信息收集
# nmap -sn 192.168.1.0/24 -oN live.port
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:10 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00075s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00055s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00011s latency).
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00021s latency).
MAC Address: 00:50:56:E2:FC:91 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.
探测到目标靶机IP地址为192.168.1.97
# nmap -sT --min-rate 10000 -p- 192.168.1.97 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.0021s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
MAC Address: 00:0C:29:AF:FE:0C (VMware)
开放的端口信息比较多,当然还是先以80端口为重点,寻找突破点,其他的端口作为辅助;6667端口暂时还不知道是什么样的服务~
# nmap -sT -sC -sV -O -p80,22,139,445,3306,6667 192.168.1.97 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00055s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Backnode
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open `JRSV Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.1.60
|_ error: Closing link: (nmap@192.168.1.60) [Client exited]
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2024-01-30T23:24:42+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-01-30T13:24:42
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds
详细信息探测的结果比较多,挑选出来重点:80端口Apache2.4.7 存在robots文件,samba服务探测到工作组信息,操作系统是Ubuntu系统!6667端口也有信息,但是这里还没有了解,先向下看看,一会去了解下irc服务是什么;smb探测到了os的计算机名等信息!
# nmap -sT --script=vuln -p80,22,139,445,3306,6667 192.168.1.97 -oN vuln.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.97 (192.168.1.97)
Host is up (0.00075s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /wordpress/: Blog
| /test/: Test page
| /robots.txt: Robots file
| /info.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /wordpress/wp-login.php: Wordpress login page.
| /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_ /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
| irc-botnet-channels:
|_ ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 00:0C:29:AF:FE:0C (VMware)
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
默认漏洞脚本的探测结果显示存在几个感兴趣的目录,同时存在wordpress目录,那应该就是wordpress了!很大的概率是通过wordpress进行建立立足点;
这里去了解了一下什么是irc:
寻找立足点
既然80端口上存在wordpress,这个是我们比较熟悉的,那就先从这里入手;
可以看到下面存在一句英文”My mind in MYSQL“ 提示我们思路应该在MYSQL上面?看一下robots文件:
存在几个目录,尝试都访问一下:old目录:
下面这个目录是存在文件的,其他的都没有,虽然没有,但是可以查看是不是开启了PUT方法等,能直接上传文件!
上面信息收集的时候,还看到了几个其他的目录,这里也都挨着去访问一下看看!
phpmyadmin界面:
这里尝试了一下弱口令,但是没有什么效果:
查看wordpress目录:
发现可能存在用户名为togie,同时在评论处,发现了Admin:
这里先尝试利用wpscan进行初步的漏洞和用户等信息的探测!wpscan识别到存在用户:
但是并没有上面我们发现的togie用户~ 但是利用wpscan并没有寻找到存在漏洞的插件等:
尝试弱口令登录到wordpress的后台:
可以看到test目录是不可以利用PUT方式上传文件的!这里去尝试了几个wordpress的后台弱口令,均以失败而告终!这个togie(网站上说了很多次togie 感觉这个用户还是有东西的!)用户既然不是wordpress的用户,那是谁的用户?mysql 还是ssh?
mysql无法登录,尝试一下togie去登录ssh,直接上hydra吧,毕竟也不知道密码,巧了真爆破出来了:
接下来去登录:
先确认靶标情况:
接下来就是提权了!
提权
因为我们在ssh登陆成功的时候,出现了系统的信息,内存等使用率;这里会不会涉及到motd提权?看一下吧:
哎? rbash了!需要绕过了这就!看看能使用sudo不,查看下当前用户的权限呗:
没问题,非常好了!三个ALL!
那就直接提权了!看看flag文件!这个靶机比较简单,看起来很复杂,但是实际上很简单了!
总结
昨晚打完之后,闲来无事看了一下红笔师傅的讲解视频,跟自己的打法完全不同,所以来复盘一下红笔师傅的打法:
回到我们wpscan没有什么信息,同时发现了togie用户,但是并不是一个wordpress的用户!于是到了这里似乎80端口上无法进一步去利用了~ 既然靶机开放了139 445端口,所以就尝试去登陆一下:
利用enum4linux进行信息的枚举:
发现了打印机和共享,尝试来链接共享,利用smbclient去登录:
直接无密码登录,上来发现了很多的文件和目录信息,所以直接给下载下来!直接下载当前目录下面所有的文件,然后看到存在wordpress目录,看到存在配置文件,也下载下来:
prompt OFF是将提示关闭掉,所以我们下载文件的时候,就不会每次询问我们!
Backnode_files目录下面似乎没什么有价值的东西,存在一个文件名比较奇怪的图片,之前我们就看到了,当时还去尝试了base64解码,似乎没什么东西,继续看其他的目录:
其他的目录也没什么东西了,所以这里我们就退出了,看一下下载得到的东西有什么价值嘛:
提示一个密码是12345(也不知道是谁的密码)
插件上传getshell
wp的配置文件中发现了数据库的账号和密码信息!于是拿着两个密码和一个账号去碰撞wordpress的后台!最终利用数据库的账号和密码信息,成功登陆到了wordpress的后台,接下来就是利用插件等进行RCE:
先给写好的反弹shell,进行压缩,形成压缩包!
直接将其他的插件头拿过来改一下:
然后上传安装即可!
然后访问插件中的文件:
192.168.1.97/wordpress/wp-content/plugins/sh/sh.php
成功拿到初始的立足点!
修改404文件getshell
还有一种方式是直接编辑写反弹shell:(往404页面里面写反弹shell脚本)
更新之后,想办法触发404页面的执行: