13.Learn2Code
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Learn2Code
作者:x4v1l0k
难度:😅机子不出网,做不了
知识点:栈溢出
2. 信息收集
┌──(root㉿kali)-[/home/kali/hmv/Learn2Code]
└─# nmap -sS 192.168.9.15 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 21:14 CST
Nmap scan report for 192.168.9.15
Host is up (0.00041s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:7E:55:49 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds
2.1. 目录扫描
┌──(root㉿kali)-[/home/kali/hmv/Learn2Code]
└─# gobuster dir -u http://192.168.9.15 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.15
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,png,zip,txt,jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 1161]
/includes (Status: 301) [Size: 315] [--> http://192.168.9.15/includes/]
/todo.txt (Status: 200) [Size: 51]
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
这几个200的都访问不了
继续对includes目录进行扫描
┌──(root㉿kali)-[/home/kali/hmv/Learn2Code]
└─# dirsearch -u http://192.168.9.15/includes
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg\_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg\_resources.html
from pkg\_resources import DistributionNotFound, VersionConflict
\_|. \_ \_ \_ \_ \_ \_|\_ v0.4.3
(\_||| \_) (/\_(\_|| (\_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/Learn2Code/reports/http\_192.168.9.15/\_includes\_24-11-06\_21-19-31.txt
Target: http://192.168.9.15/
[21:19:31] Starting: includes/
[21:19:31] 301 - 319B - /includes/php -> http://192.168.9.15/includes/php/
[21:19:31] 301 - 318B - /includes/js -> http://192.168.9.15/includes/js/
[21:19:32] 403 - 277B - /includes/.ht\_wsr.txt
[21:19:32] 403 - 277B - /includes/.htaccess.bak1
[21:19:32] 403 - 277B - /includes/.htaccess.save
[21:19:32] 403 - 277B - /includes/.htaccess.sample
[21:19:32] 403 - 277B - /includes/.htaccess\_extra
[21:19:32] 403 - 277B - /includes/.htaccess.orig
[21:19:32] 403 - 277B - /includes/.htaccess\_sc
[21:19:32] 403 - 277B - /includes/.htaccessOLD2
[21:19:32] 403 - 277B - /includes/.htaccess\_orig
[21:19:32] 403 - 277B - /includes/.htaccessBAK
[21:19:32] 403 - 277B - /includes/.htaccessOLD
[21:19:32] 403 - 277B - /includes/.htm
[21:19:32] 403 - 277B - /includes/.htpasswd\_test
[21:19:32] 403 - 277B - /includes/.htpasswds
[21:19:32] 403 - 277B - /includes/.html
[21:19:32] 403 - 277B - /includes/.httr-oauth
[21:19:32] 403 - 277B - /includes/.php
[21:19:40] 301 - 319B - /includes/css -> http://192.168.9.15/includes/css/
[21:19:43] 200 - 579B - /includes/js/
[21:19:47] 200 - 557B - /includes/php/
Task Completed
/includes/css
又是一个文件读取
在/includes/php/access.php.bak 获取到一个有用的文件
还获取到一句话
查看access.php.bak
<?php
require\_once 'GoogleAuthenticator.php';
$ga = new PHPGangsta\_GoogleAuthenticator();
$secret = "S4I22IG3KHZIGQCJ";
if ($\_POST['action'] == 'check\_code') {
$code = $\_POST['code'];
$result = $ga->verifyCode($secret, $code, 1);
if ($result) {
include('coder.php');
} else {
echo "wrong";
}
}
?>
卡住了。看了wp才知道。原来是我出不了网的问题😅