Gigroot
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:ab:4c:5b 1 60 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:44:c8:1b 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 22:08 EDT
Nmap scan report for localhost (192.168.56.103)
Host is up (0.000075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 bf45f6b3e3ce0c69185a5b27e5d39c86 (RSA)
| 256 b5d7455006c4e23c2852b806261fdeb0 (ECDSA)
|_ 256 27f0d02113309c5ef070a1d85ca78f75 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Hey Jen
|_http-server-header: Apache/2.4.38 (Debian)
11211/tcp open memcache?
| fingerprint-strings:
| RPCCheck:
|_ Unknown command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.93%I=7%D=4/29%Time=644DCDBD%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unk
SF:nown\x20command");
MAC Address: 08:00:27:44:C8:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.92 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://192.168.56.103/
<!doctype html>
<html>
<head>
<title>Hey Jen</title>
</head>
<body>
<p> Hey Jen, just installed wordpress over at wp.gitroot.vuln <br> please go check it out! <p>
</body>
</html>
将wp.gitroot.vuln加入/etc/hosts文件中:
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 wp.gitroot.vuln
此时访问url,从返回页面可知目标为Wordpress站点:
http://wp.gitroot.vuln/
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://wp.gitroot.vuln/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: wp.gitroot.vuln
+ Target Port: 80
+ Start Time: 2023-04-29 22:24:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.gitroot.vuln/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-04-29 22:25:11 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://wp.gitroot.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh,.bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://wp.gitroot.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,bak,php,js
[+] Timeout: 10s
===============================================================
2023/04/29 22:25:59 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/index.php (Status: 301) [Size: 1] [--> http://wp.gitroot.vuln/]
/wp-content (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/wp-content/]
/wp-login.php (Status: 200) [Size: 3195]
/manual (Status: 301) [Size: 319] [--> http://wp.gitroot.vuln/manual/]
/wp-includes (Status: 301) [Size: 324] [--> http://wp.gitroot.vuln/wp-includes/]
/wp (Status: 403) [Size: 280]
/javascript (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/javascript/]
/readme.html (Status: 200) [Size: 7440]
/wp-trackback.php (Status: 200) [Size: 136]
/wp-admin (Status: 301) [Size: 321] [--> http://wp.gitroot.vuln/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 43]
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/wp-signup.php (Status: 302) [Size: 1] [--> http://wp.gitroot.vuln/wp-login.php?action=register]
/server-status (Status: 403) [Size: 280]
Progress: 1540385 / 1543927 (99.77%)===============================================================
2023/04/29 22:29:10 Finished
============================================================
因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运行结果中没有看到除了wordpress相关的目录文件之外的信息。接下来看是否可以用wpscan工具扫描出用户名或者可利用的插件。
─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -e u,p[+] beth
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
wpscan工具扫描出用户名beth,看能否破解其密码。