VulnHub walkthrough: prime1

Preface

VulnHub is a platform that provides virtual machine (VM) images for vulnerability testing, aimed at information security enthusiasts and professionals. It offers a series of deliberately vulnerable VM images so that users can improve their security skills through attack and exploitation exercises. This time the target is prime1.

1. Host discovery and port scanning

  1. Check the MAC address of the target VM in VMware so that it can be compared with the MAC addresses of the hosts nmap reports. The host whose MAC address matches the target's is the target, and its IP address is the target's IP.

    [screenshot]

    From this I know that the target uses NAT mode.

  2. Network scanning using nmap

    nmap -sP 192.168.1.0/24

    [screenshot]

    -sP: ping scan (host discovery only)

    -O: operating-system detection

    Besides nmap, other tools can also find the target's IP address:

    arp-scan -l                                //map IP addresses to MAC addresses on the local segment

    netdiscover -i eth0 -r 192.168.1.0/24      //discover live hosts in this subnet

  3. Port scanning using nmap

    nmap -p 1-65535 -A 192.168.1.129

    [screenshot]

    As the scan output shows, nmap found ports 22 and 80 open and also fingerprinted the operating system, the Apache version and other service details.

  4. Access the target in a browser

    [screenshot]

2. Directory scanning

  1. Perform a web directory scan

    dirb http://192.168.1.129

    [screenshot]

    You can also use the -X parameter to append specific file extensions to each wordlist entry.

    [screenshot]

  2. Then request the secret.txt file found in the target directory. The result is shown below.

    [screenshot]

    The file contains a hint: location.txt appears to be special, but requesting it directly shows nothing unusual. Its name may instead be the value of some parameter.

3. FUZZ and LFI

  1. Use the wfuzz tool to test for, and find, parameters that the URL may accept.

    wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.1.129/index.php?FUZZ

    [screenshot]

    Fuzzing (here with wfuzz) is typically used to:

    • Find parameters

    • Scan directories

    • Brute-force passwords

    • Find filtered keywords

    • Stress-test

  2. Most responses are identical. Use the --hw option to hide responses with that word count, so that only the different entries remain.

    [screenshot]

  3. One response differs from the others. Try requesting the page with that parameter name; the result is shown below.

    [screenshot]

    The page returns an error, but the error itself tells us something: file is a parameter that the page actually accepts. Next we can make use of that.

  4. Combining this with the hint seen earlier, use location.txt as the value of the file parameter and request the page again.

    [screenshot]

  5. It worked. Next, try the secrettier360 parameter. I tried it but got no response; then I changed index.php to image.php, and it responded. image.php had shown up in the earlier scan, but I had not paid attention to it and did not know what it was useful for, since it looked no different from index.php.

    [screenshot]

  6. Because the target runs Linux, /etc/passwd is one of the sensitive files. We can try passing it as the value of secrettier360. The result is shown below.

    [screenshot]

    The output contains a hint about how to log in to Linux.

In Linux, the password field in /etc/passwd contains only a placeholder x; the actual passwords are stored in /etc/shadow as salted hashes (MD5-based here) and are visible there, which is why that file is the one worth protecting.

  1. Follow the hint and request the indicated file through the same parameter in the URL.

    [screenshot]

  2. I got a password, follow_the_ippsec. I did not know whether it was the password for logging in to the Linux system; I tried it, but it was not. It seemed I had to start from another angle: when scanning the target directory earlier I had found a wordpress directory.
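The parameter fuzzing and the file-include requests in this section leave a distinctive trace in the web server's access log. The following is an added example, not part of the original walkthrough, that looks at the same activity from the defender's side: it parses Apache combined-format log lines, flags query values that carry local-file-include markers (traversal sequences, /etc/passwd, /etc/shadow, PHP stream wrappers, including double URL-encoded forms), and flags a client that sprays many distinct parameter names at one path within a short window, which is what a wfuzz run looks like. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Detect LFI probing and parameter fuzzing in Apache access logs.

Added example, not part of the original walkthrough: it looks at the same
activity the walkthrough performs against prime1 (wfuzz parameter discovery on
index.php, then a file-include parameter fed /etc/passwd) from the log side.
Log lines are Apache combined format; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings in a (decoded) query value that indicate a local-file-include attempt.
LFI_MARKERS = ("../", "..\\", "/etc/passwd", "/etc/shadow", "php://", "expect://")

FUZZ_DISTINCT_PARAMS = 20  # this many distinct parameter names from one client to one path...
FUZZ_WINDOW_SECONDS = 60   # ...inside this window is treated as parameter fuzzing


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def lfi_findings(records):
    """(ip, path, param, once-decoded value) for every query value carrying an LFI marker."""
    found = []
    for r in records:
        for name, value in r["params"]:
            decoded = unquote(unquote(value)).lower()  # undo double URL-encoding
            if any(marker in decoded for marker in LFI_MARKERS):
                found.append((r["ip"], r["path"], name, value))
    return found


def fuzz_findings(records):
    """(ip, path, distinct names) for clients that spray parameter names at one path."""
    events = defaultdict(list)
    for r in records:
        for name, _ in r["params"]:
            events[(r["ip"], r["path"])].append((r["ts"], name))
    found = []
    for (ip, path), seq in events.items():
        seq.sort()
        start = 0  # left edge of the sliding time window
        for i, (ts, _) in enumerate(seq):
            while (ts - seq[start][0]).total_seconds() > FUZZ_WINDOW_SECONDS:
                start += 1
            names = {n for _, n in seq[start:i + 1]}
            if len(names) >= FUZZ_DISTINCT_PARAMS:
                found.append((ip, path, len(names)))
                break
    return found


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {"lfi": lfi_findings(records), "fuzz": fuzz_findings(records)}


def _line(ip, sec, target, ua, status=200):
    return (f'{ip} - - [26/Aug/2023:10:00:{sec:02d} +0800] "GET {target} HTTP/1.1" '
            f'{status} 1204 "-" "{ua}"')


# Constructed sample: a wfuzz run against index.php, a benign visit, and two LFI attempts.
SAMPLE_LOG = (
    [_line("10.0.0.5", i, f"/index.php?param{i}", "Wfuzz/3.1.0") for i in range(25)]
    + [_line("10.0.0.9", 30, "/index.php?file=location.txt", "Mozilla/5.0")]
    + [_line("10.0.0.5", 40, "/image.php?secrettier360=/etc/passwd", "Mozilla/5.0")]
    + [_line("10.0.0.5", 41, "/index.php?file=%252e%252e%252fetc%252fshadow", "Mozilla/5.0", 500)]
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

The decode step runs unquote twice on purpose: parse_qsl already decodes once, so a value like `%252e%252e%252f` only reveals its `../` after a second pass. The fuzz rule keys on distinct parameter names rather than request count, so a busy but legitimate page does not trip it while a wordlist run against `?FUZZ` does.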

4. WordPress vulnerability scanning

  1. The target site is built on WordPress, a CMS that has had file upload vulnerabilities. I opened its wordpress directory, which showed a username and a login link.

    [screenshot]

  2. With a known username, try the password follow_the_ippsec obtained earlier from password.txt and see whether it logs in.

    [screenshot]

  3. The login succeeds and the admin dashboard appears, as shown below.

    [screenshot]

  4. Now we can try to place a webshell. First look for a write point: I found one in secret.php under Appearance > Theme Editor.

    [screenshot]

  5. Use MSF for a reverse shell, which is convenient and fast: generate shell.php with MSF and set up a listener.

    [screenshot]

  6. Remove the leading comment, paste the code into secret.php, and save it.

    [screenshot]

  7. With the MSF listener running, request secret.php.

    [screenshot]

In WordPress, secret.php actually lives in the wordpress/wp-content/themes/twentynineteen directory, so the reverse shell is triggered by requesting secret.php at that path, that is, http://192.168.1.129/wordpress/wp-content/themes/twentynineteen/secret.php.
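The write point used here is the built-in theme editor, which any administrator account can reach once its password is known. Two checks a defender can run against an install like this one, as an added example that is not from the original post and not WordPress code: the first reads wp-config.php and reports whether the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants (which remove the in-browser theme and plugin editor) are actually in force, ignoring commented-out lines; the second lists PHP files in a theme directory that are not in a known-good manifest, which is how a hand-added secret.php stands out. The manifest is assumed to come from a clean copy of the same theme version; the config text and theme files in the demo are constructed.

```python
"""Two defender-side checks for the WordPress write point used above.

Added example, not from the original post and not WordPress code. The first
check parses wp-config.php for the DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS
constants that turn off the in-browser theme and plugin editor (the path used
to drop secret.php). The second lists PHP files in a theme directory that are
not in a known-good manifest; the manifest is assumed to come from a clean copy
of the same theme version. The config text and theme files in the demo are
constructed.
"""
import os
import re
import tempfile

_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")


def _strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments so commented-out defines do not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", src, flags=re.MULTILINE)


def boolean_defines(wp_config_text):
    """{CONSTANT: bool} for every live define('NAME', true|false) call."""
    return {m["name"].upper(): m["value"].lower() == "true"
            for m in _DEFINE_RE.finditer(_strip_php_comments(wp_config_text))}


def hardening_gaps(wp_config_text):
    """Hardening constants that are absent or set to false."""
    live = boolean_defines(wp_config_text)
    return [c for c in HARDENING_CONSTANTS if not live.get(c, False)]


def unexpected_php_files(theme_dir, manifest):
    """Theme-relative paths of .php files under theme_dir that are not in manifest."""
    extra = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(root, name), theme_dir).replace(os.sep, "/")
                if rel not in manifest:
                    extra.append(rel)
    return sorted(extra)


def demo_theme_scan():
    """Build a constructed theme directory with one file added by hand and scan it."""
    theme = tempfile.mkdtemp(prefix="twentynineteen-")
    os.makedirs(os.path.join(theme, "inc"))
    for rel in ("index.php", "functions.php", "style.css", "inc/helpers.php", "secret.php"):
        with open(os.path.join(theme, rel), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    manifest = {"index.php", "functions.php", "inc/helpers.php"}  # assumed clean-copy listing
    return unexpected_php_files(theme, manifest)


if __name__ == "__main__":
    sample_config = "<?php\n// define('DISALLOW_FILE_EDIT', true);\ndefine('DB_NAME', 'wp');\n"
    print("hardening gaps:", hardening_gaps(sample_config))
    print("unexpected theme files:", demo_theme_scan())
```

The comment stripping matters in practice: a `define('DISALLOW_FILE_EDIT', true);` line that someone commented out during troubleshooting looks identical to a live one under a naive grep. The manifest comparison is deliberately based on file names rather than content signatures, so it also catches a webshell that has been obfuscated past any pattern match.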

  1. After getting the shell, we can run a few commands to learn more about the target.

    [screenshot]

5. Linux kernel vulnerability and privilege escalation

  1. We have a shell on the target, but not root. To get root we must escalate privileges on the target's operating system. I used the sysinfo command in meterpreter to view information about the target.

    [screenshot]

  2. Next, search for known vulnerabilities in this Linux release or kernel version.

    [screenshot]

    The search shows a vulnerability affecting Linux kernels before version 4.13.9. Locate the 45010.c source file and compile it into an executable.

    [screenshot]

Compiling on the target itself may run into problems, because the target operating system may not have gcc or a C build environment.

  1. Upload the compiled 45010.exe to the target's /tmp/ directory.

    [screenshot]

You may not have permission to write to other directories; /tmp on the target is normally world-writable, so upload there.

  1. After the upload succeeded, I checked and found that the program 45010 was present in /tmp/, but it did not have execute permission.

    [screenshot]

  2. Drop into a shell, grant execute permission, and run it:

    shell
    cd /tmp
    ls
    chmod +x 45010
    ./45010
    whoami

    [screenshot]

    Running ./45010 in the shell produced an error:

    ./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./45010)

    The binary was linked against a newer glibc than the target has. One way around this is to switch to an older version of Kali, such as Kali 2021.4; after installing it, repeat the steps above and run whoami. The output is root, which means the privilege escalation succeeded.
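The GLIBC_2.34 error is predictable before anything is copied: the symbol version tags a dynamically linked binary needs are stored as plain NUL-terminated strings in its dynamic string table, and the highest one is the minimum glibc the target's loader will accept. The following added example, not from the original walkthrough, reads those tags from a file and compares the highest one numerically with the target's glibc version (for instance the first line of `ldd --version` on the target). The same check applies to any native tool moved between hosts, incident-response collectors included. The byte blob used in the demo is a constructed stand-in, not a real ELF file.

```python
"""Check the glibc a dynamically linked binary needs before copying it to another host.

Added example, not from the original walkthrough. The "version `GLIBC_2.34'
not found" error above means the binary was built on a system whose libc is
newer than the target's. Symbol version tags like GLIBC_2.34 are stored as
NUL-terminated strings in the binary's dynamic string table, so the highest tag
present is the minimum glibc the loader will accept. Compare it with the
target's version (for example the first line of `ldd --version` on the target)
before uploading anything compiled elsewhere; the same check applies to any
native tool moved between hosts. The byte blob in the demo is constructed, not
a real ELF file.
"""
import re

_TAG_RE = re.compile(rb"GLIBC_(\d+)\.(\d+)(?:\.(\d+))?\x00")


def required_glibc(elf_bytes):
    """Highest GLIBC_x.y[.z] tag as an int tuple, or None when no tag is present."""
    found = [tuple(int(g) for g in m.groups() if g is not None)
             for m in _TAG_RE.finditer(elf_bytes)]
    return max(found) if found else None


def parse_glibc_version(text):
    """First x.y in text, e.g. 'ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31' -> (2, 31)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def will_load(elf_bytes, target_version_text):
    """True if every GLIBC tag in the binary is satisfied by the target's glibc."""
    needed = required_glibc(elf_bytes)
    return needed is None or needed <= parse_glibc_version(target_version_text)


def check_file(path, target_version_text):
    """Same check against a binary on disk."""
    with open(path, "rb") as fh:
        return will_load(fh.read(), target_version_text)


# Constructed stand-in for a binary's .dynstr contents (not a real ELF).
SAMPLE_BLOB = b"\x7fELF" + b"\x00" * 12 + b"GLIBC_2.2.5\x00GLIBC_2.34\x00GLIBC_2.14\x00GLIBC_PRIVATE\x00"

if __name__ == "__main__":
    print("needs glibc", ".".join(map(str, required_glibc(SAMPLE_BLOB))))
    print("loads on 2.31:", will_load(SAMPLE_BLOB, "ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31"))
```

Versions are compared as integer tuples rather than strings: as text, "2.34" sorts before "2.4", which is exactly the wrong answer here. A binary with no GLIBC_ tags at all (statically linked) is reported as loadable, since it carries no dependency on the target's libc.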

Origin blog.csdn.net/2301_76869453/article/details/132921341