vulnhub-w1r3s1
forg12

Overview

Information gathering

Finding the target IP

nmap -sP  192.168.2.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-11 09:22 CST

Nmap scan report for 192.168.2.152
Host is up (0.0083s latency).

Port and service scan

nmap -p- -T5  192.168.2.152
Starting Nmap 7.92 ( https://nmap.org )
Warning: 192.168.2.152 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.2.152
Host is up (0.010s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

nmap -p 21,22,80,3306 -sV -A -T5  192.168.2.152
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.152
Host is up (0.0068s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.2.153
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Directory scan

dirsearch -u http://192.168.2.152/ -x 403   

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/192.168.2.152/-_22-08-11_10-29-07.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-08-11_10-29-07.log

Target: http://192.168.2.152/

[10:29:07] Starting:
[10:29:12] 301 - 322B - /administrator -> http://192.168.2.152/administrator/
[10:29:12] 302 - 7KB - /administrator/ -> installation/
[10:29:12] 302 - 7KB - /administrator/index.php -> installation/
[10:29:16] 200 - 11KB - /index.html
[10:29:16] 301 - 319B - /javascript -> http://192.168.2.152/javascript/
[10:29:23] 301 - 0B - /wordpress/ -> http://localhost/wordpress/
[10:29:23] 200 - 2KB - /wordpress/wp-login.php

Task Completed

FTP anonymous login

The nmap scan showed that anonymous FTP login is allowed, so I logged in, downloaded all the files, and went through the contents of each one.

ftp 192.168.2.152
Connected to 192.168.2.152.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.2.152:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||45870|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45488|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.

ftp> get 01.txt
local: 01.txt remote: 01.txt
229 Entering Extended Passive Mode (|||48220|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |*******************************************************************************| 29 2.52 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (1.63 KiB/s)

ftp> get 02.txt
local: 02.txt remote: 02.txt
229 Entering Extended Passive Mode (|||47208|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |*******************************************************************************| 165 3.34 MiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (13.15 KiB/s)

ftp> get 03.txt
local: 03.txt remote: 03.txt
229 Entering Extended Passive Mode (|||43815|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |*******************************************************************************| 582 4.40 MiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (84.45 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||41195|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||43374|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||41926|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |*******************************************************************************| 138 72.88 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (14.45 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||40756|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45320|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt
226 Directory send OK.
ftp> get employee-names.txt
local: employee-names.txt remote: employee-names.txt
229 Entering Extended Passive Mode (|||46214|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |*******************************************************************************| 155 14.17 KiB/s 00:00 ETA
226 Transfer complete.
155 bytes received in 00:00 (8.88 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49315|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> exit
221 Goodbye.
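
The same walk done programmatically, as an added example that is not code from the original post. It uses Python's ftplib and takes the client as a parameter, so the hypothetical in-memory FakeFTP with a constructed tree (the directory and file names from the session above, placeholder contents) runs it offline, and an ftplib.FTP logged in as anonymous can be passed in its place.

```python
from ftplib import error_perm  # a real ftplib.FTP client also works with mirror()
from functools import reduce
from pathlib import Path
import tempfile

def mirror(ftp, remote_dir, local_dir):
    """Download every file below remote_dir into local_dir; return remote paths
    fetched. An entry whose cwd() raises error_perm is a file, fetched in binary."""
    fetched, local = [], Path(local_dir)
    local.mkdir(parents=True, exist_ok=True)
    ftp.cwd(remote_dir)
    for name in ftp.nlst():
        child = remote_dir.rstrip("/") + "/" + name
        try:
            ftp.cwd(name)                      # only succeeds for a directory
        except error_perm:
            with open(local / name, "wb") as fh:
                ftp.retrbinary("RETR " + name, fh.write)
            fetched.append(child)
            continue
        fetched.extend(mirror(ftp, child, local / name))
        ftp.cwd(remote_dir)                    # recursion moved us; go back
    return fetched

class FakeFTP:
    """Hypothetical in-memory stand-in for ftplib.FTP so the walk runs offline."""
    def __init__(self, tree):
        self.tree, self.path = tree, []
    def _node(self, parts):                    # descend nested dicts to an entry
        return reduce(lambda d, k: d[k], parts, self.tree)
    def cwd(self, path):
        parts = [] if path.startswith("/") else list(self.path)
        parts += [p for p in path.split("/") if p]
        if not isinstance(self._node(parts), dict):
            raise error_perm("550 Failed to change directory.")
        self.path = parts
    def nlst(self):
        return sorted(self._node(self.path))
    def retrbinary(self, cmd, callback):
        callback(self._node(self.path + [cmd.split(" ", 1)[1]]))

# Constructed tree using the names from the post's FTP session; contents are placeholders.
SAMPLE_TREE = {"content": {"01.txt": b"sample one\n", "02.txt": b"sample two\n", "03.txt": b"sample three\n"},
               "docs": {"worktodo.txt": b"todo\n"}, "new-employees": {"employee-names.txt": b"names\n"}}

def mirror_sample():
    """Mirror SAMPLE_TREE into a temp dir; return (fetched paths, bytes written)."""
    local = Path(tempfile.mkdtemp())
    fetched = mirror(FakeFTP(SAMPLE_TREE), "/", local)
    return fetched, sum(p.stat().st_size for p in local.rglob("*") if p.is_file())
```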

I did not know what kind of encoding the first ciphertext used, so I ran hash-identifier on it. It is probably MD5, so I then went to https://www.somd5.com/ to crack it.

hash-identifier 01ec2d8fc11c493b25029fb1f47f39ce

The second encoded string:

echo "SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==" | base64 --decode

The other files:

Exploitation

The files downloaded from the FTP service turned up nothing usable, so I went to look at the path that dirsearch had found:

http://192.168.2.152/administrator/installation/

After filling in arbitrary values and clicking Next, the page reported that Configuration.php had already been modified. If the configuration file can be rewritten even when the database credentials are wrong, I wanted to see whether changing the submitted parameters would let me insert my own code.

File inclusion

After several unsuccessful attempts, I googled for public vulnerabilities in this CMS.

https://www.exploit-db.com/exploits/25971

Cracking shadow

john shadow.txt

The www-data user cannot log in, so I logged in as the w1r3s user instead.

Privilege escalation

After logging in as w1r3s, running id showed that the user has sudo privileges, so sudo su gives root directly.

flag
