Vulnhub-Stapler-1

靶机实验Vulnhub
, , ,

这个同样是备考OSCP靶机清单中的其中一个

下载链接stapler

信息收集

nmap扫描结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 22:07 CST
Nmap scan report for 192.168.56.139
Host is up (0.00036s latency).

PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   tcpwrapped
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 9
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, FoundRows, IgnoreSigpipes, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, LongPassword, InteractiveClient, Speaks41ProtocolOld, ConnectWithDatabase, SupportsLoadDataLocal, ODBCClient, SupportsCompression, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: "s\x04xO\x1F%\x07j2<\x06i'j\x02       \x12t\x0B
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h39m57s, deviation: 34m38s, median: 7h59m57s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2020-06-19T23:07:17+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-19T22:07:18
|_  start_date: N/A

扫描目录后发现.bashrc和.profile 下载回来一看,我发现好像都没什么帮助的。

nikto 扫描

80端口的扫描看起来是没什么帮助的。所以再次扫描12380端口。

咦,nikto显示找到了两个路径

  • admin112233
  • blogblog

但是用http去无法访问,尝试用https成功

看起来是个wordpress博客

去看看admin112233
确定之后就被重定向到了xss payloads了

robots.txt

1
2
3
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

smb目录探测

尝试连接

在backup里面了找到了vsftpd.conf发现匿名用户的配置选项是打开的。先去看看ftp有什么东西


ftp目录中只有一个文件,其内容为:

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Elly,请确保您更新了有效负载信息。完成后,将其保留在您的FTP帐户中,约翰。

有效负载信息是什么?。。真是吃了文化的亏。。ftp匿名用户目录看起来没什么信息了,继续回去samba目录。
很可惜backup目录下的wordpress.tar.gz并不是网站的备份,只是一个安装包。

kathy_stuff目录下只有一个todolist,内容为

I’m making sure to backup anything important for Initech, Kathy

好像没什么线索了,,所以目前为止找到了Kathy,John,Elly,Harry,zoe这四个好像是目标服务器的中的用户名。

连接samba的tmp目录

只有一个ls文件,内容是

好像不会更新的。

到这里,smb和ftp的线索就断了。我被困住了,尝试检索服务器运行服务的版本的漏洞

sambacry 提权


符合目标版本的好像只有42084.rb.看了一下内容是CVE-2017-7494的漏洞编号而且是rb脚本,直接上msf。

提权成功。

这应该就是最轻松的提权方式了把。。。

尝试使用非msf框架的exp

下载地址:exp-joxeankoret-CVE-2017-7494
目标机器samba版本4.3.9利用不成功

exp42060 sambacry exp
同样也是不成功,,不会改(脚本小子就是脚本小子,真的废物

同样尝试了这个exp也是不成功

讲道理,感觉其他的exp也是能执行的啊。。为什么就msf的可以。难道是和我本机的环境有关?我暂且蒙在古里。想到这里,我又回去尝试了msf的exp,还是成功。我重新看了一下42060 sambacry exp的帮助命令,发现有一个参数。-x 看了这个参数之后,我就想是不是会和目标机器的系统架构有关,而这个脚本默认的是X8664的so文件,在32位的机器上无法执行。所以一直没有成功。想到这里 我将-x这个参数加上去了,结果就成功了。。。

。。此时只想喷自己是弱智

漏洞利用-拿webshell

使用wpscan扫描目标博客

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
wpscan --url "https://192.168.56.139:12380/blogblog/" --disable-tls-checks

[+] URL: https://192.168.56.139:12380/blogblog/ [192.168.56.139]
[+] Started: Sat Jun 20 04:02:20 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.56.139:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://192.168.56.139:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://192.168.56.139:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.56.139:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.56.139:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.56.139:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.56.139:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=====================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

wordpress 4.2.1好像并没有存在的exp。

https://192.168.56.139:12380/blogblog/xmlrpc.php 存在xmldos攻击。不过对我们好像没什么作用

https://192.168.56.139:12380/blogblog/wp-content/themes/bhost/readme.txt 点了一下,发现还有目录遍历

看了一下插件

搜索了一下,发现博客上面的advanced-video-embed-embed-videos-or-playlists插件版本是1.0并且存在文件包含。

看了一下大神构造好的payload

1
http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

修改成目标站点的uri就好了
尝试包含/etc/passwd,如果包含成功则会在上传目录下添加一个jpeg文件,并且首页会添加一个新的文章。


下载目标文件,cat查看

1
wget https://192.168.56.139:12380/blogblog/wp-content/uploads/2084215694.jpeg --no-check-certificate #不检查ssl证书

成功包含!,我觉得现在可以尝试包含wp-config。看数据库的帐号密码。对照着在smb共享目录中找到的wordpress.tar.gz知道wp-config.php不在wp-admin目录下,在blogblog的根目录下。(因为解压出来有个wp-config-sample.php)

登录数据库成功。

查看一些配置信息

因为写文件的相关配置是空的,所以代表我们可以任意写文件到指定路径

蚁剑连接成功(要先关闭https证书检查

到这里我们已经获得了webshell了。是真的累。。

爆破wordpress用户密码

观察结果,无效用户名

确定用户名为john,并且没有设置重试次数。可以尝试爆破密码

爆破用户密码

登录之后尝试写一句话,但是不成功。因为主题模板文件不可写。。尝试安装主题也不行

看起来是没有给够权限。

提权-敏感信息泄露

对系统进行信息枚举后,发现一个特别的地方

这里的居然是root执行的,觉得有点奇妙,去这个用户的家目录查看后,发现bash_history可读

peter是uid1000的用户,他可能具有sudo权限。抱着这一想法,登录看看。

感觉是相对比较轻松的提权了。。

内核提权

查看系统内核信息后,发现是4.4.0.21内核的ubuntu系统

搜索exp库,好像还挺多的。有搞头?

排除掉x64和不符合的版本后,只剩下

  • 39772.txt
  • 43418.c
  • 47169.c
  • 44298.c

最后选择了39772.txt,漏洞编号:CVE-2016-4557。照着exp的说明去做,先运行compile.sh编译后,执行doubleput就可以拿到root权限了。这个漏洞还是谷歌的零日计划团队发现的Issue 808: Linux: UAF via double-fdput() in bpf(BPF_PROG_LOAD) error path

总结