2019-01-14 Vulnhub penetration testing writeup (
2019-01-15 (reached 12 readers)
最初的美好_kai
bsidesvancouver2018
First, the homepage:
[screenshot p1]
Then nmap:
# Nmap 7.40 scan initiated Sun Jan 13 22:32:56 2019 as: nmap -p- -A -sV -oN test.xml 192.168.110.139
Nmap scan report for 192.168.110.139
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.02 ms 192.168.110.139
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 13 22:33:26 2019 -- 1 IP address (1 host up) scanned in 30.91 seconds
dirb results:
+ http://192.168.110.139/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.110.139/index (CODE:200|SIZE:177)
+ http://192.168.110.139/robots.txt (CODE:200|SIZE:43) // there is a WordPress backend
+ http://192.168.110.139/server-status (CODE:403|SIZE:296)
Anonymous FTP login didn't seem to give anything useful... straight to wpscan:
wpscan -e u -u http://192.168.110.139/backup_wordpress/
Results:
[screenshot p2]
Found usernames, but brute-forcing turned up no weak password.
Then I was out of ideas; there should have been a weak password, so at this point I had to look at a walkthrough...
Turns out they brute-forced it too, but their brute force actually hit the weak password... damn...
john's password is enigma.
Then it's straight to the 404 template reverse shell...
Getting the reverse shell here was a bit of a struggle, won't go into it... remember to trigger the 404 via a parameter, and if the reverse shell doesn't work just use reverse-php instead...
After the shell, a round of searching: found wp-config.php, which had john's database username and password, but they didn't work for logging in...
Then I looked for kernel vulnerabilities and found that dirty couldn't be executed...
Finally, after reading the walkthrough, I saw they had also found a suid privilege-escalation flaw. How does it work? crontab periodically executes a file, and that file is executed with root privileges, so you just use echo to write into it:
echo "cat /root/flag.txt > /tmp/flag1.txt" >> /usr/local/bin/cleanup
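Defender's note (an added example, not from the post or the linked walkthrough): the real weakness here is a cron job that runs, as root, a file that a low-privileged user can write to. The Python script below parses /etc/crontab-style lines (five time fields, user, command), resolves each job's target file and flags it when it is world-writable, group-writable by a non-root group, owned by a non-root user while executed as root, or sitting in a world-writable directory without the sticky bit. The cleanup and rotate scripts and the crontab lines are constructed in a temporary directory for the demo; nothing from the actual box is reproduced.

```python
# Added example (not from the original post): audit cron entries for scripts
# that a non-root user could edit. The cleanup/rotate scripts and the crontab
# lines below are constructed for the demo; the real box's paths are not used.
import os
import re
import stat
import tempfile
from typing import Dict, List

# /etc/crontab and /etc/cron.d entries: 5 time fields, a user, then the command.
_CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Return [{'user', 'cmd', 'target'}] for each job line; skip comments and env lines."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            continue
        m = _CRON_LINE.match(s)
        if not m:
            continue
        cmd = m.group("cmd")
        jobs.append({"user": m.group("user"), "cmd": cmd, "target": cmd.split()[0]})
    return jobs


def audit_cron_targets(jobs: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag job targets whose file (or containing directory) is writable by
    someone other than the job's effective user. Only absolute, existing paths
    are checked; relative commands resolve through PATH and are out of scope."""
    findings = []
    for job in jobs:
        path = job["target"]
        if not os.path.isabs(path) or not os.path.isfile(path):
            continue
        st = os.stat(path)
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append("group-writable by a non-root group")
        if job["user"] == "root" and st.st_uid != 0:
            reasons.append(f"owned by uid {st.st_uid} but executed as root")
        parent = os.stat(os.path.dirname(path))
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("parent directory world-writable (file can be replaced)")
        if reasons:
            findings.append({**job, "reasons": reasons})
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a constructed cron setup with one safe and one writable script and audit it."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    bad = os.path.join(workdir, "cleanup")   # stands in for a root-run maintenance job
    good = os.path.join(workdir, "rotate")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho maintenance\n")
    os.chmod(bad, 0o777)   # anyone can append commands: this is the weakness
    os.chmod(good, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root {bad}\n"
        f"0 3 * * * root {good} --weekly\n"
    )
    return audit_cron_targets(parse_system_crontab(crontab))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['user']} runs {f['target']}: {', '.join(f['reasons'])}")
```

Run it against a real host by feeding the contents of /etc/crontab and each file in /etc/cron.d to parse_system_crontab; anything it flags as world-writable is exactly the condition the echo command above relies on, and the fix is chmod 755 plus root ownership on the script and its directory.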
[screenshot p3]
That way you should be able to escalate privileges directly and get dirty to run, nice!
Here's a really well-written walkthrough:
https://pentester.land/challenge/2018/06/27/vulnhub-Bsides-Vancouver-2018-walkthrough.html#from-wordpress-user-to-os-shell
Next, a WordPress upload-script exploit worth mentioning:
[screenshot p4]
You have to wait quite a while, around 10 minutes, but it gives you an nc reverse shell directly, which is convenient, and you can also inject BeEF.
Summary of the approach:
1. Use nmap and dirb to gather information; discover the WordPress backend
2. Insert the 404 reverse shell directly
3. Use suid privilege escalation, borrowing crontab to read flag.txt
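Defender's note on both the 404-template shell and the upload-script route (an added example, not from the post or the walkthrough): both paths change files under wp-content, either by editing an existing theme file or by dropping a new plugin. A baseline of file hashes over that tree catches either one. The script below hashes a directory tree, diffs it against a saved baseline, and additionally scans added or modified PHP files for functions that rarely belong in a theme. The theme and plugin files, and the tamper marker appended to 404.php, are constructed in a temporary directory; the marker only decodes the string "hello" and is not a working payload.

```python
# Added example (not from the post or the walkthrough): file-integrity check for
# a WordPress content tree. All paths and file contents below are constructed.
import hashlib
import os
import tempfile
from typing import Dict, List

# Tokens that are rare in legitimate theme code and common in dropped shells.
SUSPICIOUS = (b"eval(", b"base64_decode(", b"shell_exec(", b"fsockopen(", b"$_REQUEST[")


def hash_tree(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str], root: str) -> Dict[str, List[str]]:
    """Report added/modified/removed files; added or modified .php files are
    also scanned for SUSPICIOUS tokens."""
    report: Dict[str, List[str]] = {"added": [], "modified": [], "removed": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        else:
            continue  # unchanged file, nothing to inspect
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "rb") as fh:
                body = fh.read()
            if any(tok in body for tok in SUSPICIOUS):
                report["suspicious"].append(rel)
    report["removed"] = list(set(baseline) - set(current))
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed wp-content tree: take a baseline, then simulate both changes."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    theme = os.path.join(root, "themes", "twentyseventeen")
    os.makedirs(theme)
    with open(os.path.join(theme, "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); get_footer();\n")
    baseline = hash_tree(root)

    # Change 1 (constructed): the 404 template gets extra code appended; the
    # marker merely decodes "hello" but carries the base64_decode( token.
    with open(os.path.join(theme, "404.php"), "a") as fh:
        fh.write("<?php /* constructed tamper marker */ echo base64_decode('aGVsbG8='); ?>\n")
    # Change 2 (constructed): a plugin appears that was never in the baseline.
    plugin = os.path.join(root, "plugins", "new-plugin")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "plugin.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Constructed Example */\n")

    return diff_baseline(baseline, hash_tree(root), root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken right after a clean install or update and stored off the web server; any "added" PHP file under plugins or uploads, or any "modified" theme file outside a deliberate update window, is worth an alert on its own, regardless of whether the token scan fires.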