profile.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" >
  </form >

  </body>
</html>

The form posts to localhost. Is it feasible to manually change localhost to 192.168.56.242 in the browser's developer tools?

But it returns:

View the page source:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.46 (Debian) Server at 127.0.1.1 Port 80</address>
</body></html>

Although the request failed, half of the flag was obtained.

Referring to other people's writeups, I do not know how they discovered the directory enter_network; I tried several wordlists and none of them found it.

┌──(kali㉿kali)-[~/Vulnhub/Web_machine_N7]
└─$ gobuster dir -u http://192.168.56.242/enter_network -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.242/enter_network
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/12/07 04:56:04 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 324]
/admin.php            (Status: 200) [Size: 126]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 486079 / 1102805 (44.08%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/07 04:57:17 Finished
===============================================================

gobuster found the files admin.php and index.php.

Entering an arbitrary username and password at index.php, a cookie value becomes visible:

role: MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D

This looks URL-encoded. URL-decoding it with CyberChef and then base64-decoding gives:

21232f297a57a5a743894a0e4a801fc3

This looks like an MD5 hash; looking it up gives admin.

Visiting admin.php then still returns: this interface is admin only

In the developer tools, change role: in the cookie to admin and refresh the page, which yields the other half of the flag:

KSA_01} 
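The role cookie above is the security lesson of this machine: the server stores the user's role in a cookie that is merely encoded (double URL-encoding over base64 over an MD5 of the role name), not protected, so the client can set any role it likes. The following Python is an added example, not code from the writeup or from the machine itself. It reproduces the decoding steps described above on a copy of the cookie value shown, identifies the role by matching the digest against a few candidate names, and then contrasts the trusting check the writeup defeats with an HMAC-signed role cookie that rejects tampering. The server-side check modelled in unsigned_role_is_admin is an assumption (the machine's PHP source is not shown); SERVER_KEY is a constructed key.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import unquote

# Constructed copy of the role cookie value observed in the walkthrough.
ROLE_COOKIE = "MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D"


def decode_role_cookie(value: str) -> str:
    """Undo the layers in order: the '%253D' tail is an '=' that was URL-encoded
    twice, so URL-decode until nothing changes, then base64-decode the result."""
    while "%" in value:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return base64.b64decode(value).decode("ascii")


def identify_role(hexdigest: str, candidates=("guest", "user", "admin")) -> Optional[str]:
    """An unsalted MD5 of a short role name is recoverable by trying likely names."""
    for name in candidates:
        if hashlib.md5(name.encode()).hexdigest() == hexdigest:
            return name
    return None


def unsigned_role_is_admin(cookie_value: str) -> bool:
    """Assumed model of the vulnerable check: the server believes whatever role
    string the client sends. Setting the cookie to 'admin' is enough."""
    return cookie_value == "admin"


# Constructed server secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def issue_signed_role(role: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: the role is still readable, but an HMAC over the payload
    binds it to the server's key, so a client cannot change it unnoticed."""
    payload = base64.urlsafe_b64encode(role.encode()).decode("ascii")
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_role(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the role only if the tag verifies; None on any malformed or altered cookie."""
    if "." not in cookie_value:
        return None
    payload, tag = cookie_value.split(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_payload(signed_cookie: str, new_role: str) -> str:
    """Swap the role in a signed cookie while keeping the old tag, the equivalent
    of editing the cookie in the browser's developer tools."""
    _, tag = signed_cookie.split(".", 1)
    return base64.urlsafe_b64encode(new_role.encode()).decode("ascii") + "." + tag


if __name__ == "__main__":
    digest = decode_role_cookie(ROLE_COOKIE)
    print("decoded role cookie:", digest, "->", identify_role(digest))
    print("unsigned check with role=admin:", unsigned_role_is_admin("admin"))
    signed = issue_signed_role("user")
    print("signed cookie verifies as:", verify_signed_role(signed))
    print("tampered signed cookie verifies as:", verify_signed_role(tamper_payload(signed, "admin")))
```

Signing only detects tampering; it does not hide the role, and it still relies on the key staying secret. Keeping the role entirely server-side, keyed by an opaque session identifier, removes the cookie as an input to the authorization decision altogether.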

From: https://www.cnblogs.com/jason-huawen/p/16963917.html
