Election
Author: jason huawen
Target machine information
Name: eLection: 1
URL:
https://www.vulnhub.com/entry/election-1,503/
Identifying the IP address
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:3f:57:98 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:4a:57:01 1 60 PCS Systemtechnik GmbH
NMAP Scanning
Scan the target host with NMAP:
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-12 20:56 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20d1ed84cc68a5a786f0dab8923fd967 (RSA)
| 256 7889b3a2751276922af98d27c108a7b9 (ECDSA)
|_ 256 b8f4d661cf1690c5071899b07c70fdc0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:4A:57:01 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ curl http://192.168.56.254/robots.txt
admin
wordpress
user
election
Of the entries listed in robots.txt, only election is accessible.
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ nikto -h 192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-05-12 21:11:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 59558e1434548, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ 8254 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-05-12 21:11:46 (GMT-4) (14 seconds)
---------------------------------------------------------------------------
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,sh,bak,js,txt
[+] Timeout: 10s
===============================================================
2023/05/12 21:19:13 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10918]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.254/javascript/]
/robots.txt (Status: 200) [Size: 30]
/election (Status: 301) [Size: 319] [--> http://192.168.56.254/election/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.254/phpmyadmin/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/phpinfo.php (Status: 200) [Size: 95437]
/server-status (Status: 403) [Size: 279]
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ gobuster dir -u http://192.168.56.254/election -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254/election
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,sh,bak,js,txt
[+] Timeout: 10s
===============================================================
2023/05/12 21:21:49 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 7003]
/media (Status: 301) [Size: 325] [--> http://192.168.56.254/election/media/]
/themes (Status: 301) [Size: 326] [--> http://192.168.56.254/election/themes/]
/data (Status: 301) [Size: 324] [--> http://192.168.56.254/election/data/]
/admin (Status: 301) [Size: 325] [--> http://192.168.56.254/election/admin/]
/lib (Status: 301) [Size: 323] [--> http://192.168.56.254/election/lib/]
/languages (Status: 301) [Size: 329] [--> http://192.168.56.254/election/languages/]
/js (Status: 301) [Size: 322] [--> http://192.168.56.254/election/js/]
/card.php (Status: 200) [Size: 1935]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
Progress: 1538169 / 1543927 (99.63%)
If you had only scanned the /election directory with gobuster, you would have missed important information and could not even have proceeded.
┌──(kali㉿kali)-[~/Vulnhub/Election]
└─$ curl http://192.168.56.254/election/card.php
00110000 00110001 00110001 00110001 00110000 00110001 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110001 00110000 00110000 00100000 00110000 00110000 00110000 00110000 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110000 00110000 00100000 00110000 00110001 00110001 00110000 00110000 00110000 00110000 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110001 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110000 00110001 00110001 00110000 00110001 00110000 00100000 00110000 00110001 00110001 00110001 00110001 00110000 00110000 00110000 00100000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110000 00110001 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110000 00100000 00110000 00110000 00110001 00110001 00110000 00110000 00110001 00110001 00100000 00110000 00110000 00110001 00110000 00110000 00110000 00110000 00110001 00100000 00110000 00110001 00110000 00110000 00110000 00110000 00110000 00110000 00100000 00110000 00110000 00110001 00110000 00110000 00110000 00110001 00110001
I decoded the binary data above, but it was of no use.
https://cryptii.com/pipes/binary-decoder
The quick brown
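The card.php response is space-separated 8-bit ASCII binary whose decoded text is itself another line of 8-bit binary, so a single decoding pass stops one layer short. The following is an added example, not code from the original writeup: a decoder that keeps peeling layers while the result still looks like binary; the sample input is constructed (a short string encoded twice), but the card.php text can be passed to decode_layers() unchanged.

```python
"""Peel nested layers of space-separated 8-bit binary (e.g. the card.php output)."""
import re

# One 8-bit group, further groups separated by single spaces, nothing else.
_BINARY_RE = re.compile(r"^[01]{8}( [01]{8})*$")


def looks_like_binary(text: str) -> bool:
    """True when the whole string consists of space-separated 8-bit groups."""
    return bool(_BINARY_RE.match(text.strip()))


def decode_once(text: str) -> str:
    """Turn one layer of 8-bit groups into ASCII text (raises on non-ASCII bytes)."""
    return bytes(int(group, 2) for group in text.split()).decode("ascii")


def encode_once(text: str) -> str:
    """Inverse of decode_once; used here only to build the constructed sample."""
    return " ".join(f"{byte:08b}" for byte in text.encode("ascii"))


def decode_layers(text: str, max_layers: int = 8) -> tuple[str, int]:
    """Decode repeatedly while the result still looks like binary.

    Returns (plaintext, number_of_layers_removed). max_layers guards against
    input that happens to decode to valid binary forever.
    """
    layers = 0
    current = text.strip()
    while looks_like_binary(current) and layers < max_layers:
        current = decode_once(current)
        layers += 1
    return current, layers


# Constructed sample: a harmless string wrapped in two binary layers, which is the
# same shape as the card.php response (binary whose decoding is binary again).
SAMPLE = encode_once(encode_once("hello world"))

if __name__ == "__main__":
    plaintext, removed = decode_layers(SAMPLE)
    print(f"removed {removed} layer(s): {plaintext!r}")
```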
From: https://www.cnblogs.com/jason-huawen/p/17397348.html