devbox
数据灵魂
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Lazysysadmin

作者:数据灵魂 | 2024-02-04 17:25:44

Lazysysadmin

信息收集

  1. # nmap -sn 192.168.1.0/24 -oN live.port                     
  2. Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:10 CST
  3. Nmap scan report for 192.168.1.1 (192.168.1.1)
  4. Host is up (0.00075s latency).
  5. MAC Address: 00:50:56:C0:00:08 (VMware)
  6. Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
  7. Host is up (0.00055s latency).
  8. MAC Address: 00:50:56:FE:B1:6F (VMware)
  9. Nmap scan report for 192.168.1.97 (192.168.1.97)
  10. Host is up (0.00011s latency).
  11. MAC Address: 00:0C:29:AF:FE:0C (VMware)
  12. Nmap scan report for 192.168.1.254 (192.168.1.254)
  13. Host is up (0.00021s latency).
  14. MAC Address: 00:50:56:E2:FC:91 (VMware)
  15. Nmap scan report for 192.168.1.60 (192.168.1.60)
  16. Host is up.

探测到目标靶机IP地址为192.168.1.97

  1. # nmap -sT --min-rate 10000 -p- 192.168.1.97 -oN port.nmap
  2. Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
  3. Nmap scan report for 192.168.1.97 (192.168.1.97)
  4. Host is up (0.0021s latency).
  5. Not shown: 65529 closed tcp ports (conn-refused)
  6. PORT     STATE SERVICE
  7. 22/tcp   open  ssh
  8. 80/tcp   open  http
  9. 139/tcp  open  netbios-ssn
  10. 445/tcp  open  microsoft-ds
  11. 3306/tcp open  mysql
  12. 6667/tcp open  irc
  13. MAC Address: 00:0C:29:AF:FE:0C (VMware)

开放的端口信息比较多,当然还是先以80端口为重点,寻找突破点,其他的端口作为辅助;6667端口暂时还不知道是什么样的服务~

  1. # nmap -sT -sC -sV -O -p80,22,139,445,3306,6667 192.168.1.97 -oN details.nmap
  2. Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
  3. Nmap scan report for 192.168.1.97 (192.168.1.97)
  4. Host is up (0.00055s latency).
  5.  
  6. PORT     STATE SERVICE     VERSION
  7. 22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  8. | ssh-hostkey: 
  9. |   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
  10. |   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
  11. |   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
  12. |_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
  13. 80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
  14. |_http-title: Backnode
  15. |_http-generator: Silex v2.2.7
  16. | http-robots.txt: 4 disallowed entries 
  17. |_/old/ /test/ /TR2/ /Backnode_files/
  18. |_http-server-header: Apache/2.4.7 (Ubuntu)
  19. 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  20. 445/tcp  open  `JRSV      Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
  21. 3306/tcp open  mysql       MySQL (unauthorized)
  22. 6667/tcp open  irc         InspIRCd
  23. | irc-info: 
  24. |   server: Admin.local
  25. |   users: 1
  26. |   servers: 1
  27. |   chans: 0
  28. |   lusers: 1
  29. |   lservers: 0
  30. |   source ident: nmap
  31. |   source host: 192.168.1.60
  32. |_  error: Closing link: (nmap@192.168.1.60) [Client exited]
  33. MAC Address: 00:0C:29:AF:FE:0C (VMware)
  34. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  35. Device type: general purpose
  36. Running: Linux 3.X|4.X
  37. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
  38. OS details: Linux 3.2 - 4.9
  39. Network Distance: 1 hop
  40. Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  41.  
  42. Host script results:
  43. | smb-os-discovery: 
  44. |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
  45. |   Computer name: lazysysadmin
  46. |   NetBIOS computer name: LAZYSYSADMIN\x00
  47. |   Domain name: \x00
  48. |   FQDN: lazysysadmin
  49. |_  System time: 2024-01-30T23:24:42+10:00
  50. | smb-security-mode: 
  51. |   account_used: guest
  52. |   authentication_level: user
  53. |   challenge_response: supported
  54. |_  message_signing: disabled (dangerous, but default)
  55. |_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
  56. |_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
  57. | smb2-security-mode: 
  58. |   3:1:1: 
  59. |_    Message signing enabled but not required
  60. | smb2-time: 
  61. |   date: 2024-01-30T13:24:42
  62. |_  start_date: N/A
  63.  
  64. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  65. Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds

详细信息探测的结果比较多,挑选出来重点:80端口Apache2.4.7 存在robots文件,samba服务探测到工作组信息,操作系统是Ubuntu系统!6667端口也有信息,但是这里还没有了解,先向下看看,一会去了解下irc服务是什么;smb探测到了os的计算机名等信息!

  1. # nmap -sT --script=vuln -p80,22,139,445,3306,6667 192.168.1.97 -oN vuln.nmap 
  2. Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-30 21:24 CST
  3. Pre-scan script results:
  4. | broadcast-avahi-dos: 
  5. |   Discovered hosts:
  6. |     224.0.0.251
  7. |   After NULL UDP avahi packet DoS (CVE-2011-1002).
  8. |_  Hosts are all up (not vulnerable).
  9. Nmap scan report for 192.168.1.97 (192.168.1.97)
  10. Host is up (0.00075s latency).
  11.  
  12. PORT     STATE SERVICE
  13. 22/tcp   open  ssh
  14. 80/tcp   open  http
  15. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  16. |_http-csrf: Couldn't find any CSRF vulnerabilities.
  17. |_http-dombased-xss: Couldn't find any DOM based XSS.
  18. | http-slowloris-check: 
  19. |   VULNERABLE:
  20. |   Slowloris DOS attack
  21. |     State: LIKELY VULNERABLE
  22. |     IDs:  CVE:CVE-2007-6750
  23. |       Slowloris tries to keep many connections to the target web server open and hold
  24. |       them open as long as possible.  It accomplishes this by opening connections to
  25. |       the target web server and sending a partial request. By doing so, it starves
  26. |       the http server's resources causing Denial Of Service.
  27. |       
  28. |     Disclosure date: 2009-09-17
  29. |     References:
  30. |       http://ha.ckers.org/slowloris/
  31. |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
  32. | http-enum: 
  33. |   /wordpress/: Blog
  34. |   /test/: Test page
  35. |   /robots.txt: Robots file
  36. |   /info.php: Possible information file
  37. |   /phpmyadmin/: phpMyAdmin
  38. |   /wordpress/wp-login.php: Wordpress login page.
  39. |   /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
  40. |_  /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
  41. | http-sql-injection: 
  42. |   Possible sqli for queries:
  43. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  44. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  45. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
  46. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  47. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  48. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  49. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  50. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DD%27%20OR%20sqlspider
  51. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  52. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  53. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DD%27%20OR%20sqlspider
  54. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  55. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  56. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  57. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  58. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  59. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  60. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  61. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  62. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DD%27%20OR%20sqlspider
  63. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  64. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  65. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DD%27%20OR%20sqlspider
  66. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  67. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  68. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  69. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  70. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  71. |     http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  72. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  73. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  74. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  75. |     http://192.168.1.97:80/Backnode_files/?C=N%3BO%3DA%27%20OR%20sqlspider
  76. |     http://192.168.1.97:80/Backnode_files/?C=D%3BO%3DA%27%20OR%20sqlspider
  77. |     http://192.168.1.97:80/Backnode_files/?C=S%3BO%3DA%27%20OR%20sqlspider
  78. |_    http://192.168.1.97:80/Backnode_files/?C=M%3BO%3DA%27%20OR%20sqlspider
  79. 139/tcp  open  netbios-ssn
  80. 445/tcp  open  microsoft-ds
  81. 3306/tcp open  mysql
  82. 6667/tcp open  irc
  83. | irc-botnet-channels: 
  84. |_  ERROR: TIMEOUT
  85. |_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
  86. MAC Address: 00:0C:29:AF:FE:0C (VMware)
  87.  
  88. Host script results:
  89. |_smb-vuln-ms10-054: false
  90. | smb-vuln-regsvc-dos: 
  91. |   VULNERABLE:
  92. |   Service regsvc in Microsoft Windows systems vulnerable to denial of service
  93. |     State: VULNERABLE
  94. |       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
  95. |       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
  96. |       while working on smb-enum-sessions.
  97. |_          
  98. |_smb-vuln-ms10-061: false

默认漏洞脚本的探测结果显示存在几个感兴趣的目录,同时存在wordpress目录,那应该就是wordpress了!很大的概率是通过wordpress进行建立立足点;

这里去了解了一下什么是irc:

寻找立足点

既然80端口上存在wordpress,这个是我们比较熟悉的,那就先从这里入手;

可以看到下面存在一句英文”My mind in MYSQL“ 提示我们思路应该在MYSQL上面?看一下robots文件:

存在几个目录,尝试都访问一下:old目录:

下面这个目录是存在文件的,其他的都没有,虽然没有,但是可以查看是不是开启了PUT方法等,能直接上传文件!

上面信息收集的时候,还看到了几个其他的目录,这里也都挨着去访问一下看看!

phpmyadmin界面:

这里尝试了一下弱口令,但是没有什么效果:

查看wordpress目录:

发现可能存在用户名为togie,同时在评论处,发现了Admin:

这里先尝试利用wpscan进行初步的漏洞和用户等信息的探测!wpscan识别到存在用户:

但是并没有上面我们发现的togie用户~ 但是利用wpscan并没有寻找到存在漏洞的插件等:

尝试弱口令登录到wordpress的后台:

可以看到test目录是不可以利用PUT方式上传文件的!这里去尝试了几个wordpress的后台弱口令,均以失败而告终!这个togie(网站上说了很多次togie 感觉这个用户还是有东西的!)用户既然不是wordpress的用户,那是谁的用户?mysql 还是ssh?

mysql无法登录,尝试一下togie去登录ssh,直接上hydra吧,毕竟也不知道密码,巧了真爆破出来了:

接下来去登录:

先确认靶标情况:

接下来就是提权了!

提权

因为我们在ssh登陆成功的时候,出现了系统的信息,内存等使用率;这里会不会涉及到motd提权?看一下吧:

哎? rbash了!需要绕过了这就!看看能使用sudo不,查看下当前用户的权限呗:

没问题,非常好了!三个ALL!

那就直接提权了!看看flag文件!这个靶机比较简单,看起来很复杂,但是实际上很简单了!

总结

昨晚打完之后,闲来无事看了一下红笔师傅的讲解视频,跟自己的打法完全不同,所以来复盘一下红笔师傅的打法:

回到我们wpscan没有什么信息,同时发现了togie用户,但是并不是一个wordpress的用户!于是到了这里似乎80端口上无法进一步去利用了~ 既然靶机开放了139 445端口,所以就尝试去登陆一下:

利用enum4linux进行信息的枚举:

发现了打印机和共享,尝试来链接共享,利用smbclient去登录:

直接无密码登录,上来发现了很多的文件和目录信息,所以直接给下载下来!直接下载当前目录下面所有的文件,然后看到存在wordpress目录,看到存在配置文件,也下载下来:

prompt OFF是将提示关闭掉,所以我们下载文件的时候,就不会每次询问我们!

Backnode_files目录下面似乎没什么有价值的东西,存在一个文件名比较奇怪的图片,之前我们就看到了,当时还去尝试了base64解码,似乎没什么东西,继续看其他的目录:

其他的目录也没什么东西了,所以这里我们就退出了,看一下下载得到的东西有什么价值嘛:

提示一个密码是12345(也不知道是谁的密码)

插件上传getshell

wp的配置文件中发现了数据库的账号和密码信息!于是拿着两个密码和一个账号去碰撞wordpress的后台!最终利用数据库的账号和密码信息,成功登陆到了wordpress的后台,接下来就是利用插件等进行RCE:

先给写好的反弹shell,进行压缩,形成压缩包!

直接将其他的插件头拿过来改一下:

然后上传安装即可!

然后访问插件中的文件:

192.168.1.97/wordpress/wp-content/plugins/sh/sh.php

成功拿到初始的立足点!

修改404文件getshell

还有一种方式是直接编辑写反弹shell:(往404页面里面写反弹shell脚本)

更新之后,想办法触发404页面的执行:

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/article/detail/59478
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号